redline | 2514a75e9c3cf3e3bb9806654b1d563d7a8d88b7e03419a5cedd44ef8bdc3b16

Analysis

max time kernel
144s
max time network
147s
platform
windows10-1703_x64
resource
win10-20230220-en
resource tags

arch:x64arch:x86image:win10-20230220-enlocale:en-usos:windows10-1703-x64system
submitted
02/04/2023, 16:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2514a75e9c3cf3e3bb9806654b1d563d7a8d88b7e03419a5cedd44ef8bdc3b16.exe
Size

666KB
MD5

b3e36223d3d075e550e97baab6c626bb
SHA1

125cc6bc5d604786220e5c6978707bfb92e6e430
SHA256

2514a75e9c3cf3e3bb9806654b1d563d7a8d88b7e03419a5cedd44ef8bdc3b16
SHA512

3eecd4ba06323a6984665b7f76d922527500ea3568c41aa6bb66bbd6971d841b9b2cf629462052d318af59d6816aa0b8b8a8f44298875a9ea49a60d5ff2e3b51
SSDEEP

12288:DMrUy90T8vRnaakDJNwTGlfFQrwH7o7lktS8PKxklyohWzC6dckkL:DyHvRpkDJNwBwHlixklpWdi

Score

10^/10

redline rosn spora discovery evasion infostealer persistence spyware stealer trojan

Malware Config

Extracted

Family

redline

Botnet

rosn

176.113.115.145:4125

Attributes

auth_value
050a19e1db4d0024b0f23b37dcf961f4

Extracted

Family

redline

Botnet

spora

176.113.115.145:4125

Attributes

auth_value
441b39ab37774b2ca9931c31e1bc6071

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs 5 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	pro4363.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	pro4363.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	pro4363.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	pro4363.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	pro4363.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 20 IoCs

resource	yara_rule
behavioral1/memory/952-179-0x00000000024D0000-0x0000000002516000-memory.dmp	family_redline
behavioral1/memory/952-180-0x0000000002720000-0x0000000002764000-memory.dmp	family_redline
behavioral1/memory/952-181-0x0000000002720000-0x000000000275F000-memory.dmp	family_redline
behavioral1/memory/952-184-0x0000000002720000-0x000000000275F000-memory.dmp	family_redline
behavioral1/memory/952-182-0x0000000002720000-0x000000000275F000-memory.dmp	family_redline
behavioral1/memory/952-186-0x0000000002720000-0x000000000275F000-memory.dmp	family_redline
behavioral1/memory/952-188-0x0000000002720000-0x000000000275F000-memory.dmp	family_redline
behavioral1/memory/952-190-0x0000000002720000-0x000000000275F000-memory.dmp	family_redline
behavioral1/memory/952-192-0x0000000002720000-0x000000000275F000-memory.dmp	family_redline
behavioral1/memory/952-194-0x0000000002720000-0x000000000275F000-memory.dmp	family_redline
behavioral1/memory/952-196-0x0000000002720000-0x000000000275F000-memory.dmp	family_redline
behavioral1/memory/952-198-0x0000000002720000-0x000000000275F000-memory.dmp	family_redline
behavioral1/memory/952-200-0x0000000002720000-0x000000000275F000-memory.dmp	family_redline
behavioral1/memory/952-202-0x0000000002720000-0x000000000275F000-memory.dmp	family_redline
behavioral1/memory/952-204-0x0000000002720000-0x000000000275F000-memory.dmp	family_redline
behavioral1/memory/952-206-0x0000000002720000-0x000000000275F000-memory.dmp	family_redline
behavioral1/memory/952-208-0x0000000002720000-0x000000000275F000-memory.dmp	family_redline
behavioral1/memory/952-210-0x0000000002720000-0x000000000275F000-memory.dmp	family_redline
behavioral1/memory/952-215-0x0000000002720000-0x000000000275F000-memory.dmp	family_redline
behavioral1/memory/952-218-0x0000000002720000-0x000000000275F000-memory.dmp	family_redline

Executes dropped EXE 4 IoCs

pid	Process
4236	un098761.exe
4208	pro4363.exe
952	qu4191.exe
4916	si527760.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	pro4363.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	pro4363.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	2514a75e9c3cf3e3bb9806654b1d563d7a8d88b7e03419a5cedd44ef8bdc3b16.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	2514a75e9c3cf3e3bb9806654b1d563d7a8d88b7e03419a5cedd44ef8bdc3b16.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	un098761.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	un098761.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
4208	pro4363.exe
4208	pro4363.exe
952	qu4191.exe
952	qu4191.exe
4916	si527760.exe
4916	si527760.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	4208	pro4363.exe
Token: SeDebugPrivilege	952	qu4191.exe
Token: SeDebugPrivilege	4916	si527760.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2760 wrote to memory of 4236	2760	2514a75e9c3cf3e3bb9806654b1d563d7a8d88b7e03419a5cedd44ef8bdc3b16.exe	66
PID 2760 wrote to memory of 4236	2760	2514a75e9c3cf3e3bb9806654b1d563d7a8d88b7e03419a5cedd44ef8bdc3b16.exe	66
PID 2760 wrote to memory of 4236	2760	2514a75e9c3cf3e3bb9806654b1d563d7a8d88b7e03419a5cedd44ef8bdc3b16.exe	66
PID 4236 wrote to memory of 4208	4236	un098761.exe	67
PID 4236 wrote to memory of 4208	4236	un098761.exe	67
PID 4236 wrote to memory of 4208	4236	un098761.exe	67
PID 4236 wrote to memory of 952	4236	un098761.exe	68
PID 4236 wrote to memory of 952	4236	un098761.exe	68
PID 4236 wrote to memory of 952	4236	un098761.exe	68
PID 2760 wrote to memory of 4916	2760	2514a75e9c3cf3e3bb9806654b1d563d7a8d88b7e03419a5cedd44ef8bdc3b16.exe	70
PID 2760 wrote to memory of 4916	2760	2514a75e9c3cf3e3bb9806654b1d563d7a8d88b7e03419a5cedd44ef8bdc3b16.exe	70
PID 2760 wrote to memory of 4916	2760	2514a75e9c3cf3e3bb9806654b1d563d7a8d88b7e03419a5cedd44ef8bdc3b16.exe	70

C:\Users\Admin\AppData\Local\Temp\2514a75e9c3cf3e3bb9806654b1d563d7a8d88b7e03419a5cedd44ef8bdc3b16.exe
"C:\Users\Admin\AppData\Local\Temp\2514a75e9c3cf3e3bb9806654b1d563d7a8d88b7e03419a5cedd44ef8bdc3b16.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2760
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un098761.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un098761.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:4236
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro4363.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro4363.exe
    3⤵
    - Modifies Windows Defender Real-time Protection settings
    - Executes dropped EXE
    - Windows security modification
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4208
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu4191.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu4191.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:952
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si527760.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si527760.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4916

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si527760.exe

Filesize
175KB

MD5
4098a78292caaa13eeed5d294ed06bb2

SHA1
094f0619c6990335103211bf875b16146c1c05bc

SHA256
546f8dc365aacdf2cd313002009ad7c4255d9f368b54053c7deffdedb1fe9b67

SHA512
1881e2c44e0706669ac3b9b9980e5b1d27d743cd5371909a2fa161d75cff934e0d8356a495cd48e356f85424db927c87d5e09febf38bd859693c5b91154e54bb

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si527760.exe

Filesize
175KB

MD5
4098a78292caaa13eeed5d294ed06bb2

SHA1
094f0619c6990335103211bf875b16146c1c05bc

SHA256
546f8dc365aacdf2cd313002009ad7c4255d9f368b54053c7deffdedb1fe9b67

SHA512
1881e2c44e0706669ac3b9b9980e5b1d27d743cd5371909a2fa161d75cff934e0d8356a495cd48e356f85424db927c87d5e09febf38bd859693c5b91154e54bb

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un098761.exe

Filesize
524KB

MD5
8ff381df292286b90f9fe37327856bc2

SHA1
602907934c131859ebab833add2dd4d929ca5cad

SHA256
e8bd2eefa50d5b589473a1b9e054ddf96a1ba88eabb70b494a1229d68d36ae15

SHA512
33ef448aff080007d26d345f3dba92511a8142debd4231ad0953744eed58d9fe415743480535c06a3049d8a3c638d39e19df62738b6088facf2f1af512efa40d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un098761.exe

Filesize
524KB

MD5
8ff381df292286b90f9fe37327856bc2

SHA1
602907934c131859ebab833add2dd4d929ca5cad

SHA256
e8bd2eefa50d5b589473a1b9e054ddf96a1ba88eabb70b494a1229d68d36ae15

SHA512
33ef448aff080007d26d345f3dba92511a8142debd4231ad0953744eed58d9fe415743480535c06a3049d8a3c638d39e19df62738b6088facf2f1af512efa40d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro4363.exe

Filesize
295KB

MD5
9368334eec95a9eb00fae7454509eb16

SHA1
b532802fb18afa7c5ecc72c13e2acc8757556b0d

SHA256
5cf8dba30abbf92fe7170f71d9b3bd5f5c2f4430872238dae2efe84a1af793a3

SHA512
b346b5c3b7f6426ccb0142471b4931d7a77c302270167af27dba44577d23bea51b8459b143e305e3591d7a378bd3cce4f4c01aabb571a9ce2a242d980036679c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro4363.exe

Filesize
295KB

MD5
9368334eec95a9eb00fae7454509eb16

SHA1
b532802fb18afa7c5ecc72c13e2acc8757556b0d

SHA256
5cf8dba30abbf92fe7170f71d9b3bd5f5c2f4430872238dae2efe84a1af793a3

SHA512
b346b5c3b7f6426ccb0142471b4931d7a77c302270167af27dba44577d23bea51b8459b143e305e3591d7a378bd3cce4f4c01aabb571a9ce2a242d980036679c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu4191.exe

Filesize
353KB

MD5
c49f7392ba59cbe30d8610f09a863a03

SHA1
7df8ac3b916baf364777b794c98fecef3c9db582

SHA256
6b56c76d572b383573ff108058ee5cafe6f077499c7177b4acb46d5425415493

SHA512
784b03b341394502b308e129c13b91780257ad509ade1d139f14522f1783a86a7d06a2a1121ef21e331eab3d0ae01519796576a4821e7708dc8f2d961a0b86b6

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu4191.exe

Filesize
353KB

MD5
c49f7392ba59cbe30d8610f09a863a03

SHA1
7df8ac3b916baf364777b794c98fecef3c9db582

SHA256
6b56c76d572b383573ff108058ee5cafe6f077499c7177b4acb46d5425415493

SHA512
784b03b341394502b308e129c13b91780257ad509ade1d139f14522f1783a86a7d06a2a1121ef21e331eab3d0ae01519796576a4821e7708dc8f2d961a0b86b6

Download Submit
memory/952-218-0x0000000002720000-0x000000000275F000-memory.dmp

Filesize
252KB

Download
memory/952-196-0x0000000002720000-0x000000000275F000-memory.dmp

Filesize
252KB

Download
memory/952-1107-0x0000000006E50000-0x0000000006EA0000-memory.dmp

Filesize
320KB

Download
memory/952-1106-0x0000000006DC0000-0x0000000006E36000-memory.dmp

Filesize
472KB

Download
memory/952-1105-0x0000000004FD0000-0x0000000004FE0000-memory.dmp

Filesize
64KB

Download
memory/952-1104-0x0000000006790000-0x0000000006CBC000-memory.dmp

Filesize
5.2MB

Download
memory/952-1103-0x00000000065C0000-0x0000000006782000-memory.dmp

Filesize
1.8MB

Download
memory/952-1102-0x0000000006390000-0x0000000006422000-memory.dmp

Filesize
584KB

Download
memory/952-1101-0x00000000057E0000-0x0000000005846000-memory.dmp

Filesize
408KB

Download
memory/952-1100-0x0000000004FD0000-0x0000000004FE0000-memory.dmp

Filesize
64KB

Download
memory/952-1099-0x0000000004FD0000-0x0000000004FE0000-memory.dmp

Filesize
64KB

Download
memory/952-1098-0x0000000004FD0000-0x0000000004FE0000-memory.dmp

Filesize
64KB

Download
memory/952-1096-0x0000000004F30000-0x0000000004F7B000-memory.dmp

Filesize
300KB

Download
memory/952-1095-0x0000000004FD0000-0x0000000004FE0000-memory.dmp

Filesize
64KB

Download
memory/952-1094-0x0000000004EF0000-0x0000000004F2E000-memory.dmp

Filesize
248KB

Download
memory/952-1093-0x0000000002870000-0x0000000002882000-memory.dmp

Filesize
72KB

Download
memory/952-1092-0x00000000054E0000-0x00000000055EA000-memory.dmp

Filesize
1.0MB

Download
memory/952-1091-0x0000000005AF0000-0x00000000060F6000-memory.dmp

Filesize
6.0MB

Download
memory/952-192-0x0000000002720000-0x000000000275F000-memory.dmp

Filesize
252KB

Download
memory/952-204-0x0000000002720000-0x000000000275F000-memory.dmp

Filesize
252KB

Download
memory/952-214-0x0000000004FD0000-0x0000000004FE0000-memory.dmp

Filesize
64KB

Download
memory/952-216-0x0000000004FD0000-0x0000000004FE0000-memory.dmp

Filesize
64KB

Download
memory/952-215-0x0000000002720000-0x000000000275F000-memory.dmp

Filesize
252KB

Download
memory/952-213-0x0000000004FD0000-0x0000000004FE0000-memory.dmp

Filesize
64KB

Download
memory/952-210-0x0000000002720000-0x000000000275F000-memory.dmp

Filesize
252KB

Download
memory/952-211-0x0000000000810000-0x000000000085B000-memory.dmp

Filesize
300KB

Download
memory/952-179-0x00000000024D0000-0x0000000002516000-memory.dmp

Filesize
280KB

Download
memory/952-180-0x0000000002720000-0x0000000002764000-memory.dmp

Filesize
272KB

Download
memory/952-181-0x0000000002720000-0x000000000275F000-memory.dmp

Filesize
252KB

Download
memory/952-184-0x0000000002720000-0x000000000275F000-memory.dmp

Filesize
252KB

Download
memory/952-182-0x0000000002720000-0x000000000275F000-memory.dmp

Filesize
252KB

Download
memory/952-186-0x0000000002720000-0x000000000275F000-memory.dmp

Filesize
252KB

Download
memory/952-194-0x0000000002720000-0x000000000275F000-memory.dmp

Filesize
252KB

Download
memory/952-190-0x0000000002720000-0x000000000275F000-memory.dmp

Filesize
252KB

Download
memory/952-208-0x0000000002720000-0x000000000275F000-memory.dmp

Filesize
252KB

Download
memory/952-188-0x0000000002720000-0x000000000275F000-memory.dmp

Filesize
252KB

Download
memory/952-206-0x0000000002720000-0x000000000275F000-memory.dmp

Filesize
252KB

Download
memory/952-198-0x0000000002720000-0x000000000275F000-memory.dmp

Filesize
252KB

Download
memory/952-200-0x0000000002720000-0x000000000275F000-memory.dmp

Filesize
252KB

Download
memory/952-202-0x0000000002720000-0x000000000275F000-memory.dmp

Filesize
252KB

Download
memory/4208-168-0x0000000000400000-0x00000000007FE000-memory.dmp

Filesize
4.0MB

Download
memory/4208-135-0x0000000002840000-0x000000000285A000-memory.dmp

Filesize
104KB

Download
memory/4208-138-0x0000000002A40000-0x0000000002A50000-memory.dmp

Filesize
64KB

Download
memory/4208-136-0x0000000004DD0000-0x00000000052CE000-memory.dmp

Filesize
5.0MB

Download
memory/4208-137-0x00000000029D0000-0x00000000029E8000-memory.dmp

Filesize
96KB

Download
memory/4208-174-0x0000000000400000-0x00000000007FE000-memory.dmp

Filesize
4.0MB

Download
memory/4208-172-0x0000000002A40000-0x0000000002A50000-memory.dmp

Filesize
64KB

Download
memory/4208-171-0x0000000002A40000-0x0000000002A50000-memory.dmp

Filesize
64KB

Download
memory/4208-170-0x0000000002A40000-0x0000000002A50000-memory.dmp

Filesize
64KB

Download
memory/4208-169-0x00000000001D0000-0x00000000001FD000-memory.dmp

Filesize
180KB

Download
memory/4208-167-0x00000000029D0000-0x00000000029E2000-memory.dmp

Filesize
72KB

Download
memory/4208-165-0x00000000029D0000-0x00000000029E2000-memory.dmp

Filesize
72KB

Download
memory/4208-163-0x00000000029D0000-0x00000000029E2000-memory.dmp

Filesize
72KB

Download
memory/4208-161-0x00000000029D0000-0x00000000029E2000-memory.dmp

Filesize
72KB

Download
memory/4208-159-0x00000000029D0000-0x00000000029E2000-memory.dmp

Filesize
72KB

Download
memory/4208-157-0x00000000029D0000-0x00000000029E2000-memory.dmp

Filesize
72KB

Download
memory/4208-155-0x00000000029D0000-0x00000000029E2000-memory.dmp

Filesize
72KB

Download
memory/4208-153-0x00000000029D0000-0x00000000029E2000-memory.dmp

Filesize
72KB

Download
memory/4208-151-0x00000000029D0000-0x00000000029E2000-memory.dmp

Filesize
72KB

Download
memory/4208-149-0x00000000029D0000-0x00000000029E2000-memory.dmp

Filesize
72KB

Download
memory/4208-147-0x00000000029D0000-0x00000000029E2000-memory.dmp

Filesize
72KB

Download
memory/4208-145-0x00000000029D0000-0x00000000029E2000-memory.dmp

Filesize
72KB

Download
memory/4208-143-0x00000000029D0000-0x00000000029E2000-memory.dmp

Filesize
72KB

Download
memory/4208-141-0x00000000029D0000-0x00000000029E2000-memory.dmp

Filesize
72KB

Download
memory/4208-140-0x00000000029D0000-0x00000000029E2000-memory.dmp

Filesize
72KB

Download
memory/4208-139-0x0000000002A40000-0x0000000002A50000-memory.dmp

Filesize
64KB

Download
memory/4208-134-0x0000000002A40000-0x0000000002A50000-memory.dmp

Filesize
64KB

Download
memory/4208-133-0x00000000001D0000-0x00000000001FD000-memory.dmp

Filesize
180KB

Download
memory/4916-1113-0x0000000000810000-0x0000000000842000-memory.dmp

Filesize
200KB

Download
memory/4916-1114-0x0000000005370000-0x0000000005380000-memory.dmp

Filesize
64KB

Download
memory/4916-1115-0x0000000005250000-0x000000000529B000-memory.dmp

Filesize
300KB

Download