redline | 2092a635272559aa69de62a2b46c641c2b8aaa3aa989e35554f91308253bd80d

Analysis

max time kernel
54s
max time network
58s
platform
windows10-1703_x64
resource
win10-20230220-en
resource tags

arch:x64arch:x86image:win10-20230220-enlocale:en-usos:windows10-1703-x64system
submitted
01/04/2023, 04:07

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

2092a635272559aa69de62a2b46c641c2b8aaa3aa989e35554f91308253bd80d.exe
Size

673KB
MD5

11802d8a977378dc7e851eb6305c9090
SHA1

28bf1d89a5e5b0cced81c7125010d54a55c1c40f
SHA256

2092a635272559aa69de62a2b46c641c2b8aaa3aa989e35554f91308253bd80d
SHA512

093f1f2177afd31b30eee640343612d06e3629886302e137bf45794e19acaaf3eeff17f1d1cc53bcb5d3e731e9b965d0bf79ca11eceb85ec608d7c9c227409a3
SSDEEP

12288:QMrsy90D8okBMoH70MG0BVp+WTbuWaHmM8:syu8okBV70T0BVpx3uln8

Score

10^/10

redline rosn spora discovery evasion infostealer persistence spyware stealer trojan

Malware Config

Extracted

Family

redline

Botnet

rosn

176.113.115.145:4125

Attributes

auth_value
050a19e1db4d0024b0f23b37dcf961f4

Extracted

Family

redline

Botnet

spora

176.113.115.145:4125

Attributes

auth_value
441b39ab37774b2ca9931c31e1bc6071

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs 5 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	pro7972.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	pro7972.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	pro7972.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	pro7972.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	pro7972.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 20 IoCs

resource	yara_rule
behavioral1/memory/4888-180-0x00000000022F0000-0x0000000002336000-memory.dmp	family_redline
behavioral1/memory/4888-181-0x0000000004F70000-0x0000000004FB4000-memory.dmp	family_redline
behavioral1/memory/4888-182-0x0000000004F70000-0x0000000004FAF000-memory.dmp	family_redline
behavioral1/memory/4888-183-0x0000000004F70000-0x0000000004FAF000-memory.dmp	family_redline
behavioral1/memory/4888-185-0x0000000004F70000-0x0000000004FAF000-memory.dmp	family_redline
behavioral1/memory/4888-187-0x0000000004F70000-0x0000000004FAF000-memory.dmp	family_redline
behavioral1/memory/4888-189-0x0000000004F70000-0x0000000004FAF000-memory.dmp	family_redline
behavioral1/memory/4888-191-0x0000000004F70000-0x0000000004FAF000-memory.dmp	family_redline
behavioral1/memory/4888-193-0x0000000004F70000-0x0000000004FAF000-memory.dmp	family_redline
behavioral1/memory/4888-195-0x0000000004F70000-0x0000000004FAF000-memory.dmp	family_redline
behavioral1/memory/4888-197-0x0000000004F70000-0x0000000004FAF000-memory.dmp	family_redline
behavioral1/memory/4888-199-0x0000000004F70000-0x0000000004FAF000-memory.dmp	family_redline
behavioral1/memory/4888-201-0x0000000004F70000-0x0000000004FAF000-memory.dmp	family_redline
behavioral1/memory/4888-203-0x0000000004F70000-0x0000000004FAF000-memory.dmp	family_redline
behavioral1/memory/4888-205-0x0000000004F70000-0x0000000004FAF000-memory.dmp	family_redline
behavioral1/memory/4888-207-0x0000000004F70000-0x0000000004FAF000-memory.dmp	family_redline
behavioral1/memory/4888-209-0x0000000004F70000-0x0000000004FAF000-memory.dmp	family_redline
behavioral1/memory/4888-211-0x0000000004F70000-0x0000000004FAF000-memory.dmp	family_redline
behavioral1/memory/4888-218-0x0000000004F70000-0x0000000004FAF000-memory.dmp	family_redline
behavioral1/memory/4888-214-0x0000000004F70000-0x0000000004FAF000-memory.dmp	family_redline

Executes dropped EXE 4 IoCs

pid	Process
2464	un698908.exe
2492	pro7972.exe
4888	qu3018.exe
4060	si911580.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	pro7972.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	pro7972.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	2092a635272559aa69de62a2b46c641c2b8aaa3aa989e35554f91308253bd80d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	2092a635272559aa69de62a2b46c641c2b8aaa3aa989e35554f91308253bd80d.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	un698908.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	un698908.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
2492	pro7972.exe
2492	pro7972.exe
4888	qu3018.exe
4888	qu3018.exe
4060	si911580.exe
4060	si911580.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	2492	pro7972.exe
Token: SeDebugPrivilege	4888	qu3018.exe
Token: SeDebugPrivilege	4060	si911580.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2168 wrote to memory of 2464	2168	2092a635272559aa69de62a2b46c641c2b8aaa3aa989e35554f91308253bd80d.exe	66
PID 2168 wrote to memory of 2464	2168	2092a635272559aa69de62a2b46c641c2b8aaa3aa989e35554f91308253bd80d.exe	66
PID 2168 wrote to memory of 2464	2168	2092a635272559aa69de62a2b46c641c2b8aaa3aa989e35554f91308253bd80d.exe	66
PID 2464 wrote to memory of 2492	2464	un698908.exe	67
PID 2464 wrote to memory of 2492	2464	un698908.exe	67
PID 2464 wrote to memory of 2492	2464	un698908.exe	67
PID 2464 wrote to memory of 4888	2464	un698908.exe	68
PID 2464 wrote to memory of 4888	2464	un698908.exe	68
PID 2464 wrote to memory of 4888	2464	un698908.exe	68
PID 2168 wrote to memory of 4060	2168	2092a635272559aa69de62a2b46c641c2b8aaa3aa989e35554f91308253bd80d.exe	70
PID 2168 wrote to memory of 4060	2168	2092a635272559aa69de62a2b46c641c2b8aaa3aa989e35554f91308253bd80d.exe	70
PID 2168 wrote to memory of 4060	2168	2092a635272559aa69de62a2b46c641c2b8aaa3aa989e35554f91308253bd80d.exe	70

C:\Users\Admin\AppData\Local\Temp\2092a635272559aa69de62a2b46c641c2b8aaa3aa989e35554f91308253bd80d.exe
"C:\Users\Admin\AppData\Local\Temp\2092a635272559aa69de62a2b46c641c2b8aaa3aa989e35554f91308253bd80d.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2168
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un698908.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un698908.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:2464
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro7972.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro7972.exe
    3⤵
    - Modifies Windows Defender Real-time Protection settings
    - Executes dropped EXE
    - Windows security modification
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2492
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu3018.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu3018.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4888
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si911580.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si911580.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4060

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si911580.exe

Filesize
176KB

MD5
79759121d5180e1f82f8a8bdf779da8f

SHA1
82f6110ece1b71fd38ae631caa0e1b0c4de8df37

SHA256
344a98416475f83211a7a52b429d8e5c7a87904157a0c013f88abd955b8e0948

SHA512
501d63cdd779c3e40b72086218aa428b2ef13a8bf3be6badd6aaa35bae9667aa51e5dfa99e5736c69eebf03d3ac433db1cf6070cb11bf29f78a3eadbf2a158ef

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si911580.exe

Filesize
176KB

MD5
79759121d5180e1f82f8a8bdf779da8f

SHA1
82f6110ece1b71fd38ae631caa0e1b0c4de8df37

SHA256
344a98416475f83211a7a52b429d8e5c7a87904157a0c013f88abd955b8e0948

SHA512
501d63cdd779c3e40b72086218aa428b2ef13a8bf3be6badd6aaa35bae9667aa51e5dfa99e5736c69eebf03d3ac433db1cf6070cb11bf29f78a3eadbf2a158ef

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un698908.exe

Filesize
531KB

MD5
126845a40353f968c6f166e6c859c0e0

SHA1
f25a247e0d06e7206c3dcc95ddc74be3e7f6afcf

SHA256
7e56a94dc27e0d19902e84e964552a2dda520da66ffa03b3b5c5c325d93bde74

SHA512
94982071d99f28ce7d176f8b172ca02bbc92df141f4d2916c4fce2a9a04937aed5b6cb91097da8a38790c9946e5252f5b109585ec01bb2ddd623bed7e6dc0700

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un698908.exe

Filesize
531KB

MD5
126845a40353f968c6f166e6c859c0e0

SHA1
f25a247e0d06e7206c3dcc95ddc74be3e7f6afcf

SHA256
7e56a94dc27e0d19902e84e964552a2dda520da66ffa03b3b5c5c325d93bde74

SHA512
94982071d99f28ce7d176f8b172ca02bbc92df141f4d2916c4fce2a9a04937aed5b6cb91097da8a38790c9946e5252f5b109585ec01bb2ddd623bed7e6dc0700

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro7972.exe

Filesize
260KB

MD5
6bf508212993c458968208adbfdc6c11

SHA1
7538375fe18207b26a43c52f6505bad10478539b

SHA256
3b3f4d50a203e5896ed1603fc0843adda9a3ebc2ded9a2894d5cc1068d5d517f

SHA512
e49ab8206eba0b265944e4c8e84729abec4536cf499f7f9733116051a6c5464db7680b11aa808f7cd7c78fe27423761925b46324aff27b17d9a6fd1c55dff40f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro7972.exe

Filesize
260KB

MD5
6bf508212993c458968208adbfdc6c11

SHA1
7538375fe18207b26a43c52f6505bad10478539b

SHA256
3b3f4d50a203e5896ed1603fc0843adda9a3ebc2ded9a2894d5cc1068d5d517f

SHA512
e49ab8206eba0b265944e4c8e84729abec4536cf499f7f9733116051a6c5464db7680b11aa808f7cd7c78fe27423761925b46324aff27b17d9a6fd1c55dff40f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu3018.exe

Filesize
319KB

MD5
f16f95c5c58c7f6599f04d4c34860595

SHA1
ba3e55a6df802c6ff5d31591d4c2ceb457498283

SHA256
ed58be83bebcca0a1be5c3300b2d0eb3eecf6e5fa3384ad4d246289320483205

SHA512
b73059029d78d32e017321dd589c2c882ad646a8e4eae287d44a00c7aefca98213d071dcaeec7657ac8d587b05772a0dc2bcd599abdc9d8bce249d4e379a1119

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu3018.exe

Filesize
319KB

MD5
f16f95c5c58c7f6599f04d4c34860595

SHA1
ba3e55a6df802c6ff5d31591d4c2ceb457498283

SHA256
ed58be83bebcca0a1be5c3300b2d0eb3eecf6e5fa3384ad4d246289320483205

SHA512
b73059029d78d32e017321dd589c2c882ad646a8e4eae287d44a00c7aefca98213d071dcaeec7657ac8d587b05772a0dc2bcd599abdc9d8bce249d4e379a1119

Download Submit
memory/2492-136-0x00000000020D0000-0x00000000020EA000-memory.dmp

Filesize
104KB

Download
memory/2492-137-0x0000000004A80000-0x0000000004F7E000-memory.dmp

Filesize
5.0MB

Download
memory/2492-138-0x0000000002590000-0x00000000025A8000-memory.dmp

Filesize
96KB

Download
memory/2492-139-0x00000000001D0000-0x00000000001FD000-memory.dmp

Filesize
180KB

Download
memory/2492-140-0x00000000025C0000-0x00000000025D0000-memory.dmp

Filesize
64KB

Download
memory/2492-141-0x00000000025C0000-0x00000000025D0000-memory.dmp

Filesize
64KB

Download
memory/2492-142-0x00000000025C0000-0x00000000025D0000-memory.dmp

Filesize
64KB

Download
memory/2492-143-0x0000000002590000-0x00000000025A2000-memory.dmp

Filesize
72KB

Download
memory/2492-144-0x0000000002590000-0x00000000025A2000-memory.dmp

Filesize
72KB

Download
memory/2492-146-0x0000000002590000-0x00000000025A2000-memory.dmp

Filesize
72KB

Download
memory/2492-148-0x0000000002590000-0x00000000025A2000-memory.dmp

Filesize
72KB

Download
memory/2492-150-0x0000000002590000-0x00000000025A2000-memory.dmp

Filesize
72KB

Download
memory/2492-152-0x0000000002590000-0x00000000025A2000-memory.dmp

Filesize
72KB

Download
memory/2492-154-0x0000000002590000-0x00000000025A2000-memory.dmp

Filesize
72KB

Download
memory/2492-156-0x0000000002590000-0x00000000025A2000-memory.dmp

Filesize
72KB

Download
memory/2492-158-0x0000000002590000-0x00000000025A2000-memory.dmp

Filesize
72KB

Download
memory/2492-160-0x0000000002590000-0x00000000025A2000-memory.dmp

Filesize
72KB

Download
memory/2492-162-0x0000000002590000-0x00000000025A2000-memory.dmp

Filesize
72KB

Download
memory/2492-164-0x0000000002590000-0x00000000025A2000-memory.dmp

Filesize
72KB

Download
memory/2492-166-0x0000000002590000-0x00000000025A2000-memory.dmp

Filesize
72KB

Download
memory/2492-168-0x0000000002590000-0x00000000025A2000-memory.dmp

Filesize
72KB

Download
memory/2492-170-0x0000000002590000-0x00000000025A2000-memory.dmp

Filesize
72KB

Download
memory/2492-171-0x0000000000400000-0x00000000004B1000-memory.dmp

Filesize
708KB

Download
memory/2492-172-0x00000000025C0000-0x00000000025D0000-memory.dmp

Filesize
64KB

Download
memory/2492-173-0x00000000025C0000-0x00000000025D0000-memory.dmp

Filesize
64KB

Download
memory/2492-175-0x0000000000400000-0x00000000004B1000-memory.dmp

Filesize
708KB

Download
memory/4060-1114-0x0000000000120000-0x0000000000152000-memory.dmp

Filesize
200KB

Download
memory/4060-1116-0x0000000004A00000-0x0000000004A10000-memory.dmp

Filesize
64KB

Download
memory/4060-1115-0x00000000049A0000-0x00000000049EB000-memory.dmp

Filesize
300KB

Download
memory/4888-183-0x0000000004F70000-0x0000000004FAF000-memory.dmp

Filesize
252KB

Download
memory/4888-219-0x0000000002160000-0x0000000002170000-memory.dmp

Filesize
64KB

Download
memory/4888-185-0x0000000004F70000-0x0000000004FAF000-memory.dmp

Filesize
252KB

Download
memory/4888-187-0x0000000004F70000-0x0000000004FAF000-memory.dmp

Filesize
252KB

Download
memory/4888-189-0x0000000004F70000-0x0000000004FAF000-memory.dmp

Filesize
252KB

Download
memory/4888-191-0x0000000004F70000-0x0000000004FAF000-memory.dmp

Filesize
252KB

Download
memory/4888-193-0x0000000004F70000-0x0000000004FAF000-memory.dmp

Filesize
252KB

Download
memory/4888-195-0x0000000004F70000-0x0000000004FAF000-memory.dmp

Filesize
252KB

Download
memory/4888-197-0x0000000004F70000-0x0000000004FAF000-memory.dmp

Filesize
252KB

Download
memory/4888-199-0x0000000004F70000-0x0000000004FAF000-memory.dmp

Filesize
252KB

Download
memory/4888-201-0x0000000004F70000-0x0000000004FAF000-memory.dmp

Filesize
252KB

Download
memory/4888-203-0x0000000004F70000-0x0000000004FAF000-memory.dmp

Filesize
252KB

Download
memory/4888-205-0x0000000004F70000-0x0000000004FAF000-memory.dmp

Filesize
252KB

Download
memory/4888-207-0x0000000004F70000-0x0000000004FAF000-memory.dmp

Filesize
252KB

Download
memory/4888-209-0x0000000004F70000-0x0000000004FAF000-memory.dmp

Filesize
252KB

Download
memory/4888-211-0x0000000004F70000-0x0000000004FAF000-memory.dmp

Filesize
252KB

Download
memory/4888-213-0x0000000002020000-0x000000000206B000-memory.dmp

Filesize
300KB

Download
memory/4888-215-0x0000000002160000-0x0000000002170000-memory.dmp

Filesize
64KB

Download
memory/4888-218-0x0000000004F70000-0x0000000004FAF000-memory.dmp

Filesize
252KB

Download
memory/4888-182-0x0000000004F70000-0x0000000004FAF000-memory.dmp

Filesize
252KB

Download
memory/4888-217-0x0000000002160000-0x0000000002170000-memory.dmp

Filesize
64KB

Download
memory/4888-214-0x0000000004F70000-0x0000000004FAF000-memory.dmp

Filesize
252KB

Download
memory/4888-1092-0x0000000004FD0000-0x00000000055D6000-memory.dmp

Filesize
6.0MB

Download
memory/4888-1093-0x0000000005660000-0x000000000576A000-memory.dmp

Filesize
1.0MB

Download
memory/4888-1094-0x00000000057A0000-0x00000000057B2000-memory.dmp

Filesize
72KB

Download
memory/4888-1095-0x0000000005800000-0x000000000583E000-memory.dmp

Filesize
248KB

Download
memory/4888-1096-0x0000000005940000-0x000000000598B000-memory.dmp

Filesize
300KB

Download
memory/4888-1097-0x0000000002160000-0x0000000002170000-memory.dmp

Filesize
64KB

Download
memory/4888-1098-0x0000000005AA0000-0x0000000005B06000-memory.dmp

Filesize
408KB

Download
memory/4888-1100-0x0000000006160000-0x00000000061F2000-memory.dmp

Filesize
584KB

Download
memory/4888-1101-0x0000000002160000-0x0000000002170000-memory.dmp

Filesize
64KB

Download
memory/4888-1102-0x0000000002160000-0x0000000002170000-memory.dmp

Filesize
64KB

Download
memory/4888-1103-0x0000000002160000-0x0000000002170000-memory.dmp

Filesize
64KB

Download
memory/4888-1104-0x0000000007610000-0x0000000007686000-memory.dmp

Filesize
472KB

Download
memory/4888-1105-0x0000000007690000-0x00000000076E0000-memory.dmp

Filesize
320KB

Download
memory/4888-181-0x0000000004F70000-0x0000000004FB4000-memory.dmp

Filesize
272KB

Download
memory/4888-180-0x00000000022F0000-0x0000000002336000-memory.dmp

Filesize
280KB

Download
memory/4888-1106-0x00000000076F0000-0x00000000078B2000-memory.dmp

Filesize
1.8MB

Download
memory/4888-1107-0x00000000078C0000-0x0000000007DEC000-memory.dmp

Filesize
5.2MB

Download
memory/4888-1108-0x0000000002160000-0x0000000002170000-memory.dmp

Filesize
64KB

Download