redline | 9286a51986f01ddc51ae9a22faf44fd9cae9ac51729128eebaf6bc88aa61b9d3

Analysis

max time kernel
105s
max time network
125s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
27/03/2023, 07:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9286a51986f01ddc51ae9a22faf44fd9cae9ac51729128eebaf6bc88aa61b9d3.exe
Size

685KB
MD5

4aed380323be39efa99cf0031a23ee8f
SHA1

382e85ab3d1cc20029b3a9c83ce6a411141b3588
SHA256

9286a51986f01ddc51ae9a22faf44fd9cae9ac51729128eebaf6bc88aa61b9d3
SHA512

d638229563809109ad789f33e6c233de3640b3d6c08c5c33b6c2b02040c3418a66eca301e484523c5e4001e094f6d5f25af64d3bac7208e92926580a3db58b43
SSDEEP

12288:/Mrhy90sS/qD7X6TprZxtkOXrX4eXHhXE435qAebCld+lnMt:6yNEZE8rDXNEMqnSdl

Score

10^/10

redline dent sony discovery evasion infostealer persistence spyware stealer trojan

Malware Config

Extracted

Family

redline

Botnet

sony

193.233.20.33:4125

Attributes

auth_value
1d93d1744381eeb4fcfd7c23ffe0f0b4

Extracted

Family

redline

Botnet

dent

193.233.20.33:4125

Attributes

auth_value
e795368557f02e28e8aef6bcb279a3b0

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	pro5028.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	pro5028.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	pro5028.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	pro5028.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	pro5028.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	pro5028.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 19 IoCs

resource	yara_rule
behavioral1/memory/4104-192-0x0000000004CC0000-0x0000000004CFE000-memory.dmp	family_redline
behavioral1/memory/4104-191-0x0000000004CC0000-0x0000000004CFE000-memory.dmp	family_redline
behavioral1/memory/4104-194-0x0000000004CC0000-0x0000000004CFE000-memory.dmp	family_redline
behavioral1/memory/4104-196-0x0000000004CC0000-0x0000000004CFE000-memory.dmp	family_redline
behavioral1/memory/4104-198-0x0000000004CC0000-0x0000000004CFE000-memory.dmp	family_redline
behavioral1/memory/4104-200-0x0000000004CC0000-0x0000000004CFE000-memory.dmp	family_redline
behavioral1/memory/4104-202-0x0000000004CC0000-0x0000000004CFE000-memory.dmp	family_redline
behavioral1/memory/4104-204-0x0000000004CC0000-0x0000000004CFE000-memory.dmp	family_redline
behavioral1/memory/4104-206-0x0000000004CC0000-0x0000000004CFE000-memory.dmp	family_redline
behavioral1/memory/4104-208-0x0000000004CC0000-0x0000000004CFE000-memory.dmp	family_redline
behavioral1/memory/4104-210-0x0000000004CC0000-0x0000000004CFE000-memory.dmp	family_redline
behavioral1/memory/4104-212-0x0000000004CC0000-0x0000000004CFE000-memory.dmp	family_redline
behavioral1/memory/4104-214-0x0000000004CC0000-0x0000000004CFE000-memory.dmp	family_redline
behavioral1/memory/4104-216-0x0000000004CC0000-0x0000000004CFE000-memory.dmp	family_redline
behavioral1/memory/4104-218-0x0000000004CC0000-0x0000000004CFE000-memory.dmp	family_redline
behavioral1/memory/4104-220-0x0000000004CC0000-0x0000000004CFE000-memory.dmp	family_redline
behavioral1/memory/4104-222-0x0000000004CC0000-0x0000000004CFE000-memory.dmp	family_redline
behavioral1/memory/4104-224-0x0000000004CC0000-0x0000000004CFE000-memory.dmp	family_redline
behavioral1/memory/4104-336-0x0000000004EA0000-0x0000000004EB0000-memory.dmp	family_redline

Executes dropped EXE 4 IoCs

pid	Process
1364	un442313.exe
4060	pro5028.exe
4104	qu8924.exe
3300	si300859.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	pro5028.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	pro5028.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	un442313.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	un442313.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	9286a51986f01ddc51ae9a22faf44fd9cae9ac51729128eebaf6bc88aa61b9d3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	9286a51986f01ddc51ae9a22faf44fd9cae9ac51729128eebaf6bc88aa61b9d3.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
4060	pro5028.exe
4060	pro5028.exe
4104	qu8924.exe
4104	qu8924.exe
3300	si300859.exe
3300	si300859.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	4060	pro5028.exe
Token: SeDebugPrivilege	4104	qu8924.exe
Token: SeDebugPrivilege	3300	si300859.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1244 wrote to memory of 1364	1244	9286a51986f01ddc51ae9a22faf44fd9cae9ac51729128eebaf6bc88aa61b9d3.exe	86
PID 1244 wrote to memory of 1364	1244	9286a51986f01ddc51ae9a22faf44fd9cae9ac51729128eebaf6bc88aa61b9d3.exe	86
PID 1244 wrote to memory of 1364	1244	9286a51986f01ddc51ae9a22faf44fd9cae9ac51729128eebaf6bc88aa61b9d3.exe	86
PID 1364 wrote to memory of 4060	1364	un442313.exe	87
PID 1364 wrote to memory of 4060	1364	un442313.exe	87
PID 1364 wrote to memory of 4060	1364	un442313.exe	87
PID 1364 wrote to memory of 4104	1364	un442313.exe	93
PID 1364 wrote to memory of 4104	1364	un442313.exe	93
PID 1364 wrote to memory of 4104	1364	un442313.exe	93
PID 1244 wrote to memory of 3300	1244	9286a51986f01ddc51ae9a22faf44fd9cae9ac51729128eebaf6bc88aa61b9d3.exe	94
PID 1244 wrote to memory of 3300	1244	9286a51986f01ddc51ae9a22faf44fd9cae9ac51729128eebaf6bc88aa61b9d3.exe	94
PID 1244 wrote to memory of 3300	1244	9286a51986f01ddc51ae9a22faf44fd9cae9ac51729128eebaf6bc88aa61b9d3.exe	94

C:\Users\Admin\AppData\Local\Temp\9286a51986f01ddc51ae9a22faf44fd9cae9ac51729128eebaf6bc88aa61b9d3.exe
"C:\Users\Admin\AppData\Local\Temp\9286a51986f01ddc51ae9a22faf44fd9cae9ac51729128eebaf6bc88aa61b9d3.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1244
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un442313.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un442313.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:1364
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro5028.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro5028.exe
    3⤵
    - Modifies Windows Defender Real-time Protection settings
    - Executes dropped EXE
    - Windows security modification
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4060
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu8924.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu8924.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4104
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si300859.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si300859.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3300

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si300859.exe

Filesize
175KB

MD5
51ce9ee19e4e4423084b3a96b6bf84ed

SHA1
8f2de3f147e3f35e9d9e8ce9f48333f2e2e15255

SHA256
635f58ace49ab5963e58bd88300a208c118304ac42beb2c061bb2cab5b045d03

SHA512
da430eb3f960348a9d5f142cc464818d726eed9fb2125574ec77e8829d46a021cc460b9eaeabc2211bb3e0f5e0beba481e2be76587a20c76a5c1f09e729a5e1b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si300859.exe

Filesize
175KB

MD5
51ce9ee19e4e4423084b3a96b6bf84ed

SHA1
8f2de3f147e3f35e9d9e8ce9f48333f2e2e15255

SHA256
635f58ace49ab5963e58bd88300a208c118304ac42beb2c061bb2cab5b045d03

SHA512
da430eb3f960348a9d5f142cc464818d726eed9fb2125574ec77e8829d46a021cc460b9eaeabc2211bb3e0f5e0beba481e2be76587a20c76a5c1f09e729a5e1b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un442313.exe

Filesize
544KB

MD5
9036e34b5c55b8f10387a1b66d3832a2

SHA1
aaeb27d2aa96b855261710a4634630c6d5d27ecd

SHA256
08f940e67a0b88cc98afa35319b90089f7b28f643211a24d860d13f250d7370d

SHA512
25999eb4aca431b9ff8e6518fd1b39c9e096c76fd9259018cf7c062913a4204f8f4b9b1b39181b9c3a87f8567cf6d80430d23b5f7323c97037e13e542e02aa3b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un442313.exe

Filesize
544KB

MD5
9036e34b5c55b8f10387a1b66d3832a2

SHA1
aaeb27d2aa96b855261710a4634630c6d5d27ecd

SHA256
08f940e67a0b88cc98afa35319b90089f7b28f643211a24d860d13f250d7370d

SHA512
25999eb4aca431b9ff8e6518fd1b39c9e096c76fd9259018cf7c062913a4204f8f4b9b1b39181b9c3a87f8567cf6d80430d23b5f7323c97037e13e542e02aa3b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro5028.exe

Filesize
300KB

MD5
2b3d34e6e2ed758e5dddbadf0fb7f179

SHA1
24697e392b81e1af84dfaaa1da2a870dce2f3eb2

SHA256
c98344d2802ea100279c5e49ea7d98f9292543536c6e5154be6a8a541fbcd719

SHA512
cea577fe9a23d9e6aad45605b2d07ce5467b7cc36257876cbae2984ef99434df92a4fb926f37d92c20f117a1a0fdd5f8dc44b2c07987746644d00fec02d524eb

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro5028.exe

Filesize
300KB

MD5
2b3d34e6e2ed758e5dddbadf0fb7f179

SHA1
24697e392b81e1af84dfaaa1da2a870dce2f3eb2

SHA256
c98344d2802ea100279c5e49ea7d98f9292543536c6e5154be6a8a541fbcd719

SHA512
cea577fe9a23d9e6aad45605b2d07ce5467b7cc36257876cbae2984ef99434df92a4fb926f37d92c20f117a1a0fdd5f8dc44b2c07987746644d00fec02d524eb

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu8924.exe

Filesize
359KB

MD5
e56795b91375f868e5223a6e841008f5

SHA1
e777495f92409dfe90ae7732a24a87e4b3fc5c7f

SHA256
5f2df13b743a7c843d8aec052eedaa848912cb14259f229aae841208c15723a6

SHA512
f73d16690f66b5da16680196deb9ffda804ae4c925c3b20e90d8e273627e87ff52e18f3c609edd02d075565fe94dcaa59984309d2899f6f407243a667d19e4df

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu8924.exe

Filesize
359KB

MD5
e56795b91375f868e5223a6e841008f5

SHA1
e777495f92409dfe90ae7732a24a87e4b3fc5c7f

SHA256
5f2df13b743a7c843d8aec052eedaa848912cb14259f229aae841208c15723a6

SHA512
f73d16690f66b5da16680196deb9ffda804ae4c925c3b20e90d8e273627e87ff52e18f3c609edd02d075565fe94dcaa59984309d2899f6f407243a667d19e4df

Download Submit
memory/3300-1122-0x0000000000A50000-0x0000000000A82000-memory.dmp

Filesize
200KB

Download
memory/3300-1123-0x0000000005650000-0x0000000005660000-memory.dmp

Filesize
64KB

Download
memory/4060-156-0x00000000025F0000-0x0000000002602000-memory.dmp

Filesize
72KB

Download
memory/4060-170-0x00000000025F0000-0x0000000002602000-memory.dmp

Filesize
72KB

Download
memory/4060-150-0x0000000004EB0000-0x0000000004EC0000-memory.dmp

Filesize
64KB

Download
memory/4060-152-0x0000000004EC0000-0x0000000005464000-memory.dmp

Filesize
5.6MB

Download
memory/4060-153-0x00000000025F0000-0x0000000002602000-memory.dmp

Filesize
72KB

Download
memory/4060-154-0x00000000025F0000-0x0000000002602000-memory.dmp

Filesize
72KB

Download
memory/4060-149-0x0000000004EB0000-0x0000000004EC0000-memory.dmp

Filesize
64KB

Download
memory/4060-158-0x00000000025F0000-0x0000000002602000-memory.dmp

Filesize
72KB

Download
memory/4060-160-0x00000000025F0000-0x0000000002602000-memory.dmp

Filesize
72KB

Download
memory/4060-162-0x00000000025F0000-0x0000000002602000-memory.dmp

Filesize
72KB

Download
memory/4060-164-0x00000000025F0000-0x0000000002602000-memory.dmp

Filesize
72KB

Download
memory/4060-166-0x00000000025F0000-0x0000000002602000-memory.dmp

Filesize
72KB

Download
memory/4060-168-0x00000000025F0000-0x0000000002602000-memory.dmp

Filesize
72KB

Download
memory/4060-151-0x0000000004EB0000-0x0000000004EC0000-memory.dmp

Filesize
64KB

Download
memory/4060-172-0x00000000025F0000-0x0000000002602000-memory.dmp

Filesize
72KB

Download
memory/4060-174-0x00000000025F0000-0x0000000002602000-memory.dmp

Filesize
72KB

Download
memory/4060-176-0x00000000025F0000-0x0000000002602000-memory.dmp

Filesize
72KB

Download
memory/4060-178-0x00000000025F0000-0x0000000002602000-memory.dmp

Filesize
72KB

Download
memory/4060-180-0x00000000025F0000-0x0000000002602000-memory.dmp

Filesize
72KB

Download
memory/4060-181-0x0000000000400000-0x000000000070E000-memory.dmp

Filesize
3.1MB

Download
memory/4060-182-0x0000000004EB0000-0x0000000004EC0000-memory.dmp

Filesize
64KB

Download
memory/4060-183-0x0000000004EB0000-0x0000000004EC0000-memory.dmp

Filesize
64KB

Download
memory/4060-184-0x0000000004EB0000-0x0000000004EC0000-memory.dmp

Filesize
64KB

Download
memory/4060-186-0x0000000000400000-0x000000000070E000-memory.dmp

Filesize
3.1MB

Download
memory/4060-148-0x0000000000790000-0x00000000007BD000-memory.dmp

Filesize
180KB

Download
memory/4104-194-0x0000000004CC0000-0x0000000004CFE000-memory.dmp

Filesize
248KB

Download
memory/4104-338-0x0000000004EA0000-0x0000000004EB0000-memory.dmp

Filesize
64KB

Download
memory/4104-196-0x0000000004CC0000-0x0000000004CFE000-memory.dmp

Filesize
248KB

Download
memory/4104-198-0x0000000004CC0000-0x0000000004CFE000-memory.dmp

Filesize
248KB

Download
memory/4104-200-0x0000000004CC0000-0x0000000004CFE000-memory.dmp

Filesize
248KB

Download
memory/4104-202-0x0000000004CC0000-0x0000000004CFE000-memory.dmp

Filesize
248KB

Download
memory/4104-204-0x0000000004CC0000-0x0000000004CFE000-memory.dmp

Filesize
248KB

Download
memory/4104-206-0x0000000004CC0000-0x0000000004CFE000-memory.dmp

Filesize
248KB

Download
memory/4104-208-0x0000000004CC0000-0x0000000004CFE000-memory.dmp

Filesize
248KB

Download
memory/4104-210-0x0000000004CC0000-0x0000000004CFE000-memory.dmp

Filesize
248KB

Download
memory/4104-212-0x0000000004CC0000-0x0000000004CFE000-memory.dmp

Filesize
248KB

Download
memory/4104-214-0x0000000004CC0000-0x0000000004CFE000-memory.dmp

Filesize
248KB

Download
memory/4104-216-0x0000000004CC0000-0x0000000004CFE000-memory.dmp

Filesize
248KB

Download
memory/4104-218-0x0000000004CC0000-0x0000000004CFE000-memory.dmp

Filesize
248KB

Download
memory/4104-220-0x0000000004CC0000-0x0000000004CFE000-memory.dmp

Filesize
248KB

Download
memory/4104-222-0x0000000004CC0000-0x0000000004CFE000-memory.dmp

Filesize
248KB

Download
memory/4104-224-0x0000000004CC0000-0x0000000004CFE000-memory.dmp

Filesize
248KB

Download
memory/4104-336-0x0000000004EA0000-0x0000000004EB0000-memory.dmp

Filesize
64KB

Download
memory/4104-334-0x0000000002250000-0x000000000229B000-memory.dmp

Filesize
300KB

Download
memory/4104-191-0x0000000004CC0000-0x0000000004CFE000-memory.dmp

Filesize
248KB

Download
memory/4104-339-0x0000000004EA0000-0x0000000004EB0000-memory.dmp

Filesize
64KB

Download
memory/4104-1101-0x0000000005460000-0x0000000005A78000-memory.dmp

Filesize
6.1MB

Download
memory/4104-1102-0x0000000005B00000-0x0000000005C0A000-memory.dmp

Filesize
1.0MB

Download
memory/4104-1103-0x0000000005C40000-0x0000000005C52000-memory.dmp

Filesize
72KB

Download
memory/4104-1104-0x0000000005C60000-0x0000000005C9C000-memory.dmp

Filesize
240KB

Download
memory/4104-1105-0x0000000004EA0000-0x0000000004EB0000-memory.dmp

Filesize
64KB

Download
memory/4104-1106-0x0000000005F50000-0x0000000005FB6000-memory.dmp

Filesize
408KB

Download
memory/4104-1107-0x0000000006620000-0x00000000066B2000-memory.dmp

Filesize
584KB

Download
memory/4104-1109-0x0000000004EA0000-0x0000000004EB0000-memory.dmp

Filesize
64KB

Download
memory/4104-1110-0x0000000004EA0000-0x0000000004EB0000-memory.dmp

Filesize
64KB

Download
memory/4104-1111-0x0000000004EA0000-0x0000000004EB0000-memory.dmp

Filesize
64KB

Download
memory/4104-1112-0x0000000006950000-0x0000000006B12000-memory.dmp

Filesize
1.8MB

Download
memory/4104-1113-0x0000000006B30000-0x000000000705C000-memory.dmp

Filesize
5.2MB

Download
memory/4104-192-0x0000000004CC0000-0x0000000004CFE000-memory.dmp

Filesize
248KB

Download
memory/4104-1114-0x0000000004EA0000-0x0000000004EB0000-memory.dmp

Filesize
64KB

Download
memory/4104-1115-0x0000000007190000-0x0000000007206000-memory.dmp

Filesize
472KB

Download
memory/4104-1116-0x0000000007220000-0x0000000007270000-memory.dmp

Filesize
320KB

Download