redline | 925fa3e165c70213e8635080750a43799be88432ab72eb707c5c91e4c27ddfab

Analysis

max time kernel
55s
max time network
60s
platform
windows10-1703_x64
resource
win10-20230220-en
resource tags

arch:x64arch:x86image:win10-20230220-enlocale:en-usos:windows10-1703-x64system
submitted
02-04-2023 09:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

925fa3e165c70213e8635080750a43799be88432ab72eb707c5c91e4c27ddfab.exe
Size

659KB
MD5

eb8ec1238201569a375429be37e3dbaf
SHA1

139bd89ec17ac38dc297603ae3b12a62467a6648
SHA256

925fa3e165c70213e8635080750a43799be88432ab72eb707c5c91e4c27ddfab
SHA512

40ec839843f424b9355ed6857f8e63eac0d75db349ec75f6e0df3c588aea22a207e4de9d66d6ed8b5ff4805705430fcd420733232e9b0c8af031198aebf0b3f7
SSDEEP

12288:VMrUy90vLCneQppM35tupjpjuk9FBlRXHeaOKzDwvTb2ymF8q:Fy8LCeQpyDs39FB5OKzkvKH

Score

10^/10

redline rosn spora discovery evasion infostealer persistence spyware stealer trojan

Malware Config

Extracted

Family

redline

Botnet

rosn

176.113.115.145:4125

Attributes

auth_value
050a19e1db4d0024b0f23b37dcf961f4

Extracted

Family

redline

Botnet

spora

176.113.115.145:4125

Attributes

auth_value
441b39ab37774b2ca9931c31e1bc6071

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs 5 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	pro1361.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	pro1361.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	pro1361.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	pro1361.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	pro1361.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 20 IoCs

resource	yara_rule
behavioral1/memory/4228-178-0x00000000027C0000-0x0000000002806000-memory.dmp	family_redline
behavioral1/memory/4228-179-0x0000000002870000-0x00000000028B4000-memory.dmp	family_redline
behavioral1/memory/4228-180-0x0000000002870000-0x00000000028AF000-memory.dmp	family_redline
behavioral1/memory/4228-181-0x0000000002870000-0x00000000028AF000-memory.dmp	family_redline
behavioral1/memory/4228-183-0x0000000002870000-0x00000000028AF000-memory.dmp	family_redline
behavioral1/memory/4228-185-0x0000000002870000-0x00000000028AF000-memory.dmp	family_redline
behavioral1/memory/4228-187-0x0000000002870000-0x00000000028AF000-memory.dmp	family_redline
behavioral1/memory/4228-189-0x0000000002870000-0x00000000028AF000-memory.dmp	family_redline
behavioral1/memory/4228-191-0x0000000002870000-0x00000000028AF000-memory.dmp	family_redline
behavioral1/memory/4228-193-0x0000000002870000-0x00000000028AF000-memory.dmp	family_redline
behavioral1/memory/4228-195-0x0000000002870000-0x00000000028AF000-memory.dmp	family_redline
behavioral1/memory/4228-197-0x0000000002870000-0x00000000028AF000-memory.dmp	family_redline
behavioral1/memory/4228-199-0x0000000002870000-0x00000000028AF000-memory.dmp	family_redline
behavioral1/memory/4228-201-0x0000000002870000-0x00000000028AF000-memory.dmp	family_redline
behavioral1/memory/4228-203-0x0000000002870000-0x00000000028AF000-memory.dmp	family_redline
behavioral1/memory/4228-205-0x0000000002870000-0x00000000028AF000-memory.dmp	family_redline
behavioral1/memory/4228-207-0x0000000002870000-0x00000000028AF000-memory.dmp	family_redline
behavioral1/memory/4228-209-0x0000000002870000-0x00000000028AF000-memory.dmp	family_redline
behavioral1/memory/4228-211-0x0000000002870000-0x00000000028AF000-memory.dmp	family_redline
behavioral1/memory/4228-213-0x0000000002870000-0x00000000028AF000-memory.dmp	family_redline

Executes dropped EXE 4 IoCs

pid	Process
2560	un365799.exe
3232	pro1361.exe
4228	qu4453.exe
4740	si534227.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	pro1361.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	pro1361.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	925fa3e165c70213e8635080750a43799be88432ab72eb707c5c91e4c27ddfab.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	925fa3e165c70213e8635080750a43799be88432ab72eb707c5c91e4c27ddfab.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	un365799.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	un365799.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
3232	pro1361.exe
3232	pro1361.exe
4228	qu4453.exe
4228	qu4453.exe
4740	si534227.exe
4740	si534227.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	3232	pro1361.exe
Token: SeDebugPrivilege	4228	qu4453.exe
Token: SeDebugPrivilege	4740	si534227.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2408 wrote to memory of 2560	2408	925fa3e165c70213e8635080750a43799be88432ab72eb707c5c91e4c27ddfab.exe	66
PID 2408 wrote to memory of 2560	2408	925fa3e165c70213e8635080750a43799be88432ab72eb707c5c91e4c27ddfab.exe	66
PID 2408 wrote to memory of 2560	2408	925fa3e165c70213e8635080750a43799be88432ab72eb707c5c91e4c27ddfab.exe	66
PID 2560 wrote to memory of 3232	2560	un365799.exe	67
PID 2560 wrote to memory of 3232	2560	un365799.exe	67
PID 2560 wrote to memory of 3232	2560	un365799.exe	67
PID 2560 wrote to memory of 4228	2560	un365799.exe	68
PID 2560 wrote to memory of 4228	2560	un365799.exe	68
PID 2560 wrote to memory of 4228	2560	un365799.exe	68
PID 2408 wrote to memory of 4740	2408	925fa3e165c70213e8635080750a43799be88432ab72eb707c5c91e4c27ddfab.exe	70
PID 2408 wrote to memory of 4740	2408	925fa3e165c70213e8635080750a43799be88432ab72eb707c5c91e4c27ddfab.exe	70
PID 2408 wrote to memory of 4740	2408	925fa3e165c70213e8635080750a43799be88432ab72eb707c5c91e4c27ddfab.exe	70

C:\Users\Admin\AppData\Local\Temp\925fa3e165c70213e8635080750a43799be88432ab72eb707c5c91e4c27ddfab.exe
"C:\Users\Admin\AppData\Local\Temp\925fa3e165c70213e8635080750a43799be88432ab72eb707c5c91e4c27ddfab.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2408
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un365799.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un365799.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:2560
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro1361.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro1361.exe
    3⤵
    - Modifies Windows Defender Real-time Protection settings
    - Executes dropped EXE
    - Windows security modification
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3232
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu4453.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu4453.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4228
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si534227.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si534227.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4740

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si534227.exe

Filesize
176KB

MD5
73cce65581e94c4af58e29143caab3f8

SHA1
523ef1743d0bb7f55bb35384e3f36aee40e82bbb

SHA256
39727af3923ab57692188c2a64c88c28810872bdb2035e412f7981d389f8f03e

SHA512
330b1cbf57af91bb3dec17cc9fb83ff68b0962936ef46cdc105b1691d4f27d100ce37c8983f6a788b2f3f05389aaae2568422de6e779c6aeeaf4e7a06815bdb5

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si534227.exe

Filesize
176KB

MD5
73cce65581e94c4af58e29143caab3f8

SHA1
523ef1743d0bb7f55bb35384e3f36aee40e82bbb

SHA256
39727af3923ab57692188c2a64c88c28810872bdb2035e412f7981d389f8f03e

SHA512
330b1cbf57af91bb3dec17cc9fb83ff68b0962936ef46cdc105b1691d4f27d100ce37c8983f6a788b2f3f05389aaae2568422de6e779c6aeeaf4e7a06815bdb5

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un365799.exe

Filesize
517KB

MD5
8f7b6aa6dafc7e25bba6dcaa1707cbf3

SHA1
edf6cac5815d3e2660136ab0dc7c236aaabd2f4f

SHA256
e78f818896462cffde69de6aad3f7be829ea69670373246987295f7de9fc7646

SHA512
9b9652a9f55e8e54f8e84ab7961a38fef925446da049674de9d22c9d9f167c980cbff84b41f74686dd0b293248dc0136ab7c3e1e546b271e0104966ecae0b4db

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un365799.exe

Filesize
517KB

MD5
8f7b6aa6dafc7e25bba6dcaa1707cbf3

SHA1
edf6cac5815d3e2660136ab0dc7c236aaabd2f4f

SHA256
e78f818896462cffde69de6aad3f7be829ea69670373246987295f7de9fc7646

SHA512
9b9652a9f55e8e54f8e84ab7961a38fef925446da049674de9d22c9d9f167c980cbff84b41f74686dd0b293248dc0136ab7c3e1e546b271e0104966ecae0b4db

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro1361.exe

Filesize
295KB

MD5
3a5108676d10465666c37366da06bf1a

SHA1
0ba7dcb36c31f3e18095223b5859ad4c5c6f2f17

SHA256
5d945af12172d583f97324a4fb6b2d532c8ea4475770675d3b802f1ee21a71a7

SHA512
4078194ea7966643e4186f0e500d206302eab90cf0c0d8cc0dac4ba4b48f1d8844c47b0417078d461d258be5bd0ee6707f9c52565ca4ab5f34d761886bcab11b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro1361.exe

Filesize
295KB

MD5
3a5108676d10465666c37366da06bf1a

SHA1
0ba7dcb36c31f3e18095223b5859ad4c5c6f2f17

SHA256
5d945af12172d583f97324a4fb6b2d532c8ea4475770675d3b802f1ee21a71a7

SHA512
4078194ea7966643e4186f0e500d206302eab90cf0c0d8cc0dac4ba4b48f1d8844c47b0417078d461d258be5bd0ee6707f9c52565ca4ab5f34d761886bcab11b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu4453.exe

Filesize
353KB

MD5
ec8d09eae95a334cbafaf3556436ad56

SHA1
4451af89968891d2d2fdce4ba19d1d8bf35c67a9

SHA256
67eb216c014f8574699a142122c1ebdb1031b11975d9ff9ff3687b2370352e9e

SHA512
ea5805631101da8e3d85f82bbc3c13358988dd435573179d487c3197ea6a8dbc4a9b20af7f2572dce85d0d20e8b32d2cc5f7d2814f400a4cbab73231fe60fcf5

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu4453.exe

Filesize
353KB

MD5
ec8d09eae95a334cbafaf3556436ad56

SHA1
4451af89968891d2d2fdce4ba19d1d8bf35c67a9

SHA256
67eb216c014f8574699a142122c1ebdb1031b11975d9ff9ff3687b2370352e9e

SHA512
ea5805631101da8e3d85f82bbc3c13358988dd435573179d487c3197ea6a8dbc4a9b20af7f2572dce85d0d20e8b32d2cc5f7d2814f400a4cbab73231fe60fcf5

Download Submit
memory/3232-136-0x00000000008D0000-0x00000000008FD000-memory.dmp

Filesize
180KB

Download
memory/3232-137-0x0000000002380000-0x000000000239A000-memory.dmp

Filesize
104KB

Download
memory/3232-138-0x0000000004E90000-0x000000000538E000-memory.dmp

Filesize
5.0MB

Download
memory/3232-139-0x0000000002530000-0x0000000002548000-memory.dmp

Filesize
96KB

Download
memory/3232-140-0x0000000004E80000-0x0000000004E90000-memory.dmp

Filesize
64KB

Download
memory/3232-141-0x0000000004E80000-0x0000000004E90000-memory.dmp

Filesize
64KB

Download
memory/3232-142-0x0000000004E80000-0x0000000004E90000-memory.dmp

Filesize
64KB

Download
memory/3232-143-0x0000000002530000-0x0000000002542000-memory.dmp

Filesize
72KB

Download
memory/3232-144-0x0000000002530000-0x0000000002542000-memory.dmp

Filesize
72KB

Download
memory/3232-146-0x0000000002530000-0x0000000002542000-memory.dmp

Filesize
72KB

Download
memory/3232-148-0x0000000002530000-0x0000000002542000-memory.dmp

Filesize
72KB

Download
memory/3232-150-0x0000000002530000-0x0000000002542000-memory.dmp

Filesize
72KB

Download
memory/3232-152-0x0000000002530000-0x0000000002542000-memory.dmp

Filesize
72KB

Download
memory/3232-154-0x0000000002530000-0x0000000002542000-memory.dmp

Filesize
72KB

Download
memory/3232-156-0x0000000002530000-0x0000000002542000-memory.dmp

Filesize
72KB

Download
memory/3232-158-0x0000000002530000-0x0000000002542000-memory.dmp

Filesize
72KB

Download
memory/3232-160-0x0000000002530000-0x0000000002542000-memory.dmp

Filesize
72KB

Download
memory/3232-162-0x0000000002530000-0x0000000002542000-memory.dmp

Filesize
72KB

Download
memory/3232-164-0x0000000002530000-0x0000000002542000-memory.dmp

Filesize
72KB

Download
memory/3232-166-0x0000000002530000-0x0000000002542000-memory.dmp

Filesize
72KB

Download
memory/3232-168-0x0000000002530000-0x0000000002542000-memory.dmp

Filesize
72KB

Download
memory/3232-170-0x0000000002530000-0x0000000002542000-memory.dmp

Filesize
72KB

Download
memory/3232-171-0x0000000000400000-0x00000000007FE000-memory.dmp

Filesize
4.0MB

Download
memory/3232-173-0x0000000000400000-0x00000000007FE000-memory.dmp

Filesize
4.0MB

Download
memory/4228-178-0x00000000027C0000-0x0000000002806000-memory.dmp

Filesize
280KB

Download
memory/4228-179-0x0000000002870000-0x00000000028B4000-memory.dmp

Filesize
272KB

Download
memory/4228-180-0x0000000002870000-0x00000000028AF000-memory.dmp

Filesize
252KB

Download
memory/4228-181-0x0000000002870000-0x00000000028AF000-memory.dmp

Filesize
252KB

Download
memory/4228-183-0x0000000002870000-0x00000000028AF000-memory.dmp

Filesize
252KB

Download
memory/4228-185-0x0000000002870000-0x00000000028AF000-memory.dmp

Filesize
252KB

Download
memory/4228-187-0x0000000002870000-0x00000000028AF000-memory.dmp

Filesize
252KB

Download
memory/4228-189-0x0000000002870000-0x00000000028AF000-memory.dmp

Filesize
252KB

Download
memory/4228-191-0x0000000002870000-0x00000000028AF000-memory.dmp

Filesize
252KB

Download
memory/4228-193-0x0000000002870000-0x00000000028AF000-memory.dmp

Filesize
252KB

Download
memory/4228-195-0x0000000002870000-0x00000000028AF000-memory.dmp

Filesize
252KB

Download
memory/4228-197-0x0000000002870000-0x00000000028AF000-memory.dmp

Filesize
252KB

Download
memory/4228-199-0x0000000002870000-0x00000000028AF000-memory.dmp

Filesize
252KB

Download
memory/4228-201-0x0000000002870000-0x00000000028AF000-memory.dmp

Filesize
252KB

Download
memory/4228-203-0x0000000002870000-0x00000000028AF000-memory.dmp

Filesize
252KB

Download
memory/4228-205-0x0000000002870000-0x00000000028AF000-memory.dmp

Filesize
252KB

Download
memory/4228-207-0x0000000002870000-0x00000000028AF000-memory.dmp

Filesize
252KB

Download
memory/4228-209-0x0000000002870000-0x00000000028AF000-memory.dmp

Filesize
252KB

Download
memory/4228-211-0x0000000002870000-0x00000000028AF000-memory.dmp

Filesize
252KB

Download
memory/4228-213-0x0000000002870000-0x00000000028AF000-memory.dmp

Filesize
252KB

Download
memory/4228-237-0x0000000000810000-0x000000000085B000-memory.dmp

Filesize
300KB

Download
memory/4228-239-0x0000000004F10000-0x0000000004F20000-memory.dmp

Filesize
64KB

Download
memory/4228-240-0x0000000004F10000-0x0000000004F20000-memory.dmp

Filesize
64KB

Download
memory/4228-243-0x0000000004F10000-0x0000000004F20000-memory.dmp

Filesize
64KB

Download
memory/4228-1090-0x0000000005420000-0x0000000005A26000-memory.dmp

Filesize
6.0MB

Download
memory/4228-1091-0x0000000005A30000-0x0000000005B3A000-memory.dmp

Filesize
1.0MB

Download
memory/4228-1092-0x0000000004EC0000-0x0000000004ED2000-memory.dmp

Filesize
72KB

Download
memory/4228-1093-0x0000000005B40000-0x0000000005B7E000-memory.dmp

Filesize
248KB

Download
memory/4228-1094-0x0000000004F10000-0x0000000004F20000-memory.dmp

Filesize
64KB

Download
memory/4228-1095-0x0000000005C80000-0x0000000005CCB000-memory.dmp

Filesize
300KB

Download
memory/4228-1097-0x0000000004F10000-0x0000000004F20000-memory.dmp

Filesize
64KB

Download
memory/4228-1098-0x0000000004F10000-0x0000000004F20000-memory.dmp

Filesize
64KB

Download
memory/4228-1099-0x0000000004F10000-0x0000000004F20000-memory.dmp

Filesize
64KB

Download
memory/4228-1100-0x0000000005DF0000-0x0000000005E82000-memory.dmp

Filesize
584KB

Download
memory/4228-1101-0x0000000005E90000-0x0000000005EF6000-memory.dmp

Filesize
408KB

Download
memory/4228-1102-0x0000000006690000-0x0000000006852000-memory.dmp

Filesize
1.8MB

Download
memory/4228-1103-0x0000000006880000-0x0000000006DAC000-memory.dmp

Filesize
5.2MB

Download
memory/4228-1104-0x0000000006ED0000-0x0000000006F46000-memory.dmp

Filesize
472KB

Download
memory/4228-1105-0x0000000006F60000-0x0000000006FB0000-memory.dmp

Filesize
320KB

Download
memory/4228-1106-0x0000000004F10000-0x0000000004F20000-memory.dmp

Filesize
64KB

Download
memory/4740-1112-0x0000000000B90000-0x0000000000BC2000-memory.dmp

Filesize
200KB

Download
memory/4740-1113-0x00000000055D0000-0x000000000561B000-memory.dmp

Filesize
300KB

Download
memory/4740-1114-0x0000000005410000-0x0000000005420000-memory.dmp

Filesize
64KB

Download