redline | 7263e24eab4e8ec377607e7fe74b1e32f5de11a090fa4ce15ff4c71693b7f1dd

Analysis

max time kernel
56s
max time network
60s
platform
windows10-1703_x64
resource
win10-20230220-en
resource tags

arch:x64arch:x86image:win10-20230220-enlocale:en-usos:windows10-1703-x64system
submitted
03/04/2023, 06:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7263e24eab4e8ec377607e7fe74b1e32f5de11a090fa4ce15ff4c71693b7f1dd.exe
Size

659KB
MD5

4a57123379235a285862c40bb2510ad8
SHA1

c9d33ed48bc066c5d1c330d360bbae5ff5558e21
SHA256

7263e24eab4e8ec377607e7fe74b1e32f5de11a090fa4ce15ff4c71693b7f1dd
SHA512

f9b690f929fbf96717a381f78fe6caee2397c154cfd31839eb78ddb573f2e1d3093ef2f7d21d50c5b24c544d4a0c0e9e7c9d9948e868eaba9a71239500aaa182
SSDEEP

12288:nMray90k8DruS8ge7WHHzysgq5Hc2bfYJxxjfthh+dT:Jyc8gkWTysr582zYZfthh+dT

Score

10^/10

redline rosn spora discovery evasion infostealer persistence spyware stealer trojan

Malware Config

Extracted

Family

redline

Botnet

rosn

176.113.115.145:4125

Attributes

auth_value
050a19e1db4d0024b0f23b37dcf961f4

Extracted

Family

redline

Botnet

spora

176.113.115.145:4125

Attributes

auth_value
441b39ab37774b2ca9931c31e1bc6071

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs 5 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	pro3881.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	pro3881.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	pro3881.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	pro3881.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	pro3881.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 20 IoCs

resource	yara_rule
behavioral1/memory/4176-174-0x00000000021F0000-0x0000000002236000-memory.dmp	family_redline
behavioral1/memory/4176-175-0x0000000002410000-0x0000000002454000-memory.dmp	family_redline
behavioral1/memory/4176-177-0x0000000002410000-0x000000000244F000-memory.dmp	family_redline
behavioral1/memory/4176-176-0x0000000002410000-0x000000000244F000-memory.dmp	family_redline
behavioral1/memory/4176-179-0x0000000002410000-0x000000000244F000-memory.dmp	family_redline
behavioral1/memory/4176-181-0x0000000002410000-0x000000000244F000-memory.dmp	family_redline
behavioral1/memory/4176-183-0x0000000002410000-0x000000000244F000-memory.dmp	family_redline
behavioral1/memory/4176-185-0x0000000002410000-0x000000000244F000-memory.dmp	family_redline
behavioral1/memory/4176-187-0x0000000002410000-0x000000000244F000-memory.dmp	family_redline
behavioral1/memory/4176-189-0x0000000002410000-0x000000000244F000-memory.dmp	family_redline
behavioral1/memory/4176-191-0x0000000002410000-0x000000000244F000-memory.dmp	family_redline
behavioral1/memory/4176-193-0x0000000002410000-0x000000000244F000-memory.dmp	family_redline
behavioral1/memory/4176-195-0x0000000002410000-0x000000000244F000-memory.dmp	family_redline
behavioral1/memory/4176-197-0x0000000002410000-0x000000000244F000-memory.dmp	family_redline
behavioral1/memory/4176-199-0x0000000002410000-0x000000000244F000-memory.dmp	family_redline
behavioral1/memory/4176-201-0x0000000002410000-0x000000000244F000-memory.dmp	family_redline
behavioral1/memory/4176-203-0x0000000002410000-0x000000000244F000-memory.dmp	family_redline
behavioral1/memory/4176-205-0x0000000002410000-0x000000000244F000-memory.dmp	family_redline
behavioral1/memory/4176-207-0x0000000002410000-0x000000000244F000-memory.dmp	family_redline
behavioral1/memory/4176-209-0x0000000002410000-0x000000000244F000-memory.dmp	family_redline

Executes dropped EXE 4 IoCs

pid	Process
3988	un820182.exe
4056	pro3881.exe
4176	qu1464.exe
1812	si294065.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	pro3881.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	pro3881.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	7263e24eab4e8ec377607e7fe74b1e32f5de11a090fa4ce15ff4c71693b7f1dd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	7263e24eab4e8ec377607e7fe74b1e32f5de11a090fa4ce15ff4c71693b7f1dd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	un820182.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	un820182.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
4056	pro3881.exe
4056	pro3881.exe
4176	qu1464.exe
4176	qu1464.exe
1812	si294065.exe
1812	si294065.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	4056	pro3881.exe
Token: SeDebugPrivilege	4176	qu1464.exe
Token: SeDebugPrivilege	1812	si294065.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 3236 wrote to memory of 3988	3236	7263e24eab4e8ec377607e7fe74b1e32f5de11a090fa4ce15ff4c71693b7f1dd.exe	66
PID 3236 wrote to memory of 3988	3236	7263e24eab4e8ec377607e7fe74b1e32f5de11a090fa4ce15ff4c71693b7f1dd.exe	66
PID 3236 wrote to memory of 3988	3236	7263e24eab4e8ec377607e7fe74b1e32f5de11a090fa4ce15ff4c71693b7f1dd.exe	66
PID 3988 wrote to memory of 4056	3988	un820182.exe	67
PID 3988 wrote to memory of 4056	3988	un820182.exe	67
PID 3988 wrote to memory of 4056	3988	un820182.exe	67
PID 3988 wrote to memory of 4176	3988	un820182.exe	68
PID 3988 wrote to memory of 4176	3988	un820182.exe	68
PID 3988 wrote to memory of 4176	3988	un820182.exe	68
PID 3236 wrote to memory of 1812	3236	7263e24eab4e8ec377607e7fe74b1e32f5de11a090fa4ce15ff4c71693b7f1dd.exe	70
PID 3236 wrote to memory of 1812	3236	7263e24eab4e8ec377607e7fe74b1e32f5de11a090fa4ce15ff4c71693b7f1dd.exe	70
PID 3236 wrote to memory of 1812	3236	7263e24eab4e8ec377607e7fe74b1e32f5de11a090fa4ce15ff4c71693b7f1dd.exe	70

C:\Users\Admin\AppData\Local\Temp\7263e24eab4e8ec377607e7fe74b1e32f5de11a090fa4ce15ff4c71693b7f1dd.exe
"C:\Users\Admin\AppData\Local\Temp\7263e24eab4e8ec377607e7fe74b1e32f5de11a090fa4ce15ff4c71693b7f1dd.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3236
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un820182.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un820182.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:3988
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro3881.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro3881.exe
    3⤵
    - Modifies Windows Defender Real-time Protection settings
    - Executes dropped EXE
    - Windows security modification
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4056
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu1464.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu1464.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4176
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si294065.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si294065.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1812

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si294065.exe

Filesize
176KB

MD5
cd21a8c80d1b8997a67ee5b0a46f002a

SHA1
25afbf5390d8089c9dfea56c5dc73e1907852792

SHA256
c1a2a86dc9f65b6ad928c81b16af66d3cc88827331ca8b205df27d52412bf884

SHA512
470d6c6900a1b37f1c037cdcc38e058c057d21745fd9ba5a0eaa527cfb390295eb23400fa0769b5c9b7047f2cacb16b8786edfc7410f7d1c6ae9e73aa8564ec8

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si294065.exe

Filesize
176KB

MD5
cd21a8c80d1b8997a67ee5b0a46f002a

SHA1
25afbf5390d8089c9dfea56c5dc73e1907852792

SHA256
c1a2a86dc9f65b6ad928c81b16af66d3cc88827331ca8b205df27d52412bf884

SHA512
470d6c6900a1b37f1c037cdcc38e058c057d21745fd9ba5a0eaa527cfb390295eb23400fa0769b5c9b7047f2cacb16b8786edfc7410f7d1c6ae9e73aa8564ec8

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un820182.exe

Filesize
518KB

MD5
f948bf6ee1281ea8d9dddde6c4d45093

SHA1
1172389d7d831a13d559808d99a158044d1dedf5

SHA256
e08b6ae24e825de6ca88da5b08045c37259142739e5855361aa1d5a97eb6196d

SHA512
2c24cfe8bf00e29710d0aa90de1059f1ad29239341064b5e6afc5bd1362ce597578db1852c57a89199d86e63f1039f824d3b65302b3b96d81d3b25d6835b6fbe

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un820182.exe

Filesize
518KB

MD5
f948bf6ee1281ea8d9dddde6c4d45093

SHA1
1172389d7d831a13d559808d99a158044d1dedf5

SHA256
e08b6ae24e825de6ca88da5b08045c37259142739e5855361aa1d5a97eb6196d

SHA512
2c24cfe8bf00e29710d0aa90de1059f1ad29239341064b5e6afc5bd1362ce597578db1852c57a89199d86e63f1039f824d3b65302b3b96d81d3b25d6835b6fbe

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro3881.exe

Filesize
237KB

MD5
b55902ecec5b6fbe46cb98d920aefc59

SHA1
64c6d0aea24bf22b0982881e6ac65004dc631565

SHA256
bb0cb27a3f96a728b31454b401d91905a06cbfa66d643085a714f2d4c1f7e24c

SHA512
c9dec264d2ab69a63eee6fb9a114a6a4d655df74cd21f7e54cfb6bcbed05f41b557b092d9697586d0684ec3b2b46d46a5b54f76891c52d92434b57b1ff89245b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro3881.exe

Filesize
237KB

MD5
b55902ecec5b6fbe46cb98d920aefc59

SHA1
64c6d0aea24bf22b0982881e6ac65004dc631565

SHA256
bb0cb27a3f96a728b31454b401d91905a06cbfa66d643085a714f2d4c1f7e24c

SHA512
c9dec264d2ab69a63eee6fb9a114a6a4d655df74cd21f7e54cfb6bcbed05f41b557b092d9697586d0684ec3b2b46d46a5b54f76891c52d92434b57b1ff89245b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu1464.exe

Filesize
295KB

MD5
e70f9e20784f308a0e4d29b4726c35fe

SHA1
06cac0ece0e41694649f544e785f6dd75b69cfd4

SHA256
3058ea366bc4cfedc4287f7d42cb4cbaf52555bcac03c2b44c9d5529a15c19e7

SHA512
b563435aa73ab010a23ca0f0cae28df8837b7039952c8d79f1d59cef253bfbeb76cf0d8fa00f75893519936f5ddee4600e870096b6984225403a6667c1cbd3df

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu1464.exe

Filesize
295KB

MD5
e70f9e20784f308a0e4d29b4726c35fe

SHA1
06cac0ece0e41694649f544e785f6dd75b69cfd4

SHA256
3058ea366bc4cfedc4287f7d42cb4cbaf52555bcac03c2b44c9d5529a15c19e7

SHA512
b563435aa73ab010a23ca0f0cae28df8837b7039952c8d79f1d59cef253bfbeb76cf0d8fa00f75893519936f5ddee4600e870096b6984225403a6667c1cbd3df

Download Submit
memory/1812-1108-0x0000000000530000-0x0000000000562000-memory.dmp

Filesize
200KB

Download
memory/1812-1109-0x0000000004DB0000-0x0000000004DFB000-memory.dmp

Filesize
300KB

Download
memory/1812-1110-0x0000000004E10000-0x0000000004E20000-memory.dmp

Filesize
64KB

Download
memory/4056-140-0x00000000049D0000-0x00000000049E2000-memory.dmp

Filesize
72KB

Download
memory/4056-154-0x00000000049D0000-0x00000000049E2000-memory.dmp

Filesize
72KB

Download
memory/4056-136-0x00000000049D0000-0x00000000049E2000-memory.dmp

Filesize
72KB

Download
memory/4056-138-0x00000000049D0000-0x00000000049E2000-memory.dmp

Filesize
72KB

Download
memory/4056-142-0x00000000049D0000-0x00000000049E2000-memory.dmp

Filesize
72KB

Download
memory/4056-134-0x00000000049D0000-0x00000000049E8000-memory.dmp

Filesize
96KB

Download
memory/4056-144-0x00000000049D0000-0x00000000049E2000-memory.dmp

Filesize
72KB

Download
memory/4056-146-0x00000000049D0000-0x00000000049E2000-memory.dmp

Filesize
72KB

Download
memory/4056-148-0x00000000049D0000-0x00000000049E2000-memory.dmp

Filesize
72KB

Download
memory/4056-150-0x00000000049D0000-0x00000000049E2000-memory.dmp

Filesize
72KB

Download
memory/4056-152-0x00000000049D0000-0x00000000049E2000-memory.dmp

Filesize
72KB

Download
memory/4056-135-0x00000000049D0000-0x00000000049E2000-memory.dmp

Filesize
72KB

Download
memory/4056-156-0x00000000049D0000-0x00000000049E2000-memory.dmp

Filesize
72KB

Download
memory/4056-158-0x00000000049D0000-0x00000000049E2000-memory.dmp

Filesize
72KB

Download
memory/4056-160-0x00000000049D0000-0x00000000049E2000-memory.dmp

Filesize
72KB

Download
memory/4056-162-0x00000000049D0000-0x00000000049E2000-memory.dmp

Filesize
72KB

Download
memory/4056-163-0x00000000004F0000-0x000000000051D000-memory.dmp

Filesize
180KB

Download
memory/4056-164-0x0000000004B10000-0x0000000004B20000-memory.dmp

Filesize
64KB

Download
memory/4056-165-0x0000000004B10000-0x0000000004B20000-memory.dmp

Filesize
64KB

Download
memory/4056-166-0x0000000004B10000-0x0000000004B20000-memory.dmp

Filesize
64KB

Download
memory/4056-167-0x0000000000400000-0x00000000004AA000-memory.dmp

Filesize
680KB

Download
memory/4056-169-0x0000000000400000-0x00000000004AA000-memory.dmp

Filesize
680KB

Download
memory/4056-133-0x0000000004B20000-0x000000000501E000-memory.dmp

Filesize
5.0MB

Download
memory/4056-132-0x0000000002090000-0x00000000020AA000-memory.dmp

Filesize
104KB

Download
memory/4176-176-0x0000000002410000-0x000000000244F000-memory.dmp

Filesize
252KB

Download
memory/4176-270-0x0000000000600000-0x000000000064B000-memory.dmp

Filesize
300KB

Download
memory/4176-179-0x0000000002410000-0x000000000244F000-memory.dmp

Filesize
252KB

Download
memory/4176-181-0x0000000002410000-0x000000000244F000-memory.dmp

Filesize
252KB

Download
memory/4176-183-0x0000000002410000-0x000000000244F000-memory.dmp

Filesize
252KB

Download
memory/4176-185-0x0000000002410000-0x000000000244F000-memory.dmp

Filesize
252KB

Download
memory/4176-187-0x0000000002410000-0x000000000244F000-memory.dmp

Filesize
252KB

Download
memory/4176-189-0x0000000002410000-0x000000000244F000-memory.dmp

Filesize
252KB

Download
memory/4176-191-0x0000000002410000-0x000000000244F000-memory.dmp

Filesize
252KB

Download
memory/4176-193-0x0000000002410000-0x000000000244F000-memory.dmp

Filesize
252KB

Download
memory/4176-195-0x0000000002410000-0x000000000244F000-memory.dmp

Filesize
252KB

Download
memory/4176-197-0x0000000002410000-0x000000000244F000-memory.dmp

Filesize
252KB

Download
memory/4176-199-0x0000000002410000-0x000000000244F000-memory.dmp

Filesize
252KB

Download
memory/4176-201-0x0000000002410000-0x000000000244F000-memory.dmp

Filesize
252KB

Download
memory/4176-203-0x0000000002410000-0x000000000244F000-memory.dmp

Filesize
252KB

Download
memory/4176-205-0x0000000002410000-0x000000000244F000-memory.dmp

Filesize
252KB

Download
memory/4176-207-0x0000000002410000-0x000000000244F000-memory.dmp

Filesize
252KB

Download
memory/4176-209-0x0000000002410000-0x000000000244F000-memory.dmp

Filesize
252KB

Download
memory/4176-272-0x0000000004C50000-0x0000000004C60000-memory.dmp

Filesize
64KB

Download
memory/4176-177-0x0000000002410000-0x000000000244F000-memory.dmp

Filesize
252KB

Download
memory/4176-276-0x0000000004C50000-0x0000000004C60000-memory.dmp

Filesize
64KB

Download
memory/4176-274-0x0000000004C50000-0x0000000004C60000-memory.dmp

Filesize
64KB

Download
memory/4176-1086-0x0000000005770000-0x0000000005D76000-memory.dmp

Filesize
6.0MB

Download
memory/4176-1087-0x0000000005160000-0x000000000526A000-memory.dmp

Filesize
1.0MB

Download
memory/4176-1088-0x0000000002620000-0x0000000002632000-memory.dmp

Filesize
72KB

Download
memory/4176-1089-0x0000000004BA0000-0x0000000004BDE000-memory.dmp

Filesize
248KB

Download
memory/4176-1090-0x0000000004BE0000-0x0000000004C2B000-memory.dmp

Filesize
300KB

Download
memory/4176-1091-0x0000000004C50000-0x0000000004C60000-memory.dmp

Filesize
64KB

Download
memory/4176-1092-0x0000000005490000-0x00000000054F6000-memory.dmp

Filesize
408KB

Download
memory/4176-1093-0x0000000006160000-0x00000000061F2000-memory.dmp

Filesize
584KB

Download
memory/4176-1094-0x0000000006230000-0x00000000062A6000-memory.dmp

Filesize
472KB

Download
memory/4176-1095-0x00000000062B0000-0x0000000006300000-memory.dmp

Filesize
320KB

Download
memory/4176-1097-0x0000000004C50000-0x0000000004C60000-memory.dmp

Filesize
64KB

Download
memory/4176-1098-0x0000000004C50000-0x0000000004C60000-memory.dmp

Filesize
64KB

Download
memory/4176-1099-0x0000000004C50000-0x0000000004C60000-memory.dmp

Filesize
64KB

Download
memory/4176-175-0x0000000002410000-0x0000000002454000-memory.dmp

Filesize
272KB

Download
memory/4176-174-0x00000000021F0000-0x0000000002236000-memory.dmp

Filesize
280KB

Download
memory/4176-1100-0x0000000006440000-0x0000000006602000-memory.dmp

Filesize
1.8MB

Download
memory/4176-1101-0x0000000006610000-0x0000000006B3C000-memory.dmp

Filesize
5.2MB

Download
memory/4176-1102-0x0000000004C50000-0x0000000004C60000-memory.dmp

Filesize
64KB

Download