redline | e5111c6533c0009b6277702edb5e569a22e7c9ff85d08c227a2ada62a5e73d96

General

Target

e5111c6533c0009b6277702edb5e569a22e7c9ff85d08c227a2ada62a5e73d96.exe
Size

708KB
MD5

66ba1ecd2f68a65a2fe5204d48967cd3
SHA1

34bb218ff4ad2ef317ad130849a6848af4479b56
SHA256

e5111c6533c0009b6277702edb5e569a22e7c9ff85d08c227a2ada62a5e73d96
SHA512

9c8ec2a613182c79d224ab05523dc8c4be534f89ac2c4d61b64653af3d5c5c51080b99e3fea12486d0dbc8dba23397c724de9b20e2a860a30a2626a98bebe132
SSDEEP

12288:3Mrkay90D0TW3T1xA1yefJchDYvKuTULm/tRixa24jc+J3z7OUqpdU1U6:eyKxmy42BY8SRyabjVQPI

Score

10^/10

redline rosn evasion infostealer persistence trojan

Malware Config

Extracted

Family

redline

Botnet

rosn

C2

176.113.115.145:4125

Attributes

auth_value
050a19e1db4d0024b0f23b37dcf961f4

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

Processes:

it403567.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	it403567.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	it403567.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	it403567.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	it403567.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	it403567.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	it403567.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 34 IoCs

Processes:

resource	yara_rule
behavioral1/memory/116-161-0x0000000004A70000-0x0000000004AAF000-memory.dmp	family_redline
behavioral1/memory/116-162-0x0000000004A70000-0x0000000004AAF000-memory.dmp	family_redline
behavioral1/memory/116-164-0x0000000004A70000-0x0000000004AAF000-memory.dmp	family_redline
behavioral1/memory/116-166-0x0000000004A70000-0x0000000004AAF000-memory.dmp	family_redline
behavioral1/memory/116-171-0x0000000004BA0000-0x0000000004BB0000-memory.dmp	family_redline
behavioral1/memory/116-174-0x0000000004A70000-0x0000000004AAF000-memory.dmp	family_redline
behavioral1/memory/116-170-0x0000000004A70000-0x0000000004AAF000-memory.dmp	family_redline
behavioral1/memory/116-176-0x0000000004A70000-0x0000000004AAF000-memory.dmp	family_redline
behavioral1/memory/116-178-0x0000000004A70000-0x0000000004AAF000-memory.dmp	family_redline
behavioral1/memory/116-180-0x0000000004A70000-0x0000000004AAF000-memory.dmp	family_redline
behavioral1/memory/116-182-0x0000000004A70000-0x0000000004AAF000-memory.dmp	family_redline
behavioral1/memory/116-184-0x0000000004A70000-0x0000000004AAF000-memory.dmp	family_redline
behavioral1/memory/116-186-0x0000000004A70000-0x0000000004AAF000-memory.dmp	family_redline
behavioral1/memory/116-188-0x0000000004A70000-0x0000000004AAF000-memory.dmp	family_redline
behavioral1/memory/116-190-0x0000000004A70000-0x0000000004AAF000-memory.dmp	family_redline
behavioral1/memory/116-192-0x0000000004A70000-0x0000000004AAF000-memory.dmp	family_redline
behavioral1/memory/116-194-0x0000000004A70000-0x0000000004AAF000-memory.dmp	family_redline
behavioral1/memory/116-196-0x0000000004A70000-0x0000000004AAF000-memory.dmp	family_redline
behavioral1/memory/116-198-0x0000000004A70000-0x0000000004AAF000-memory.dmp	family_redline
behavioral1/memory/116-200-0x0000000004A70000-0x0000000004AAF000-memory.dmp	family_redline
behavioral1/memory/116-202-0x0000000004A70000-0x0000000004AAF000-memory.dmp	family_redline
behavioral1/memory/116-204-0x0000000004A70000-0x0000000004AAF000-memory.dmp	family_redline
behavioral1/memory/116-206-0x0000000004A70000-0x0000000004AAF000-memory.dmp	family_redline
behavioral1/memory/116-208-0x0000000004A70000-0x0000000004AAF000-memory.dmp	family_redline
behavioral1/memory/116-210-0x0000000004A70000-0x0000000004AAF000-memory.dmp	family_redline
behavioral1/memory/116-212-0x0000000004A70000-0x0000000004AAF000-memory.dmp	family_redline
behavioral1/memory/116-214-0x0000000004A70000-0x0000000004AAF000-memory.dmp	family_redline
behavioral1/memory/116-216-0x0000000004A70000-0x0000000004AAF000-memory.dmp	family_redline
behavioral1/memory/116-218-0x0000000004A70000-0x0000000004AAF000-memory.dmp	family_redline
behavioral1/memory/116-220-0x0000000004A70000-0x0000000004AAF000-memory.dmp	family_redline
behavioral1/memory/116-222-0x0000000004A70000-0x0000000004AAF000-memory.dmp	family_redline
behavioral1/memory/116-224-0x0000000004A70000-0x0000000004AAF000-memory.dmp	family_redline
behavioral1/memory/116-226-0x0000000004A70000-0x0000000004AAF000-memory.dmp	family_redline
behavioral1/memory/116-228-0x0000000004A70000-0x0000000004AAF000-memory.dmp	family_redline

Executes dropped EXE 4 IoCs

Processes:

ziMw2988.exezioI3122.exeit403567.exejr368666.exe

pid process

1816 ziMw2988.exe
3740 zioI3122.exe
1684 it403567.exe
116 jr368666.exe
Windows security modification 2 TTPs 1 IoCs
evasion trojan

Disabling Security Tools
T1089

Modify Registry
T1112

Processes:

it403567.exe

description ioc process

Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" it403567.exe

pid	process
1816	ziMw2988.exe
3740	zioI3122.exe
1684	it403567.exe
116	jr368666.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"	it403567.exe

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

zioI3122.exee5111c6533c0009b6277702edb5e569a22e7c9ff85d08c227a2ada62a5e73d96.exeziMw2988.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	zioI3122.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	zioI3122.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	e5111c6533c0009b6277702edb5e569a22e7c9ff85d08c227a2ada62a5e73d96.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	e5111c6533c0009b6277702edb5e569a22e7c9ff85d08c227a2ada62a5e73d96.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	ziMw2988.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	ziMw2988.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

it403567.exe

pid process

1684 it403567.exe
1684 it403567.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

it403567.exejr368666.exe

description pid process

Token: SeDebugPrivilege 1684 it403567.exe
Token: SeDebugPrivilege 116 jr368666.exe

pid	process
1684	it403567.exe
1684	it403567.exe

description	pid	process
Token: SeDebugPrivilege	1684	it403567.exe
Token: SeDebugPrivilege	116	jr368666.exe

Suspicious use of WriteProcessMemory 11 IoCs

Processes:

e5111c6533c0009b6277702edb5e569a22e7c9ff85d08c227a2ada62a5e73d96.exeziMw2988.exezioI3122.exe

description	pid	process	target process
PID 1500 wrote to memory of 1816	1500	e5111c6533c0009b6277702edb5e569a22e7c9ff85d08c227a2ada62a5e73d96.exe	ziMw2988.exe
PID 1500 wrote to memory of 1816	1500	e5111c6533c0009b6277702edb5e569a22e7c9ff85d08c227a2ada62a5e73d96.exe	ziMw2988.exe
PID 1500 wrote to memory of 1816	1500	e5111c6533c0009b6277702edb5e569a22e7c9ff85d08c227a2ada62a5e73d96.exe	ziMw2988.exe
PID 1816 wrote to memory of 3740	1816	ziMw2988.exe	zioI3122.exe
PID 1816 wrote to memory of 3740	1816	ziMw2988.exe	zioI3122.exe
PID 1816 wrote to memory of 3740	1816	ziMw2988.exe	zioI3122.exe
PID 3740 wrote to memory of 1684	3740	zioI3122.exe	it403567.exe
PID 3740 wrote to memory of 1684	3740	zioI3122.exe	it403567.exe
PID 3740 wrote to memory of 116	3740	zioI3122.exe	jr368666.exe
PID 3740 wrote to memory of 116	3740	zioI3122.exe	jr368666.exe
PID 3740 wrote to memory of 116	3740	zioI3122.exe	jr368666.exe

C:\Users\Admin\AppData\Local\Temp\e5111c6533c0009b6277702edb5e569a22e7c9ff85d08c227a2ada62a5e73d96.exe
"C:\Users\Admin\AppData\Local\Temp\e5111c6533c0009b6277702edb5e569a22e7c9ff85d08c227a2ada62a5e73d96.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1500

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziMw2988.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziMw2988.exe
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1816

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\zioI3122.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\zioI3122.exe
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3740

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\it403567.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\it403567.exe
4⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1684

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\jr368666.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\jr368666.exe
4⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:116

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Modify Existing Service

1

T1031

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

3

T1112

Disabling Security Tools

2

T1089

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziMw2988.exe
Filesize
525KB

MD5
65c95d7711471cfb25f98a4969c92ee9

SHA1
706150eac2fd92c97dce567be7f58b7851cae04b

SHA256
8cd0f8cb48f7b9366e1eade9ab47c555969ba6c7f6ea26e4015c7cf3cb0e60c9

SHA512
b87d97d19e7902fd4652dc763f72fd27cdbf1e1a675ce65163650a6767ea37699977445406e7213f10af996a399a29037b3a67dbebfd53ed16622ba9a24ac75a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziMw2988.exe
Filesize
525KB

MD5
65c95d7711471cfb25f98a4969c92ee9

SHA1
706150eac2fd92c97dce567be7f58b7851cae04b

SHA256
8cd0f8cb48f7b9366e1eade9ab47c555969ba6c7f6ea26e4015c7cf3cb0e60c9

SHA512
b87d97d19e7902fd4652dc763f72fd27cdbf1e1a675ce65163650a6767ea37699977445406e7213f10af996a399a29037b3a67dbebfd53ed16622ba9a24ac75a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\zioI3122.exe
Filesize
382KB

MD5
4a96a04926ab9e61941a3033beee53cc

SHA1
52f1b2826fd853b47b880c00bbb6e616c42c9eae

SHA256
105ccceab9876bb47413e79b7d510ee119375326bf45336214adfcdbac05f690

SHA512
d444fe43a4e71b1c9257c2bcd0045e11d78bdc14d5b68509dc77044b301d7ce3a26b727069e38c0fb0760b5b082024828aa35606f382e24736b752aa9f12893d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\zioI3122.exe
Filesize
382KB

MD5
4a96a04926ab9e61941a3033beee53cc

SHA1
52f1b2826fd853b47b880c00bbb6e616c42c9eae

SHA256
105ccceab9876bb47413e79b7d510ee119375326bf45336214adfcdbac05f690

SHA512
d444fe43a4e71b1c9257c2bcd0045e11d78bdc14d5b68509dc77044b301d7ce3a26b727069e38c0fb0760b5b082024828aa35606f382e24736b752aa9f12893d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\it403567.exe
Filesize
11KB

MD5
7e93bacbbc33e6652e147e7fe07572a0

SHA1
421a7167da01c8da4dc4d5234ca3dd84e319e762

SHA256
850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38

SHA512
250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\it403567.exe
Filesize
11KB

MD5
7e93bacbbc33e6652e147e7fe07572a0

SHA1
421a7167da01c8da4dc4d5234ca3dd84e319e762

SHA256
850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38

SHA512
250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\jr368666.exe
Filesize
299KB

MD5
c5cd19a9bf2dae2bed8d970b5f3bb3e8

SHA1
688f6751bed7ef1cdf0535d1bf94dbca85df3731

SHA256
d38894ec2e29ce037c8998a3e39929838d77255622b7d34e70c7081217b6acaf

SHA512
c055acf545350a2294e8b28fe8db652a41b2b45fc426c21eb964d9d0d323dac930d68ff05c1254b1e3a65f0e629de26f924c9fb581dd8f005418fbf61d1ddaee

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\jr368666.exe
Filesize
299KB

MD5
c5cd19a9bf2dae2bed8d970b5f3bb3e8

SHA1
688f6751bed7ef1cdf0535d1bf94dbca85df3731

SHA256
d38894ec2e29ce037c8998a3e39929838d77255622b7d34e70c7081217b6acaf

SHA512
c055acf545350a2294e8b28fe8db652a41b2b45fc426c21eb964d9d0d323dac930d68ff05c1254b1e3a65f0e629de26f924c9fb581dd8f005418fbf61d1ddaee

Download Submit
memory/116-160-0x0000000004BB0000-0x0000000005154000-memory.dmp

Filesize
5.6MB

Download
memory/116-161-0x0000000004A70000-0x0000000004AAF000-memory.dmp

Filesize
252KB

Download
memory/116-162-0x0000000004A70000-0x0000000004AAF000-memory.dmp

Filesize
252KB

Download
memory/116-164-0x0000000004A70000-0x0000000004AAF000-memory.dmp

Filesize
252KB

Download
memory/116-166-0x0000000004A70000-0x0000000004AAF000-memory.dmp

Filesize
252KB

Download
memory/116-167-0x0000000002010000-0x000000000205B000-memory.dmp

Filesize
300KB

Download
memory/116-168-0x0000000004BA0000-0x0000000004BB0000-memory.dmp

Filesize
64KB

Download
memory/116-171-0x0000000004BA0000-0x0000000004BB0000-memory.dmp

Filesize
64KB

Download
memory/116-172-0x0000000004BA0000-0x0000000004BB0000-memory.dmp

Filesize
64KB

Download
memory/116-174-0x0000000004A70000-0x0000000004AAF000-memory.dmp

Filesize
252KB

Download
memory/116-170-0x0000000004A70000-0x0000000004AAF000-memory.dmp

Filesize
252KB

Download
memory/116-176-0x0000000004A70000-0x0000000004AAF000-memory.dmp

Filesize
252KB

Download
memory/116-178-0x0000000004A70000-0x0000000004AAF000-memory.dmp

Filesize
252KB

Download
memory/116-180-0x0000000004A70000-0x0000000004AAF000-memory.dmp

Filesize
252KB

Download
memory/116-182-0x0000000004A70000-0x0000000004AAF000-memory.dmp

Filesize
252KB

Download
memory/116-184-0x0000000004A70000-0x0000000004AAF000-memory.dmp

Filesize
252KB

Download
memory/116-186-0x0000000004A70000-0x0000000004AAF000-memory.dmp

Filesize
252KB

Download
memory/116-188-0x0000000004A70000-0x0000000004AAF000-memory.dmp

Filesize
252KB

Download
memory/116-190-0x0000000004A70000-0x0000000004AAF000-memory.dmp

Filesize
252KB

Download
memory/116-192-0x0000000004A70000-0x0000000004AAF000-memory.dmp

Filesize
252KB

Download
memory/116-194-0x0000000004A70000-0x0000000004AAF000-memory.dmp

Filesize
252KB

Download
memory/116-196-0x0000000004A70000-0x0000000004AAF000-memory.dmp

Filesize
252KB

Download
memory/116-198-0x0000000004A70000-0x0000000004AAF000-memory.dmp

Filesize
252KB

Download
memory/116-200-0x0000000004A70000-0x0000000004AAF000-memory.dmp

Filesize
252KB

Download
memory/116-202-0x0000000004A70000-0x0000000004AAF000-memory.dmp

Filesize
252KB

Download
memory/116-204-0x0000000004A70000-0x0000000004AAF000-memory.dmp

Filesize
252KB

Download
memory/116-206-0x0000000004A70000-0x0000000004AAF000-memory.dmp

Filesize
252KB

Download
memory/116-208-0x0000000004A70000-0x0000000004AAF000-memory.dmp

Filesize
252KB

Download
memory/116-210-0x0000000004A70000-0x0000000004AAF000-memory.dmp

Filesize
252KB

Download
memory/116-212-0x0000000004A70000-0x0000000004AAF000-memory.dmp

Filesize
252KB

Download
memory/116-214-0x0000000004A70000-0x0000000004AAF000-memory.dmp

Filesize
252KB

Download
memory/116-216-0x0000000004A70000-0x0000000004AAF000-memory.dmp

Filesize
252KB

Download
memory/116-218-0x0000000004A70000-0x0000000004AAF000-memory.dmp

Filesize
252KB

Download
memory/116-220-0x0000000004A70000-0x0000000004AAF000-memory.dmp

Filesize
252KB

Download
memory/116-222-0x0000000004A70000-0x0000000004AAF000-memory.dmp

Filesize
252KB

Download
memory/116-224-0x0000000004A70000-0x0000000004AAF000-memory.dmp

Filesize
252KB

Download
memory/116-226-0x0000000004A70000-0x0000000004AAF000-memory.dmp

Filesize
252KB

Download
memory/116-228-0x0000000004A70000-0x0000000004AAF000-memory.dmp

Filesize
252KB

Download
memory/116-1071-0x0000000005260000-0x0000000005878000-memory.dmp

Filesize
6.1MB

Download
memory/116-1072-0x00000000058A0000-0x00000000059AA000-memory.dmp

Filesize
1.0MB

Download
memory/116-1073-0x00000000059E0000-0x00000000059F2000-memory.dmp

Filesize
72KB

Download
memory/116-1074-0x0000000004BA0000-0x0000000004BB0000-memory.dmp

Filesize
64KB

Download
memory/116-1075-0x0000000005A00000-0x0000000005A3C000-memory.dmp

Filesize
240KB

Download
memory/116-1077-0x0000000004BA0000-0x0000000004BB0000-memory.dmp

Filesize
64KB

Download
memory/116-1078-0x0000000004BA0000-0x0000000004BB0000-memory.dmp

Filesize
64KB

Download
memory/116-1079-0x0000000004BA0000-0x0000000004BB0000-memory.dmp

Filesize
64KB

Download
memory/116-1080-0x0000000004BA0000-0x0000000004BB0000-memory.dmp

Filesize
64KB

Download
memory/1684-154-0x0000000000490000-0x000000000049A000-memory.dmp

Filesize
40KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads