redline | 31ad382e213e5d66b9ccdcd5b457763990af065ab7141f0d9e8e4952b0d1da6e

Analysis

max time kernel
112s
max time network
137s
platform
windows10-2004_x64
resource
win10v2004-20230221-en
resource tags

arch:x64arch:x86image:win10v2004-20230221-enlocale:en-usos:windows10-2004-x64system
submitted
03/04/2023, 21:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

31ad382e213e5d66b9ccdcd5b457763990af065ab7141f0d9e8e4952b0d1da6e.exe
Size

659KB
MD5

0da5a0fc4ad00a860e777bb73770cee9
SHA1

b57540efb160aa5d37699cdf0bb919147036381d
SHA256

31ad382e213e5d66b9ccdcd5b457763990af065ab7141f0d9e8e4952b0d1da6e
SHA512

1f275b5f0552805c4656853a3c6245708eba025c365ae9b6efcc1b5d3a4f8baa7e23241f68b8364754e4d25b0e98c814141bfb5e3278b021f7947a9e8c9f649b
SSDEEP

12288:IMr2y90FfPPzt6/40pbY/oj7y8T4ere3JlNt59/rwZZiCXa7ft/ju2MJ:eyKfPbUDO87y3TlNt5RqZjXgBE

Score

10^/10

redline rosn spora discovery evasion infostealer persistence spyware stealer trojan

Malware Config

Extracted

Family

redline

Botnet

rosn

176.113.115.145:4125

Attributes

auth_value
050a19e1db4d0024b0f23b37dcf961f4

Extracted

Family

redline

Botnet

spora

176.113.115.145:4125

Attributes

auth_value
441b39ab37774b2ca9931c31e1bc6071

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	pro5294.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	pro5294.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	pro5294.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	pro5294.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	pro5294.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	pro5294.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 16 IoCs

resource	yara_rule
behavioral1/memory/2016-199-0x0000000002610000-0x000000000264F000-memory.dmp	family_redline
behavioral1/memory/2016-200-0x0000000002610000-0x000000000264F000-memory.dmp	family_redline
behavioral1/memory/2016-202-0x0000000002610000-0x000000000264F000-memory.dmp	family_redline
behavioral1/memory/2016-204-0x0000000002610000-0x000000000264F000-memory.dmp	family_redline
behavioral1/memory/2016-206-0x0000000002610000-0x000000000264F000-memory.dmp	family_redline
behavioral1/memory/2016-208-0x0000000002610000-0x000000000264F000-memory.dmp	family_redline
behavioral1/memory/2016-210-0x0000000002610000-0x000000000264F000-memory.dmp	family_redline
behavioral1/memory/2016-212-0x0000000002610000-0x000000000264F000-memory.dmp	family_redline
behavioral1/memory/2016-214-0x0000000002610000-0x000000000264F000-memory.dmp	family_redline
behavioral1/memory/2016-216-0x0000000002610000-0x000000000264F000-memory.dmp	family_redline
behavioral1/memory/2016-218-0x0000000002610000-0x000000000264F000-memory.dmp	family_redline
behavioral1/memory/2016-220-0x0000000002610000-0x000000000264F000-memory.dmp	family_redline
behavioral1/memory/2016-222-0x0000000002610000-0x000000000264F000-memory.dmp	family_redline
behavioral1/memory/2016-224-0x0000000002610000-0x000000000264F000-memory.dmp	family_redline
behavioral1/memory/2016-226-0x0000000002610000-0x000000000264F000-memory.dmp	family_redline
behavioral1/memory/2016-228-0x0000000002610000-0x000000000264F000-memory.dmp	family_redline

Executes dropped EXE 4 IoCs

pid	Process
3568	un408399.exe
4780	pro5294.exe
2016	qu3116.exe
2552	si487329.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	pro5294.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	pro5294.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	31ad382e213e5d66b9ccdcd5b457763990af065ab7141f0d9e8e4952b0d1da6e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	31ad382e213e5d66b9ccdcd5b457763990af065ab7141f0d9e8e4952b0d1da6e.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	un408399.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	un408399.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Program crash 2 IoCs

pid	pid_target	Process	procid_target
3952	4780	WerFault.exe	87
3096	2016	WerFault.exe	91

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
4780	pro5294.exe
4780	pro5294.exe
2016	qu3116.exe
2016	qu3116.exe
2552	si487329.exe
2552	si487329.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	4780	pro5294.exe
Token: SeDebugPrivilege	2016	qu3116.exe
Token: SeDebugPrivilege	2552	si487329.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 4272 wrote to memory of 3568	4272	31ad382e213e5d66b9ccdcd5b457763990af065ab7141f0d9e8e4952b0d1da6e.exe	86
PID 4272 wrote to memory of 3568	4272	31ad382e213e5d66b9ccdcd5b457763990af065ab7141f0d9e8e4952b0d1da6e.exe	86
PID 4272 wrote to memory of 3568	4272	31ad382e213e5d66b9ccdcd5b457763990af065ab7141f0d9e8e4952b0d1da6e.exe	86
PID 3568 wrote to memory of 4780	3568	un408399.exe	87
PID 3568 wrote to memory of 4780	3568	un408399.exe	87
PID 3568 wrote to memory of 4780	3568	un408399.exe	87
PID 3568 wrote to memory of 2016	3568	un408399.exe	91
PID 3568 wrote to memory of 2016	3568	un408399.exe	91
PID 3568 wrote to memory of 2016	3568	un408399.exe	91
PID 4272 wrote to memory of 2552	4272	31ad382e213e5d66b9ccdcd5b457763990af065ab7141f0d9e8e4952b0d1da6e.exe	94
PID 4272 wrote to memory of 2552	4272	31ad382e213e5d66b9ccdcd5b457763990af065ab7141f0d9e8e4952b0d1da6e.exe	94
PID 4272 wrote to memory of 2552	4272	31ad382e213e5d66b9ccdcd5b457763990af065ab7141f0d9e8e4952b0d1da6e.exe	94

C:\Users\Admin\AppData\Local\Temp\31ad382e213e5d66b9ccdcd5b457763990af065ab7141f0d9e8e4952b0d1da6e.exe
"C:\Users\Admin\AppData\Local\Temp\31ad382e213e5d66b9ccdcd5b457763990af065ab7141f0d9e8e4952b0d1da6e.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4272
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un408399.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un408399.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:3568
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro5294.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro5294.exe
    3⤵
    - Modifies Windows Defender Real-time Protection settings
    - Executes dropped EXE
    - Windows security modification
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4780
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4780 -s 1080
      4⤵
      Program crash
      PID:3952
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu3116.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu3116.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2016
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2016 -s 1864
      4⤵
      Program crash
      PID:3096
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si487329.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si487329.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2552

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 4780 -ip 4780
1⤵
PID:3740

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 576 -p 2016 -ip 2016
1⤵
PID:2672

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si487329.exe

Filesize
175KB

MD5
8ea8fbd3361ac12fc0a1325198de2c4c

SHA1
793bd1ed426027f2806ad9c83425c1be5200fc8e

SHA256
9f9e624b1252940cc16fb96d70ac8cfb7a56d47494c073a995548912385015aa

SHA512
786cf752b22d922bea3e0765256ebfe20ec9106b3321a9e30e3d1ab9ff6fa8ef2966ccdbe4bc397c011064639cbecfd6c2d658762f217a8e18b6e00c1e40156b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si487329.exe

Filesize
175KB

MD5
8ea8fbd3361ac12fc0a1325198de2c4c

SHA1
793bd1ed426027f2806ad9c83425c1be5200fc8e

SHA256
9f9e624b1252940cc16fb96d70ac8cfb7a56d47494c073a995548912385015aa

SHA512
786cf752b22d922bea3e0765256ebfe20ec9106b3321a9e30e3d1ab9ff6fa8ef2966ccdbe4bc397c011064639cbecfd6c2d658762f217a8e18b6e00c1e40156b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un408399.exe

Filesize
517KB

MD5
e34f28dce574df4497846150840b5f87

SHA1
7ea23dce83591ed2f5393db7aeb4c0f1ba18e22f

SHA256
11437fec59964b7d35f06393d1345c5a860a34904b00bb4f1a55fa8cef21af5d

SHA512
43fd9542b85a18892fb9b4cd7d69b8d1d0fad8609d7a84e10598d2330a4c6b19446c269576fa114d40c82eecdb2c4e15b503a57ddaa5f721af380feabab9afa0

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un408399.exe

Filesize
517KB

MD5
e34f28dce574df4497846150840b5f87

SHA1
7ea23dce83591ed2f5393db7aeb4c0f1ba18e22f

SHA256
11437fec59964b7d35f06393d1345c5a860a34904b00bb4f1a55fa8cef21af5d

SHA512
43fd9542b85a18892fb9b4cd7d69b8d1d0fad8609d7a84e10598d2330a4c6b19446c269576fa114d40c82eecdb2c4e15b503a57ddaa5f721af380feabab9afa0

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro5294.exe

Filesize
237KB

MD5
b31bc9102c58ed1ea6772e3256172f31

SHA1
790dd26472b3ab6d64ca9d879fc9cb680e06602e

SHA256
a7b333242bbe35f81b756fafd286a422601fd50efd7ef7bb3bb697ae81ff75ec

SHA512
259401e5b28ddefd08fa207b3a1512033573aecd117539ec332fe86f21b03ab8b2bb44e699af17d09b6f0f2414686f68a6bfbe539b315b6f3b669179bb4532fb

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro5294.exe

Filesize
237KB

MD5
b31bc9102c58ed1ea6772e3256172f31

SHA1
790dd26472b3ab6d64ca9d879fc9cb680e06602e

SHA256
a7b333242bbe35f81b756fafd286a422601fd50efd7ef7bb3bb697ae81ff75ec

SHA512
259401e5b28ddefd08fa207b3a1512033573aecd117539ec332fe86f21b03ab8b2bb44e699af17d09b6f0f2414686f68a6bfbe539b315b6f3b669179bb4532fb

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu3116.exe

Filesize
295KB

MD5
f10c7fa9223ed8e0e2b503c1418e54aa

SHA1
9ed4d29665b67fbae28c716acd244c9ed08ad013

SHA256
486498f8adbc7e9baef7b8735ea9f3ef1340ea214ad493ea79255996b91207aa

SHA512
e2f00eaefad22904df361de942edcc99fc2454db39afd3074ee2398f398b2deca2bba865c6237eefc3f412b80138b8ce6ea0a5fe6a123e443197e87f157d616d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu3116.exe

Filesize
295KB

MD5
f10c7fa9223ed8e0e2b503c1418e54aa

SHA1
9ed4d29665b67fbae28c716acd244c9ed08ad013

SHA256
486498f8adbc7e9baef7b8735ea9f3ef1340ea214ad493ea79255996b91207aa

SHA512
e2f00eaefad22904df361de942edcc99fc2454db39afd3074ee2398f398b2deca2bba865c6237eefc3f412b80138b8ce6ea0a5fe6a123e443197e87f157d616d

Download Submit
memory/2016-228-0x0000000002610000-0x000000000264F000-memory.dmp

Filesize
252KB

Download
memory/2016-1108-0x0000000005150000-0x0000000005768000-memory.dmp

Filesize
6.1MB

Download
memory/2016-1121-0x0000000006870000-0x0000000006D9C000-memory.dmp

Filesize
5.2MB

Download
memory/2016-1120-0x00000000066A0000-0x0000000006862000-memory.dmp

Filesize
1.8MB

Download
memory/2016-1119-0x00000000064E0000-0x0000000006530000-memory.dmp

Filesize
320KB

Download
memory/2016-1118-0x0000000006450000-0x00000000064C6000-memory.dmp

Filesize
472KB

Download
memory/2016-1117-0x0000000005ED0000-0x0000000005F36000-memory.dmp

Filesize
408KB

Download
memory/2016-1116-0x0000000005E30000-0x0000000005EC2000-memory.dmp

Filesize
584KB

Download
memory/2016-1114-0x0000000004B90000-0x0000000004BA0000-memory.dmp

Filesize
64KB

Download
memory/2016-1112-0x00000000058C0000-0x00000000058FC000-memory.dmp

Filesize
240KB

Download
memory/2016-1111-0x00000000058A0000-0x00000000058B2000-memory.dmp

Filesize
72KB

Download
memory/2016-1110-0x0000000004B90000-0x0000000004BA0000-memory.dmp

Filesize
64KB

Download
memory/2016-1109-0x0000000005770000-0x000000000587A000-memory.dmp

Filesize
1.0MB

Download
memory/2016-1107-0x0000000004B90000-0x0000000004BA0000-memory.dmp

Filesize
64KB

Download
memory/2016-1106-0x0000000004B90000-0x0000000004BA0000-memory.dmp

Filesize
64KB

Download
memory/2016-226-0x0000000002610000-0x000000000264F000-memory.dmp

Filesize
252KB

Download
memory/2016-224-0x0000000002610000-0x000000000264F000-memory.dmp

Filesize
252KB

Download
memory/2016-222-0x0000000002610000-0x000000000264F000-memory.dmp

Filesize
252KB

Download
memory/2016-220-0x0000000002610000-0x000000000264F000-memory.dmp

Filesize
252KB

Download
memory/2016-218-0x0000000002610000-0x000000000264F000-memory.dmp

Filesize
252KB

Download
memory/2016-216-0x0000000002610000-0x000000000264F000-memory.dmp

Filesize
252KB

Download
memory/2016-214-0x0000000002610000-0x000000000264F000-memory.dmp

Filesize
252KB

Download
memory/2016-212-0x0000000002610000-0x000000000264F000-memory.dmp

Filesize
252KB

Download
memory/2016-210-0x0000000002610000-0x000000000264F000-memory.dmp

Filesize
252KB

Download
memory/2016-195-0x0000000000740000-0x000000000078B000-memory.dmp

Filesize
300KB

Download
memory/2016-196-0x0000000004B90000-0x0000000004BA0000-memory.dmp

Filesize
64KB

Download
memory/2016-197-0x0000000004B90000-0x0000000004BA0000-memory.dmp

Filesize
64KB

Download
memory/2016-198-0x0000000004B90000-0x0000000004BA0000-memory.dmp

Filesize
64KB

Download
memory/2016-199-0x0000000002610000-0x000000000264F000-memory.dmp

Filesize
252KB

Download
memory/2016-200-0x0000000002610000-0x000000000264F000-memory.dmp

Filesize
252KB

Download
memory/2016-202-0x0000000002610000-0x000000000264F000-memory.dmp

Filesize
252KB

Download
memory/2016-204-0x0000000002610000-0x000000000264F000-memory.dmp

Filesize
252KB

Download
memory/2016-206-0x0000000002610000-0x000000000264F000-memory.dmp

Filesize
252KB

Download
memory/2016-208-0x0000000002610000-0x000000000264F000-memory.dmp

Filesize
252KB

Download
memory/2552-1128-0x0000000000560000-0x0000000000592000-memory.dmp

Filesize
200KB

Download
memory/2552-1130-0x0000000004EA0000-0x0000000004EB0000-memory.dmp

Filesize
64KB

Download
memory/2552-1129-0x0000000004EA0000-0x0000000004EB0000-memory.dmp

Filesize
64KB

Download
memory/4780-172-0x0000000002400000-0x0000000002412000-memory.dmp

Filesize
72KB

Download
memory/4780-168-0x0000000002400000-0x0000000002412000-memory.dmp

Filesize
72KB

Download
memory/4780-183-0x0000000004E20000-0x0000000004E30000-memory.dmp

Filesize
64KB

Download
memory/4780-182-0x0000000000600000-0x000000000062D000-memory.dmp

Filesize
180KB

Download
memory/4780-181-0x0000000000400000-0x00000000004A9000-memory.dmp

Filesize
676KB

Download
memory/4780-180-0x0000000002400000-0x0000000002412000-memory.dmp

Filesize
72KB

Download
memory/4780-150-0x0000000004E30000-0x00000000053D4000-memory.dmp

Filesize
5.6MB

Download
memory/4780-178-0x0000000002400000-0x0000000002412000-memory.dmp

Filesize
72KB

Download
memory/4780-176-0x0000000002400000-0x0000000002412000-memory.dmp

Filesize
72KB

Download
memory/4780-153-0x0000000002400000-0x0000000002412000-memory.dmp

Filesize
72KB

Download
memory/4780-174-0x0000000002400000-0x0000000002412000-memory.dmp

Filesize
72KB

Download
memory/4780-151-0x0000000004E20000-0x0000000004E30000-memory.dmp

Filesize
64KB

Download
memory/4780-170-0x0000000002400000-0x0000000002412000-memory.dmp

Filesize
72KB

Download
memory/4780-184-0x0000000004E20000-0x0000000004E30000-memory.dmp

Filesize
64KB

Download
memory/4780-166-0x0000000002400000-0x0000000002412000-memory.dmp

Filesize
72KB

Download
memory/4780-164-0x0000000002400000-0x0000000002412000-memory.dmp

Filesize
72KB

Download
memory/4780-162-0x0000000002400000-0x0000000002412000-memory.dmp

Filesize
72KB

Download
memory/4780-160-0x0000000002400000-0x0000000002412000-memory.dmp

Filesize
72KB

Download
memory/4780-158-0x0000000002400000-0x0000000002412000-memory.dmp

Filesize
72KB

Download
memory/4780-156-0x0000000002400000-0x0000000002412000-memory.dmp

Filesize
72KB

Download
memory/4780-154-0x0000000002400000-0x0000000002412000-memory.dmp

Filesize
72KB

Download
memory/4780-149-0x0000000004E20000-0x0000000004E30000-memory.dmp

Filesize
64KB

Download
memory/4780-148-0x0000000000600000-0x000000000062D000-memory.dmp

Filesize
180KB

Download
memory/4780-185-0x0000000004E20000-0x0000000004E30000-memory.dmp

Filesize
64KB

Download
memory/4780-187-0x0000000000400000-0x00000000004A9000-memory.dmp

Filesize
676KB

Download
memory/4780-152-0x0000000004E20000-0x0000000004E30000-memory.dmp

Filesize
64KB

Download