redline | a18d6029404c50128e9acbace031a19127c8c2ae9f188c108ba8a94df6900e24

Analysis

max time kernel
99s
max time network
128s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
28/03/2023, 18:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a18d6029404c50128e9acbace031a19127c8c2ae9f188c108ba8a94df6900e24.exe
Size

697KB
MD5

2b1b6875a87a164a885722db9b9f1058
SHA1

5900e92cf9cbdd0c531cb256de0b29d8dbf21b77
SHA256

a18d6029404c50128e9acbace031a19127c8c2ae9f188c108ba8a94df6900e24
SHA512

26e172a7d48e81797cb303c93904c7109e8f9eb59aee56ff422137ed9a5747fa6ad268a63f09a59bf9adf2d0b64b7f920bd5e3d22cb163a0313891ba4a120082
SSDEEP

12288:fMrFy900QURNc3JZsvzv9F5XXLxAuIYRhRwEk5ob2Vrot:uyLLNc3J0b7xX/tNHC+t

Score

10^/10

redline muse rosn discovery evasion infostealer persistence spyware stealer trojan

Malware Config

Extracted

Family

redline

Botnet

rosn

176.113.115.145:4125

Attributes

auth_value
050a19e1db4d0024b0f23b37dcf961f4

Extracted

Family

redline

Botnet

muse

176.113.115.145:4125

Attributes

auth_value
b91988a63a24940038d9262827a5320c

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	pro9417.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	pro9417.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	pro9417.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	pro9417.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	pro9417.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	pro9417.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 18 IoCs

resource	yara_rule
behavioral1/memory/5020-187-0x0000000007700000-0x000000000773F000-memory.dmp	family_redline
behavioral1/memory/5020-188-0x0000000007700000-0x000000000773F000-memory.dmp	family_redline
behavioral1/memory/5020-190-0x0000000007700000-0x000000000773F000-memory.dmp	family_redline
behavioral1/memory/5020-192-0x0000000007700000-0x000000000773F000-memory.dmp	family_redline
behavioral1/memory/5020-194-0x0000000007700000-0x000000000773F000-memory.dmp	family_redline
behavioral1/memory/5020-197-0x0000000007700000-0x000000000773F000-memory.dmp	family_redline
behavioral1/memory/5020-201-0x0000000007700000-0x000000000773F000-memory.dmp	family_redline
behavioral1/memory/5020-203-0x0000000007700000-0x000000000773F000-memory.dmp	family_redline
behavioral1/memory/5020-205-0x0000000007700000-0x000000000773F000-memory.dmp	family_redline
behavioral1/memory/5020-207-0x0000000007700000-0x000000000773F000-memory.dmp	family_redline
behavioral1/memory/5020-209-0x0000000007700000-0x000000000773F000-memory.dmp	family_redline
behavioral1/memory/5020-213-0x0000000007700000-0x000000000773F000-memory.dmp	family_redline
behavioral1/memory/5020-211-0x0000000007700000-0x000000000773F000-memory.dmp	family_redline
behavioral1/memory/5020-215-0x0000000007700000-0x000000000773F000-memory.dmp	family_redline
behavioral1/memory/5020-217-0x0000000007700000-0x000000000773F000-memory.dmp	family_redline
behavioral1/memory/5020-219-0x0000000007700000-0x000000000773F000-memory.dmp	family_redline
behavioral1/memory/5020-221-0x0000000007700000-0x000000000773F000-memory.dmp	family_redline
behavioral1/memory/5020-223-0x0000000007700000-0x000000000773F000-memory.dmp	family_redline

Executes dropped EXE 4 IoCs

pid	Process
4272	un783779.exe
880	pro9417.exe
5020	qu1962.exe
1256	si746546.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	pro9417.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	pro9417.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	un783779.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	un783779.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	a18d6029404c50128e9acbace031a19127c8c2ae9f188c108ba8a94df6900e24.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	a18d6029404c50128e9acbace031a19127c8c2ae9f188c108ba8a94df6900e24.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Program crash 2 IoCs

pid	pid_target	Process	procid_target
2336	880	WerFault.exe	85
2620	5020	WerFault.exe	91

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
880	pro9417.exe
880	pro9417.exe
5020	qu1962.exe
5020	qu1962.exe
1256	si746546.exe
1256	si746546.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	880	pro9417.exe
Token: SeDebugPrivilege	5020	qu1962.exe
Token: SeDebugPrivilege	1256	si746546.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1448 wrote to memory of 4272	1448	a18d6029404c50128e9acbace031a19127c8c2ae9f188c108ba8a94df6900e24.exe	84
PID 1448 wrote to memory of 4272	1448	a18d6029404c50128e9acbace031a19127c8c2ae9f188c108ba8a94df6900e24.exe	84
PID 1448 wrote to memory of 4272	1448	a18d6029404c50128e9acbace031a19127c8c2ae9f188c108ba8a94df6900e24.exe	84
PID 4272 wrote to memory of 880	4272	un783779.exe	85
PID 4272 wrote to memory of 880	4272	un783779.exe	85
PID 4272 wrote to memory of 880	4272	un783779.exe	85
PID 4272 wrote to memory of 5020	4272	un783779.exe	91
PID 4272 wrote to memory of 5020	4272	un783779.exe	91
PID 4272 wrote to memory of 5020	4272	un783779.exe	91
PID 1448 wrote to memory of 1256	1448	a18d6029404c50128e9acbace031a19127c8c2ae9f188c108ba8a94df6900e24.exe	95
PID 1448 wrote to memory of 1256	1448	a18d6029404c50128e9acbace031a19127c8c2ae9f188c108ba8a94df6900e24.exe	95
PID 1448 wrote to memory of 1256	1448	a18d6029404c50128e9acbace031a19127c8c2ae9f188c108ba8a94df6900e24.exe	95

C:\Users\Admin\AppData\Local\Temp\a18d6029404c50128e9acbace031a19127c8c2ae9f188c108ba8a94df6900e24.exe
"C:\Users\Admin\AppData\Local\Temp\a18d6029404c50128e9acbace031a19127c8c2ae9f188c108ba8a94df6900e24.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1448
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un783779.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un783779.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:4272
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro9417.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro9417.exe
    3⤵
    - Modifies Windows Defender Real-time Protection settings
    - Executes dropped EXE
    - Windows security modification
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:880
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 880 -s 1080
      4⤵
      Program crash
      PID:2336
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu1962.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu1962.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:5020
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 5020 -s 1548
      4⤵
      Program crash
      PID:2620
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si746546.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si746546.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1256

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 880 -ip 880
1⤵
PID:5004

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 5020 -ip 5020
1⤵
PID:3748

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si746546.exe

Filesize
175KB

MD5
1e763ebd221580f547c9f6d31663476d

SHA1
ca4ae7f3075d244992af04df25a33f8a5809838d

SHA256
b829af88b7a4278b8a23672b8234d4b631bc5268ee132deb0e4fe0135dbd41a1

SHA512
2d0b1af3df0ed2fe42539da3e7d534eae7746d892ce94fc9c2b3b2e09943a470f5614899910b04729d320c1788c5d65cef299ed9fd39a238e5f026c83ce79a3c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si746546.exe

Filesize
175KB

MD5
1e763ebd221580f547c9f6d31663476d

SHA1
ca4ae7f3075d244992af04df25a33f8a5809838d

SHA256
b829af88b7a4278b8a23672b8234d4b631bc5268ee132deb0e4fe0135dbd41a1

SHA512
2d0b1af3df0ed2fe42539da3e7d534eae7746d892ce94fc9c2b3b2e09943a470f5614899910b04729d320c1788c5d65cef299ed9fd39a238e5f026c83ce79a3c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un783779.exe

Filesize
555KB

MD5
aba676d8660a9ac69ca44205a7ffacd3

SHA1
2e42c70d16b50ffbcfd92763d0853007e25d9805

SHA256
d0611706dbf5c7fdaf92e2e41e7a7d46c4d75f333860a257fabcfe58926b19d5

SHA512
386ef48c911e99ed36ac5f367a0ea937558323c9efba5e9c6710bb0ee491fde133b07f4b20ca1906c31d125a4810558c91dab364d44c30e500e14cc545501307

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un783779.exe

Filesize
555KB

MD5
aba676d8660a9ac69ca44205a7ffacd3

SHA1
2e42c70d16b50ffbcfd92763d0853007e25d9805

SHA256
d0611706dbf5c7fdaf92e2e41e7a7d46c4d75f333860a257fabcfe58926b19d5

SHA512
386ef48c911e99ed36ac5f367a0ea937558323c9efba5e9c6710bb0ee491fde133b07f4b20ca1906c31d125a4810558c91dab364d44c30e500e14cc545501307

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro9417.exe

Filesize
348KB

MD5
ff6474011f7f21ddb1c9c114e1e3a5ba

SHA1
f055ea22ccc29d2b819541cc41780014c7020981

SHA256
067265aa1525e93f559ddc27c7a1ee748d251427fb3e7c362d91a7073fbe0f74

SHA512
0c7e245960ef64a4f9749ee231962fa38782618050cfa20632769eb8c1b35662e0f230be77107edfbe5b44335a806263211617e20b98ddb093d5f5c8af0f08c2

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro9417.exe

Filesize
348KB

MD5
ff6474011f7f21ddb1c9c114e1e3a5ba

SHA1
f055ea22ccc29d2b819541cc41780014c7020981

SHA256
067265aa1525e93f559ddc27c7a1ee748d251427fb3e7c362d91a7073fbe0f74

SHA512
0c7e245960ef64a4f9749ee231962fa38782618050cfa20632769eb8c1b35662e0f230be77107edfbe5b44335a806263211617e20b98ddb093d5f5c8af0f08c2

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu1962.exe

Filesize
406KB

MD5
afaf42668bc801cd9ffbdfd5d3ed192f

SHA1
2da391e7ec3ba219d9018bb0035eb06b9d9909b0

SHA256
6145a18f269e0a3c3269bcf93f3a95840a91b4a2237d927418c835ff1c172d95

SHA512
f9ba92b4ab0b38562d0dbc96cc9dcc425fdeaa3ae1d7769c9a7ade2660f90a0769a30a38bf7f3ab7d6a3b15e026e67645519c92baf082cf54ea1d3fab6b32a6e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu1962.exe

Filesize
406KB

MD5
afaf42668bc801cd9ffbdfd5d3ed192f

SHA1
2da391e7ec3ba219d9018bb0035eb06b9d9909b0

SHA256
6145a18f269e0a3c3269bcf93f3a95840a91b4a2237d927418c835ff1c172d95

SHA512
f9ba92b4ab0b38562d0dbc96cc9dcc425fdeaa3ae1d7769c9a7ade2660f90a0769a30a38bf7f3ab7d6a3b15e026e67645519c92baf082cf54ea1d3fab6b32a6e

Download Submit
memory/880-148-0x0000000002C60000-0x0000000002C8D000-memory.dmp

Filesize
180KB

Download
memory/880-149-0x00000000072C0000-0x00000000072D0000-memory.dmp

Filesize
64KB

Download
memory/880-150-0x00000000072C0000-0x00000000072D0000-memory.dmp

Filesize
64KB

Download
memory/880-151-0x00000000072D0000-0x0000000007874000-memory.dmp

Filesize
5.6MB

Download
memory/880-152-0x0000000004B00000-0x0000000004B12000-memory.dmp

Filesize
72KB

Download
memory/880-153-0x0000000004B00000-0x0000000004B12000-memory.dmp

Filesize
72KB

Download
memory/880-155-0x0000000004B00000-0x0000000004B12000-memory.dmp

Filesize
72KB

Download
memory/880-157-0x0000000004B00000-0x0000000004B12000-memory.dmp

Filesize
72KB

Download
memory/880-159-0x0000000004B00000-0x0000000004B12000-memory.dmp

Filesize
72KB

Download
memory/880-161-0x0000000004B00000-0x0000000004B12000-memory.dmp

Filesize
72KB

Download
memory/880-163-0x0000000004B00000-0x0000000004B12000-memory.dmp

Filesize
72KB

Download
memory/880-165-0x0000000004B00000-0x0000000004B12000-memory.dmp

Filesize
72KB

Download
memory/880-167-0x0000000004B00000-0x0000000004B12000-memory.dmp

Filesize
72KB

Download
memory/880-169-0x0000000004B00000-0x0000000004B12000-memory.dmp

Filesize
72KB

Download
memory/880-171-0x0000000004B00000-0x0000000004B12000-memory.dmp

Filesize
72KB

Download
memory/880-173-0x0000000004B00000-0x0000000004B12000-memory.dmp

Filesize
72KB

Download
memory/880-175-0x0000000004B00000-0x0000000004B12000-memory.dmp

Filesize
72KB

Download
memory/880-177-0x0000000004B00000-0x0000000004B12000-memory.dmp

Filesize
72KB

Download
memory/880-179-0x0000000004B00000-0x0000000004B12000-memory.dmp

Filesize
72KB

Download
memory/880-180-0x0000000000400000-0x0000000002B84000-memory.dmp

Filesize
39.5MB

Download
memory/880-182-0x0000000000400000-0x0000000002B84000-memory.dmp

Filesize
39.5MB

Download
memory/1256-1118-0x0000000004DD0000-0x0000000004DE0000-memory.dmp

Filesize
64KB

Download
memory/1256-1117-0x0000000000500000-0x0000000000532000-memory.dmp

Filesize
200KB

Download
memory/5020-192-0x0000000007700000-0x000000000773F000-memory.dmp

Filesize
252KB

Download
memory/5020-221-0x0000000007700000-0x000000000773F000-memory.dmp

Filesize
252KB

Download
memory/5020-194-0x0000000007700000-0x000000000773F000-memory.dmp

Filesize
252KB

Download
memory/5020-197-0x0000000007700000-0x000000000773F000-memory.dmp

Filesize
252KB

Download
memory/5020-196-0x0000000002C70000-0x0000000002CBB000-memory.dmp

Filesize
300KB

Download
memory/5020-198-0x0000000007100000-0x0000000007110000-memory.dmp

Filesize
64KB

Download
memory/5020-200-0x0000000007100000-0x0000000007110000-memory.dmp

Filesize
64KB

Download
memory/5020-201-0x0000000007700000-0x000000000773F000-memory.dmp

Filesize
252KB

Download
memory/5020-203-0x0000000007700000-0x000000000773F000-memory.dmp

Filesize
252KB

Download
memory/5020-205-0x0000000007700000-0x000000000773F000-memory.dmp

Filesize
252KB

Download
memory/5020-207-0x0000000007700000-0x000000000773F000-memory.dmp

Filesize
252KB

Download
memory/5020-209-0x0000000007700000-0x000000000773F000-memory.dmp

Filesize
252KB

Download
memory/5020-213-0x0000000007700000-0x000000000773F000-memory.dmp

Filesize
252KB

Download
memory/5020-211-0x0000000007700000-0x000000000773F000-memory.dmp

Filesize
252KB

Download
memory/5020-215-0x0000000007700000-0x000000000773F000-memory.dmp

Filesize
252KB

Download
memory/5020-217-0x0000000007700000-0x000000000773F000-memory.dmp

Filesize
252KB

Download
memory/5020-219-0x0000000007700000-0x000000000773F000-memory.dmp

Filesize
252KB

Download
memory/5020-190-0x0000000007700000-0x000000000773F000-memory.dmp

Filesize
252KB

Download
memory/5020-223-0x0000000007700000-0x000000000773F000-memory.dmp

Filesize
252KB

Download
memory/5020-1096-0x00000000077A0000-0x0000000007DB8000-memory.dmp

Filesize
6.1MB

Download
memory/5020-1097-0x0000000007E40000-0x0000000007F4A000-memory.dmp

Filesize
1.0MB

Download
memory/5020-1098-0x0000000007F80000-0x0000000007F92000-memory.dmp

Filesize
72KB

Download
memory/5020-1099-0x0000000007FA0000-0x0000000007FDC000-memory.dmp

Filesize
240KB

Download
memory/5020-1100-0x0000000007100000-0x0000000007110000-memory.dmp

Filesize
64KB

Download
memory/5020-1102-0x0000000008290000-0x0000000008322000-memory.dmp

Filesize
584KB

Download
memory/5020-1103-0x0000000008330000-0x0000000008396000-memory.dmp

Filesize
408KB

Download
memory/5020-1104-0x0000000008A60000-0x0000000008C22000-memory.dmp

Filesize
1.8MB

Download
memory/5020-1105-0x0000000008C30000-0x000000000915C000-memory.dmp

Filesize
5.2MB

Download
memory/5020-1106-0x0000000007100000-0x0000000007110000-memory.dmp

Filesize
64KB

Download
memory/5020-1107-0x0000000007100000-0x0000000007110000-memory.dmp

Filesize
64KB

Download
memory/5020-1108-0x0000000007100000-0x0000000007110000-memory.dmp

Filesize
64KB

Download
memory/5020-1109-0x0000000007100000-0x0000000007110000-memory.dmp

Filesize
64KB

Download
memory/5020-188-0x0000000007700000-0x000000000773F000-memory.dmp

Filesize
252KB

Download
memory/5020-187-0x0000000007700000-0x000000000773F000-memory.dmp

Filesize
252KB

Download
memory/5020-1110-0x00000000094C0000-0x0000000009536000-memory.dmp

Filesize
472KB

Download
memory/5020-1111-0x0000000009550000-0x00000000095A0000-memory.dmp

Filesize
320KB

Download