redline | 565eef7995bc25f48f866a3648fed64ee304bf4db58d90c9396e1bb42001b532

Analysis

max time kernel
52s
max time network
63s
platform
windows10-1703_x64
resource
win10-20230220-en
resource tags

arch:x64arch:x86image:win10-20230220-enlocale:en-usos:windows10-1703-x64system
submitted
31/03/2023, 19:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

565eef7995bc25f48f866a3648fed64ee304bf4db58d90c9396e1bb42001b532.exe
Size

533KB
MD5

956be027656a2cfcb38974126b6b60da
SHA1

ff2fe50ff8e4b808553d1f5291596d5c6542dd44
SHA256

565eef7995bc25f48f866a3648fed64ee304bf4db58d90c9396e1bb42001b532
SHA512

e3fbe9278072a52af97322113496228b02cfc4af29910cc4c3f22f107919bbc643c5dd381eec9cf7c925597c72fe2bf6a30b9ec688400cc3e9a6785ebf13249b
SSDEEP

12288:pMr+y90QNyjRBwxM0i3tVA/SnObxrmVna1uHmnB:PycjPwxhdbUNLHmB

Score

10^/10

redline rosn spora discovery evasion infostealer persistence spyware stealer trojan

Malware Config

Extracted

Family

redline

Botnet

rosn

176.113.115.145:4125

Attributes

auth_value
050a19e1db4d0024b0f23b37dcf961f4

Extracted

Family

redline

Botnet

spora

176.113.115.145:4125

Attributes

auth_value
441b39ab37774b2ca9931c31e1bc6071

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs 5 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	jr660877.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	jr660877.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	jr660877.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	jr660877.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	jr660877.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 35 IoCs

resource	yara_rule
behavioral1/memory/4092-141-0x0000000002270000-0x00000000022B6000-memory.dmp	family_redline
behavioral1/memory/4092-147-0x0000000002530000-0x0000000002574000-memory.dmp	family_redline
behavioral1/memory/4092-148-0x0000000002530000-0x000000000256F000-memory.dmp	family_redline
behavioral1/memory/4092-149-0x0000000002530000-0x000000000256F000-memory.dmp	family_redline
behavioral1/memory/4092-151-0x0000000002530000-0x000000000256F000-memory.dmp	family_redline
behavioral1/memory/4092-153-0x0000000002530000-0x000000000256F000-memory.dmp	family_redline
behavioral1/memory/4092-155-0x0000000002530000-0x000000000256F000-memory.dmp	family_redline
behavioral1/memory/4092-157-0x0000000002530000-0x000000000256F000-memory.dmp	family_redline
behavioral1/memory/4092-159-0x0000000002530000-0x000000000256F000-memory.dmp	family_redline
behavioral1/memory/4092-161-0x0000000002530000-0x000000000256F000-memory.dmp	family_redline
behavioral1/memory/4092-165-0x0000000002530000-0x000000000256F000-memory.dmp	family_redline
behavioral1/memory/4092-163-0x0000000002530000-0x000000000256F000-memory.dmp	family_redline
behavioral1/memory/4092-173-0x0000000002530000-0x000000000256F000-memory.dmp	family_redline
behavioral1/memory/4092-171-0x0000000002530000-0x000000000256F000-memory.dmp	family_redline
behavioral1/memory/4092-175-0x0000000002530000-0x000000000256F000-memory.dmp	family_redline
behavioral1/memory/4092-169-0x0000000002530000-0x000000000256F000-memory.dmp	family_redline
behavioral1/memory/4092-177-0x0000000002530000-0x000000000256F000-memory.dmp	family_redline
behavioral1/memory/4092-167-0x0000000002530000-0x000000000256F000-memory.dmp	family_redline
behavioral1/memory/4092-179-0x0000000002530000-0x000000000256F000-memory.dmp	family_redline
behavioral1/memory/4092-187-0x0000000002530000-0x000000000256F000-memory.dmp	family_redline
behavioral1/memory/4092-191-0x0000000002530000-0x000000000256F000-memory.dmp	family_redline
behavioral1/memory/4092-197-0x0000000002530000-0x000000000256F000-memory.dmp	family_redline
behavioral1/memory/4092-201-0x0000000002530000-0x000000000256F000-memory.dmp	family_redline
behavioral1/memory/4092-211-0x0000000002530000-0x000000000256F000-memory.dmp	family_redline
behavioral1/memory/4092-209-0x0000000002530000-0x000000000256F000-memory.dmp	family_redline
behavioral1/memory/4092-207-0x0000000002530000-0x000000000256F000-memory.dmp	family_redline
behavioral1/memory/4092-205-0x0000000002530000-0x000000000256F000-memory.dmp	family_redline
behavioral1/memory/4092-203-0x0000000002530000-0x000000000256F000-memory.dmp	family_redline
behavioral1/memory/4092-199-0x0000000002530000-0x000000000256F000-memory.dmp	family_redline
behavioral1/memory/4092-195-0x0000000002530000-0x000000000256F000-memory.dmp	family_redline
behavioral1/memory/4092-193-0x0000000002530000-0x000000000256F000-memory.dmp	family_redline
behavioral1/memory/4092-189-0x0000000002530000-0x000000000256F000-memory.dmp	family_redline
behavioral1/memory/4092-185-0x0000000002530000-0x000000000256F000-memory.dmp	family_redline
behavioral1/memory/4092-183-0x0000000002530000-0x000000000256F000-memory.dmp	family_redline
behavioral1/memory/4092-181-0x0000000002530000-0x000000000256F000-memory.dmp	family_redline

Executes dropped EXE 4 IoCs

pid	Process
2680	ziqC9139.exe
3412	jr660877.exe
4092	ku023723.exe
1908	lr713087.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Windows security modification 2 TTPs 1 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"	jr660877.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	565eef7995bc25f48f866a3648fed64ee304bf4db58d90c9396e1bb42001b532.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	ziqC9139.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	ziqC9139.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	565eef7995bc25f48f866a3648fed64ee304bf4db58d90c9396e1bb42001b532.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
3412	jr660877.exe
3412	jr660877.exe
4092	ku023723.exe
4092	ku023723.exe
1908	lr713087.exe
1908	lr713087.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	3412	jr660877.exe
Token: SeDebugPrivilege	4092	ku023723.exe
Token: SeDebugPrivilege	1908	lr713087.exe

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 1012 wrote to memory of 2680	1012	565eef7995bc25f48f866a3648fed64ee304bf4db58d90c9396e1bb42001b532.exe	66
PID 1012 wrote to memory of 2680	1012	565eef7995bc25f48f866a3648fed64ee304bf4db58d90c9396e1bb42001b532.exe	66
PID 1012 wrote to memory of 2680	1012	565eef7995bc25f48f866a3648fed64ee304bf4db58d90c9396e1bb42001b532.exe	66
PID 2680 wrote to memory of 3412	2680	ziqC9139.exe	67
PID 2680 wrote to memory of 3412	2680	ziqC9139.exe	67
PID 2680 wrote to memory of 4092	2680	ziqC9139.exe	68
PID 2680 wrote to memory of 4092	2680	ziqC9139.exe	68
PID 2680 wrote to memory of 4092	2680	ziqC9139.exe	68
PID 1012 wrote to memory of 1908	1012	565eef7995bc25f48f866a3648fed64ee304bf4db58d90c9396e1bb42001b532.exe	70
PID 1012 wrote to memory of 1908	1012	565eef7995bc25f48f866a3648fed64ee304bf4db58d90c9396e1bb42001b532.exe	70
PID 1012 wrote to memory of 1908	1012	565eef7995bc25f48f866a3648fed64ee304bf4db58d90c9396e1bb42001b532.exe	70

C:\Users\Admin\AppData\Local\Temp\565eef7995bc25f48f866a3648fed64ee304bf4db58d90c9396e1bb42001b532.exe
"C:\Users\Admin\AppData\Local\Temp\565eef7995bc25f48f866a3648fed64ee304bf4db58d90c9396e1bb42001b532.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1012
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziqC9139.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziqC9139.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:2680
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr660877.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr660877.exe
    3⤵
    - Modifies Windows Defender Real-time Protection settings
    - Executes dropped EXE
    - Windows security modification
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3412
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku023723.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku023723.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4092
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr713087.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr713087.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1908

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr713087.exe

Filesize
175KB

MD5
5b91d3ad54eae27feb0c5e438a9b8908

SHA1
644e7ad0fb1e0edd4e3dacef4fe5095287ff3518

SHA256
eb82369510994d45a7e3525a92f5c512fed0ed0c4d6561e1308b5060e665c836

SHA512
14015e59eb5e73bb34793adef8bd6db24f0c904ace4a95abea092754e6e8ba5b24c586e4b1ca0a6c8222ff5fbf3fbb29bbe6ba6da51ed65d3685924de1555618

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr713087.exe

Filesize
175KB

MD5
5b91d3ad54eae27feb0c5e438a9b8908

SHA1
644e7ad0fb1e0edd4e3dacef4fe5095287ff3518

SHA256
eb82369510994d45a7e3525a92f5c512fed0ed0c4d6561e1308b5060e665c836

SHA512
14015e59eb5e73bb34793adef8bd6db24f0c904ace4a95abea092754e6e8ba5b24c586e4b1ca0a6c8222ff5fbf3fbb29bbe6ba6da51ed65d3685924de1555618

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziqC9139.exe

Filesize
391KB

MD5
55fab0a72cb4d7f9631cc917be3bee83

SHA1
1091db9c479c06ff77809d860b411ddb6ac516f0

SHA256
3b3438019d6b1cddfbf169756e20173d4469724b1ca455c534ed141b995af1e6

SHA512
acdd1e918796952c1a607b917de3a4539a531af7e9e2ae8b523ca148cff3ea499f8b45b0c0e6ededb5108de41c8052f41843f5b164b06bab0ed53cd4e6881b66

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziqC9139.exe

Filesize
391KB

MD5
55fab0a72cb4d7f9631cc917be3bee83

SHA1
1091db9c479c06ff77809d860b411ddb6ac516f0

SHA256
3b3438019d6b1cddfbf169756e20173d4469724b1ca455c534ed141b995af1e6

SHA512
acdd1e918796952c1a607b917de3a4539a531af7e9e2ae8b523ca148cff3ea499f8b45b0c0e6ededb5108de41c8052f41843f5b164b06bab0ed53cd4e6881b66

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr660877.exe

Filesize
11KB

MD5
c980f9b51f735536cb17f33896f058f5

SHA1
8bb70679a73bf5239032ecde2bc9958f1811dbe7

SHA256
8c5ce5f2fce798c91cb265b84aea50262834c4e3399d28efece531e8209a8c66

SHA512
5435e6993a4bdc23e93cf3bef623cb5493d37ecf79532316f583a7f1ff2355ca676e3b1f05740a54bd8eb36c86e3169c9f5663ec5ce8bb1f363e254f4461546d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr660877.exe

Filesize
11KB

MD5
c980f9b51f735536cb17f33896f058f5

SHA1
8bb70679a73bf5239032ecde2bc9958f1811dbe7

SHA256
8c5ce5f2fce798c91cb265b84aea50262834c4e3399d28efece531e8209a8c66

SHA512
5435e6993a4bdc23e93cf3bef623cb5493d37ecf79532316f583a7f1ff2355ca676e3b1f05740a54bd8eb36c86e3169c9f5663ec5ce8bb1f363e254f4461546d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku023723.exe

Filesize
318KB

MD5
4ef0bb8be0ae818a8ea4dc5806242115

SHA1
d71a795c036100e0fd1759758f1ba12fd272f55c

SHA256
b5472ae62c1af2069b5aedbd9e0d3becd3904fe541ba403c2542a9a69897629c

SHA512
2865f425564200d6c521bf8bfb0d2c964d5f08182d668af60905289556ee26b5bb475ef169219a2150cb8c8fafa3e373a5f53789c807c0740007498668755712

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku023723.exe

Filesize
318KB

MD5
4ef0bb8be0ae818a8ea4dc5806242115

SHA1
d71a795c036100e0fd1759758f1ba12fd272f55c

SHA256
b5472ae62c1af2069b5aedbd9e0d3becd3904fe541ba403c2542a9a69897629c

SHA512
2865f425564200d6c521bf8bfb0d2c964d5f08182d668af60905289556ee26b5bb475ef169219a2150cb8c8fafa3e373a5f53789c807c0740007498668755712

Download Submit
memory/1908-1075-0x00000000004D0000-0x0000000000502000-memory.dmp

Filesize
200KB

Download
memory/1908-1077-0x0000000004DA0000-0x0000000004DB0000-memory.dmp

Filesize
64KB

Download
memory/1908-1076-0x0000000004D50000-0x0000000004D9B000-memory.dmp

Filesize
300KB

Download
memory/3412-135-0x0000000000220000-0x000000000022A000-memory.dmp

Filesize
40KB

Download
memory/4092-167-0x0000000002530000-0x000000000256F000-memory.dmp

Filesize
252KB

Download
memory/4092-209-0x0000000002530000-0x000000000256F000-memory.dmp

Filesize
252KB

Download
memory/4092-145-0x0000000004C20000-0x0000000004C30000-memory.dmp

Filesize
64KB

Download
memory/4092-147-0x0000000002530000-0x0000000002574000-memory.dmp

Filesize
272KB

Download
memory/4092-146-0x0000000004C20000-0x0000000004C30000-memory.dmp

Filesize
64KB

Download
memory/4092-148-0x0000000002530000-0x000000000256F000-memory.dmp

Filesize
252KB

Download
memory/4092-149-0x0000000002530000-0x000000000256F000-memory.dmp

Filesize
252KB

Download
memory/4092-151-0x0000000002530000-0x000000000256F000-memory.dmp

Filesize
252KB

Download
memory/4092-153-0x0000000002530000-0x000000000256F000-memory.dmp

Filesize
252KB

Download
memory/4092-155-0x0000000002530000-0x000000000256F000-memory.dmp

Filesize
252KB

Download
memory/4092-157-0x0000000002530000-0x000000000256F000-memory.dmp

Filesize
252KB

Download
memory/4092-159-0x0000000002530000-0x000000000256F000-memory.dmp

Filesize
252KB

Download
memory/4092-161-0x0000000002530000-0x000000000256F000-memory.dmp

Filesize
252KB

Download
memory/4092-165-0x0000000002530000-0x000000000256F000-memory.dmp

Filesize
252KB

Download
memory/4092-163-0x0000000002530000-0x000000000256F000-memory.dmp

Filesize
252KB

Download
memory/4092-173-0x0000000002530000-0x000000000256F000-memory.dmp

Filesize
252KB

Download
memory/4092-171-0x0000000002530000-0x000000000256F000-memory.dmp

Filesize
252KB

Download
memory/4092-175-0x0000000002530000-0x000000000256F000-memory.dmp

Filesize
252KB

Download
memory/4092-169-0x0000000002530000-0x000000000256F000-memory.dmp

Filesize
252KB

Download
memory/4092-177-0x0000000002530000-0x000000000256F000-memory.dmp

Filesize
252KB

Download
memory/4092-142-0x00000000004C0000-0x000000000050B000-memory.dmp

Filesize
300KB

Download
memory/4092-179-0x0000000002530000-0x000000000256F000-memory.dmp

Filesize
252KB

Download
memory/4092-187-0x0000000002530000-0x000000000256F000-memory.dmp

Filesize
252KB

Download
memory/4092-191-0x0000000002530000-0x000000000256F000-memory.dmp

Filesize
252KB

Download
memory/4092-197-0x0000000002530000-0x000000000256F000-memory.dmp

Filesize
252KB

Download
memory/4092-201-0x0000000002530000-0x000000000256F000-memory.dmp

Filesize
252KB

Download
memory/4092-211-0x0000000002530000-0x000000000256F000-memory.dmp

Filesize
252KB

Download
memory/4092-144-0x0000000004C20000-0x0000000004C30000-memory.dmp

Filesize
64KB

Download
memory/4092-207-0x0000000002530000-0x000000000256F000-memory.dmp

Filesize
252KB

Download
memory/4092-205-0x0000000002530000-0x000000000256F000-memory.dmp

Filesize
252KB

Download
memory/4092-203-0x0000000002530000-0x000000000256F000-memory.dmp

Filesize
252KB

Download
memory/4092-199-0x0000000002530000-0x000000000256F000-memory.dmp

Filesize
252KB

Download
memory/4092-195-0x0000000002530000-0x000000000256F000-memory.dmp

Filesize
252KB

Download
memory/4092-193-0x0000000002530000-0x000000000256F000-memory.dmp

Filesize
252KB

Download
memory/4092-189-0x0000000002530000-0x000000000256F000-memory.dmp

Filesize
252KB

Download
memory/4092-185-0x0000000002530000-0x000000000256F000-memory.dmp

Filesize
252KB

Download
memory/4092-183-0x0000000002530000-0x000000000256F000-memory.dmp

Filesize
252KB

Download
memory/4092-181-0x0000000002530000-0x000000000256F000-memory.dmp

Filesize
252KB

Download
memory/4092-1054-0x0000000005840000-0x0000000005E46000-memory.dmp

Filesize
6.0MB

Download
memory/4092-1055-0x0000000005230000-0x000000000533A000-memory.dmp

Filesize
1.0MB

Download
memory/4092-1056-0x0000000004BB0000-0x0000000004BC2000-memory.dmp

Filesize
72KB

Download
memory/4092-1057-0x0000000004BD0000-0x0000000004C0E000-memory.dmp

Filesize
248KB

Download
memory/4092-1058-0x0000000004C20000-0x0000000004C30000-memory.dmp

Filesize
64KB

Download
memory/4092-1059-0x0000000005440000-0x000000000548B000-memory.dmp

Filesize
300KB

Download
memory/4092-1061-0x0000000004C20000-0x0000000004C30000-memory.dmp

Filesize
64KB

Download
memory/4092-1062-0x0000000004C20000-0x0000000004C30000-memory.dmp

Filesize
64KB

Download
memory/4092-1063-0x0000000004C20000-0x0000000004C30000-memory.dmp

Filesize
64KB

Download
memory/4092-1064-0x00000000055D0000-0x0000000005662000-memory.dmp

Filesize
584KB

Download
memory/4092-1065-0x0000000005670000-0x00000000056D6000-memory.dmp

Filesize
408KB

Download
memory/4092-1066-0x0000000008B70000-0x0000000008BE6000-memory.dmp

Filesize
472KB

Download
memory/4092-143-0x0000000004C30000-0x000000000512E000-memory.dmp

Filesize
5.0MB

Download
memory/4092-141-0x0000000002270000-0x00000000022B6000-memory.dmp

Filesize
280KB

Download
memory/4092-1067-0x0000000008BF0000-0x0000000008C40000-memory.dmp

Filesize
320KB

Download
memory/4092-1068-0x0000000008C50000-0x0000000008E12000-memory.dmp

Filesize
1.8MB

Download
memory/4092-1069-0x0000000008E20000-0x000000000934C000-memory.dmp

Filesize
5.2MB

Download