redline | fe2e5b143085a1bb1c1976e3767dc3b7bb391cfc89f25fc23891359ec43525a2

Analysis

max time kernel
55s
max time network
147s
platform
windows10-1703_x64
resource
win10-20230220-en
resource tags

arch:x64arch:x86image:win10-20230220-enlocale:en-usos:windows10-1703-x64system
submitted
02/04/2023, 08:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

fe2e5b143085a1bb1c1976e3767dc3b7bb391cfc89f25fc23891359ec43525a2.exe
Size

660KB
MD5

5743c7ab489eedd761711087005e0a52
SHA1

3f8f1d1dbda9f6ac3c8090a0f774c49bb7caf3d2
SHA256

fe2e5b143085a1bb1c1976e3767dc3b7bb391cfc89f25fc23891359ec43525a2
SHA512

35dbf0ee1e38eb63d8664ee053d375e5fb2789d82d4ee02c27b77a12a9b965427b19d1e8f51d77ac30eefc9a620bb3daf6a50c906dd5610a29d7a610bd14631f
SSDEEP

12288:vMrgy90DKwHLH+G8vSmUJpzKI6S79FjlRkoP1w4lHgXeC:XygNLIvS7t9F1PG4lfC

Score

10^/10

redline rosn spora discovery evasion infostealer persistence spyware stealer trojan

Malware Config

Extracted

Family

redline

Botnet

rosn

176.113.115.145:4125

Attributes

auth_value
050a19e1db4d0024b0f23b37dcf961f4

Extracted

Family

redline

Botnet

spora

176.113.115.145:4125

Attributes

auth_value
441b39ab37774b2ca9931c31e1bc6071

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs 5 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	pro7911.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	pro7911.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	pro7911.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	pro7911.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	pro7911.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 20 IoCs

resource	yara_rule
behavioral1/memory/4500-179-0x00000000024C0000-0x0000000002506000-memory.dmp	family_redline
behavioral1/memory/4500-180-0x0000000002820000-0x0000000002864000-memory.dmp	family_redline
behavioral1/memory/4500-181-0x0000000002820000-0x000000000285F000-memory.dmp	family_redline
behavioral1/memory/4500-182-0x0000000002820000-0x000000000285F000-memory.dmp	family_redline
behavioral1/memory/4500-184-0x0000000002820000-0x000000000285F000-memory.dmp	family_redline
behavioral1/memory/4500-186-0x0000000002820000-0x000000000285F000-memory.dmp	family_redline
behavioral1/memory/4500-189-0x0000000002820000-0x000000000285F000-memory.dmp	family_redline
behavioral1/memory/4500-192-0x0000000002820000-0x000000000285F000-memory.dmp	family_redline
behavioral1/memory/4500-196-0x0000000002820000-0x000000000285F000-memory.dmp	family_redline
behavioral1/memory/4500-198-0x0000000002820000-0x000000000285F000-memory.dmp	family_redline
behavioral1/memory/4500-200-0x0000000002820000-0x000000000285F000-memory.dmp	family_redline
behavioral1/memory/4500-202-0x0000000002820000-0x000000000285F000-memory.dmp	family_redline
behavioral1/memory/4500-204-0x0000000002820000-0x000000000285F000-memory.dmp	family_redline
behavioral1/memory/4500-206-0x0000000002820000-0x000000000285F000-memory.dmp	family_redline
behavioral1/memory/4500-208-0x0000000002820000-0x000000000285F000-memory.dmp	family_redline
behavioral1/memory/4500-210-0x0000000002820000-0x000000000285F000-memory.dmp	family_redline
behavioral1/memory/4500-212-0x0000000002820000-0x000000000285F000-memory.dmp	family_redline
behavioral1/memory/4500-214-0x0000000002820000-0x000000000285F000-memory.dmp	family_redline
behavioral1/memory/4500-216-0x0000000002820000-0x000000000285F000-memory.dmp	family_redline
behavioral1/memory/4500-218-0x0000000002820000-0x000000000285F000-memory.dmp	family_redline

Executes dropped EXE 4 IoCs

pid	Process
2464	un664526.exe
2528	pro7911.exe
4500	qu9287.exe
2568	si501840.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	pro7911.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	pro7911.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	fe2e5b143085a1bb1c1976e3767dc3b7bb391cfc89f25fc23891359ec43525a2.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	un664526.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	un664526.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	fe2e5b143085a1bb1c1976e3767dc3b7bb391cfc89f25fc23891359ec43525a2.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
2528	pro7911.exe
2528	pro7911.exe
4500	qu9287.exe
4500	qu9287.exe
2568	si501840.exe
2568	si501840.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	2528	pro7911.exe
Token: SeDebugPrivilege	4500	qu9287.exe
Token: SeDebugPrivilege	2568	si501840.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2136 wrote to memory of 2464	2136	fe2e5b143085a1bb1c1976e3767dc3b7bb391cfc89f25fc23891359ec43525a2.exe	66
PID 2136 wrote to memory of 2464	2136	fe2e5b143085a1bb1c1976e3767dc3b7bb391cfc89f25fc23891359ec43525a2.exe	66
PID 2136 wrote to memory of 2464	2136	fe2e5b143085a1bb1c1976e3767dc3b7bb391cfc89f25fc23891359ec43525a2.exe	66
PID 2464 wrote to memory of 2528	2464	un664526.exe	67
PID 2464 wrote to memory of 2528	2464	un664526.exe	67
PID 2464 wrote to memory of 2528	2464	un664526.exe	67
PID 2464 wrote to memory of 4500	2464	un664526.exe	68
PID 2464 wrote to memory of 4500	2464	un664526.exe	68
PID 2464 wrote to memory of 4500	2464	un664526.exe	68
PID 2136 wrote to memory of 2568	2136	fe2e5b143085a1bb1c1976e3767dc3b7bb391cfc89f25fc23891359ec43525a2.exe	70
PID 2136 wrote to memory of 2568	2136	fe2e5b143085a1bb1c1976e3767dc3b7bb391cfc89f25fc23891359ec43525a2.exe	70
PID 2136 wrote to memory of 2568	2136	fe2e5b143085a1bb1c1976e3767dc3b7bb391cfc89f25fc23891359ec43525a2.exe	70

C:\Users\Admin\AppData\Local\Temp\fe2e5b143085a1bb1c1976e3767dc3b7bb391cfc89f25fc23891359ec43525a2.exe
"C:\Users\Admin\AppData\Local\Temp\fe2e5b143085a1bb1c1976e3767dc3b7bb391cfc89f25fc23891359ec43525a2.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2136
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un664526.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un664526.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:2464
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro7911.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro7911.exe
    3⤵
    - Modifies Windows Defender Real-time Protection settings
    - Executes dropped EXE
    - Windows security modification
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2528
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu9287.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu9287.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4500
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si501840.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si501840.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2568

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si501840.exe

Filesize
176KB

MD5
56967c40f47534962f244f29cac81c80

SHA1
886685f011447a3be41683f0ea9fad5ce31a20d0

SHA256
1841a38271a1dd30850f60299dab85e359712a742290b3899cc349d905f7ea79

SHA512
60a500bffd90bb62ffa891ac95ed710af5ec5557f4e36f0dbcd757854ff8e391bbed47955211bfbe11abe1add46bff8982a0cede08422ccb2d1ce647609af8ed

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si501840.exe

Filesize
176KB

MD5
56967c40f47534962f244f29cac81c80

SHA1
886685f011447a3be41683f0ea9fad5ce31a20d0

SHA256
1841a38271a1dd30850f60299dab85e359712a742290b3899cc349d905f7ea79

SHA512
60a500bffd90bb62ffa891ac95ed710af5ec5557f4e36f0dbcd757854ff8e391bbed47955211bfbe11abe1add46bff8982a0cede08422ccb2d1ce647609af8ed

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un664526.exe

Filesize
518KB

MD5
2d631f02764d2997e496de626414ab1e

SHA1
3a76b80d7dc96ca8056058510a65ff2ea3a3125e

SHA256
47ff0e5d1323e185e9ef7ecd3da6e9f769fc557409cd62383febb7cece5df0ad

SHA512
80e4ddff84b8fb99f86544a32bb1da3940b9e009c95d7740bbfb2f20adb84c6e5ef6261b0f5ffb1ce94a9a12fb8f8e24fecd048e03a2d035033a14551e327d69

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un664526.exe

Filesize
518KB

MD5
2d631f02764d2997e496de626414ab1e

SHA1
3a76b80d7dc96ca8056058510a65ff2ea3a3125e

SHA256
47ff0e5d1323e185e9ef7ecd3da6e9f769fc557409cd62383febb7cece5df0ad

SHA512
80e4ddff84b8fb99f86544a32bb1da3940b9e009c95d7740bbfb2f20adb84c6e5ef6261b0f5ffb1ce94a9a12fb8f8e24fecd048e03a2d035033a14551e327d69

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro7911.exe

Filesize
295KB

MD5
37e2c3547a1fc3a2ab0912006f18ec16

SHA1
894ea22cda6fcbf11f3ec97c6e750989411672e2

SHA256
b22d064809df460c7101011201a2f91ed5bf250cc4bfcf31bf903e7dcd137ee3

SHA512
28fdd56b4d1b845556540b1cecf6d2a199baa9b8ed5b4caa44cc08d4ed77707687852f9c23ff73b9675019911b69e480ef6e7d5610dc2984ed577942a3485436

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro7911.exe

Filesize
295KB

MD5
37e2c3547a1fc3a2ab0912006f18ec16

SHA1
894ea22cda6fcbf11f3ec97c6e750989411672e2

SHA256
b22d064809df460c7101011201a2f91ed5bf250cc4bfcf31bf903e7dcd137ee3

SHA512
28fdd56b4d1b845556540b1cecf6d2a199baa9b8ed5b4caa44cc08d4ed77707687852f9c23ff73b9675019911b69e480ef6e7d5610dc2984ed577942a3485436

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu9287.exe

Filesize
353KB

MD5
4ec9306a4fb866cf2e9423ae7ebd6514

SHA1
e799640f52eb3f8a43d320021031a45753781bbb

SHA256
fdc1da9085878e5ba764f7bef643b41571b3ffacf67787227f49fd12b93c4c8f

SHA512
38cd3cd81ce63087cbfe88b39cac3f719ab68b150ba3289c34195d4c0140ebe8f28eba040b733f2f84c1d140f70820f09fce14e1c14dc05b08d96e269e0f7f37

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu9287.exe

Filesize
353KB

MD5
4ec9306a4fb866cf2e9423ae7ebd6514

SHA1
e799640f52eb3f8a43d320021031a45753781bbb

SHA256
fdc1da9085878e5ba764f7bef643b41571b3ffacf67787227f49fd12b93c4c8f

SHA512
38cd3cd81ce63087cbfe88b39cac3f719ab68b150ba3289c34195d4c0140ebe8f28eba040b733f2f84c1d140f70820f09fce14e1c14dc05b08d96e269e0f7f37

Download Submit
memory/2528-136-0x0000000002310000-0x000000000232A000-memory.dmp

Filesize
104KB

Download
memory/2528-137-0x00000000001D0000-0x00000000001FD000-memory.dmp

Filesize
180KB

Download
memory/2528-138-0x00000000027B0000-0x00000000027C0000-memory.dmp

Filesize
64KB

Download
memory/2528-139-0x0000000004EB0000-0x00000000053AE000-memory.dmp

Filesize
5.0MB

Download
memory/2528-140-0x00000000025C0000-0x00000000025D8000-memory.dmp

Filesize
96KB

Download
memory/2528-144-0x00000000025C0000-0x00000000025D2000-memory.dmp

Filesize
72KB

Download
memory/2528-146-0x00000000025C0000-0x00000000025D2000-memory.dmp

Filesize
72KB

Download
memory/2528-142-0x00000000025C0000-0x00000000025D2000-memory.dmp

Filesize
72KB

Download
memory/2528-141-0x00000000025C0000-0x00000000025D2000-memory.dmp

Filesize
72KB

Download
memory/2528-158-0x00000000025C0000-0x00000000025D2000-memory.dmp

Filesize
72KB

Download
memory/2528-160-0x00000000025C0000-0x00000000025D2000-memory.dmp

Filesize
72KB

Download
memory/2528-166-0x00000000025C0000-0x00000000025D2000-memory.dmp

Filesize
72KB

Download
memory/2528-164-0x00000000025C0000-0x00000000025D2000-memory.dmp

Filesize
72KB

Download
memory/2528-168-0x00000000025C0000-0x00000000025D2000-memory.dmp

Filesize
72KB

Download
memory/2528-162-0x00000000025C0000-0x00000000025D2000-memory.dmp

Filesize
72KB

Download
memory/2528-156-0x00000000025C0000-0x00000000025D2000-memory.dmp

Filesize
72KB

Download
memory/2528-154-0x00000000025C0000-0x00000000025D2000-memory.dmp

Filesize
72KB

Download
memory/2528-152-0x00000000025C0000-0x00000000025D2000-memory.dmp

Filesize
72KB

Download
memory/2528-150-0x00000000025C0000-0x00000000025D2000-memory.dmp

Filesize
72KB

Download
memory/2528-148-0x00000000025C0000-0x00000000025D2000-memory.dmp

Filesize
72KB

Download
memory/2528-169-0x00000000027B0000-0x00000000027C0000-memory.dmp

Filesize
64KB

Download
memory/2528-170-0x00000000027B0000-0x00000000027C0000-memory.dmp

Filesize
64KB

Download
memory/2528-171-0x0000000000400000-0x00000000007FE000-memory.dmp

Filesize
4.0MB

Download
memory/2528-172-0x00000000027B0000-0x00000000027C0000-memory.dmp

Filesize
64KB

Download
memory/2528-174-0x0000000000400000-0x00000000007FE000-memory.dmp

Filesize
4.0MB

Download
memory/2568-1112-0x00000000005C0000-0x00000000005F2000-memory.dmp

Filesize
200KB

Download
memory/2568-1114-0x0000000004EB0000-0x0000000004EC0000-memory.dmp

Filesize
64KB

Download
memory/2568-1113-0x0000000004E40000-0x0000000004E8B000-memory.dmp

Filesize
300KB

Download
memory/4500-181-0x0000000002820000-0x000000000285F000-memory.dmp

Filesize
252KB

Download
memory/4500-214-0x0000000002820000-0x000000000285F000-memory.dmp

Filesize
252KB

Download
memory/4500-184-0x0000000002820000-0x000000000285F000-memory.dmp

Filesize
252KB

Download
memory/4500-186-0x0000000002820000-0x000000000285F000-memory.dmp

Filesize
252KB

Download
memory/4500-188-0x00000000008E0000-0x000000000092B000-memory.dmp

Filesize
300KB

Download
memory/4500-189-0x0000000002820000-0x000000000285F000-memory.dmp

Filesize
252KB

Download
memory/4500-191-0x0000000004FE0000-0x0000000004FF0000-memory.dmp

Filesize
64KB

Download
memory/4500-194-0x0000000004FE0000-0x0000000004FF0000-memory.dmp

Filesize
64KB

Download
memory/4500-192-0x0000000002820000-0x000000000285F000-memory.dmp

Filesize
252KB

Download
memory/4500-196-0x0000000002820000-0x000000000285F000-memory.dmp

Filesize
252KB

Download
memory/4500-195-0x0000000004FE0000-0x0000000004FF0000-memory.dmp

Filesize
64KB

Download
memory/4500-198-0x0000000002820000-0x000000000285F000-memory.dmp

Filesize
252KB

Download
memory/4500-200-0x0000000002820000-0x000000000285F000-memory.dmp

Filesize
252KB

Download
memory/4500-202-0x0000000002820000-0x000000000285F000-memory.dmp

Filesize
252KB

Download
memory/4500-204-0x0000000002820000-0x000000000285F000-memory.dmp

Filesize
252KB

Download
memory/4500-206-0x0000000002820000-0x000000000285F000-memory.dmp

Filesize
252KB

Download
memory/4500-208-0x0000000002820000-0x000000000285F000-memory.dmp

Filesize
252KB

Download
memory/4500-210-0x0000000002820000-0x000000000285F000-memory.dmp

Filesize
252KB

Download
memory/4500-212-0x0000000002820000-0x000000000285F000-memory.dmp

Filesize
252KB

Download
memory/4500-182-0x0000000002820000-0x000000000285F000-memory.dmp

Filesize
252KB

Download
memory/4500-216-0x0000000002820000-0x000000000285F000-memory.dmp

Filesize
252KB

Download
memory/4500-218-0x0000000002820000-0x000000000285F000-memory.dmp

Filesize
252KB

Download
memory/4500-1091-0x00000000054F0000-0x0000000005AF6000-memory.dmp

Filesize
6.0MB

Download
memory/4500-1092-0x0000000004E90000-0x0000000004F9A000-memory.dmp

Filesize
1.0MB

Download
memory/4500-1093-0x0000000005B00000-0x0000000005B12000-memory.dmp

Filesize
72KB

Download
memory/4500-1094-0x0000000004FE0000-0x0000000004FF0000-memory.dmp

Filesize
64KB

Download
memory/4500-1095-0x0000000005B20000-0x0000000005B5E000-memory.dmp

Filesize
248KB

Download
memory/4500-1096-0x0000000005C60000-0x0000000005CAB000-memory.dmp

Filesize
300KB

Download
memory/4500-1098-0x0000000005DF0000-0x0000000005E82000-memory.dmp

Filesize
584KB

Download
memory/4500-1099-0x0000000005E90000-0x0000000005EF6000-memory.dmp

Filesize
408KB

Download
memory/4500-1100-0x0000000004FE0000-0x0000000004FF0000-memory.dmp

Filesize
64KB

Download
memory/4500-1102-0x0000000004FE0000-0x0000000004FF0000-memory.dmp

Filesize
64KB

Download
memory/4500-1101-0x0000000004FE0000-0x0000000004FF0000-memory.dmp

Filesize
64KB

Download
memory/4500-1103-0x00000000067D0000-0x0000000006846000-memory.dmp

Filesize
472KB

Download
memory/4500-180-0x0000000002820000-0x0000000002864000-memory.dmp

Filesize
272KB

Download
memory/4500-179-0x00000000024C0000-0x0000000002506000-memory.dmp

Filesize
280KB

Download
memory/4500-1104-0x0000000006850000-0x00000000068A0000-memory.dmp

Filesize
320KB

Download
memory/4500-1105-0x0000000006A00000-0x0000000006BC2000-memory.dmp

Filesize
1.8MB

Download
memory/4500-1106-0x0000000006BE0000-0x000000000710C000-memory.dmp

Filesize
5.2MB

Download