redline | ba507e89b30b9cd9c3594e9dae31cf208c724fb79cee783423b5710fa8390dd2

Analysis

max time kernel
56s
max time network
73s
platform
windows10-1703_x64
resource
win10-20230220-en
resource tags

arch:x64arch:x86image:win10-20230220-enlocale:en-usos:windows10-1703-x64system
submitted
26/03/2023, 20:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ba507e89b30b9cd9c3594e9dae31cf208c724fb79cee783423b5710fa8390dd2.exe
Size

691KB
MD5

69e0e719a212dc8c8d2aadf6bdcb6c10
SHA1

488900b5909d66687fa6217560871855098581f1
SHA256

ba507e89b30b9cd9c3594e9dae31cf208c724fb79cee783423b5710fa8390dd2
SHA512

81679183576c132544a886180e1e8855d3fb969acf03561895f41f0945f8284dce9d9f0b7381057e88abb449f6a78bacb7d1bc36dd3066423c32651a2670fb5f
SSDEEP

12288:HMrYy90lyNJunvjV1A3xknZHqCWP/f/UOO4+55wxlFxPHYUfPsaamLKh4+s2:bygQon5w/Pfex+xl4UfPKPKt2

Score

10^/10

redline dent sony discovery evasion infostealer persistence spyware stealer trojan

Malware Config

Extracted

Family

redline

Botnet

sony

193.233.20.33:4125

Attributes

auth_value
1d93d1744381eeb4fcfd7c23ffe0f0b4

Extracted

Family

redline

Botnet

dent

193.233.20.33:4125

Attributes

auth_value
e795368557f02e28e8aef6bcb279a3b0

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs 5 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	pro8650.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	pro8650.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	pro8650.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	pro8650.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	pro8650.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 20 IoCs

resource	yara_rule
behavioral1/memory/3928-177-0x0000000004920000-0x0000000004966000-memory.dmp	family_redline
behavioral1/memory/3928-180-0x0000000007650000-0x0000000007694000-memory.dmp	family_redline
behavioral1/memory/3928-181-0x0000000007650000-0x000000000768E000-memory.dmp	family_redline
behavioral1/memory/3928-182-0x0000000007650000-0x000000000768E000-memory.dmp	family_redline
behavioral1/memory/3928-184-0x0000000007650000-0x000000000768E000-memory.dmp	family_redline
behavioral1/memory/3928-186-0x0000000007650000-0x000000000768E000-memory.dmp	family_redline
behavioral1/memory/3928-188-0x0000000007650000-0x000000000768E000-memory.dmp	family_redline
behavioral1/memory/3928-190-0x0000000007650000-0x000000000768E000-memory.dmp	family_redline
behavioral1/memory/3928-192-0x0000000007650000-0x000000000768E000-memory.dmp	family_redline
behavioral1/memory/3928-194-0x0000000007650000-0x000000000768E000-memory.dmp	family_redline
behavioral1/memory/3928-196-0x0000000007650000-0x000000000768E000-memory.dmp	family_redline
behavioral1/memory/3928-198-0x0000000007650000-0x000000000768E000-memory.dmp	family_redline
behavioral1/memory/3928-200-0x0000000007650000-0x000000000768E000-memory.dmp	family_redline
behavioral1/memory/3928-202-0x0000000007650000-0x000000000768E000-memory.dmp	family_redline
behavioral1/memory/3928-204-0x0000000007650000-0x000000000768E000-memory.dmp	family_redline
behavioral1/memory/3928-206-0x0000000007650000-0x000000000768E000-memory.dmp	family_redline
behavioral1/memory/3928-209-0x0000000007650000-0x000000000768E000-memory.dmp	family_redline
behavioral1/memory/3928-211-0x0000000007650000-0x000000000768E000-memory.dmp	family_redline
behavioral1/memory/3928-213-0x0000000007650000-0x000000000768E000-memory.dmp	family_redline
behavioral1/memory/3928-215-0x0000000007650000-0x000000000768E000-memory.dmp	family_redline

Executes dropped EXE 4 IoCs

pid	Process
4012	un212425.exe
2052	pro8650.exe
3928	qu7773.exe
4792	si958117.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	pro8650.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	pro8650.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	ba507e89b30b9cd9c3594e9dae31cf208c724fb79cee783423b5710fa8390dd2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	ba507e89b30b9cd9c3594e9dae31cf208c724fb79cee783423b5710fa8390dd2.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	un212425.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	un212425.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
2052	pro8650.exe
2052	pro8650.exe
3928	qu7773.exe
3928	qu7773.exe
4792	si958117.exe
4792	si958117.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	2052	pro8650.exe
Token: SeDebugPrivilege	3928	qu7773.exe
Token: SeDebugPrivilege	4792	si958117.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2148 wrote to memory of 4012	2148	ba507e89b30b9cd9c3594e9dae31cf208c724fb79cee783423b5710fa8390dd2.exe	66
PID 2148 wrote to memory of 4012	2148	ba507e89b30b9cd9c3594e9dae31cf208c724fb79cee783423b5710fa8390dd2.exe	66
PID 2148 wrote to memory of 4012	2148	ba507e89b30b9cd9c3594e9dae31cf208c724fb79cee783423b5710fa8390dd2.exe	66
PID 4012 wrote to memory of 2052	4012	un212425.exe	67
PID 4012 wrote to memory of 2052	4012	un212425.exe	67
PID 4012 wrote to memory of 2052	4012	un212425.exe	67
PID 4012 wrote to memory of 3928	4012	un212425.exe	68
PID 4012 wrote to memory of 3928	4012	un212425.exe	68
PID 4012 wrote to memory of 3928	4012	un212425.exe	68
PID 2148 wrote to memory of 4792	2148	ba507e89b30b9cd9c3594e9dae31cf208c724fb79cee783423b5710fa8390dd2.exe	70
PID 2148 wrote to memory of 4792	2148	ba507e89b30b9cd9c3594e9dae31cf208c724fb79cee783423b5710fa8390dd2.exe	70
PID 2148 wrote to memory of 4792	2148	ba507e89b30b9cd9c3594e9dae31cf208c724fb79cee783423b5710fa8390dd2.exe	70

C:\Users\Admin\AppData\Local\Temp\ba507e89b30b9cd9c3594e9dae31cf208c724fb79cee783423b5710fa8390dd2.exe
"C:\Users\Admin\AppData\Local\Temp\ba507e89b30b9cd9c3594e9dae31cf208c724fb79cee783423b5710fa8390dd2.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2148
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un212425.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un212425.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:4012
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro8650.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro8650.exe
    3⤵
    - Modifies Windows Defender Real-time Protection settings
    - Executes dropped EXE
    - Windows security modification
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2052
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu7773.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu7773.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3928
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si958117.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si958117.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4792

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si958117.exe

Filesize
175KB

MD5
67ce56e6273ab6833687f46187e5fb18

SHA1
26f7dabc4f8f69b9a5b7a2552d9a6ded70223968

SHA256
b321e8483cb95db26422e10210efc5ed5f593ae079aef39d9d68fcb15e22a40a

SHA512
fe705467544bf24addb81567e8114209954c16fb5ce321ee95222aaa9026194c2e7ed1f77d3054d3dc0c2769f84734004fa24238affa4868f3e6574b8f087ba3

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si958117.exe

Filesize
175KB

MD5
67ce56e6273ab6833687f46187e5fb18

SHA1
26f7dabc4f8f69b9a5b7a2552d9a6ded70223968

SHA256
b321e8483cb95db26422e10210efc5ed5f593ae079aef39d9d68fcb15e22a40a

SHA512
fe705467544bf24addb81567e8114209954c16fb5ce321ee95222aaa9026194c2e7ed1f77d3054d3dc0c2769f84734004fa24238affa4868f3e6574b8f087ba3

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un212425.exe

Filesize
550KB

MD5
0f76c21adc69b60a99642584fff0f7b7

SHA1
a8b88c4fee0c245ea82cef503379e95e014251b1

SHA256
b5fa42df50dbe9dc5bd7d42e8a4ef9d01d1666ee6ba4363fc6cf97f6ddc12e15

SHA512
24c8463cd8b134cbb804f0c8f79759e91e92e26ce024116a0779abc8f8f013dce01dccbad53bdc8696a4008fa1b4259987f14f433a7c34fd556c36eb926a595b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un212425.exe

Filesize
550KB

MD5
0f76c21adc69b60a99642584fff0f7b7

SHA1
a8b88c4fee0c245ea82cef503379e95e014251b1

SHA256
b5fa42df50dbe9dc5bd7d42e8a4ef9d01d1666ee6ba4363fc6cf97f6ddc12e15

SHA512
24c8463cd8b134cbb804f0c8f79759e91e92e26ce024116a0779abc8f8f013dce01dccbad53bdc8696a4008fa1b4259987f14f433a7c34fd556c36eb926a595b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro8650.exe

Filesize
325KB

MD5
9d889f25dc0882f0d1834cde8b67aae6

SHA1
5c2de63e9af45c35157c7412d2f5210bd2595331

SHA256
470224da7890334039a9aa7a00cdc0783463c75aa8c5306b2d9a584d29dfd3b3

SHA512
2a61e8fdbc6aba895756db16f76967debc3415d45c94644cbf428e31d59a7c0a9f1e377009c420e6a602780ed20ab121a4b2124340c636c0c6640a9b967dee87

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro8650.exe

Filesize
325KB

MD5
9d889f25dc0882f0d1834cde8b67aae6

SHA1
5c2de63e9af45c35157c7412d2f5210bd2595331

SHA256
470224da7890334039a9aa7a00cdc0783463c75aa8c5306b2d9a584d29dfd3b3

SHA512
2a61e8fdbc6aba895756db16f76967debc3415d45c94644cbf428e31d59a7c0a9f1e377009c420e6a602780ed20ab121a4b2124340c636c0c6640a9b967dee87

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu7773.exe

Filesize
384KB

MD5
222376e1ffa308ea3dd64ed43ab88ea0

SHA1
99c644559273d3a3546195365713f091be996091

SHA256
496062aa69a3ab7e93b3add0aa07412e608fbb71d60cadd62d5ff367b5f6d39a

SHA512
1cf24fd64028f55bcf44bd203611669119941b634e94644f364f3dfaf2d553548492f59595d01da61e9e946c1eda5670768187463fce29765f87ac3f77fc9215

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu7773.exe

Filesize
384KB

MD5
222376e1ffa308ea3dd64ed43ab88ea0

SHA1
99c644559273d3a3546195365713f091be996091

SHA256
496062aa69a3ab7e93b3add0aa07412e608fbb71d60cadd62d5ff367b5f6d39a

SHA512
1cf24fd64028f55bcf44bd203611669119941b634e94644f364f3dfaf2d553548492f59595d01da61e9e946c1eda5670768187463fce29765f87ac3f77fc9215

Download Submit
memory/2052-132-0x0000000004680000-0x000000000469A000-memory.dmp

Filesize
104KB

Download
memory/2052-134-0x00000000072B0000-0x00000000077AE000-memory.dmp

Filesize
5.0MB

Download
memory/2052-133-0x00000000001D0000-0x00000000001FD000-memory.dmp

Filesize
180KB

Download
memory/2052-135-0x00000000072A0000-0x00000000072B0000-memory.dmp

Filesize
64KB

Download
memory/2052-137-0x0000000004C50000-0x0000000004C68000-memory.dmp

Filesize
96KB

Download
memory/2052-136-0x00000000072A0000-0x00000000072B0000-memory.dmp

Filesize
64KB

Download
memory/2052-138-0x00000000072A0000-0x00000000072B0000-memory.dmp

Filesize
64KB

Download
memory/2052-139-0x0000000004C50000-0x0000000004C62000-memory.dmp

Filesize
72KB

Download
memory/2052-140-0x0000000004C50000-0x0000000004C62000-memory.dmp

Filesize
72KB

Download
memory/2052-142-0x0000000004C50000-0x0000000004C62000-memory.dmp

Filesize
72KB

Download
memory/2052-144-0x0000000004C50000-0x0000000004C62000-memory.dmp

Filesize
72KB

Download
memory/2052-146-0x0000000004C50000-0x0000000004C62000-memory.dmp

Filesize
72KB

Download
memory/2052-148-0x0000000004C50000-0x0000000004C62000-memory.dmp

Filesize
72KB

Download
memory/2052-150-0x0000000004C50000-0x0000000004C62000-memory.dmp

Filesize
72KB

Download
memory/2052-152-0x0000000004C50000-0x0000000004C62000-memory.dmp

Filesize
72KB

Download
memory/2052-154-0x0000000004C50000-0x0000000004C62000-memory.dmp

Filesize
72KB

Download
memory/2052-156-0x0000000004C50000-0x0000000004C62000-memory.dmp

Filesize
72KB

Download
memory/2052-158-0x0000000004C50000-0x0000000004C62000-memory.dmp

Filesize
72KB

Download
memory/2052-160-0x0000000004C50000-0x0000000004C62000-memory.dmp

Filesize
72KB

Download
memory/2052-162-0x0000000004C50000-0x0000000004C62000-memory.dmp

Filesize
72KB

Download
memory/2052-164-0x0000000004C50000-0x0000000004C62000-memory.dmp

Filesize
72KB

Download
memory/2052-166-0x0000000004C50000-0x0000000004C62000-memory.dmp

Filesize
72KB

Download
memory/2052-167-0x0000000000400000-0x0000000002B7F000-memory.dmp

Filesize
39.5MB

Download
memory/2052-168-0x00000000072A0000-0x00000000072B0000-memory.dmp

Filesize
64KB

Download
memory/2052-169-0x00000000072A0000-0x00000000072B0000-memory.dmp

Filesize
64KB

Download
memory/2052-170-0x00000000072A0000-0x00000000072B0000-memory.dmp

Filesize
64KB

Download
memory/2052-172-0x0000000000400000-0x0000000002B7F000-memory.dmp

Filesize
39.5MB

Download
memory/3928-177-0x0000000004920000-0x0000000004966000-memory.dmp

Filesize
280KB

Download
memory/3928-178-0x0000000002CB0000-0x0000000002CFB000-memory.dmp

Filesize
300KB

Download
memory/3928-179-0x0000000007040000-0x0000000007050000-memory.dmp

Filesize
64KB

Download
memory/3928-180-0x0000000007650000-0x0000000007694000-memory.dmp

Filesize
272KB

Download
memory/3928-181-0x0000000007650000-0x000000000768E000-memory.dmp

Filesize
248KB

Download
memory/3928-182-0x0000000007650000-0x000000000768E000-memory.dmp

Filesize
248KB

Download
memory/3928-184-0x0000000007650000-0x000000000768E000-memory.dmp

Filesize
248KB

Download
memory/3928-186-0x0000000007650000-0x000000000768E000-memory.dmp

Filesize
248KB

Download
memory/3928-188-0x0000000007650000-0x000000000768E000-memory.dmp

Filesize
248KB

Download
memory/3928-190-0x0000000007650000-0x000000000768E000-memory.dmp

Filesize
248KB

Download
memory/3928-192-0x0000000007650000-0x000000000768E000-memory.dmp

Filesize
248KB

Download
memory/3928-194-0x0000000007650000-0x000000000768E000-memory.dmp

Filesize
248KB

Download
memory/3928-196-0x0000000007650000-0x000000000768E000-memory.dmp

Filesize
248KB

Download
memory/3928-198-0x0000000007650000-0x000000000768E000-memory.dmp

Filesize
248KB

Download
memory/3928-200-0x0000000007650000-0x000000000768E000-memory.dmp

Filesize
248KB

Download
memory/3928-202-0x0000000007650000-0x000000000768E000-memory.dmp

Filesize
248KB

Download
memory/3928-204-0x0000000007650000-0x000000000768E000-memory.dmp

Filesize
248KB

Download
memory/3928-206-0x0000000007650000-0x000000000768E000-memory.dmp

Filesize
248KB

Download
memory/3928-209-0x0000000007650000-0x000000000768E000-memory.dmp

Filesize
248KB

Download
memory/3928-207-0x0000000007040000-0x0000000007050000-memory.dmp

Filesize
64KB

Download
memory/3928-211-0x0000000007650000-0x000000000768E000-memory.dmp

Filesize
248KB

Download
memory/3928-213-0x0000000007650000-0x000000000768E000-memory.dmp

Filesize
248KB

Download
memory/3928-215-0x0000000007650000-0x000000000768E000-memory.dmp

Filesize
248KB

Download
memory/3928-1088-0x0000000007DF0000-0x00000000083F6000-memory.dmp

Filesize
6.0MB

Download
memory/3928-1089-0x0000000007860000-0x000000000796A000-memory.dmp

Filesize
1.0MB

Download
memory/3928-1090-0x00000000079A0000-0x00000000079B2000-memory.dmp

Filesize
72KB

Download
memory/3928-1091-0x00000000079C0000-0x00000000079FE000-memory.dmp

Filesize
248KB

Download
memory/3928-1092-0x0000000007B10000-0x0000000007B5B000-memory.dmp

Filesize
300KB

Download
memory/3928-1093-0x0000000007040000-0x0000000007050000-memory.dmp

Filesize
64KB

Download
memory/3928-1095-0x0000000007CA0000-0x0000000007D06000-memory.dmp

Filesize
408KB

Download
memory/3928-1096-0x0000000008980000-0x0000000008A12000-memory.dmp

Filesize
584KB

Download
memory/3928-1097-0x0000000007040000-0x0000000007050000-memory.dmp

Filesize
64KB

Download
memory/3928-1098-0x0000000008C90000-0x0000000008D06000-memory.dmp

Filesize
472KB

Download
memory/3928-1099-0x0000000008D20000-0x0000000008D70000-memory.dmp

Filesize
320KB

Download
memory/3928-1100-0x0000000008D90000-0x0000000008F52000-memory.dmp

Filesize
1.8MB

Download
memory/3928-1101-0x0000000008F60000-0x000000000948C000-memory.dmp

Filesize
5.2MB

Download
memory/3928-1102-0x0000000007040000-0x0000000007050000-memory.dmp

Filesize
64KB

Download
memory/4792-1108-0x00000000009E0000-0x0000000000A12000-memory.dmp

Filesize
200KB

Download
memory/4792-1109-0x0000000005420000-0x000000000546B000-memory.dmp

Filesize
300KB

Download
memory/4792-1110-0x0000000005600000-0x0000000005610000-memory.dmp

Filesize
64KB

Download