redline | 81548f7373960e31cdd8d30de11cf2d1372ee5495dbcfafdfe9a7c33e8186cdf

General

Target

81548f7373960e31cdd8d30de11cf2d1372ee5495dbcfafdfe9a7c33e8186cdf.exe
Size

844KB
MD5

76f2e30577cfe1aa87819f82a638fc8d
SHA1

8f1818e149b9792e6642b22aae1491aef7df3489
SHA256

81548f7373960e31cdd8d30de11cf2d1372ee5495dbcfafdfe9a7c33e8186cdf
SHA512

d23e368ff240c8ead2656744160465a28e98a28c9dc9dcc8947d5d99cc4dbb6e04fd102ff11510cd4a9d797a1d106523e922e6ad9f814d2e00f8db588f5bae13
SSDEEP

24576:SyIZCebd3Z5SrMSgDYKRRrmXefL2QKB86DzEOX4UX79K+uH:5IAeNZTDtzrmuu86DzzVu

Score

10^/10

redline rosn evasion infostealer persistence trojan

Malware Config

Extracted

Family

redline

Botnet

rosn

C2

176.113.115.145:4125

Attributes

auth_value
050a19e1db4d0024b0f23b37dcf961f4

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs 5 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

Processes:

pr364639.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	pr364639.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	pr364639.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	pr364639.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	pr364639.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	pr364639.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 21 IoCs

Processes:

resource	yara_rule
behavioral1/memory/4532-184-0x0000000002150000-0x0000000002196000-memory.dmp	family_redline
behavioral1/memory/4532-185-0x0000000004F70000-0x0000000004FB4000-memory.dmp	family_redline
behavioral1/memory/4532-186-0x0000000004F70000-0x0000000004FAF000-memory.dmp	family_redline
behavioral1/memory/4532-187-0x0000000004F70000-0x0000000004FAF000-memory.dmp	family_redline
behavioral1/memory/4532-189-0x0000000004F70000-0x0000000004FAF000-memory.dmp	family_redline
behavioral1/memory/4532-191-0x0000000004F70000-0x0000000004FAF000-memory.dmp	family_redline
behavioral1/memory/4532-193-0x0000000004F70000-0x0000000004FAF000-memory.dmp	family_redline
behavioral1/memory/4532-195-0x0000000004F70000-0x0000000004FAF000-memory.dmp	family_redline
behavioral1/memory/4532-197-0x0000000004F70000-0x0000000004FAF000-memory.dmp	family_redline
behavioral1/memory/4532-199-0x0000000004F70000-0x0000000004FAF000-memory.dmp	family_redline
behavioral1/memory/4532-201-0x0000000004F70000-0x0000000004FAF000-memory.dmp	family_redline
behavioral1/memory/4532-203-0x0000000004F70000-0x0000000004FAF000-memory.dmp	family_redline
behavioral1/memory/4532-205-0x0000000004F70000-0x0000000004FAF000-memory.dmp	family_redline
behavioral1/memory/4532-209-0x0000000004F70000-0x0000000004FAF000-memory.dmp	family_redline
behavioral1/memory/4532-207-0x0000000004F70000-0x0000000004FAF000-memory.dmp	family_redline
behavioral1/memory/4532-211-0x0000000004F70000-0x0000000004FAF000-memory.dmp	family_redline
behavioral1/memory/4532-213-0x0000000004F70000-0x0000000004FAF000-memory.dmp	family_redline
behavioral1/memory/4532-215-0x0000000004F70000-0x0000000004FAF000-memory.dmp	family_redline
behavioral1/memory/4532-217-0x0000000004F70000-0x0000000004FAF000-memory.dmp	family_redline
behavioral1/memory/4532-219-0x0000000004F70000-0x0000000004FAF000-memory.dmp	family_redline
behavioral1/memory/4532-1104-0x00000000021B0000-0x00000000021C0000-memory.dmp	family_redline

Executes dropped EXE 4 IoCs

Processes:

un729159.exeun871294.exepr364639.exequ534457.exe

pid process

5116 un729159.exe
2140 un871294.exe
4700 pr364639.exe
4532 qu534457.exe

pid	process
5116	un729159.exe
2140	un871294.exe
4700	pr364639.exe
4532	qu534457.exe

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

pr364639.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	pr364639.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	pr364639.exe

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

81548f7373960e31cdd8d30de11cf2d1372ee5495dbcfafdfe9a7c33e8186cdf.exeun729159.exeun871294.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	81548f7373960e31cdd8d30de11cf2d1372ee5495dbcfafdfe9a7c33e8186cdf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	81548f7373960e31cdd8d30de11cf2d1372ee5495dbcfafdfe9a7c33e8186cdf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	un729159.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	un729159.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	un871294.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	un871294.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

pr364639.exe

pid process

4700 pr364639.exe
4700 pr364639.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

pr364639.exequ534457.exe

description pid process

Token: SeDebugPrivilege 4700 pr364639.exe
Token: SeDebugPrivilege 4532 qu534457.exe

pid	process
4700	pr364639.exe
4700	pr364639.exe

description	pid	process
Token: SeDebugPrivilege	4700	pr364639.exe
Token: SeDebugPrivilege	4532	qu534457.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

81548f7373960e31cdd8d30de11cf2d1372ee5495dbcfafdfe9a7c33e8186cdf.exeun729159.exeun871294.exe

description	pid	process	target process
PID 4604 wrote to memory of 5116	4604	81548f7373960e31cdd8d30de11cf2d1372ee5495dbcfafdfe9a7c33e8186cdf.exe	un729159.exe
PID 4604 wrote to memory of 5116	4604	81548f7373960e31cdd8d30de11cf2d1372ee5495dbcfafdfe9a7c33e8186cdf.exe	un729159.exe
PID 4604 wrote to memory of 5116	4604	81548f7373960e31cdd8d30de11cf2d1372ee5495dbcfafdfe9a7c33e8186cdf.exe	un729159.exe
PID 5116 wrote to memory of 2140	5116	un729159.exe	un871294.exe
PID 5116 wrote to memory of 2140	5116	un729159.exe	un871294.exe
PID 5116 wrote to memory of 2140	5116	un729159.exe	un871294.exe
PID 2140 wrote to memory of 4700	2140	un871294.exe	pr364639.exe
PID 2140 wrote to memory of 4700	2140	un871294.exe	pr364639.exe
PID 2140 wrote to memory of 4700	2140	un871294.exe	pr364639.exe
PID 2140 wrote to memory of 4532	2140	un871294.exe	qu534457.exe
PID 2140 wrote to memory of 4532	2140	un871294.exe	qu534457.exe
PID 2140 wrote to memory of 4532	2140	un871294.exe	qu534457.exe

C:\Users\Admin\AppData\Local\Temp\81548f7373960e31cdd8d30de11cf2d1372ee5495dbcfafdfe9a7c33e8186cdf.exe
"C:\Users\Admin\AppData\Local\Temp\81548f7373960e31cdd8d30de11cf2d1372ee5495dbcfafdfe9a7c33e8186cdf.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4604

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un729159.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un729159.exe
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:5116

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\un871294.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\un871294.exe
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2140

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr364639.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr364639.exe
4⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4700

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu534457.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu534457.exe
4⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4532

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

1

T1031

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Disabling Security Tools

Modify Registry

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un729159.exe
Filesize
661KB

MD5
f05a42dd5d337b3482cec3eee15ecefe

SHA1
a332a47f422b7f19e548adb2244ddac1da7bf014

SHA256
5516c54bd0890541cada2aee7a109015db82cb1cedca4309246f50f03765e7e7

SHA512
a8d711e867dbf7cf3b70c6c40c33925231855d3f773bb45bf3b0a2bd03e159e01a60b3bbc6a23c186d40404729b45356b3d23f2d8875f0dc7021d19428644737

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un729159.exe
Filesize
661KB

MD5
f05a42dd5d337b3482cec3eee15ecefe

SHA1
a332a47f422b7f19e548adb2244ddac1da7bf014

SHA256
5516c54bd0890541cada2aee7a109015db82cb1cedca4309246f50f03765e7e7

SHA512
a8d711e867dbf7cf3b70c6c40c33925231855d3f773bb45bf3b0a2bd03e159e01a60b3bbc6a23c186d40404729b45356b3d23f2d8875f0dc7021d19428644737

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\un871294.exe
Filesize
518KB

MD5
28cf37fa1e79daf4a4802f26dcb06abe

SHA1
47bc0db1ac5a6938ca0f01f7ba1a5e16df1f02c6

SHA256
cd0936c5f9fcadfb3ef41e86447586d259c20a0cb2da2c783eb8f659512b8350

SHA512
d4dd9a6c1e290afdf0349591ba71c0e0c403a8a4d6a016ca57019c035b3ecd40b321314a25198501e2e307ba31883d81f4f7a18961110b75ba85e13fff746f0c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\un871294.exe
Filesize
518KB

MD5
28cf37fa1e79daf4a4802f26dcb06abe

SHA1
47bc0db1ac5a6938ca0f01f7ba1a5e16df1f02c6

SHA256
cd0936c5f9fcadfb3ef41e86447586d259c20a0cb2da2c783eb8f659512b8350

SHA512
d4dd9a6c1e290afdf0349591ba71c0e0c403a8a4d6a016ca57019c035b3ecd40b321314a25198501e2e307ba31883d81f4f7a18961110b75ba85e13fff746f0c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr364639.exe
Filesize
239KB

MD5
b55476eb14534967008a3a0f6b744b04

SHA1
b6e27087aab4a940ee7fd6e8e252c962660a5fcc

SHA256
e680ff09132a8f3acbfe4645a93ee24341c896c86f194d4238c915f0e047ca77

SHA512
5dcff8f47df38194f70fb988a21c21b5a689bf5b0caffa73d0884f0f2a0cb76068891f9b50209e551e6c1466387a57b8586e495d34ccd637c1cd6bcf079d571f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr364639.exe
Filesize
239KB

MD5
b55476eb14534967008a3a0f6b744b04

SHA1
b6e27087aab4a940ee7fd6e8e252c962660a5fcc

SHA256
e680ff09132a8f3acbfe4645a93ee24341c896c86f194d4238c915f0e047ca77

SHA512
5dcff8f47df38194f70fb988a21c21b5a689bf5b0caffa73d0884f0f2a0cb76068891f9b50209e551e6c1466387a57b8586e495d34ccd637c1cd6bcf079d571f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu534457.exe
Filesize
299KB

MD5
8ad110c9e359d0f0b1d5a122bf72b5d2

SHA1
835c9aaf0ba3b046420ae4d8860eaff5378deb70

SHA256
c062178ed1b2f0582f859cb34a8e7ab73fa8da71a4a510326146022b16d7d85e

SHA512
d3ed044d917bde7de7134304bff3b7a190353c8741cc5ddda97e5ec3b180291898a19b12fb044484e714e2f47947145aed75672705d3daf25203dc7daaaef7cf

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu534457.exe
Filesize
299KB

MD5
8ad110c9e359d0f0b1d5a122bf72b5d2

SHA1
835c9aaf0ba3b046420ae4d8860eaff5378deb70

SHA256
c062178ed1b2f0582f859cb34a8e7ab73fa8da71a4a510326146022b16d7d85e

SHA512
d3ed044d917bde7de7134304bff3b7a190353c8741cc5ddda97e5ec3b180291898a19b12fb044484e714e2f47947145aed75672705d3daf25203dc7daaaef7cf

Download Submit
memory/4532-211-0x0000000004F70000-0x0000000004FAF000-memory.dmp

Filesize
252KB

Download
memory/4532-217-0x0000000004F70000-0x0000000004FAF000-memory.dmp

Filesize
252KB

Download
memory/4532-1106-0x00000000021B0000-0x00000000021C0000-memory.dmp

Filesize
64KB

Download
memory/4532-1105-0x00000000021B0000-0x00000000021C0000-memory.dmp

Filesize
64KB

Download
memory/4532-1104-0x00000000021B0000-0x00000000021C0000-memory.dmp

Filesize
64KB

Download
memory/4532-1103-0x00000000021B0000-0x00000000021C0000-memory.dmp

Filesize
64KB

Download
memory/4532-1101-0x0000000005910000-0x000000000595B000-memory.dmp

Filesize
300KB

Download
memory/4532-1100-0x00000000021B0000-0x00000000021C0000-memory.dmp

Filesize
64KB

Download
memory/4532-1099-0x00000000057C0000-0x00000000057FE000-memory.dmp

Filesize
248KB

Download
memory/4532-1098-0x00000000057A0000-0x00000000057B2000-memory.dmp

Filesize
72KB

Download
memory/4532-1097-0x0000000005660000-0x000000000576A000-memory.dmp

Filesize
1.0MB

Download
memory/4532-1096-0x0000000004FD0000-0x00000000055D6000-memory.dmp

Filesize
6.0MB

Download
memory/4532-496-0x00000000021B0000-0x00000000021C0000-memory.dmp

Filesize
64KB

Download
memory/4532-498-0x00000000021B0000-0x00000000021C0000-memory.dmp

Filesize
64KB

Download
memory/4532-492-0x00000000004C0000-0x000000000050B000-memory.dmp

Filesize
300KB

Download
memory/4532-494-0x00000000021B0000-0x00000000021C0000-memory.dmp

Filesize
64KB

Download
memory/4532-219-0x0000000004F70000-0x0000000004FAF000-memory.dmp

Filesize
252KB

Download
memory/4532-215-0x0000000004F70000-0x0000000004FAF000-memory.dmp

Filesize
252KB

Download
memory/4532-213-0x0000000004F70000-0x0000000004FAF000-memory.dmp

Filesize
252KB

Download
memory/4532-207-0x0000000004F70000-0x0000000004FAF000-memory.dmp

Filesize
252KB

Download
memory/4532-209-0x0000000004F70000-0x0000000004FAF000-memory.dmp

Filesize
252KB

Download
memory/4532-205-0x0000000004F70000-0x0000000004FAF000-memory.dmp

Filesize
252KB

Download
memory/4532-203-0x0000000004F70000-0x0000000004FAF000-memory.dmp

Filesize
252KB

Download
memory/4532-201-0x0000000004F70000-0x0000000004FAF000-memory.dmp

Filesize
252KB

Download
memory/4532-199-0x0000000004F70000-0x0000000004FAF000-memory.dmp

Filesize
252KB

Download
memory/4532-184-0x0000000002150000-0x0000000002196000-memory.dmp

Filesize
280KB

Download
memory/4532-185-0x0000000004F70000-0x0000000004FB4000-memory.dmp

Filesize
272KB

Download
memory/4532-186-0x0000000004F70000-0x0000000004FAF000-memory.dmp

Filesize
252KB

Download
memory/4532-187-0x0000000004F70000-0x0000000004FAF000-memory.dmp

Filesize
252KB

Download
memory/4532-189-0x0000000004F70000-0x0000000004FAF000-memory.dmp

Filesize
252KB

Download
memory/4532-191-0x0000000004F70000-0x0000000004FAF000-memory.dmp

Filesize
252KB

Download
memory/4532-193-0x0000000004F70000-0x0000000004FAF000-memory.dmp

Filesize
252KB

Download
memory/4532-195-0x0000000004F70000-0x0000000004FAF000-memory.dmp

Filesize
252KB

Download
memory/4532-197-0x0000000004F70000-0x0000000004FAF000-memory.dmp

Filesize
252KB

Download
memory/4700-166-0x0000000004990000-0x00000000049A2000-memory.dmp

Filesize
72KB

Download
memory/4700-176-0x00000000049B0000-0x00000000049C0000-memory.dmp

Filesize
64KB

Download
memory/4700-142-0x00000000001D0000-0x00000000001FD000-memory.dmp

Filesize
180KB

Download
memory/4700-177-0x00000000049B0000-0x00000000049C0000-memory.dmp

Filesize
64KB

Download
memory/4700-164-0x0000000004990000-0x00000000049A2000-memory.dmp

Filesize
72KB

Download
memory/4700-175-0x0000000000400000-0x00000000004AA000-memory.dmp

Filesize
680KB

Download
memory/4700-141-0x0000000001F90000-0x0000000001FAA000-memory.dmp

Filesize
104KB

Download
memory/4700-162-0x0000000004990000-0x00000000049A2000-memory.dmp

Filesize
72KB

Download
memory/4700-172-0x0000000004990000-0x00000000049A2000-memory.dmp

Filesize
72KB

Download
memory/4700-144-0x00000000049B0000-0x00000000049C0000-memory.dmp

Filesize
64KB

Download
memory/4700-170-0x0000000004990000-0x00000000049A2000-memory.dmp

Filesize
72KB

Download
memory/4700-168-0x0000000004990000-0x00000000049A2000-memory.dmp

Filesize
72KB

Download
memory/4700-179-0x0000000000400000-0x00000000004AA000-memory.dmp

Filesize
680KB

Download
memory/4700-143-0x00000000049B0000-0x00000000049C0000-memory.dmp

Filesize
64KB

Download
memory/4700-174-0x0000000004990000-0x00000000049A2000-memory.dmp

Filesize
72KB

Download
memory/4700-160-0x0000000004990000-0x00000000049A2000-memory.dmp

Filesize
72KB

Download
memory/4700-158-0x0000000004990000-0x00000000049A2000-memory.dmp

Filesize
72KB

Download
memory/4700-156-0x0000000004990000-0x00000000049A2000-memory.dmp

Filesize
72KB

Download
memory/4700-154-0x0000000004990000-0x00000000049A2000-memory.dmp

Filesize
72KB

Download
memory/4700-152-0x0000000004990000-0x00000000049A2000-memory.dmp

Filesize
72KB

Download
memory/4700-150-0x0000000004990000-0x00000000049A2000-memory.dmp

Filesize
72KB

Download
memory/4700-148-0x0000000004990000-0x00000000049A2000-memory.dmp

Filesize
72KB

Download
memory/4700-147-0x0000000004990000-0x00000000049A2000-memory.dmp

Filesize
72KB

Download
memory/4700-146-0x0000000004990000-0x00000000049A8000-memory.dmp

Filesize
96KB

Download
memory/4700-145-0x00000000049C0000-0x0000000004EBE000-memory.dmp

Filesize
5.0MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads