redline | 35239ee8ab38b5be126c1f8942e792547bf262b13aafdeb23ea73d3c5185516a

Analysis

max time kernel
58s
max time network
147s
platform
windows10-1703_x64
resource
win10-20230220-en
resource tags

arch:x64arch:x86image:win10-20230220-enlocale:en-usos:windows10-1703-x64system
submitted
02-04-2023 11:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

35239ee8ab38b5be126c1f8942e792547bf262b13aafdeb23ea73d3c5185516a.exe
Size

659KB
MD5

3cf89559b707657aec53e5b2eb92f9a5
SHA1

52a764e018511167c53a10d4c4445041db2a386a
SHA256

35239ee8ab38b5be126c1f8942e792547bf262b13aafdeb23ea73d3c5185516a
SHA512

835c3103640fdbd634ddf9ba496dd69781ec7a490817ac61e761d63e8c3dce2a89243127af6731872498ee39625b2ad58eeead042e46459329c721ce50b45d92
SSDEEP

12288:qMrqy9014VzMgFw6agjBUibszb6EJOFhlRYHlJZrvD67Et6:0yIovFwVoBbaJOFC87Et6

Score

10^/10

redline rosn spora discovery evasion infostealer persistence spyware stealer trojan

Malware Config

Extracted

Family

redline

Botnet

rosn

176.113.115.145:4125

Attributes

auth_value
050a19e1db4d0024b0f23b37dcf961f4

Extracted

Family

redline

Botnet

spora

176.113.115.145:4125

Attributes

auth_value
441b39ab37774b2ca9931c31e1bc6071

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs 5 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	pro7433.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	pro7433.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	pro7433.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	pro7433.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	pro7433.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 20 IoCs

resource	yara_rule
behavioral1/memory/4620-177-0x00000000024A0000-0x00000000024E6000-memory.dmp	family_redline
behavioral1/memory/4620-180-0x0000000002820000-0x0000000002864000-memory.dmp	family_redline
behavioral1/memory/4620-183-0x0000000002820000-0x000000000285F000-memory.dmp	family_redline
behavioral1/memory/4620-186-0x0000000002820000-0x000000000285F000-memory.dmp	family_redline
behavioral1/memory/4620-184-0x0000000002820000-0x000000000285F000-memory.dmp	family_redline
behavioral1/memory/4620-188-0x0000000002820000-0x000000000285F000-memory.dmp	family_redline
behavioral1/memory/4620-190-0x0000000002820000-0x000000000285F000-memory.dmp	family_redline
behavioral1/memory/4620-192-0x0000000002820000-0x000000000285F000-memory.dmp	family_redline
behavioral1/memory/4620-194-0x0000000002820000-0x000000000285F000-memory.dmp	family_redline
behavioral1/memory/4620-196-0x0000000002820000-0x000000000285F000-memory.dmp	family_redline
behavioral1/memory/4620-198-0x0000000002820000-0x000000000285F000-memory.dmp	family_redline
behavioral1/memory/4620-200-0x0000000002820000-0x000000000285F000-memory.dmp	family_redline
behavioral1/memory/4620-202-0x0000000002820000-0x000000000285F000-memory.dmp	family_redline
behavioral1/memory/4620-204-0x0000000002820000-0x000000000285F000-memory.dmp	family_redline
behavioral1/memory/4620-206-0x0000000002820000-0x000000000285F000-memory.dmp	family_redline
behavioral1/memory/4620-208-0x0000000002820000-0x000000000285F000-memory.dmp	family_redline
behavioral1/memory/4620-210-0x0000000002820000-0x000000000285F000-memory.dmp	family_redline
behavioral1/memory/4620-212-0x0000000002820000-0x000000000285F000-memory.dmp	family_redline
behavioral1/memory/4620-214-0x0000000002820000-0x000000000285F000-memory.dmp	family_redline
behavioral1/memory/4620-216-0x0000000002820000-0x000000000285F000-memory.dmp	family_redline

Executes dropped EXE 4 IoCs

pid	Process
3472	un275350.exe
4532	pro7433.exe
4620	qu4344.exe
1536	si092197.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	pro7433.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	pro7433.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	35239ee8ab38b5be126c1f8942e792547bf262b13aafdeb23ea73d3c5185516a.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	un275350.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	un275350.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	35239ee8ab38b5be126c1f8942e792547bf262b13aafdeb23ea73d3c5185516a.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
4532	pro7433.exe
4532	pro7433.exe
4620	qu4344.exe
4620	qu4344.exe
1536	si092197.exe
1536	si092197.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	4532	pro7433.exe
Token: SeDebugPrivilege	4620	qu4344.exe
Token: SeDebugPrivilege	1536	si092197.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 3440 wrote to memory of 3472	3440	35239ee8ab38b5be126c1f8942e792547bf262b13aafdeb23ea73d3c5185516a.exe	66
PID 3440 wrote to memory of 3472	3440	35239ee8ab38b5be126c1f8942e792547bf262b13aafdeb23ea73d3c5185516a.exe	66
PID 3440 wrote to memory of 3472	3440	35239ee8ab38b5be126c1f8942e792547bf262b13aafdeb23ea73d3c5185516a.exe	66
PID 3472 wrote to memory of 4532	3472	un275350.exe	67
PID 3472 wrote to memory of 4532	3472	un275350.exe	67
PID 3472 wrote to memory of 4532	3472	un275350.exe	67
PID 3472 wrote to memory of 4620	3472	un275350.exe	68
PID 3472 wrote to memory of 4620	3472	un275350.exe	68
PID 3472 wrote to memory of 4620	3472	un275350.exe	68
PID 3440 wrote to memory of 1536	3440	35239ee8ab38b5be126c1f8942e792547bf262b13aafdeb23ea73d3c5185516a.exe	70
PID 3440 wrote to memory of 1536	3440	35239ee8ab38b5be126c1f8942e792547bf262b13aafdeb23ea73d3c5185516a.exe	70
PID 3440 wrote to memory of 1536	3440	35239ee8ab38b5be126c1f8942e792547bf262b13aafdeb23ea73d3c5185516a.exe	70

C:\Users\Admin\AppData\Local\Temp\35239ee8ab38b5be126c1f8942e792547bf262b13aafdeb23ea73d3c5185516a.exe
"C:\Users\Admin\AppData\Local\Temp\35239ee8ab38b5be126c1f8942e792547bf262b13aafdeb23ea73d3c5185516a.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3440
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un275350.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un275350.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:3472
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro7433.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro7433.exe
    3⤵
    - Modifies Windows Defender Real-time Protection settings
    - Executes dropped EXE
    - Windows security modification
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4532
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu4344.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu4344.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4620
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si092197.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si092197.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1536

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si092197.exe

Filesize
177KB

MD5
fbfe252d6ab4639daea7cdc13a6b8c12

SHA1
4f4f0a3da26053e2956345a2f6303a15d530bb78

SHA256
ee9c27c0fe3aeededd364cd45853e0858dcaca674b60cdd1766a437ae2c8789e

SHA512
49f63aa567786069f097301367b4523e10c376b83a94191dff192b1ec8b1653eaf760257b06fb8cccded6e84144ee264570a63e1b7fd5c8069531112b60fb724

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si092197.exe

Filesize
177KB

MD5
fbfe252d6ab4639daea7cdc13a6b8c12

SHA1
4f4f0a3da26053e2956345a2f6303a15d530bb78

SHA256
ee9c27c0fe3aeededd364cd45853e0858dcaca674b60cdd1766a437ae2c8789e

SHA512
49f63aa567786069f097301367b4523e10c376b83a94191dff192b1ec8b1653eaf760257b06fb8cccded6e84144ee264570a63e1b7fd5c8069531112b60fb724

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un275350.exe

Filesize
518KB

MD5
83e6cc7258bbae40c024d1c963b42abf

SHA1
6a7279a1999c844b5914510f4325da6a8c8e3c10

SHA256
132713b8448b9bf280d958cc614100a1040687fb3f45ab18728ae93d9b41b66c

SHA512
f2fbe617f71ab16ffa1fff060b6545d35e413e73dc44518c68029ba548a6230112705b2fa45f990f1614fa429f3c08320e1f02401f00afcd5e226c0c2dacc5f4

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un275350.exe

Filesize
518KB

MD5
83e6cc7258bbae40c024d1c963b42abf

SHA1
6a7279a1999c844b5914510f4325da6a8c8e3c10

SHA256
132713b8448b9bf280d958cc614100a1040687fb3f45ab18728ae93d9b41b66c

SHA512
f2fbe617f71ab16ffa1fff060b6545d35e413e73dc44518c68029ba548a6230112705b2fa45f990f1614fa429f3c08320e1f02401f00afcd5e226c0c2dacc5f4

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro7433.exe

Filesize
295KB

MD5
295bdfd3bc66ab99a1aa1599be3df59d

SHA1
799ae88c5baff18bc65cd02c93b0da0f2c767a5e

SHA256
711952bb928ede3c9d1a49dca0b790f51ea4ee81f170fc477614d7ef52818f25

SHA512
4dfeab71e0ead88f219a4ce6bcebe4168df13f8573b8adeffa8bbfd106361f43882c136b2cb53e9fcc267b28973b5e5badc10b3ef16222f72a09329c0ef52bdb

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro7433.exe

Filesize
295KB

MD5
295bdfd3bc66ab99a1aa1599be3df59d

SHA1
799ae88c5baff18bc65cd02c93b0da0f2c767a5e

SHA256
711952bb928ede3c9d1a49dca0b790f51ea4ee81f170fc477614d7ef52818f25

SHA512
4dfeab71e0ead88f219a4ce6bcebe4168df13f8573b8adeffa8bbfd106361f43882c136b2cb53e9fcc267b28973b5e5badc10b3ef16222f72a09329c0ef52bdb

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu4344.exe

Filesize
353KB

MD5
a10c23c815e00fb99fded0c4f1f8d2a9

SHA1
c18c484880c861333ade38742b5da247b2b21f76

SHA256
269fa89942a72e10affc5b0aab71dc1364bc15033cfdbc266a018417e4e04d70

SHA512
2525fe42670ba8a284cf81d6a30d74362560bf7f4bb580ec83ddcbdb393c6160eff82e89c0506da7ba2faaa80a3a6ae2dbc2f32eac737339c412db599530b154

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu4344.exe

Filesize
353KB

MD5
a10c23c815e00fb99fded0c4f1f8d2a9

SHA1
c18c484880c861333ade38742b5da247b2b21f76

SHA256
269fa89942a72e10affc5b0aab71dc1364bc15033cfdbc266a018417e4e04d70

SHA512
2525fe42670ba8a284cf81d6a30d74362560bf7f4bb580ec83ddcbdb393c6160eff82e89c0506da7ba2faaa80a3a6ae2dbc2f32eac737339c412db599530b154

Download Submit
memory/1536-1111-0x0000000000E50000-0x0000000000E82000-memory.dmp

Filesize
200KB

Download
memory/1536-1112-0x0000000005890000-0x00000000058DB000-memory.dmp

Filesize
300KB

Download
memory/1536-1113-0x00000000059A0000-0x00000000059B0000-memory.dmp

Filesize
64KB

Download
memory/1536-1114-0x00000000059A0000-0x00000000059B0000-memory.dmp

Filesize
64KB

Download
memory/4532-147-0x0000000002550000-0x0000000002562000-memory.dmp

Filesize
72KB

Download
memory/4532-161-0x0000000002550000-0x0000000002562000-memory.dmp

Filesize
72KB

Download
memory/4532-139-0x0000000002550000-0x0000000002562000-memory.dmp

Filesize
72KB

Download
memory/4532-141-0x0000000002550000-0x0000000002562000-memory.dmp

Filesize
72KB

Download
memory/4532-143-0x0000000002550000-0x0000000002562000-memory.dmp

Filesize
72KB

Download
memory/4532-145-0x0000000002550000-0x0000000002562000-memory.dmp

Filesize
72KB

Download
memory/4532-137-0x0000000002550000-0x0000000002568000-memory.dmp

Filesize
96KB

Download
memory/4532-149-0x0000000002550000-0x0000000002562000-memory.dmp

Filesize
72KB

Download
memory/4532-151-0x0000000002550000-0x0000000002562000-memory.dmp

Filesize
72KB

Download
memory/4532-153-0x0000000002550000-0x0000000002562000-memory.dmp

Filesize
72KB

Download
memory/4532-155-0x0000000002550000-0x0000000002562000-memory.dmp

Filesize
72KB

Download
memory/4532-157-0x0000000002550000-0x0000000002562000-memory.dmp

Filesize
72KB

Download
memory/4532-159-0x0000000002550000-0x0000000002562000-memory.dmp

Filesize
72KB

Download
memory/4532-138-0x0000000002550000-0x0000000002562000-memory.dmp

Filesize
72KB

Download
memory/4532-163-0x0000000002550000-0x0000000002562000-memory.dmp

Filesize
72KB

Download
memory/4532-165-0x0000000002550000-0x0000000002562000-memory.dmp

Filesize
72KB

Download
memory/4532-166-0x0000000004EE0000-0x0000000004EF0000-memory.dmp

Filesize
64KB

Download
memory/4532-167-0x0000000004EE0000-0x0000000004EF0000-memory.dmp

Filesize
64KB

Download
memory/4532-168-0x0000000004EE0000-0x0000000004EF0000-memory.dmp

Filesize
64KB

Download
memory/4532-169-0x0000000000400000-0x00000000007FE000-memory.dmp

Filesize
4.0MB

Download
memory/4532-171-0x0000000000400000-0x00000000007FE000-memory.dmp

Filesize
4.0MB

Download
memory/4532-172-0x0000000004EE0000-0x0000000004EF0000-memory.dmp

Filesize
64KB

Download
memory/4532-136-0x0000000004EF0000-0x00000000053EE000-memory.dmp

Filesize
5.0MB

Download
memory/4532-135-0x00000000024E0000-0x00000000024FA000-memory.dmp

Filesize
104KB

Download
memory/4532-134-0x0000000000800000-0x000000000082D000-memory.dmp

Filesize
180KB

Download
memory/4620-179-0x0000000004F20000-0x0000000004F30000-memory.dmp

Filesize
64KB

Download
memory/4620-214-0x0000000002820000-0x000000000285F000-memory.dmp

Filesize
252KB

Download
memory/4620-182-0x0000000004F20000-0x0000000004F30000-memory.dmp

Filesize
64KB

Download
memory/4620-183-0x0000000002820000-0x000000000285F000-memory.dmp

Filesize
252KB

Download
memory/4620-186-0x0000000002820000-0x000000000285F000-memory.dmp

Filesize
252KB

Download
memory/4620-184-0x0000000002820000-0x000000000285F000-memory.dmp

Filesize
252KB

Download
memory/4620-188-0x0000000002820000-0x000000000285F000-memory.dmp

Filesize
252KB

Download
memory/4620-190-0x0000000002820000-0x000000000285F000-memory.dmp

Filesize
252KB

Download
memory/4620-192-0x0000000002820000-0x000000000285F000-memory.dmp

Filesize
252KB

Download
memory/4620-194-0x0000000002820000-0x000000000285F000-memory.dmp

Filesize
252KB

Download
memory/4620-196-0x0000000002820000-0x000000000285F000-memory.dmp

Filesize
252KB

Download
memory/4620-198-0x0000000002820000-0x000000000285F000-memory.dmp

Filesize
252KB

Download
memory/4620-200-0x0000000002820000-0x000000000285F000-memory.dmp

Filesize
252KB

Download
memory/4620-202-0x0000000002820000-0x000000000285F000-memory.dmp

Filesize
252KB

Download
memory/4620-204-0x0000000002820000-0x000000000285F000-memory.dmp

Filesize
252KB

Download
memory/4620-206-0x0000000002820000-0x000000000285F000-memory.dmp

Filesize
252KB

Download
memory/4620-208-0x0000000002820000-0x000000000285F000-memory.dmp

Filesize
252KB

Download
memory/4620-210-0x0000000002820000-0x000000000285F000-memory.dmp

Filesize
252KB

Download
memory/4620-212-0x0000000002820000-0x000000000285F000-memory.dmp

Filesize
252KB

Download
memory/4620-181-0x0000000004F20000-0x0000000004F30000-memory.dmp

Filesize
64KB

Download
memory/4620-216-0x0000000002820000-0x000000000285F000-memory.dmp

Filesize
252KB

Download
memory/4620-1089-0x0000000005430000-0x0000000005A36000-memory.dmp

Filesize
6.0MB

Download
memory/4620-1090-0x0000000005A40000-0x0000000005B4A000-memory.dmp

Filesize
1.0MB

Download
memory/4620-1091-0x0000000004EC0000-0x0000000004ED2000-memory.dmp

Filesize
72KB

Download
memory/4620-1092-0x0000000004EE0000-0x0000000004F1E000-memory.dmp

Filesize
248KB

Download
memory/4620-1093-0x0000000004F20000-0x0000000004F30000-memory.dmp

Filesize
64KB

Download
memory/4620-1094-0x0000000005C60000-0x0000000005CAB000-memory.dmp

Filesize
300KB

Download
memory/4620-1096-0x0000000005DF0000-0x0000000005E56000-memory.dmp

Filesize
408KB

Download
memory/4620-1097-0x00000000064C0000-0x0000000006552000-memory.dmp

Filesize
584KB

Download
memory/4620-1098-0x0000000004F20000-0x0000000004F30000-memory.dmp

Filesize
64KB

Download
memory/4620-1099-0x0000000004F20000-0x0000000004F30000-memory.dmp

Filesize
64KB

Download
memory/4620-1100-0x0000000004F20000-0x0000000004F30000-memory.dmp

Filesize
64KB

Download
memory/4620-1101-0x0000000004F20000-0x0000000004F30000-memory.dmp

Filesize
64KB

Download
memory/4620-1102-0x0000000007A50000-0x0000000007AC6000-memory.dmp

Filesize
472KB

Download
memory/4620-180-0x0000000002820000-0x0000000002864000-memory.dmp

Filesize
272KB

Download
memory/4620-178-0x0000000000920000-0x000000000096B000-memory.dmp

Filesize
300KB

Download
memory/4620-177-0x00000000024A0000-0x00000000024E6000-memory.dmp

Filesize
280KB

Download
memory/4620-1103-0x0000000002740000-0x0000000002790000-memory.dmp

Filesize
320KB

Download
memory/4620-1104-0x0000000007AD0000-0x0000000007C92000-memory.dmp

Filesize
1.8MB

Download
memory/4620-1105-0x0000000007CB0000-0x00000000081DC000-memory.dmp

Filesize
5.2MB

Download