redline | fa406b721d3112593769e24bd34da7bf41b2274a09ac9cfd33f05a9718e0f882

Analysis

max time kernel
108s
max time network
143s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
01/04/2023, 21:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

fa406b721d3112593769e24bd34da7bf41b2274a09ac9cfd33f05a9718e0f882.exe
Size

530KB
MD5

b52004ffb148171d78dcaea46236ee08
SHA1

4b70ee6720be5d38f436295bec60300c053ef543
SHA256

fa406b721d3112593769e24bd34da7bf41b2274a09ac9cfd33f05a9718e0f882
SHA512

94b69f766559da1d079c63ee79c87a61cbd55a5986082dff258043cb2f8508c88c8c8e04a6e454670eb6b1c3f03a1d8bc84e73e4c7737f8103ecbd147f6432ec
SSDEEP

12288:NMray90C3u9ULo4tQ2nd0zjtjyf5KXa/Im38/67:DyJi4/wEADm38/67

Score

10^/10

redline rosn spora discovery evasion infostealer persistence spyware stealer trojan

Malware Config

Extracted

Family

redline

Botnet

rosn

176.113.115.145:4125

Attributes

auth_value
050a19e1db4d0024b0f23b37dcf961f4

Extracted

Family

redline

Botnet

spora

176.113.115.145:4125

Attributes

auth_value
441b39ab37774b2ca9931c31e1bc6071

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	jr743286.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	jr743286.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	jr743286.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	jr743286.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	jr743286.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	jr743286.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 33 IoCs

resource	yara_rule
behavioral1/memory/240-158-0x0000000002750000-0x000000000278F000-memory.dmp	family_redline
behavioral1/memory/240-159-0x0000000002750000-0x000000000278F000-memory.dmp	family_redline
behavioral1/memory/240-161-0x0000000002750000-0x000000000278F000-memory.dmp	family_redline
behavioral1/memory/240-163-0x0000000002750000-0x000000000278F000-memory.dmp	family_redline
behavioral1/memory/240-165-0x0000000002750000-0x000000000278F000-memory.dmp	family_redline
behavioral1/memory/240-169-0x0000000002750000-0x000000000278F000-memory.dmp	family_redline
behavioral1/memory/240-167-0x0000000002750000-0x000000000278F000-memory.dmp	family_redline
behavioral1/memory/240-171-0x0000000002750000-0x000000000278F000-memory.dmp	family_redline
behavioral1/memory/240-173-0x0000000002750000-0x000000000278F000-memory.dmp	family_redline
behavioral1/memory/240-175-0x0000000002750000-0x000000000278F000-memory.dmp	family_redline
behavioral1/memory/240-177-0x0000000002750000-0x000000000278F000-memory.dmp	family_redline
behavioral1/memory/240-179-0x0000000002750000-0x000000000278F000-memory.dmp	family_redline
behavioral1/memory/240-181-0x0000000002750000-0x000000000278F000-memory.dmp	family_redline
behavioral1/memory/240-183-0x0000000002750000-0x000000000278F000-memory.dmp	family_redline
behavioral1/memory/240-185-0x0000000002750000-0x000000000278F000-memory.dmp	family_redline
behavioral1/memory/240-187-0x0000000002750000-0x000000000278F000-memory.dmp	family_redline
behavioral1/memory/240-189-0x0000000002750000-0x000000000278F000-memory.dmp	family_redline
behavioral1/memory/240-191-0x0000000002750000-0x000000000278F000-memory.dmp	family_redline
behavioral1/memory/240-193-0x0000000002750000-0x000000000278F000-memory.dmp	family_redline
behavioral1/memory/240-195-0x0000000002750000-0x000000000278F000-memory.dmp	family_redline
behavioral1/memory/240-197-0x0000000002750000-0x000000000278F000-memory.dmp	family_redline
behavioral1/memory/240-199-0x0000000002750000-0x000000000278F000-memory.dmp	family_redline
behavioral1/memory/240-201-0x0000000002750000-0x000000000278F000-memory.dmp	family_redline
behavioral1/memory/240-203-0x0000000002750000-0x000000000278F000-memory.dmp	family_redline
behavioral1/memory/240-205-0x0000000002750000-0x000000000278F000-memory.dmp	family_redline
behavioral1/memory/240-207-0x0000000002750000-0x000000000278F000-memory.dmp	family_redline
behavioral1/memory/240-209-0x0000000002750000-0x000000000278F000-memory.dmp	family_redline
behavioral1/memory/240-211-0x0000000002750000-0x000000000278F000-memory.dmp	family_redline
behavioral1/memory/240-213-0x0000000002750000-0x000000000278F000-memory.dmp	family_redline
behavioral1/memory/240-215-0x0000000002750000-0x000000000278F000-memory.dmp	family_redline
behavioral1/memory/240-217-0x0000000002750000-0x000000000278F000-memory.dmp	family_redline
behavioral1/memory/240-219-0x0000000002750000-0x000000000278F000-memory.dmp	family_redline
behavioral1/memory/240-221-0x0000000002750000-0x000000000278F000-memory.dmp	family_redline

Executes dropped EXE 4 IoCs

pid	Process
1712	ziae7760.exe
3400	jr743286.exe
240	ku776635.exe
3872	lr783654.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Windows security modification 2 TTPs 1 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"	jr743286.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	ziae7760.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	fa406b721d3112593769e24bd34da7bf41b2274a09ac9cfd33f05a9718e0f882.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	fa406b721d3112593769e24bd34da7bf41b2274a09ac9cfd33f05a9718e0f882.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	ziae7760.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4956	240	WerFault.exe	89

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
3400	jr743286.exe
3400	jr743286.exe
240	ku776635.exe
240	ku776635.exe
3872	lr783654.exe
3872	lr783654.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	3400	jr743286.exe
Token: SeDebugPrivilege	240	ku776635.exe
Token: SeDebugPrivilege	3872	lr783654.exe

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 2412 wrote to memory of 1712	2412	fa406b721d3112593769e24bd34da7bf41b2274a09ac9cfd33f05a9718e0f882.exe	87
PID 2412 wrote to memory of 1712	2412	fa406b721d3112593769e24bd34da7bf41b2274a09ac9cfd33f05a9718e0f882.exe	87
PID 2412 wrote to memory of 1712	2412	fa406b721d3112593769e24bd34da7bf41b2274a09ac9cfd33f05a9718e0f882.exe	87
PID 1712 wrote to memory of 3400	1712	ziae7760.exe	88
PID 1712 wrote to memory of 3400	1712	ziae7760.exe	88
PID 1712 wrote to memory of 240	1712	ziae7760.exe	89
PID 1712 wrote to memory of 240	1712	ziae7760.exe	89
PID 1712 wrote to memory of 240	1712	ziae7760.exe	89
PID 2412 wrote to memory of 3872	2412	fa406b721d3112593769e24bd34da7bf41b2274a09ac9cfd33f05a9718e0f882.exe	93
PID 2412 wrote to memory of 3872	2412	fa406b721d3112593769e24bd34da7bf41b2274a09ac9cfd33f05a9718e0f882.exe	93
PID 2412 wrote to memory of 3872	2412	fa406b721d3112593769e24bd34da7bf41b2274a09ac9cfd33f05a9718e0f882.exe	93

C:\Users\Admin\AppData\Local\Temp\fa406b721d3112593769e24bd34da7bf41b2274a09ac9cfd33f05a9718e0f882.exe
"C:\Users\Admin\AppData\Local\Temp\fa406b721d3112593769e24bd34da7bf41b2274a09ac9cfd33f05a9718e0f882.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2412
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziae7760.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziae7760.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:1712
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr743286.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr743286.exe
    3⤵
    - Modifies Windows Defender Real-time Protection settings
    - Executes dropped EXE
    - Windows security modification
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3400
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku776635.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku776635.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:240
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 240 -s 1356
      4⤵
      Program crash
      PID:4956
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr783654.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr783654.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3872

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 240 -ip 240
1⤵
PID:4204

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr783654.exe

Filesize
176KB

MD5
af64d54415127b90e78f1a197a6af6dd

SHA1
fe63fe22fcb8b5c71fb86dddf019d9c384f60adc

SHA256
c10f1c18151ca88f994120efa676dfe5537583f51df70e8205ec970d48d47631

SHA512
af58b52e1d93ed920ae36231cc6bf77f9f0c9909cada0bf18df951e4c043c38a71f77e116b7e24181c151abd77b484fa002f91d7ce2e4726ad9c0fbaf77997a3

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr783654.exe

Filesize
176KB

MD5
af64d54415127b90e78f1a197a6af6dd

SHA1
fe63fe22fcb8b5c71fb86dddf019d9c384f60adc

SHA256
c10f1c18151ca88f994120efa676dfe5537583f51df70e8205ec970d48d47631

SHA512
af58b52e1d93ed920ae36231cc6bf77f9f0c9909cada0bf18df951e4c043c38a71f77e116b7e24181c151abd77b484fa002f91d7ce2e4726ad9c0fbaf77997a3

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziae7760.exe

Filesize
388KB

MD5
4e5de196ab7c381b91cb327521bd2aa5

SHA1
cd6c486e9d4e8f87436ef178c6147ccb6267b732

SHA256
aa1be19c6cbc1e58e8c9a1f06d4e75cdfa477bb695a6d68192a8d15066edbfed

SHA512
b2f7a72c47ed70682e37a9b79738a7682c2b97ed4838bebd8ac6fc92c87d8f854a5cf7aca0c8f137d24cf2cfbf132b54e2f99e7c0f8cce43182144824fbd1ede

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziae7760.exe

Filesize
388KB

MD5
4e5de196ab7c381b91cb327521bd2aa5

SHA1
cd6c486e9d4e8f87436ef178c6147ccb6267b732

SHA256
aa1be19c6cbc1e58e8c9a1f06d4e75cdfa477bb695a6d68192a8d15066edbfed

SHA512
b2f7a72c47ed70682e37a9b79738a7682c2b97ed4838bebd8ac6fc92c87d8f854a5cf7aca0c8f137d24cf2cfbf132b54e2f99e7c0f8cce43182144824fbd1ede

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr743286.exe

Filesize
11KB

MD5
d7a7116167a6c60a3c647ca61e7e6941

SHA1
ee28334678459ac5d5491126a11df86e55c7ad1b

SHA256
c6dd6f60d807bedef6d46fc2018421d1ade288f48ddb93468f9143d21d0f616b

SHA512
8edb3705e346c6dec6f399a9b6374a1bcd8e06bf6910573ed2242bb1c1ab4144662808ccc1f31eba5a48de40a9015e4de8bf729485c1114f1a5410921c023b13

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr743286.exe

Filesize
11KB

MD5
d7a7116167a6c60a3c647ca61e7e6941

SHA1
ee28334678459ac5d5491126a11df86e55c7ad1b

SHA256
c6dd6f60d807bedef6d46fc2018421d1ade288f48ddb93468f9143d21d0f616b

SHA512
8edb3705e346c6dec6f399a9b6374a1bcd8e06bf6910573ed2242bb1c1ab4144662808ccc1f31eba5a48de40a9015e4de8bf729485c1114f1a5410921c023b13

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku776635.exe

Filesize
434KB

MD5
50c773daa155b28bb5d263421d6f4990

SHA1
0bbe6e922993b240a9eed5b15029dd8a316581eb

SHA256
5d4ab781b21e88a9557499154f49804599770c9f47973cdc78aa2f0af083ebbc

SHA512
69ac8ca5b819925d3979ab49a364199d5612c9c4c2832a87e82ad5eb092eaa73a4963f9e7ae33e56a151df268a5428c5797038759089e6edc76257df41cb6509

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku776635.exe

Filesize
434KB

MD5
50c773daa155b28bb5d263421d6f4990

SHA1
0bbe6e922993b240a9eed5b15029dd8a316581eb

SHA256
5d4ab781b21e88a9557499154f49804599770c9f47973cdc78aa2f0af083ebbc

SHA512
69ac8ca5b819925d3979ab49a364199d5612c9c4c2832a87e82ad5eb092eaa73a4963f9e7ae33e56a151df268a5428c5797038759089e6edc76257df41cb6509

Download Submit
memory/240-153-0x0000000002230000-0x000000000227B000-memory.dmp

Filesize
300KB

Download
memory/240-154-0x0000000002360000-0x0000000002370000-memory.dmp

Filesize
64KB

Download
memory/240-155-0x0000000002360000-0x0000000002370000-memory.dmp

Filesize
64KB

Download
memory/240-156-0x0000000002360000-0x0000000002370000-memory.dmp

Filesize
64KB

Download
memory/240-157-0x0000000004C10000-0x00000000051B4000-memory.dmp

Filesize
5.6MB

Download
memory/240-158-0x0000000002750000-0x000000000278F000-memory.dmp

Filesize
252KB

Download
memory/240-159-0x0000000002750000-0x000000000278F000-memory.dmp

Filesize
252KB

Download
memory/240-161-0x0000000002750000-0x000000000278F000-memory.dmp

Filesize
252KB

Download
memory/240-163-0x0000000002750000-0x000000000278F000-memory.dmp

Filesize
252KB

Download
memory/240-165-0x0000000002750000-0x000000000278F000-memory.dmp

Filesize
252KB

Download
memory/240-169-0x0000000002750000-0x000000000278F000-memory.dmp

Filesize
252KB

Download
memory/240-167-0x0000000002750000-0x000000000278F000-memory.dmp

Filesize
252KB

Download
memory/240-171-0x0000000002750000-0x000000000278F000-memory.dmp

Filesize
252KB

Download
memory/240-173-0x0000000002750000-0x000000000278F000-memory.dmp

Filesize
252KB

Download
memory/240-175-0x0000000002750000-0x000000000278F000-memory.dmp

Filesize
252KB

Download
memory/240-177-0x0000000002750000-0x000000000278F000-memory.dmp

Filesize
252KB

Download
memory/240-179-0x0000000002750000-0x000000000278F000-memory.dmp

Filesize
252KB

Download
memory/240-181-0x0000000002750000-0x000000000278F000-memory.dmp

Filesize
252KB

Download
memory/240-183-0x0000000002750000-0x000000000278F000-memory.dmp

Filesize
252KB

Download
memory/240-185-0x0000000002750000-0x000000000278F000-memory.dmp

Filesize
252KB

Download
memory/240-187-0x0000000002750000-0x000000000278F000-memory.dmp

Filesize
252KB

Download
memory/240-189-0x0000000002750000-0x000000000278F000-memory.dmp

Filesize
252KB

Download
memory/240-191-0x0000000002750000-0x000000000278F000-memory.dmp

Filesize
252KB

Download
memory/240-193-0x0000000002750000-0x000000000278F000-memory.dmp

Filesize
252KB

Download
memory/240-195-0x0000000002750000-0x000000000278F000-memory.dmp

Filesize
252KB

Download
memory/240-197-0x0000000002750000-0x000000000278F000-memory.dmp

Filesize
252KB

Download
memory/240-199-0x0000000002750000-0x000000000278F000-memory.dmp

Filesize
252KB

Download
memory/240-201-0x0000000002750000-0x000000000278F000-memory.dmp

Filesize
252KB

Download
memory/240-203-0x0000000002750000-0x000000000278F000-memory.dmp

Filesize
252KB

Download
memory/240-205-0x0000000002750000-0x000000000278F000-memory.dmp

Filesize
252KB

Download
memory/240-207-0x0000000002750000-0x000000000278F000-memory.dmp

Filesize
252KB

Download
memory/240-209-0x0000000002750000-0x000000000278F000-memory.dmp

Filesize
252KB

Download
memory/240-211-0x0000000002750000-0x000000000278F000-memory.dmp

Filesize
252KB

Download
memory/240-213-0x0000000002750000-0x000000000278F000-memory.dmp

Filesize
252KB

Download
memory/240-215-0x0000000002750000-0x000000000278F000-memory.dmp

Filesize
252KB

Download
memory/240-217-0x0000000002750000-0x000000000278F000-memory.dmp

Filesize
252KB

Download
memory/240-219-0x0000000002750000-0x000000000278F000-memory.dmp

Filesize
252KB

Download
memory/240-221-0x0000000002750000-0x000000000278F000-memory.dmp

Filesize
252KB

Download
memory/240-1064-0x0000000005300000-0x0000000005918000-memory.dmp

Filesize
6.1MB

Download
memory/240-1065-0x00000000059A0000-0x0000000005AAA000-memory.dmp

Filesize
1.0MB

Download
memory/240-1066-0x0000000005AE0000-0x0000000005AF2000-memory.dmp

Filesize
72KB

Download
memory/240-1067-0x0000000005B00000-0x0000000005B3C000-memory.dmp

Filesize
240KB

Download
memory/240-1068-0x0000000002360000-0x0000000002370000-memory.dmp

Filesize
64KB

Download
memory/240-1070-0x0000000002360000-0x0000000002370000-memory.dmp

Filesize
64KB

Download
memory/240-1071-0x0000000005DF0000-0x0000000005E82000-memory.dmp

Filesize
584KB

Download
memory/240-1072-0x0000000005E90000-0x0000000005EF6000-memory.dmp

Filesize
408KB

Download
memory/240-1073-0x0000000007960000-0x0000000007B22000-memory.dmp

Filesize
1.8MB

Download
memory/240-1074-0x0000000002360000-0x0000000002370000-memory.dmp

Filesize
64KB

Download
memory/240-1075-0x0000000007B30000-0x000000000805C000-memory.dmp

Filesize
5.2MB

Download
memory/240-1076-0x0000000008110000-0x0000000008186000-memory.dmp

Filesize
472KB

Download
memory/240-1077-0x00000000081A0000-0x00000000081F0000-memory.dmp

Filesize
320KB

Download
memory/3400-147-0x0000000000CE0000-0x0000000000CEA000-memory.dmp

Filesize
40KB

Download
memory/3872-1087-0x0000000000B00000-0x0000000000B32000-memory.dmp

Filesize
200KB

Download
memory/3872-1088-0x0000000005430000-0x0000000005440000-memory.dmp

Filesize
64KB

Download
memory/3872-1089-0x0000000005430000-0x0000000005440000-memory.dmp

Filesize
64KB

Download