redline | b1b211f15932778da3d44e00936a2a55c87f0ed7f6444dc2a3cee3e6f84dd9a2

Analysis

max time kernel
87s
max time network
90s
platform
windows10-1703_x64
resource
win10-20230220-en
resource tags

arch:x64arch:x86image:win10-20230220-enlocale:en-usos:windows10-1703-x64system
submitted
27-03-2023 12:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b1b211f15932778da3d44e00936a2a55c87f0ed7f6444dc2a3cee3e6f84dd9a2.exe
Size

686KB
MD5

f7c0c65882bc4882472f910a9a868f7d
SHA1

60e9855e71230733192c6a0692405431fdc56000
SHA256

b1b211f15932778da3d44e00936a2a55c87f0ed7f6444dc2a3cee3e6f84dd9a2
SHA512

9c8d7d0915f24606aae580b4c7b9c2145ec54adbb744b66c4aa6206ca3126682522b3da5520287cad03cecb8da46a1ca3dfb6a66233a5c4ee6b22f417fd3a7e9
SSDEEP

12288:dMrBy905hN1qSFu7pCCnXA+eWqTdDcfwFtqZObxmEMqRGXQs:kyeNkRCCnQ5zo9K2B

Score

10^/10

redline nice sony discovery evasion infostealer persistence spyware stealer trojan

Malware Config

Extracted

Family

redline

Botnet

sony

193.233.20.33:4125

Attributes

auth_value
1d93d1744381eeb4fcfd7c23ffe0f0b4

Extracted

Family

redline

Botnet

nice

193.233.20.33:4125

Attributes

auth_value
a7371b75699e8bc7c51fb960e8ac9e81

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs 5 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	pro4257.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	pro4257.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	pro4257.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	pro4257.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	pro4257.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 22 IoCs

resource	yara_rule
behavioral1/memory/4724-178-0x00000000024D0000-0x0000000002516000-memory.dmp	family_redline
behavioral1/memory/4724-179-0x0000000002840000-0x0000000002884000-memory.dmp	family_redline
behavioral1/memory/4724-180-0x0000000002840000-0x000000000287E000-memory.dmp	family_redline
behavioral1/memory/4724-181-0x0000000002840000-0x000000000287E000-memory.dmp	family_redline
behavioral1/memory/4724-183-0x0000000002840000-0x000000000287E000-memory.dmp	family_redline
behavioral1/memory/4724-185-0x0000000002840000-0x000000000287E000-memory.dmp	family_redline
behavioral1/memory/4724-187-0x0000000002840000-0x000000000287E000-memory.dmp	family_redline
behavioral1/memory/4724-189-0x0000000002840000-0x000000000287E000-memory.dmp	family_redline
behavioral1/memory/4724-191-0x0000000002840000-0x000000000287E000-memory.dmp	family_redline
behavioral1/memory/4724-193-0x0000000002840000-0x000000000287E000-memory.dmp	family_redline
behavioral1/memory/4724-195-0x0000000002840000-0x000000000287E000-memory.dmp	family_redline
behavioral1/memory/4724-197-0x0000000002840000-0x000000000287E000-memory.dmp	family_redline
behavioral1/memory/4724-199-0x0000000002840000-0x000000000287E000-memory.dmp	family_redline
behavioral1/memory/4724-201-0x0000000002840000-0x000000000287E000-memory.dmp	family_redline
behavioral1/memory/4724-203-0x0000000002840000-0x000000000287E000-memory.dmp	family_redline
behavioral1/memory/4724-207-0x0000000002840000-0x000000000287E000-memory.dmp	family_redline
behavioral1/memory/4724-205-0x0000000002840000-0x000000000287E000-memory.dmp	family_redline
behavioral1/memory/4724-209-0x0000000002840000-0x000000000287E000-memory.dmp	family_redline
behavioral1/memory/4724-211-0x0000000002840000-0x000000000287E000-memory.dmp	family_redline
behavioral1/memory/4724-213-0x0000000002840000-0x000000000287E000-memory.dmp	family_redline
behavioral1/memory/4724-1099-0x0000000002820000-0x0000000002830000-memory.dmp	family_redline
behavioral1/memory/4724-1100-0x0000000002820000-0x0000000002830000-memory.dmp	family_redline

Executes dropped EXE 4 IoCs

pid	Process
2512	un369699.exe
3172	pro4257.exe
4724	qu8994.exe
3868	si301408.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	pro4257.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	pro4257.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	b1b211f15932778da3d44e00936a2a55c87f0ed7f6444dc2a3cee3e6f84dd9a2.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	un369699.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	un369699.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	b1b211f15932778da3d44e00936a2a55c87f0ed7f6444dc2a3cee3e6f84dd9a2.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
3172	pro4257.exe
3172	pro4257.exe
4724	qu8994.exe
4724	qu8994.exe
3868	si301408.exe
3868	si301408.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	3172	pro4257.exe
Token: SeDebugPrivilege	4724	qu8994.exe
Token: SeDebugPrivilege	3868	si301408.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2456 wrote to memory of 2512	2456	b1b211f15932778da3d44e00936a2a55c87f0ed7f6444dc2a3cee3e6f84dd9a2.exe	66
PID 2456 wrote to memory of 2512	2456	b1b211f15932778da3d44e00936a2a55c87f0ed7f6444dc2a3cee3e6f84dd9a2.exe	66
PID 2456 wrote to memory of 2512	2456	b1b211f15932778da3d44e00936a2a55c87f0ed7f6444dc2a3cee3e6f84dd9a2.exe	66
PID 2512 wrote to memory of 3172	2512	un369699.exe	67
PID 2512 wrote to memory of 3172	2512	un369699.exe	67
PID 2512 wrote to memory of 3172	2512	un369699.exe	67
PID 2512 wrote to memory of 4724	2512	un369699.exe	68
PID 2512 wrote to memory of 4724	2512	un369699.exe	68
PID 2512 wrote to memory of 4724	2512	un369699.exe	68
PID 2456 wrote to memory of 3868	2456	b1b211f15932778da3d44e00936a2a55c87f0ed7f6444dc2a3cee3e6f84dd9a2.exe	70
PID 2456 wrote to memory of 3868	2456	b1b211f15932778da3d44e00936a2a55c87f0ed7f6444dc2a3cee3e6f84dd9a2.exe	70
PID 2456 wrote to memory of 3868	2456	b1b211f15932778da3d44e00936a2a55c87f0ed7f6444dc2a3cee3e6f84dd9a2.exe	70

C:\Users\Admin\AppData\Local\Temp\b1b211f15932778da3d44e00936a2a55c87f0ed7f6444dc2a3cee3e6f84dd9a2.exe
"C:\Users\Admin\AppData\Local\Temp\b1b211f15932778da3d44e00936a2a55c87f0ed7f6444dc2a3cee3e6f84dd9a2.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2456
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un369699.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un369699.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:2512
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro4257.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro4257.exe
    3⤵
    - Modifies Windows Defender Real-time Protection settings
    - Executes dropped EXE
    - Windows security modification
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3172
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu8994.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu8994.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4724
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si301408.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si301408.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3868

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si301408.exe

Filesize
175KB

MD5
f0cfe533c766893c50a7b5ea74711511

SHA1
c9bc7a745dd2cc14a721f23ad76215458a269fc8

SHA256
169c017e4f8eefdff10e99dd801cec27172b7ae05d13e94b669986e56f29de3f

SHA512
4d10a7d05ac0381a232a0383e5f0de4f048b0297db52ea36fa8a055abc5653649b0d62fb3eb9bc04466bd6f7cea04595288bf31fbfc55329b64907217b774fbc

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si301408.exe

Filesize
175KB

MD5
f0cfe533c766893c50a7b5ea74711511

SHA1
c9bc7a745dd2cc14a721f23ad76215458a269fc8

SHA256
169c017e4f8eefdff10e99dd801cec27172b7ae05d13e94b669986e56f29de3f

SHA512
4d10a7d05ac0381a232a0383e5f0de4f048b0297db52ea36fa8a055abc5653649b0d62fb3eb9bc04466bd6f7cea04595288bf31fbfc55329b64907217b774fbc

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un369699.exe

Filesize
545KB

MD5
7e1c04e7b892745c74621e2f413f6b75

SHA1
74cc442b1cd3fe7bfa3359b422a683440c87220c

SHA256
a7fcc63aff73bb45284ad628386fb8322aaa37e7c9611f0318a1001c6c966211

SHA512
8a622e4c2ab5a1972167ef558feb66b69d603c2cfbe69ebdadbd7854d2853a4693e104edbf7e683cb37d91ab0288b92a3a1b16f896ef2c1b2b8c19fae0ab68df

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un369699.exe

Filesize
545KB

MD5
7e1c04e7b892745c74621e2f413f6b75

SHA1
74cc442b1cd3fe7bfa3359b422a683440c87220c

SHA256
a7fcc63aff73bb45284ad628386fb8322aaa37e7c9611f0318a1001c6c966211

SHA512
8a622e4c2ab5a1972167ef558feb66b69d603c2cfbe69ebdadbd7854d2853a4693e104edbf7e683cb37d91ab0288b92a3a1b16f896ef2c1b2b8c19fae0ab68df

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro4257.exe

Filesize
300KB

MD5
9468092f72e7514dc5e8da193a0a2eab

SHA1
4b5c8f358f817b3c2f782b58aa6f55952e728812

SHA256
7807259e71b054c6f876e47643aae92e125297d3fded54253748db465ab59017

SHA512
a133fd9c7d41c037e68f8e3bcd6670c5739f9a142fb0673d2a915a8d234708c55c605f047fefc26f055989aec98faf7d1979861a110c9eea24de999d451e6fac

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro4257.exe

Filesize
300KB

MD5
9468092f72e7514dc5e8da193a0a2eab

SHA1
4b5c8f358f817b3c2f782b58aa6f55952e728812

SHA256
7807259e71b054c6f876e47643aae92e125297d3fded54253748db465ab59017

SHA512
a133fd9c7d41c037e68f8e3bcd6670c5739f9a142fb0673d2a915a8d234708c55c605f047fefc26f055989aec98faf7d1979861a110c9eea24de999d451e6fac

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu8994.exe

Filesize
359KB

MD5
29ba0d5060a36a7a5211f47537bdeed3

SHA1
66f014bdd3c1ff5cb97a0ce8d0f652f3cfd7295e

SHA256
f416c9a807d12fa742b75ba4680fcc51bbb1b9573c23604d533163696e3f92b1

SHA512
559261256be849ecd67f60254b645c945d655f2c6c71bba429d07bac71799717c7c84be1e58a111577cc32bf29758cb714f0c93305438bf5eb4613d6fcb45627

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu8994.exe

Filesize
359KB

MD5
29ba0d5060a36a7a5211f47537bdeed3

SHA1
66f014bdd3c1ff5cb97a0ce8d0f652f3cfd7295e

SHA256
f416c9a807d12fa742b75ba4680fcc51bbb1b9573c23604d533163696e3f92b1

SHA512
559261256be849ecd67f60254b645c945d655f2c6c71bba429d07bac71799717c7c84be1e58a111577cc32bf29758cb714f0c93305438bf5eb4613d6fcb45627

Download Submit
memory/3172-136-0x0000000002510000-0x000000000252A000-memory.dmp

Filesize
104KB

Download
memory/3172-137-0x0000000004C80000-0x000000000517E000-memory.dmp

Filesize
5.0MB

Download
memory/3172-138-0x0000000004C30000-0x0000000004C48000-memory.dmp

Filesize
96KB

Download
memory/3172-139-0x0000000004C30000-0x0000000004C42000-memory.dmp

Filesize
72KB

Download
memory/3172-140-0x0000000004C30000-0x0000000004C42000-memory.dmp

Filesize
72KB

Download
memory/3172-142-0x0000000004C30000-0x0000000004C42000-memory.dmp

Filesize
72KB

Download
memory/3172-144-0x0000000004C30000-0x0000000004C42000-memory.dmp

Filesize
72KB

Download
memory/3172-148-0x0000000004C30000-0x0000000004C42000-memory.dmp

Filesize
72KB

Download
memory/3172-146-0x0000000004C30000-0x0000000004C42000-memory.dmp

Filesize
72KB

Download
memory/3172-150-0x0000000004C30000-0x0000000004C42000-memory.dmp

Filesize
72KB

Download
memory/3172-152-0x0000000004C30000-0x0000000004C42000-memory.dmp

Filesize
72KB

Download
memory/3172-154-0x0000000004C30000-0x0000000004C42000-memory.dmp

Filesize
72KB

Download
memory/3172-160-0x0000000004C30000-0x0000000004C42000-memory.dmp

Filesize
72KB

Download
memory/3172-158-0x0000000004C30000-0x0000000004C42000-memory.dmp

Filesize
72KB

Download
memory/3172-162-0x0000000004C30000-0x0000000004C42000-memory.dmp

Filesize
72KB

Download
memory/3172-156-0x0000000004C30000-0x0000000004C42000-memory.dmp

Filesize
72KB

Download
memory/3172-166-0x0000000004C30000-0x0000000004C42000-memory.dmp

Filesize
72KB

Download
memory/3172-164-0x0000000004C30000-0x0000000004C42000-memory.dmp

Filesize
72KB

Download
memory/3172-167-0x00000000007E0000-0x000000000080D000-memory.dmp

Filesize
180KB

Download
memory/3172-168-0x0000000004C70000-0x0000000004C80000-memory.dmp

Filesize
64KB

Download
memory/3172-169-0x0000000004C70000-0x0000000004C80000-memory.dmp

Filesize
64KB

Download
memory/3172-170-0x0000000004C70000-0x0000000004C80000-memory.dmp

Filesize
64KB

Download
memory/3172-171-0x0000000000400000-0x000000000070E000-memory.dmp

Filesize
3.1MB

Download
memory/3172-173-0x0000000000400000-0x000000000070E000-memory.dmp

Filesize
3.1MB

Download
memory/3868-1112-0x0000000000A10000-0x0000000000A42000-memory.dmp

Filesize
200KB

Download
memory/3868-1114-0x00000000055D0000-0x00000000055E0000-memory.dmp

Filesize
64KB

Download
memory/3868-1113-0x0000000005450000-0x000000000549B000-memory.dmp

Filesize
300KB

Download
memory/4724-181-0x0000000002840000-0x000000000287E000-memory.dmp

Filesize
248KB

Download
memory/4724-298-0x0000000002820000-0x0000000002830000-memory.dmp

Filesize
64KB

Download
memory/4724-183-0x0000000002840000-0x000000000287E000-memory.dmp

Filesize
248KB

Download
memory/4724-185-0x0000000002840000-0x000000000287E000-memory.dmp

Filesize
248KB

Download
memory/4724-187-0x0000000002840000-0x000000000287E000-memory.dmp

Filesize
248KB

Download
memory/4724-189-0x0000000002840000-0x000000000287E000-memory.dmp

Filesize
248KB

Download
memory/4724-191-0x0000000002840000-0x000000000287E000-memory.dmp

Filesize
248KB

Download
memory/4724-193-0x0000000002840000-0x000000000287E000-memory.dmp

Filesize
248KB

Download
memory/4724-195-0x0000000002840000-0x000000000287E000-memory.dmp

Filesize
248KB

Download
memory/4724-197-0x0000000002840000-0x000000000287E000-memory.dmp

Filesize
248KB

Download
memory/4724-199-0x0000000002840000-0x000000000287E000-memory.dmp

Filesize
248KB

Download
memory/4724-201-0x0000000002840000-0x000000000287E000-memory.dmp

Filesize
248KB

Download
memory/4724-203-0x0000000002840000-0x000000000287E000-memory.dmp

Filesize
248KB

Download
memory/4724-207-0x0000000002840000-0x000000000287E000-memory.dmp

Filesize
248KB

Download
memory/4724-205-0x0000000002840000-0x000000000287E000-memory.dmp

Filesize
248KB

Download
memory/4724-209-0x0000000002840000-0x000000000287E000-memory.dmp

Filesize
248KB

Download
memory/4724-211-0x0000000002840000-0x000000000287E000-memory.dmp

Filesize
248KB

Download
memory/4724-213-0x0000000002840000-0x000000000287E000-memory.dmp

Filesize
248KB

Download
memory/4724-296-0x00000000007F0000-0x000000000083B000-memory.dmp

Filesize
300KB

Download
memory/4724-180-0x0000000002840000-0x000000000287E000-memory.dmp

Filesize
248KB

Download
memory/4724-301-0x0000000002820000-0x0000000002830000-memory.dmp

Filesize
64KB

Download
memory/4724-299-0x0000000002820000-0x0000000002830000-memory.dmp

Filesize
64KB

Download
memory/4724-1090-0x0000000005840000-0x0000000005E46000-memory.dmp

Filesize
6.0MB

Download
memory/4724-1091-0x00000000052B0000-0x00000000053BA000-memory.dmp

Filesize
1.0MB

Download
memory/4724-1092-0x00000000053F0000-0x0000000005402000-memory.dmp

Filesize
72KB

Download
memory/4724-1093-0x0000000005410000-0x000000000544E000-memory.dmp

Filesize
248KB

Download
memory/4724-1094-0x0000000005560000-0x00000000055AB000-memory.dmp

Filesize
300KB

Download
memory/4724-1095-0x0000000002820000-0x0000000002830000-memory.dmp

Filesize
64KB

Download
memory/4724-1096-0x00000000056F0000-0x0000000005756000-memory.dmp

Filesize
408KB

Download
memory/4724-1098-0x00000000062A0000-0x0000000006332000-memory.dmp

Filesize
584KB

Download
memory/4724-1099-0x0000000002820000-0x0000000002830000-memory.dmp

Filesize
64KB

Download
memory/4724-1100-0x0000000002820000-0x0000000002830000-memory.dmp

Filesize
64KB

Download
memory/4724-1101-0x0000000002820000-0x0000000002830000-memory.dmp

Filesize
64KB

Download
memory/4724-1102-0x00000000065B0000-0x0000000006772000-memory.dmp

Filesize
1.8MB

Download
memory/4724-1103-0x0000000006790000-0x0000000006CBC000-memory.dmp

Filesize
5.2MB

Download
memory/4724-179-0x0000000002840000-0x0000000002884000-memory.dmp

Filesize
272KB

Download
memory/4724-178-0x00000000024D0000-0x0000000002516000-memory.dmp

Filesize
280KB

Download
memory/4724-1104-0x0000000006E00000-0x0000000006E76000-memory.dmp

Filesize
472KB

Download
memory/4724-1105-0x0000000006E80000-0x0000000006ED0000-memory.dmp

Filesize
320KB

Download
memory/4724-1106-0x0000000002820000-0x0000000002830000-memory.dmp

Filesize
64KB

Download