redline | 63cee45dc4f3b93b96f2886bb6fe7bcacdb4ad6f158f7238b9b64d2e6ae36685

Analysis

max time kernel
56s
max time network
146s
platform
windows10-1703_x64
resource
win10-20230220-en
resource tags

arch:x64arch:x86image:win10-20230220-enlocale:en-usos:windows10-1703-x64system
submitted
02/04/2023, 15:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

63cee45dc4f3b93b96f2886bb6fe7bcacdb4ad6f158f7238b9b64d2e6ae36685.exe
Size

666KB
MD5

390865128d8592f9784b9753370a3280
SHA1

9a3afcec4ddc28e715b0b1aedb505e154fd2523e
SHA256

63cee45dc4f3b93b96f2886bb6fe7bcacdb4ad6f158f7238b9b64d2e6ae36685
SHA512

c0d51115c2e87f936ab833d2d3e3fbce85afa843d764240cbe4e90111927dba9e2e677e63fb177ffabc5b2785ce4cf00b51fba66ab56a47395ecca869ff6f159
SSDEEP

12288:wMrgy90kjzlTvvMO17H0SEmva0rq2oBD4yLFUe4gV95HulmvHkFd5w/bF:AyrD17UQS0rqRBD4cFUVgVPusfkn5w/J

Score

10^/10

redline rosn spora discovery evasion infostealer persistence spyware stealer trojan

Malware Config

Extracted

Family

redline

Botnet

rosn

176.113.115.145:4125

Attributes

auth_value
050a19e1db4d0024b0f23b37dcf961f4

Extracted

Family

redline

Botnet

spora

176.113.115.145:4125

Attributes

auth_value
441b39ab37774b2ca9931c31e1bc6071

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs 5 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	pro6733.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	pro6733.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	pro6733.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	pro6733.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	pro6733.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 20 IoCs

resource	yara_rule
behavioral1/memory/2136-177-0x00000000027C0000-0x0000000002806000-memory.dmp	family_redline
behavioral1/memory/2136-178-0x00000000028B0000-0x00000000028F4000-memory.dmp	family_redline
behavioral1/memory/2136-179-0x00000000028B0000-0x00000000028EF000-memory.dmp	family_redline
behavioral1/memory/2136-180-0x00000000028B0000-0x00000000028EF000-memory.dmp	family_redline
behavioral1/memory/2136-182-0x00000000028B0000-0x00000000028EF000-memory.dmp	family_redline
behavioral1/memory/2136-186-0x00000000028B0000-0x00000000028EF000-memory.dmp	family_redline
behavioral1/memory/2136-190-0x00000000028B0000-0x00000000028EF000-memory.dmp	family_redline
behavioral1/memory/2136-192-0x00000000028B0000-0x00000000028EF000-memory.dmp	family_redline
behavioral1/memory/2136-194-0x00000000028B0000-0x00000000028EF000-memory.dmp	family_redline
behavioral1/memory/2136-196-0x00000000028B0000-0x00000000028EF000-memory.dmp	family_redline
behavioral1/memory/2136-198-0x00000000028B0000-0x00000000028EF000-memory.dmp	family_redline
behavioral1/memory/2136-200-0x00000000028B0000-0x00000000028EF000-memory.dmp	family_redline
behavioral1/memory/2136-202-0x00000000028B0000-0x00000000028EF000-memory.dmp	family_redline
behavioral1/memory/2136-204-0x00000000028B0000-0x00000000028EF000-memory.dmp	family_redline
behavioral1/memory/2136-206-0x00000000028B0000-0x00000000028EF000-memory.dmp	family_redline
behavioral1/memory/2136-208-0x00000000028B0000-0x00000000028EF000-memory.dmp	family_redline
behavioral1/memory/2136-210-0x00000000028B0000-0x00000000028EF000-memory.dmp	family_redline
behavioral1/memory/2136-212-0x00000000028B0000-0x00000000028EF000-memory.dmp	family_redline
behavioral1/memory/2136-214-0x00000000028B0000-0x00000000028EF000-memory.dmp	family_redline
behavioral1/memory/2136-216-0x00000000028B0000-0x00000000028EF000-memory.dmp	family_redline

Executes dropped EXE 4 IoCs

pid	Process
4692	un378260.exe
2332	pro6733.exe
2136	qu6508.exe
4752	si202819.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	pro6733.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	pro6733.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	63cee45dc4f3b93b96f2886bb6fe7bcacdb4ad6f158f7238b9b64d2e6ae36685.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	un378260.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	un378260.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	63cee45dc4f3b93b96f2886bb6fe7bcacdb4ad6f158f7238b9b64d2e6ae36685.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
2332	pro6733.exe
2332	pro6733.exe
2136	qu6508.exe
2136	qu6508.exe
4752	si202819.exe
4752	si202819.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	2332	pro6733.exe
Token: SeDebugPrivilege	2136	qu6508.exe
Token: SeDebugPrivilege	4752	si202819.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1980 wrote to memory of 4692	1980	63cee45dc4f3b93b96f2886bb6fe7bcacdb4ad6f158f7238b9b64d2e6ae36685.exe	66
PID 1980 wrote to memory of 4692	1980	63cee45dc4f3b93b96f2886bb6fe7bcacdb4ad6f158f7238b9b64d2e6ae36685.exe	66
PID 1980 wrote to memory of 4692	1980	63cee45dc4f3b93b96f2886bb6fe7bcacdb4ad6f158f7238b9b64d2e6ae36685.exe	66
PID 4692 wrote to memory of 2332	4692	un378260.exe	67
PID 4692 wrote to memory of 2332	4692	un378260.exe	67
PID 4692 wrote to memory of 2332	4692	un378260.exe	67
PID 4692 wrote to memory of 2136	4692	un378260.exe	68
PID 4692 wrote to memory of 2136	4692	un378260.exe	68
PID 4692 wrote to memory of 2136	4692	un378260.exe	68
PID 1980 wrote to memory of 4752	1980	63cee45dc4f3b93b96f2886bb6fe7bcacdb4ad6f158f7238b9b64d2e6ae36685.exe	70
PID 1980 wrote to memory of 4752	1980	63cee45dc4f3b93b96f2886bb6fe7bcacdb4ad6f158f7238b9b64d2e6ae36685.exe	70
PID 1980 wrote to memory of 4752	1980	63cee45dc4f3b93b96f2886bb6fe7bcacdb4ad6f158f7238b9b64d2e6ae36685.exe	70

C:\Users\Admin\AppData\Local\Temp\63cee45dc4f3b93b96f2886bb6fe7bcacdb4ad6f158f7238b9b64d2e6ae36685.exe
"C:\Users\Admin\AppData\Local\Temp\63cee45dc4f3b93b96f2886bb6fe7bcacdb4ad6f158f7238b9b64d2e6ae36685.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1980
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un378260.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un378260.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:4692
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro6733.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro6733.exe
    3⤵
    - Modifies Windows Defender Real-time Protection settings
    - Executes dropped EXE
    - Windows security modification
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2332
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu6508.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu6508.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2136
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si202819.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si202819.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4752

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si202819.exe

Filesize
175KB

MD5
55cdea1e46ff445f1eba8971f44ebf36

SHA1
442a975b2d5775ee28c2504c753b8456cbdf5373

SHA256
4134b7b62bfcb90df5244a2eaeff2b8320af26c594a3ba5b8737dc2981354b6e

SHA512
dd21515dd5dfd327cfd29c5ea91ba6c171f0ae98937c3b81295686c891d3354b28ec6c2e7184c6b67e18bfc235a475b63453767325fce06c020ed186cd05f1a8

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si202819.exe

Filesize
175KB

MD5
55cdea1e46ff445f1eba8971f44ebf36

SHA1
442a975b2d5775ee28c2504c753b8456cbdf5373

SHA256
4134b7b62bfcb90df5244a2eaeff2b8320af26c594a3ba5b8737dc2981354b6e

SHA512
dd21515dd5dfd327cfd29c5ea91ba6c171f0ae98937c3b81295686c891d3354b28ec6c2e7184c6b67e18bfc235a475b63453767325fce06c020ed186cd05f1a8

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un378260.exe

Filesize
524KB

MD5
5e40000546bf5ba1b7a920f13acdf116

SHA1
c767a2bb2ee396ff33c6f257b1f590e14297b602

SHA256
dc2b663bb43f983298003ed053531ae8fb8019d1e32a2834e291daace284407a

SHA512
2184c5d1507ba5f5a46058f6dfdb739130db779c2c68dbd7f587c8802d18f41e92eea176e4314ea24c6ec422bd8b06e79ff31a41cc3027ed8fbb87aec8c28042

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un378260.exe

Filesize
524KB

MD5
5e40000546bf5ba1b7a920f13acdf116

SHA1
c767a2bb2ee396ff33c6f257b1f590e14297b602

SHA256
dc2b663bb43f983298003ed053531ae8fb8019d1e32a2834e291daace284407a

SHA512
2184c5d1507ba5f5a46058f6dfdb739130db779c2c68dbd7f587c8802d18f41e92eea176e4314ea24c6ec422bd8b06e79ff31a41cc3027ed8fbb87aec8c28042

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro6733.exe

Filesize
295KB

MD5
d574849945d46b2d877cf8dc9f7222f5

SHA1
5b62bbb8cf8c191f4c7e7acace71fcaf186a016a

SHA256
6bb290390fd7058c40ffcf043501c770aebadbb0004d4d22bdc41f02d0726a7d

SHA512
3bec8da9471053bfc0a2f730f82e6a27cbe5dc7b5d824279ebb248bb3c0c0c478a037d84b4c82974746feec5a2b2511b42b6633bfe016d015e527591946dcaa2

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro6733.exe

Filesize
295KB

MD5
d574849945d46b2d877cf8dc9f7222f5

SHA1
5b62bbb8cf8c191f4c7e7acace71fcaf186a016a

SHA256
6bb290390fd7058c40ffcf043501c770aebadbb0004d4d22bdc41f02d0726a7d

SHA512
3bec8da9471053bfc0a2f730f82e6a27cbe5dc7b5d824279ebb248bb3c0c0c478a037d84b4c82974746feec5a2b2511b42b6633bfe016d015e527591946dcaa2

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu6508.exe

Filesize
353KB

MD5
95a58fbe33f442a40d03ad44c331ca89

SHA1
3f58f098f2dfe42105fc5a2add2e83c4bae97b86

SHA256
185111840d8fcd9f07ed88bea784f8af0326d3d5d6ff75c61a2773fd2f23d532

SHA512
fc36508c2e0fd167caf701926bae804347b4e47047e613ee7c0f7cc651b5f91c220de36a126f07ddb67bca20ed31e58da9de5a2f07be9ad5eda4a467d1bb694f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu6508.exe

Filesize
353KB

MD5
95a58fbe33f442a40d03ad44c331ca89

SHA1
3f58f098f2dfe42105fc5a2add2e83c4bae97b86

SHA256
185111840d8fcd9f07ed88bea784f8af0326d3d5d6ff75c61a2773fd2f23d532

SHA512
fc36508c2e0fd167caf701926bae804347b4e47047e613ee7c0f7cc651b5f91c220de36a126f07ddb67bca20ed31e58da9de5a2f07be9ad5eda4a467d1bb694f

Download Submit
memory/2136-1090-0x00000000059E0000-0x0000000005AEA000-memory.dmp

Filesize
1.0MB

Download
memory/2136-1093-0x0000000002830000-0x0000000002840000-memory.dmp

Filesize
64KB

Download
memory/2136-192-0x00000000028B0000-0x00000000028EF000-memory.dmp

Filesize
252KB

Download
memory/2136-1105-0x0000000002830000-0x0000000002840000-memory.dmp

Filesize
64KB

Download
memory/2136-1104-0x0000000006960000-0x0000000006E8C000-memory.dmp

Filesize
5.2MB

Download
memory/2136-1103-0x0000000006790000-0x0000000006952000-memory.dmp

Filesize
1.8MB

Download
memory/2136-1102-0x0000000006700000-0x0000000006750000-memory.dmp

Filesize
320KB

Download
memory/2136-1101-0x0000000006670000-0x00000000066E6000-memory.dmp

Filesize
472KB

Download
memory/2136-1100-0x00000000064B0000-0x0000000006542000-memory.dmp

Filesize
584KB

Download
memory/2136-1099-0x0000000005DF0000-0x0000000005E56000-memory.dmp

Filesize
408KB

Download
memory/2136-1098-0x0000000002830000-0x0000000002840000-memory.dmp

Filesize
64KB

Download
memory/2136-1096-0x0000000002830000-0x0000000002840000-memory.dmp

Filesize
64KB

Download
memory/2136-1097-0x0000000002830000-0x0000000002840000-memory.dmp

Filesize
64KB

Download
memory/2136-1094-0x0000000005C60000-0x0000000005CAB000-memory.dmp

Filesize
300KB

Download
memory/2136-1092-0x0000000005B10000-0x0000000005B4E000-memory.dmp

Filesize
248KB

Download
memory/2136-1091-0x0000000005AF0000-0x0000000005B02000-memory.dmp

Filesize
72KB

Download
memory/2136-1089-0x00000000053D0000-0x00000000059D6000-memory.dmp

Filesize
6.0MB

Download
memory/2136-216-0x00000000028B0000-0x00000000028EF000-memory.dmp

Filesize
252KB

Download
memory/2136-214-0x00000000028B0000-0x00000000028EF000-memory.dmp

Filesize
252KB

Download
memory/2136-212-0x00000000028B0000-0x00000000028EF000-memory.dmp

Filesize
252KB

Download
memory/2136-194-0x00000000028B0000-0x00000000028EF000-memory.dmp

Filesize
252KB

Download
memory/2136-177-0x00000000027C0000-0x0000000002806000-memory.dmp

Filesize
280KB

Download
memory/2136-178-0x00000000028B0000-0x00000000028F4000-memory.dmp

Filesize
272KB

Download
memory/2136-179-0x00000000028B0000-0x00000000028EF000-memory.dmp

Filesize
252KB

Download
memory/2136-180-0x00000000028B0000-0x00000000028EF000-memory.dmp

Filesize
252KB

Download
memory/2136-182-0x00000000028B0000-0x00000000028EF000-memory.dmp

Filesize
252KB

Download
memory/2136-184-0x00000000008E0000-0x000000000092B000-memory.dmp

Filesize
300KB

Download
memory/2136-187-0x0000000002830000-0x0000000002840000-memory.dmp

Filesize
64KB

Download
memory/2136-186-0x00000000028B0000-0x00000000028EF000-memory.dmp

Filesize
252KB

Download
memory/2136-188-0x0000000002830000-0x0000000002840000-memory.dmp

Filesize
64KB

Download
memory/2136-185-0x0000000002830000-0x0000000002840000-memory.dmp

Filesize
64KB

Download
memory/2136-190-0x00000000028B0000-0x00000000028EF000-memory.dmp

Filesize
252KB

Download
memory/2136-208-0x00000000028B0000-0x00000000028EF000-memory.dmp

Filesize
252KB

Download
memory/2136-196-0x00000000028B0000-0x00000000028EF000-memory.dmp

Filesize
252KB

Download
memory/2136-210-0x00000000028B0000-0x00000000028EF000-memory.dmp

Filesize
252KB

Download
memory/2136-198-0x00000000028B0000-0x00000000028EF000-memory.dmp

Filesize
252KB

Download
memory/2136-200-0x00000000028B0000-0x00000000028EF000-memory.dmp

Filesize
252KB

Download
memory/2136-202-0x00000000028B0000-0x00000000028EF000-memory.dmp

Filesize
252KB

Download
memory/2136-204-0x00000000028B0000-0x00000000028EF000-memory.dmp

Filesize
252KB

Download
memory/2136-206-0x00000000028B0000-0x00000000028EF000-memory.dmp

Filesize
252KB

Download
memory/2332-148-0x0000000005230000-0x0000000005242000-memory.dmp

Filesize
72KB

Download
memory/2332-136-0x0000000002620000-0x000000000263A000-memory.dmp

Filesize
104KB

Download
memory/2332-140-0x0000000002660000-0x0000000002670000-memory.dmp

Filesize
64KB

Download
memory/2332-172-0x0000000000400000-0x00000000007FE000-memory.dmp

Filesize
4.0MB

Download
memory/2332-170-0x0000000002660000-0x0000000002670000-memory.dmp

Filesize
64KB

Download
memory/2332-169-0x0000000000400000-0x00000000007FE000-memory.dmp

Filesize
4.0MB

Download
memory/2332-138-0x0000000005230000-0x0000000005248000-memory.dmp

Filesize
96KB

Download
memory/2332-168-0x0000000005230000-0x0000000005242000-memory.dmp

Filesize
72KB

Download
memory/2332-166-0x0000000005230000-0x0000000005242000-memory.dmp

Filesize
72KB

Download
memory/2332-141-0x0000000005230000-0x0000000005242000-memory.dmp

Filesize
72KB

Download
memory/2332-158-0x0000000005230000-0x0000000005242000-memory.dmp

Filesize
72KB

Download
memory/2332-142-0x0000000005230000-0x0000000005242000-memory.dmp

Filesize
72KB

Download
memory/2332-139-0x0000000000800000-0x000000000082D000-memory.dmp

Filesize
180KB

Download
memory/2332-162-0x0000000005230000-0x0000000005242000-memory.dmp

Filesize
72KB

Download
memory/2332-160-0x0000000005230000-0x0000000005242000-memory.dmp

Filesize
72KB

Download
memory/2332-154-0x0000000005230000-0x0000000005242000-memory.dmp

Filesize
72KB

Download
memory/2332-152-0x0000000005230000-0x0000000005242000-memory.dmp

Filesize
72KB

Download
memory/2332-150-0x0000000005230000-0x0000000005242000-memory.dmp

Filesize
72KB

Download
memory/2332-156-0x0000000005230000-0x0000000005242000-memory.dmp

Filesize
72KB

Download
memory/2332-146-0x0000000005230000-0x0000000005242000-memory.dmp

Filesize
72KB

Download
memory/2332-144-0x0000000005230000-0x0000000005242000-memory.dmp

Filesize
72KB

Download
memory/2332-137-0x0000000004CF0000-0x00000000051EE000-memory.dmp

Filesize
5.0MB

Download
memory/2332-164-0x0000000005230000-0x0000000005242000-memory.dmp

Filesize
72KB

Download
memory/4752-1111-0x0000000000C20000-0x0000000000C52000-memory.dmp

Filesize
200KB

Download
memory/4752-1112-0x0000000005660000-0x00000000056AB000-memory.dmp

Filesize
300KB

Download
memory/4752-1113-0x00000000054C0000-0x00000000054D0000-memory.dmp

Filesize
64KB

Download