redline | 89942c3e51397072722225283650250c1244ac0201db45c795685b3bb2bc52e6

Analysis

max time kernel
143s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
27/03/2023, 00:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

89942c3e51397072722225283650250c1244ac0201db45c795685b3bb2bc52e6.exe
Size

683KB
MD5

84f5fb9df449978d540e1bfb39df93ed
SHA1

3dc0d24b02920bd8ebccaea30d99029a47a50e4f
SHA256

89942c3e51397072722225283650250c1244ac0201db45c795685b3bb2bc52e6
SHA512

163bc41995e60a761d2c2b9149057e6e23d262a5dd6a5f69477a5e84ded7a199aa8e33e831560fa76353a2330a149bc6959d7710abeac938e06442d67a4696ec
SSDEEP

12288:5Mr5y90AqqAjVN2kYpdeudvQNr+vCb1YIpB1+qbwiS0n2UqEWntm6x:QybqquN2kYacvQt+v6b1BbM0n2UqEWnX

Score

10^/10

redline dent sony discovery evasion infostealer persistence spyware stealer trojan

Malware Config

Extracted

Family

redline

Botnet

sony

193.233.20.33:4125

Attributes

auth_value
1d93d1744381eeb4fcfd7c23ffe0f0b4

Extracted

Family

redline

Botnet

dent

193.233.20.33:4125

Attributes

auth_value
e795368557f02e28e8aef6bcb279a3b0

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	pro5125.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	pro5125.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	pro5125.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	pro5125.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	pro5125.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	pro5125.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 18 IoCs

resource	yara_rule
behavioral1/memory/2772-194-0x0000000004BD0000-0x0000000004C0E000-memory.dmp	family_redline
behavioral1/memory/2772-195-0x0000000004BD0000-0x0000000004C0E000-memory.dmp	family_redline
behavioral1/memory/2772-197-0x0000000004BD0000-0x0000000004C0E000-memory.dmp	family_redline
behavioral1/memory/2772-199-0x0000000004BD0000-0x0000000004C0E000-memory.dmp	family_redline
behavioral1/memory/2772-201-0x0000000004BD0000-0x0000000004C0E000-memory.dmp	family_redline
behavioral1/memory/2772-203-0x0000000004BD0000-0x0000000004C0E000-memory.dmp	family_redline
behavioral1/memory/2772-205-0x0000000004BD0000-0x0000000004C0E000-memory.dmp	family_redline
behavioral1/memory/2772-207-0x0000000004BD0000-0x0000000004C0E000-memory.dmp	family_redline
behavioral1/memory/2772-209-0x0000000004BD0000-0x0000000004C0E000-memory.dmp	family_redline
behavioral1/memory/2772-211-0x0000000004BD0000-0x0000000004C0E000-memory.dmp	family_redline
behavioral1/memory/2772-215-0x0000000004BD0000-0x0000000004C0E000-memory.dmp	family_redline
behavioral1/memory/2772-217-0x0000000004BD0000-0x0000000004C0E000-memory.dmp	family_redline
behavioral1/memory/2772-213-0x0000000004BD0000-0x0000000004C0E000-memory.dmp	family_redline
behavioral1/memory/2772-219-0x0000000004BD0000-0x0000000004C0E000-memory.dmp	family_redline
behavioral1/memory/2772-221-0x0000000004BD0000-0x0000000004C0E000-memory.dmp	family_redline
behavioral1/memory/2772-223-0x0000000004BD0000-0x0000000004C0E000-memory.dmp	family_redline
behavioral1/memory/2772-225-0x0000000004BD0000-0x0000000004C0E000-memory.dmp	family_redline
behavioral1/memory/2772-227-0x0000000004BD0000-0x0000000004C0E000-memory.dmp	family_redline

Executes dropped EXE 4 IoCs

pid	Process
3144	un351668.exe
2528	pro5125.exe
2772	qu8768.exe
2552	si342873.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	pro5125.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	pro5125.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	89942c3e51397072722225283650250c1244ac0201db45c795685b3bb2bc52e6.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	89942c3e51397072722225283650250c1244ac0201db45c795685b3bb2bc52e6.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	un351668.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	un351668.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
2528	pro5125.exe
2528	pro5125.exe
2772	qu8768.exe
2772	qu8768.exe
2552	si342873.exe
2552	si342873.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	2528	pro5125.exe
Token: SeDebugPrivilege	2772	qu8768.exe
Token: SeDebugPrivilege	2552	si342873.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 4348 wrote to memory of 3144	4348	89942c3e51397072722225283650250c1244ac0201db45c795685b3bb2bc52e6.exe	84
PID 4348 wrote to memory of 3144	4348	89942c3e51397072722225283650250c1244ac0201db45c795685b3bb2bc52e6.exe	84
PID 4348 wrote to memory of 3144	4348	89942c3e51397072722225283650250c1244ac0201db45c795685b3bb2bc52e6.exe	84
PID 3144 wrote to memory of 2528	3144	un351668.exe	85
PID 3144 wrote to memory of 2528	3144	un351668.exe	85
PID 3144 wrote to memory of 2528	3144	un351668.exe	85
PID 3144 wrote to memory of 2772	3144	un351668.exe	90
PID 3144 wrote to memory of 2772	3144	un351668.exe	90
PID 3144 wrote to memory of 2772	3144	un351668.exe	90
PID 4348 wrote to memory of 2552	4348	89942c3e51397072722225283650250c1244ac0201db45c795685b3bb2bc52e6.exe	93
PID 4348 wrote to memory of 2552	4348	89942c3e51397072722225283650250c1244ac0201db45c795685b3bb2bc52e6.exe	93
PID 4348 wrote to memory of 2552	4348	89942c3e51397072722225283650250c1244ac0201db45c795685b3bb2bc52e6.exe	93

C:\Users\Admin\AppData\Local\Temp\89942c3e51397072722225283650250c1244ac0201db45c795685b3bb2bc52e6.exe
"C:\Users\Admin\AppData\Local\Temp\89942c3e51397072722225283650250c1244ac0201db45c795685b3bb2bc52e6.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4348
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un351668.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un351668.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:3144
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro5125.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro5125.exe
    3⤵
    - Modifies Windows Defender Real-time Protection settings
    - Executes dropped EXE
    - Windows security modification
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2528
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu8768.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu8768.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2772
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si342873.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si342873.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2552

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si342873.exe

Filesize
175KB

MD5
6984f95cd1e18c84c1d6dab5d8f522c2

SHA1
965a2904ff2b86c8f361fee1a4bcb41b856b1f33

SHA256
06f6b9b66d14d494098fb0cddd4ffd4879391a06c93e45e5ab11bf7633467a94

SHA512
67994b0e57e051832ed58d489c9e577ddbb619ab627abc20da954d8bc0925302fa0772e6bf75309449c3a9c0518a44739954f32099a6c50d372f9d483d9e9cf4

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si342873.exe

Filesize
175KB

MD5
6984f95cd1e18c84c1d6dab5d8f522c2

SHA1
965a2904ff2b86c8f361fee1a4bcb41b856b1f33

SHA256
06f6b9b66d14d494098fb0cddd4ffd4879391a06c93e45e5ab11bf7633467a94

SHA512
67994b0e57e051832ed58d489c9e577ddbb619ab627abc20da954d8bc0925302fa0772e6bf75309449c3a9c0518a44739954f32099a6c50d372f9d483d9e9cf4

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un351668.exe

Filesize
541KB

MD5
017ea28841f5e2dc166e5bc357f97fdb

SHA1
2dc564ebe5753420c2277915201dda518f48f084

SHA256
47037c83ca89f4af58af9d2d64071452dd823fa125568261b81f7df562bef356

SHA512
db0879cf131b0956498afa5ce8266b6154faf16a8824f81fae958ee2f24166cf905a07b98124715215ac7b7ba643c1e8af588495d170ecd14c435359813444e5

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un351668.exe

Filesize
541KB

MD5
017ea28841f5e2dc166e5bc357f97fdb

SHA1
2dc564ebe5753420c2277915201dda518f48f084

SHA256
47037c83ca89f4af58af9d2d64071452dd823fa125568261b81f7df562bef356

SHA512
db0879cf131b0956498afa5ce8266b6154faf16a8824f81fae958ee2f24166cf905a07b98124715215ac7b7ba643c1e8af588495d170ecd14c435359813444e5

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro5125.exe

Filesize
322KB

MD5
d31137371f6331322a440f5327b409be

SHA1
698f31de337f17bc4709c70096fa4b9b95a1901d

SHA256
f2f09e3fabfbea81ded189d3b739e8847b319db1f4e35e430f50e90bb4cbda50

SHA512
b1d24892c692b11e41bdc17521fbbdf5da89fcdd24214e4d8a3e446b37df586bc265cd6df8add15cdd851af00d78ab749d06f5178e5d5ae481f59261592c585c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro5125.exe

Filesize
322KB

MD5
d31137371f6331322a440f5327b409be

SHA1
698f31de337f17bc4709c70096fa4b9b95a1901d

SHA256
f2f09e3fabfbea81ded189d3b739e8847b319db1f4e35e430f50e90bb4cbda50

SHA512
b1d24892c692b11e41bdc17521fbbdf5da89fcdd24214e4d8a3e446b37df586bc265cd6df8add15cdd851af00d78ab749d06f5178e5d5ae481f59261592c585c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu8768.exe

Filesize
379KB

MD5
c43c376df234ad0187218afc03ce7a72

SHA1
d3d909d5c430dbe305650708ac4cd6e1f150afc8

SHA256
73e8f078b74f4b0a00bef4a00b35cda2ca0473789c786c2ccbd63d9f030358c4

SHA512
ae643e9ff1064b2d47fac78857635aadb923bb4be4dd5211e3745d2d51a9bf9093892a349aea40e4b75f181313215e6d2f8835eba4f665295f61c0cb815648ff

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu8768.exe

Filesize
379KB

MD5
c43c376df234ad0187218afc03ce7a72

SHA1
d3d909d5c430dbe305650708ac4cd6e1f150afc8

SHA256
73e8f078b74f4b0a00bef4a00b35cda2ca0473789c786c2ccbd63d9f030358c4

SHA512
ae643e9ff1064b2d47fac78857635aadb923bb4be4dd5211e3745d2d51a9bf9093892a349aea40e4b75f181313215e6d2f8835eba4f665295f61c0cb815648ff

Download Submit
memory/2528-148-0x0000000002B80000-0x0000000002BAD000-memory.dmp

Filesize
180KB

Download
memory/2528-149-0x0000000007360000-0x0000000007904000-memory.dmp

Filesize
5.6MB

Download
memory/2528-150-0x00000000049A0000-0x00000000049B2000-memory.dmp

Filesize
72KB

Download
memory/2528-151-0x00000000049A0000-0x00000000049B2000-memory.dmp

Filesize
72KB

Download
memory/2528-153-0x00000000049A0000-0x00000000049B2000-memory.dmp

Filesize
72KB

Download
memory/2528-155-0x00000000049A0000-0x00000000049B2000-memory.dmp

Filesize
72KB

Download
memory/2528-157-0x00000000049A0000-0x00000000049B2000-memory.dmp

Filesize
72KB

Download
memory/2528-159-0x00000000049A0000-0x00000000049B2000-memory.dmp

Filesize
72KB

Download
memory/2528-161-0x00000000049A0000-0x00000000049B2000-memory.dmp

Filesize
72KB

Download
memory/2528-163-0x00000000049A0000-0x00000000049B2000-memory.dmp

Filesize
72KB

Download
memory/2528-165-0x00000000049A0000-0x00000000049B2000-memory.dmp

Filesize
72KB

Download
memory/2528-167-0x00000000049A0000-0x00000000049B2000-memory.dmp

Filesize
72KB

Download
memory/2528-172-0x0000000007350000-0x0000000007360000-memory.dmp

Filesize
64KB

Download
memory/2528-170-0x0000000007350000-0x0000000007360000-memory.dmp

Filesize
64KB

Download
memory/2528-173-0x00000000049A0000-0x00000000049B2000-memory.dmp

Filesize
72KB

Download
memory/2528-169-0x00000000049A0000-0x00000000049B2000-memory.dmp

Filesize
72KB

Download
memory/2528-175-0x00000000049A0000-0x00000000049B2000-memory.dmp

Filesize
72KB

Download
memory/2528-177-0x00000000049A0000-0x00000000049B2000-memory.dmp

Filesize
72KB

Download
memory/2528-179-0x00000000049A0000-0x00000000049B2000-memory.dmp

Filesize
72KB

Download
memory/2528-180-0x0000000000400000-0x0000000002B7E000-memory.dmp

Filesize
39.5MB

Download
memory/2528-183-0x0000000007350000-0x0000000007360000-memory.dmp

Filesize
64KB

Download
memory/2528-184-0x0000000007350000-0x0000000007360000-memory.dmp

Filesize
64KB

Download
memory/2528-185-0x0000000007350000-0x0000000007360000-memory.dmp

Filesize
64KB

Download
memory/2528-182-0x0000000000400000-0x0000000002B7E000-memory.dmp

Filesize
39.5MB

Download
memory/2552-1121-0x0000000000A00000-0x0000000000A32000-memory.dmp

Filesize
200KB

Download
memory/2552-1122-0x00000000052F0000-0x0000000005300000-memory.dmp

Filesize
64KB

Download
memory/2772-190-0x0000000002B90000-0x0000000002BDB000-memory.dmp

Filesize
300KB

Download
memory/2772-225-0x0000000004BD0000-0x0000000004C0E000-memory.dmp

Filesize
248KB

Download
memory/2772-192-0x0000000007370000-0x0000000007380000-memory.dmp

Filesize
64KB

Download
memory/2772-194-0x0000000004BD0000-0x0000000004C0E000-memory.dmp

Filesize
248KB

Download
memory/2772-195-0x0000000004BD0000-0x0000000004C0E000-memory.dmp

Filesize
248KB

Download
memory/2772-197-0x0000000004BD0000-0x0000000004C0E000-memory.dmp

Filesize
248KB

Download
memory/2772-199-0x0000000004BD0000-0x0000000004C0E000-memory.dmp

Filesize
248KB

Download
memory/2772-201-0x0000000004BD0000-0x0000000004C0E000-memory.dmp

Filesize
248KB

Download
memory/2772-203-0x0000000004BD0000-0x0000000004C0E000-memory.dmp

Filesize
248KB

Download
memory/2772-205-0x0000000004BD0000-0x0000000004C0E000-memory.dmp

Filesize
248KB

Download
memory/2772-207-0x0000000004BD0000-0x0000000004C0E000-memory.dmp

Filesize
248KB

Download
memory/2772-209-0x0000000004BD0000-0x0000000004C0E000-memory.dmp

Filesize
248KB

Download
memory/2772-211-0x0000000004BD0000-0x0000000004C0E000-memory.dmp

Filesize
248KB

Download
memory/2772-215-0x0000000004BD0000-0x0000000004C0E000-memory.dmp

Filesize
248KB

Download
memory/2772-217-0x0000000004BD0000-0x0000000004C0E000-memory.dmp

Filesize
248KB

Download
memory/2772-213-0x0000000004BD0000-0x0000000004C0E000-memory.dmp

Filesize
248KB

Download
memory/2772-219-0x0000000004BD0000-0x0000000004C0E000-memory.dmp

Filesize
248KB

Download
memory/2772-221-0x0000000004BD0000-0x0000000004C0E000-memory.dmp

Filesize
248KB

Download
memory/2772-223-0x0000000004BD0000-0x0000000004C0E000-memory.dmp

Filesize
248KB

Download
memory/2772-193-0x0000000007370000-0x0000000007380000-memory.dmp

Filesize
64KB

Download
memory/2772-227-0x0000000004BD0000-0x0000000004C0E000-memory.dmp

Filesize
248KB

Download
memory/2772-1100-0x0000000007930000-0x0000000007F48000-memory.dmp

Filesize
6.1MB

Download
memory/2772-1101-0x0000000007F70000-0x000000000807A000-memory.dmp

Filesize
1.0MB

Download
memory/2772-1102-0x00000000080B0000-0x00000000080C2000-memory.dmp

Filesize
72KB

Download
memory/2772-1103-0x00000000080D0000-0x000000000810C000-memory.dmp

Filesize
240KB

Download
memory/2772-1104-0x0000000007370000-0x0000000007380000-memory.dmp

Filesize
64KB

Download
memory/2772-1106-0x00000000083C0000-0x0000000008452000-memory.dmp

Filesize
584KB

Download
memory/2772-1107-0x0000000008460000-0x00000000084C6000-memory.dmp

Filesize
408KB

Download
memory/2772-1108-0x0000000008B60000-0x0000000008BD6000-memory.dmp

Filesize
472KB

Download
memory/2772-1109-0x0000000008BF0000-0x0000000008C40000-memory.dmp

Filesize
320KB

Download
memory/2772-1110-0x0000000007370000-0x0000000007380000-memory.dmp

Filesize
64KB

Download
memory/2772-1111-0x0000000007370000-0x0000000007380000-memory.dmp

Filesize
64KB

Download
memory/2772-1112-0x0000000007370000-0x0000000007380000-memory.dmp

Filesize
64KB

Download
memory/2772-191-0x0000000007370000-0x0000000007380000-memory.dmp

Filesize
64KB

Download
memory/2772-1113-0x0000000007370000-0x0000000007380000-memory.dmp

Filesize
64KB

Download
memory/2772-1114-0x0000000008EA0000-0x0000000009062000-memory.dmp

Filesize
1.8MB

Download
memory/2772-1115-0x0000000009090000-0x00000000095BC000-memory.dmp

Filesize
5.2MB

Download