redline | 3197e4e31539ef52e8efc5577ddb3e8af4be55db5331065d8c6180384207641c

Analysis

max time kernel
61s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
01-04-2023 21:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3197e4e31539ef52e8efc5577ddb3e8af4be55db5331065d8c6180384207641c.exe
Size

658KB
MD5

17d182e0c3296e368f6734798698f528
SHA1

f4b2e290d957cf6dc0a51d2f31d5d85e5132069f
SHA256

3197e4e31539ef52e8efc5577ddb3e8af4be55db5331065d8c6180384207641c
SHA512

3120087dd051849e7634080fa51543a995638700b88ab00202c40038684c55014208bc53b04b7a76eb6b4c12c0e1186b4f2078a8448b10fa4f98a75d84472cc2
SSDEEP

12288:AMr/y90YCg+b0HTZu9o5Ty68HpvCPGgBIHN+5h+EXZxJkQhI2JnLG4:Py5Cg+qT0a8HpvI+N4+EXzx62FG4

Score

10^/10

redline rosn spora discovery evasion infostealer persistence spyware stealer trojan

Malware Config

Extracted

Family

redline

Botnet

rosn

176.113.115.145:4125

Attributes

auth_value
050a19e1db4d0024b0f23b37dcf961f4

Extracted

Family

redline

Botnet

spora

176.113.115.145:4125

Attributes

auth_value
441b39ab37774b2ca9931c31e1bc6071

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	pro7808.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	pro7808.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	pro7808.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	pro7808.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	pro7808.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	pro7808.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 18 IoCs

resource	yara_rule
behavioral1/memory/4728-192-0x0000000007170000-0x00000000071AF000-memory.dmp	family_redline
behavioral1/memory/4728-194-0x0000000007170000-0x00000000071AF000-memory.dmp	family_redline
behavioral1/memory/4728-197-0x0000000007170000-0x00000000071AF000-memory.dmp	family_redline
behavioral1/memory/4728-199-0x0000000007170000-0x00000000071AF000-memory.dmp	family_redline
behavioral1/memory/4728-201-0x0000000007170000-0x00000000071AF000-memory.dmp	family_redline
behavioral1/memory/4728-203-0x0000000007170000-0x00000000071AF000-memory.dmp	family_redline
behavioral1/memory/4728-205-0x0000000007170000-0x00000000071AF000-memory.dmp	family_redline
behavioral1/memory/4728-207-0x0000000007170000-0x00000000071AF000-memory.dmp	family_redline
behavioral1/memory/4728-209-0x0000000007170000-0x00000000071AF000-memory.dmp	family_redline
behavioral1/memory/4728-211-0x0000000007170000-0x00000000071AF000-memory.dmp	family_redline
behavioral1/memory/4728-213-0x0000000007170000-0x00000000071AF000-memory.dmp	family_redline
behavioral1/memory/4728-215-0x0000000007170000-0x00000000071AF000-memory.dmp	family_redline
behavioral1/memory/4728-217-0x0000000007170000-0x00000000071AF000-memory.dmp	family_redline
behavioral1/memory/4728-219-0x0000000007170000-0x00000000071AF000-memory.dmp	family_redline
behavioral1/memory/4728-221-0x0000000007170000-0x00000000071AF000-memory.dmp	family_redline
behavioral1/memory/4728-223-0x0000000007170000-0x00000000071AF000-memory.dmp	family_redline
behavioral1/memory/4728-225-0x0000000007170000-0x00000000071AF000-memory.dmp	family_redline
behavioral1/memory/4728-227-0x0000000007170000-0x00000000071AF000-memory.dmp	family_redline

Executes dropped EXE 4 IoCs

pid	Process
3744	un650967.exe
2948	pro7808.exe
4728	qu7398.exe
3704	si741116.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	pro7808.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	pro7808.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	3197e4e31539ef52e8efc5577ddb3e8af4be55db5331065d8c6180384207641c.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	un650967.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	un650967.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	3197e4e31539ef52e8efc5577ddb3e8af4be55db5331065d8c6180384207641c.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Program crash 2 IoCs

pid	pid_target	Process	procid_target
4984	2948	WerFault.exe	84
2340	4728	WerFault.exe	90

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
2948	pro7808.exe
2948	pro7808.exe
4728	qu7398.exe
4728	qu7398.exe
3704	si741116.exe
3704	si741116.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	2948	pro7808.exe
Token: SeDebugPrivilege	4728	qu7398.exe
Token: SeDebugPrivilege	3704	si741116.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 540 wrote to memory of 3744	540	3197e4e31539ef52e8efc5577ddb3e8af4be55db5331065d8c6180384207641c.exe	83
PID 540 wrote to memory of 3744	540	3197e4e31539ef52e8efc5577ddb3e8af4be55db5331065d8c6180384207641c.exe	83
PID 540 wrote to memory of 3744	540	3197e4e31539ef52e8efc5577ddb3e8af4be55db5331065d8c6180384207641c.exe	83
PID 3744 wrote to memory of 2948	3744	un650967.exe	84
PID 3744 wrote to memory of 2948	3744	un650967.exe	84
PID 3744 wrote to memory of 2948	3744	un650967.exe	84
PID 3744 wrote to memory of 4728	3744	un650967.exe	90
PID 3744 wrote to memory of 4728	3744	un650967.exe	90
PID 3744 wrote to memory of 4728	3744	un650967.exe	90
PID 540 wrote to memory of 3704	540	3197e4e31539ef52e8efc5577ddb3e8af4be55db5331065d8c6180384207641c.exe	95
PID 540 wrote to memory of 3704	540	3197e4e31539ef52e8efc5577ddb3e8af4be55db5331065d8c6180384207641c.exe	95
PID 540 wrote to memory of 3704	540	3197e4e31539ef52e8efc5577ddb3e8af4be55db5331065d8c6180384207641c.exe	95

C:\Users\Admin\AppData\Local\Temp\3197e4e31539ef52e8efc5577ddb3e8af4be55db5331065d8c6180384207641c.exe
"C:\Users\Admin\AppData\Local\Temp\3197e4e31539ef52e8efc5577ddb3e8af4be55db5331065d8c6180384207641c.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:540
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un650967.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un650967.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:3744
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro7808.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro7808.exe
    3⤵
    - Modifies Windows Defender Real-time Protection settings
    - Executes dropped EXE
    - Windows security modification
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2948
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2948 -s 1088
      4⤵
      Program crash
      PID:4984
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu7398.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu7398.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4728
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4728 -s 1348
      4⤵
      Program crash
      PID:2340
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si741116.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si741116.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3704

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 2948 -ip 2948
1⤵
PID:736

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 4728 -ip 4728
1⤵
PID:3936

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si741116.exe

Filesize
176KB

MD5
6591863efa48535fd6fa9e4db182099c

SHA1
f2ce20d931a38aff73b5ada8442e1d7bc1be9d43

SHA256
330ea88303a14f0abd3cadf9e19cd5da38f5ce10044c8560c40b359e25bb8d71

SHA512
c1f4516422d1e4ea6d1a4141d429300f43a8747a3a729ec9f7683fe2e812274f382bea7b524d607124715ec66c1a10f09cd6e6082fd9095985069e3f07071e12

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si741116.exe

Filesize
176KB

MD5
6591863efa48535fd6fa9e4db182099c

SHA1
f2ce20d931a38aff73b5ada8442e1d7bc1be9d43

SHA256
330ea88303a14f0abd3cadf9e19cd5da38f5ce10044c8560c40b359e25bb8d71

SHA512
c1f4516422d1e4ea6d1a4141d429300f43a8747a3a729ec9f7683fe2e812274f382bea7b524d607124715ec66c1a10f09cd6e6082fd9095985069e3f07071e12

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un650967.exe

Filesize
516KB

MD5
40e12765b1e94986d8cfae791fc12eca

SHA1
b5c1cd6e4fb02146935406781a6d4186b6e5342e

SHA256
6076c680d248f4b832b0530c22219ad3dd7d6ac4b2b7a2322d63af20a499c38b

SHA512
d536f975626383365be5680941d4c331fdb7a70d039541f589f5c481132495393987477b08d5e6b84722623d3a7df8fb3426750f34e3e96607fd4d92954a208f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un650967.exe

Filesize
516KB

MD5
40e12765b1e94986d8cfae791fc12eca

SHA1
b5c1cd6e4fb02146935406781a6d4186b6e5342e

SHA256
6076c680d248f4b832b0530c22219ad3dd7d6ac4b2b7a2322d63af20a499c38b

SHA512
d536f975626383365be5680941d4c331fdb7a70d039541f589f5c481132495393987477b08d5e6b84722623d3a7df8fb3426750f34e3e96607fd4d92954a208f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro7808.exe

Filesize
295KB

MD5
aaee6b0006073afa4c7a4d3335687ee4

SHA1
bdcc78a0eb6e4e14a860bea91cdbe02038acbb10

SHA256
88c8a660dafd7f0b05ad4ccc8ff3d4fe936c06d827f1a12ad02e5a12d4474579

SHA512
9b46b8396e0d97956665ec34bd24aa79c9bb715b1c7de914c8b736f8eb84d5905d80f39e6535a92074029c5df6f54a0699d5cb2a8d369e2a8cf722937ee44c11

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro7808.exe

Filesize
295KB

MD5
aaee6b0006073afa4c7a4d3335687ee4

SHA1
bdcc78a0eb6e4e14a860bea91cdbe02038acbb10

SHA256
88c8a660dafd7f0b05ad4ccc8ff3d4fe936c06d827f1a12ad02e5a12d4474579

SHA512
9b46b8396e0d97956665ec34bd24aa79c9bb715b1c7de914c8b736f8eb84d5905d80f39e6535a92074029c5df6f54a0699d5cb2a8d369e2a8cf722937ee44c11

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu7398.exe

Filesize
354KB

MD5
f9e6fcb284f0a294ddd7a8cbb391ed9c

SHA1
6a751f2f934c8cbb6cb083af93c37f171ac3feb2

SHA256
f0d1997ff873a06d7918aa8c4633c29d75775656e4db7cd550b6c50f61362f9b

SHA512
27c9463a4b12c1a164e6a6d48b00a42d3124fd56fe6f130749af95e8ed90c218012e5afda23114a22eaed6e74d86914d862080a4913d39248bf10789ee128726

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu7398.exe

Filesize
354KB

MD5
f9e6fcb284f0a294ddd7a8cbb391ed9c

SHA1
6a751f2f934c8cbb6cb083af93c37f171ac3feb2

SHA256
f0d1997ff873a06d7918aa8c4633c29d75775656e4db7cd550b6c50f61362f9b

SHA512
27c9463a4b12c1a164e6a6d48b00a42d3124fd56fe6f130749af95e8ed90c218012e5afda23114a22eaed6e74d86914d862080a4913d39248bf10789ee128726

Download Submit
memory/2948-152-0x0000000007140000-0x0000000007150000-memory.dmp

Filesize
64KB

Download
memory/2948-151-0x0000000002D00000-0x0000000002D2D000-memory.dmp

Filesize
180KB

Download
memory/2948-153-0x0000000007150000-0x00000000076F4000-memory.dmp

Filesize
5.6MB

Download
memory/2948-154-0x00000000070E0000-0x00000000070F2000-memory.dmp

Filesize
72KB

Download
memory/2948-155-0x00000000070E0000-0x00000000070F2000-memory.dmp

Filesize
72KB

Download
memory/2948-157-0x00000000070E0000-0x00000000070F2000-memory.dmp

Filesize
72KB

Download
memory/2948-159-0x00000000070E0000-0x00000000070F2000-memory.dmp

Filesize
72KB

Download
memory/2948-161-0x00000000070E0000-0x00000000070F2000-memory.dmp

Filesize
72KB

Download
memory/2948-163-0x00000000070E0000-0x00000000070F2000-memory.dmp

Filesize
72KB

Download
memory/2948-165-0x00000000070E0000-0x00000000070F2000-memory.dmp

Filesize
72KB

Download
memory/2948-167-0x00000000070E0000-0x00000000070F2000-memory.dmp

Filesize
72KB

Download
memory/2948-169-0x00000000070E0000-0x00000000070F2000-memory.dmp

Filesize
72KB

Download
memory/2948-171-0x00000000070E0000-0x00000000070F2000-memory.dmp

Filesize
72KB

Download
memory/2948-173-0x00000000070E0000-0x00000000070F2000-memory.dmp

Filesize
72KB

Download
memory/2948-175-0x00000000070E0000-0x00000000070F2000-memory.dmp

Filesize
72KB

Download
memory/2948-177-0x00000000070E0000-0x00000000070F2000-memory.dmp

Filesize
72KB

Download
memory/2948-179-0x00000000070E0000-0x00000000070F2000-memory.dmp

Filesize
72KB

Download
memory/2948-181-0x00000000070E0000-0x00000000070F2000-memory.dmp

Filesize
72KB

Download
memory/2948-182-0x0000000000400000-0x0000000002B78000-memory.dmp

Filesize
39.5MB

Download
memory/2948-183-0x0000000007140000-0x0000000007150000-memory.dmp

Filesize
64KB

Download
memory/2948-185-0x0000000000400000-0x0000000002B78000-memory.dmp

Filesize
39.5MB

Download
memory/3704-1121-0x0000000000890000-0x00000000008C2000-memory.dmp

Filesize
200KB

Download
memory/3704-1122-0x0000000005140000-0x0000000005150000-memory.dmp

Filesize
64KB

Download
memory/4728-197-0x0000000007170000-0x00000000071AF000-memory.dmp

Filesize
252KB

Download
memory/4728-225-0x0000000007170000-0x00000000071AF000-memory.dmp

Filesize
252KB

Download
memory/4728-194-0x0000000007170000-0x00000000071AF000-memory.dmp

Filesize
252KB

Download
memory/4728-191-0x00000000072C0000-0x00000000072D0000-memory.dmp

Filesize
64KB

Download
memory/4728-195-0x00000000072C0000-0x00000000072D0000-memory.dmp

Filesize
64KB

Download
memory/4728-199-0x0000000007170000-0x00000000071AF000-memory.dmp

Filesize
252KB

Download
memory/4728-193-0x00000000072C0000-0x00000000072D0000-memory.dmp

Filesize
64KB

Download
memory/4728-201-0x0000000007170000-0x00000000071AF000-memory.dmp

Filesize
252KB

Download
memory/4728-203-0x0000000007170000-0x00000000071AF000-memory.dmp

Filesize
252KB

Download
memory/4728-205-0x0000000007170000-0x00000000071AF000-memory.dmp

Filesize
252KB

Download
memory/4728-207-0x0000000007170000-0x00000000071AF000-memory.dmp

Filesize
252KB

Download
memory/4728-209-0x0000000007170000-0x00000000071AF000-memory.dmp

Filesize
252KB

Download
memory/4728-211-0x0000000007170000-0x00000000071AF000-memory.dmp

Filesize
252KB

Download
memory/4728-213-0x0000000007170000-0x00000000071AF000-memory.dmp

Filesize
252KB

Download
memory/4728-215-0x0000000007170000-0x00000000071AF000-memory.dmp

Filesize
252KB

Download
memory/4728-217-0x0000000007170000-0x00000000071AF000-memory.dmp

Filesize
252KB

Download
memory/4728-219-0x0000000007170000-0x00000000071AF000-memory.dmp

Filesize
252KB

Download
memory/4728-221-0x0000000007170000-0x00000000071AF000-memory.dmp

Filesize
252KB

Download
memory/4728-223-0x0000000007170000-0x00000000071AF000-memory.dmp

Filesize
252KB

Download
memory/4728-192-0x0000000007170000-0x00000000071AF000-memory.dmp

Filesize
252KB

Download
memory/4728-227-0x0000000007170000-0x00000000071AF000-memory.dmp

Filesize
252KB

Download
memory/4728-1100-0x0000000007880000-0x0000000007E98000-memory.dmp

Filesize
6.1MB

Download
memory/4728-1101-0x0000000007EA0000-0x0000000007FAA000-memory.dmp

Filesize
1.0MB

Download
memory/4728-1102-0x00000000072C0000-0x00000000072D0000-memory.dmp

Filesize
64KB

Download
memory/4728-1103-0x0000000007280000-0x0000000007292000-memory.dmp

Filesize
72KB

Download
memory/4728-1104-0x0000000007FB0000-0x0000000007FEC000-memory.dmp

Filesize
240KB

Download
memory/4728-1106-0x0000000008280000-0x0000000008312000-memory.dmp

Filesize
584KB

Download
memory/4728-1107-0x0000000008320000-0x0000000008386000-memory.dmp

Filesize
408KB

Download
memory/4728-1108-0x00000000072C0000-0x00000000072D0000-memory.dmp

Filesize
64KB

Download
memory/4728-1109-0x00000000072C0000-0x00000000072D0000-memory.dmp

Filesize
64KB

Download
memory/4728-1110-0x00000000072C0000-0x00000000072D0000-memory.dmp

Filesize
64KB

Download
memory/4728-1111-0x0000000008B50000-0x0000000008D12000-memory.dmp

Filesize
1.8MB

Download
memory/4728-1112-0x0000000008D20000-0x000000000924C000-memory.dmp

Filesize
5.2MB

Download
memory/4728-190-0x0000000002CF0000-0x0000000002D3B000-memory.dmp

Filesize
300KB

Download
memory/4728-1113-0x00000000072C0000-0x00000000072D0000-memory.dmp

Filesize
64KB

Download
memory/4728-1114-0x00000000094D0000-0x0000000009546000-memory.dmp

Filesize
472KB

Download
memory/4728-1115-0x0000000009560000-0x00000000095B0000-memory.dmp

Filesize
320KB

Download