redline | 2b52947e907101d5380de55afc9135603d1fe292c683d89f56f606715784844e

Analysis

max time kernel
55s
max time network
129s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
27-03-2023 14:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2b52947e907101d5380de55afc9135603d1fe292c683d89f56f606715784844e.exe
Size

685KB
MD5

3615bc16e4cbf04eff35a8930f4c412d
SHA1

5048b1473a47c84d6e304fc838f4abce916f21d5
SHA256

2b52947e907101d5380de55afc9135603d1fe292c683d89f56f606715784844e
SHA512

8cf8f1f02e23c45296c9866317fb1d8f7f03ec329a0273d1939ec2498a90809645aaf332a44989764139014fd86b777913cf14dd1c5841340bc924d15af331b8
SSDEEP

12288:PMrgy90hz5KYdr1uAU9JIkbitz/8ROZ2w4a7f4PnBLlVEGQQAuW9N:7y+TfY949Ia7f4/BlVEYC

Score

10^/10

redline nice sony discovery evasion infostealer persistence spyware stealer trojan

Malware Config

Extracted

Family

redline

Botnet

sony

193.233.20.33:4125

Attributes

auth_value
1d93d1744381eeb4fcfd7c23ffe0f0b4

Extracted

Family

redline

Botnet

nice

193.233.20.33:4125

Attributes

auth_value
a7371b75699e8bc7c51fb960e8ac9e81

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	pro4657.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	pro4657.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	pro4657.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	pro4657.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	pro4657.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	pro4657.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 19 IoCs

resource	yara_rule
behavioral1/memory/404-188-0x0000000004CE0000-0x0000000004D1E000-memory.dmp	family_redline
behavioral1/memory/404-187-0x0000000004CE0000-0x0000000004D1E000-memory.dmp	family_redline
behavioral1/memory/404-190-0x0000000004CE0000-0x0000000004D1E000-memory.dmp	family_redline
behavioral1/memory/404-192-0x0000000004CE0000-0x0000000004D1E000-memory.dmp	family_redline
behavioral1/memory/404-194-0x0000000004CE0000-0x0000000004D1E000-memory.dmp	family_redline
behavioral1/memory/404-196-0x0000000004CE0000-0x0000000004D1E000-memory.dmp	family_redline
behavioral1/memory/404-198-0x0000000004CE0000-0x0000000004D1E000-memory.dmp	family_redline
behavioral1/memory/404-200-0x0000000004CE0000-0x0000000004D1E000-memory.dmp	family_redline
behavioral1/memory/404-202-0x0000000004CE0000-0x0000000004D1E000-memory.dmp	family_redline
behavioral1/memory/404-204-0x0000000004CE0000-0x0000000004D1E000-memory.dmp	family_redline
behavioral1/memory/404-206-0x0000000004CE0000-0x0000000004D1E000-memory.dmp	family_redline
behavioral1/memory/404-208-0x0000000004CE0000-0x0000000004D1E000-memory.dmp	family_redline
behavioral1/memory/404-210-0x0000000004CE0000-0x0000000004D1E000-memory.dmp	family_redline
behavioral1/memory/404-212-0x0000000004CE0000-0x0000000004D1E000-memory.dmp	family_redline
behavioral1/memory/404-214-0x0000000004CE0000-0x0000000004D1E000-memory.dmp	family_redline
behavioral1/memory/404-216-0x0000000004CE0000-0x0000000004D1E000-memory.dmp	family_redline
behavioral1/memory/404-218-0x0000000004CE0000-0x0000000004D1E000-memory.dmp	family_redline
behavioral1/memory/404-220-0x0000000004CE0000-0x0000000004D1E000-memory.dmp	family_redline
behavioral1/memory/404-360-0x0000000004D30000-0x0000000004D40000-memory.dmp	family_redline

Executes dropped EXE 4 IoCs

pid	Process
2392	un122123.exe
1188	pro4657.exe
404	qu1436.exe
588	si223805.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	pro4657.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	pro4657.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	2b52947e907101d5380de55afc9135603d1fe292c683d89f56f606715784844e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	2b52947e907101d5380de55afc9135603d1fe292c683d89f56f606715784844e.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	un122123.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	un122123.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Program crash 2 IoCs

pid	pid_target	Process	procid_target
2108	1188	WerFault.exe	85
1272	404	WerFault.exe	94

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
1188	pro4657.exe
1188	pro4657.exe
404	qu1436.exe
404	qu1436.exe
588	si223805.exe
588	si223805.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	1188	pro4657.exe
Token: SeDebugPrivilege	404	qu1436.exe
Token: SeDebugPrivilege	588	si223805.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 3736 wrote to memory of 2392	3736	2b52947e907101d5380de55afc9135603d1fe292c683d89f56f606715784844e.exe	84
PID 3736 wrote to memory of 2392	3736	2b52947e907101d5380de55afc9135603d1fe292c683d89f56f606715784844e.exe	84
PID 3736 wrote to memory of 2392	3736	2b52947e907101d5380de55afc9135603d1fe292c683d89f56f606715784844e.exe	84
PID 2392 wrote to memory of 1188	2392	un122123.exe	85
PID 2392 wrote to memory of 1188	2392	un122123.exe	85
PID 2392 wrote to memory of 1188	2392	un122123.exe	85
PID 2392 wrote to memory of 404	2392	un122123.exe	94
PID 2392 wrote to memory of 404	2392	un122123.exe	94
PID 2392 wrote to memory of 404	2392	un122123.exe	94
PID 3736 wrote to memory of 588	3736	2b52947e907101d5380de55afc9135603d1fe292c683d89f56f606715784844e.exe	99
PID 3736 wrote to memory of 588	3736	2b52947e907101d5380de55afc9135603d1fe292c683d89f56f606715784844e.exe	99
PID 3736 wrote to memory of 588	3736	2b52947e907101d5380de55afc9135603d1fe292c683d89f56f606715784844e.exe	99

C:\Users\Admin\AppData\Local\Temp\2b52947e907101d5380de55afc9135603d1fe292c683d89f56f606715784844e.exe
"C:\Users\Admin\AppData\Local\Temp\2b52947e907101d5380de55afc9135603d1fe292c683d89f56f606715784844e.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3736
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un122123.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un122123.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:2392
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro4657.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro4657.exe
    3⤵
    - Modifies Windows Defender Real-time Protection settings
    - Executes dropped EXE
    - Windows security modification
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1188
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1188 -s 1084
      4⤵
      Program crash
      PID:2108
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu1436.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu1436.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:404
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 404 -s 1612
      4⤵
      Program crash
      PID:1272
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si223805.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si223805.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:588

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 180 -p 1188 -ip 1188
1⤵
PID:4648

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 404 -ip 404
1⤵
PID:368

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si223805.exe

Filesize
175KB

MD5
e29d3fcd2af10a9e550d3203118aab2c

SHA1
0e44ca2d89a385749327268468d117566f0b3ccc

SHA256
4857d45e47b77d927cd6d6419ab6178402b4963023edef4d50d00561fc568fa9

SHA512
d8d0b12159a74c2f01900bf694d54d7f3b8881b54479ac4b6400dc7d53e39e9a712d0abc2c602ef263bfff4a3d96732ee58aace23478b24323180f1380e16f34

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si223805.exe

Filesize
175KB

MD5
e29d3fcd2af10a9e550d3203118aab2c

SHA1
0e44ca2d89a385749327268468d117566f0b3ccc

SHA256
4857d45e47b77d927cd6d6419ab6178402b4963023edef4d50d00561fc568fa9

SHA512
d8d0b12159a74c2f01900bf694d54d7f3b8881b54479ac4b6400dc7d53e39e9a712d0abc2c602ef263bfff4a3d96732ee58aace23478b24323180f1380e16f34

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un122123.exe

Filesize
543KB

MD5
4e34b0269c5ee61c111d69e147fc3b06

SHA1
419585e3634ddf9ca9d95ead308fa3f86ea95d04

SHA256
d2fca7ebeb4560001264eafa0939cb61fd0db54a0da80f82050f57b7e742fe01

SHA512
a4ce41ca525d1e6c92cb03a95fdea70b9e90dbd5423381420215fece9f6b1a5bea62dc5456ab05d89d08a7936f5e187fbb5a2a81a1ae4ead3440501416c3d935

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un122123.exe

Filesize
543KB

MD5
4e34b0269c5ee61c111d69e147fc3b06

SHA1
419585e3634ddf9ca9d95ead308fa3f86ea95d04

SHA256
d2fca7ebeb4560001264eafa0939cb61fd0db54a0da80f82050f57b7e742fe01

SHA512
a4ce41ca525d1e6c92cb03a95fdea70b9e90dbd5423381420215fece9f6b1a5bea62dc5456ab05d89d08a7936f5e187fbb5a2a81a1ae4ead3440501416c3d935

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro4657.exe

Filesize
292KB

MD5
1d010c837f2e715872a53e41223e3979

SHA1
b708c41220775e7ee1ac30a1510a78ca997ba640

SHA256
df26882453109844ee26700532883ec3bcc42c168fede93f09dc068ff0768112

SHA512
8362f8045ef6e5eec7185443c116dfb0ce7dc8399ed5df5c6ab4d737d05faa3ff70fb7a39986e4b98e3bb2c34f2274bf80615670dc6d90fa5b142c4ffcc0fee1

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro4657.exe

Filesize
292KB

MD5
1d010c837f2e715872a53e41223e3979

SHA1
b708c41220775e7ee1ac30a1510a78ca997ba640

SHA256
df26882453109844ee26700532883ec3bcc42c168fede93f09dc068ff0768112

SHA512
8362f8045ef6e5eec7185443c116dfb0ce7dc8399ed5df5c6ab4d737d05faa3ff70fb7a39986e4b98e3bb2c34f2274bf80615670dc6d90fa5b142c4ffcc0fee1

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu1436.exe

Filesize
350KB

MD5
deb296c30c61cdc552294ee67dddc3b0

SHA1
ad07c4f61c56c99f5782879280fd9613f4867176

SHA256
48cc1c09f6bfb0aa36a3c120b607f6c23ff9cc049809ac3c00288bd872d3cae3

SHA512
9817807b6f8d50e148f11ad622de1b3cd5e6aae344de851d8c0946209cd53243d239226af50036050197eda9989c604bd70c0beefaca8c8afebf12cf4702ade7

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu1436.exe

Filesize
350KB

MD5
deb296c30c61cdc552294ee67dddc3b0

SHA1
ad07c4f61c56c99f5782879280fd9613f4867176

SHA256
48cc1c09f6bfb0aa36a3c120b607f6c23ff9cc049809ac3c00288bd872d3cae3

SHA512
9817807b6f8d50e148f11ad622de1b3cd5e6aae344de851d8c0946209cd53243d239226af50036050197eda9989c604bd70c0beefaca8c8afebf12cf4702ade7

Download Submit
memory/404-1099-0x0000000005B00000-0x0000000005B12000-memory.dmp

Filesize
72KB

Download
memory/404-1100-0x0000000004D30000-0x0000000004D40000-memory.dmp

Filesize
64KB

Download
memory/404-1112-0x0000000006AE0000-0x000000000700C000-memory.dmp

Filesize
5.2MB

Download
memory/404-1111-0x0000000006910000-0x0000000006AD2000-memory.dmp

Filesize
1.8MB

Download
memory/404-1110-0x0000000004D30000-0x0000000004D40000-memory.dmp

Filesize
64KB

Download
memory/404-1109-0x00000000068B0000-0x0000000006900000-memory.dmp

Filesize
320KB

Download
memory/404-1108-0x0000000006810000-0x0000000006886000-memory.dmp

Filesize
472KB

Download
memory/404-1107-0x0000000004D30000-0x0000000004D40000-memory.dmp

Filesize
64KB

Download
memory/404-1106-0x0000000004D30000-0x0000000004D40000-memory.dmp

Filesize
64KB

Download
memory/404-1105-0x0000000004D30000-0x0000000004D40000-memory.dmp

Filesize
64KB

Download
memory/404-1103-0x00000000064D0000-0x0000000006562000-memory.dmp

Filesize
584KB

Download
memory/404-1102-0x0000000005E10000-0x0000000005E76000-memory.dmp

Filesize
408KB

Download
memory/404-1101-0x0000000005B20000-0x0000000005B5C000-memory.dmp

Filesize
240KB

Download
memory/404-1098-0x00000000059C0000-0x0000000005ACA000-memory.dmp

Filesize
1.0MB

Download
memory/404-1097-0x0000000005320000-0x0000000005938000-memory.dmp

Filesize
6.1MB

Download
memory/404-360-0x0000000004D30000-0x0000000004D40000-memory.dmp

Filesize
64KB

Download
memory/404-357-0x0000000004D30000-0x0000000004D40000-memory.dmp

Filesize
64KB

Download
memory/404-358-0x0000000004D30000-0x0000000004D40000-memory.dmp

Filesize
64KB

Download
memory/404-355-0x00000000007F0000-0x000000000083B000-memory.dmp

Filesize
300KB

Download
memory/404-188-0x0000000004CE0000-0x0000000004D1E000-memory.dmp

Filesize
248KB

Download
memory/404-187-0x0000000004CE0000-0x0000000004D1E000-memory.dmp

Filesize
248KB

Download
memory/404-190-0x0000000004CE0000-0x0000000004D1E000-memory.dmp

Filesize
248KB

Download
memory/404-192-0x0000000004CE0000-0x0000000004D1E000-memory.dmp

Filesize
248KB

Download
memory/404-194-0x0000000004CE0000-0x0000000004D1E000-memory.dmp

Filesize
248KB

Download
memory/404-196-0x0000000004CE0000-0x0000000004D1E000-memory.dmp

Filesize
248KB

Download
memory/404-198-0x0000000004CE0000-0x0000000004D1E000-memory.dmp

Filesize
248KB

Download
memory/404-200-0x0000000004CE0000-0x0000000004D1E000-memory.dmp

Filesize
248KB

Download
memory/404-202-0x0000000004CE0000-0x0000000004D1E000-memory.dmp

Filesize
248KB

Download
memory/404-204-0x0000000004CE0000-0x0000000004D1E000-memory.dmp

Filesize
248KB

Download
memory/404-206-0x0000000004CE0000-0x0000000004D1E000-memory.dmp

Filesize
248KB

Download
memory/404-208-0x0000000004CE0000-0x0000000004D1E000-memory.dmp

Filesize
248KB

Download
memory/404-210-0x0000000004CE0000-0x0000000004D1E000-memory.dmp

Filesize
248KB

Download
memory/404-212-0x0000000004CE0000-0x0000000004D1E000-memory.dmp

Filesize
248KB

Download
memory/404-214-0x0000000004CE0000-0x0000000004D1E000-memory.dmp

Filesize
248KB

Download
memory/404-216-0x0000000004CE0000-0x0000000004D1E000-memory.dmp

Filesize
248KB

Download
memory/404-218-0x0000000004CE0000-0x0000000004D1E000-memory.dmp

Filesize
248KB

Download
memory/404-220-0x0000000004CE0000-0x0000000004D1E000-memory.dmp

Filesize
248KB

Download
memory/588-1118-0x0000000000980000-0x00000000009B2000-memory.dmp

Filesize
200KB

Download
memory/588-1119-0x00000000055E0000-0x00000000055F0000-memory.dmp

Filesize
64KB

Download
memory/1188-171-0x0000000004C70000-0x0000000004C82000-memory.dmp

Filesize
72KB

Download
memory/1188-165-0x0000000004C70000-0x0000000004C82000-memory.dmp

Filesize
72KB

Download
memory/1188-179-0x0000000004C70000-0x0000000004C82000-memory.dmp

Filesize
72KB

Download
memory/1188-177-0x0000000004C70000-0x0000000004C82000-memory.dmp

Filesize
72KB

Download
memory/1188-150-0x0000000004CC0000-0x0000000004CD0000-memory.dmp

Filesize
64KB

Download
memory/1188-153-0x0000000004C70000-0x0000000004C82000-memory.dmp

Filesize
72KB

Download
memory/1188-173-0x0000000004C70000-0x0000000004C82000-memory.dmp

Filesize
72KB

Download
memory/1188-175-0x0000000004C70000-0x0000000004C82000-memory.dmp

Filesize
72KB

Download
memory/1188-151-0x0000000004CD0000-0x0000000005274000-memory.dmp

Filesize
5.6MB

Download
memory/1188-169-0x0000000004C70000-0x0000000004C82000-memory.dmp

Filesize
72KB

Download
memory/1188-167-0x0000000004C70000-0x0000000004C82000-memory.dmp

Filesize
72KB

Download
memory/1188-180-0x0000000000400000-0x000000000070C000-memory.dmp

Filesize
3.0MB

Download
memory/1188-163-0x0000000004C70000-0x0000000004C82000-memory.dmp

Filesize
72KB

Download
memory/1188-161-0x0000000004C70000-0x0000000004C82000-memory.dmp

Filesize
72KB

Download
memory/1188-159-0x0000000004C70000-0x0000000004C82000-memory.dmp

Filesize
72KB

Download
memory/1188-157-0x0000000004C70000-0x0000000004C82000-memory.dmp

Filesize
72KB

Download
memory/1188-155-0x0000000004C70000-0x0000000004C82000-memory.dmp

Filesize
72KB

Download
memory/1188-149-0x0000000004CC0000-0x0000000004CD0000-memory.dmp

Filesize
64KB

Download
memory/1188-148-0x00000000007F0000-0x000000000081D000-memory.dmp

Filesize
180KB

Download
memory/1188-182-0x0000000000400000-0x000000000070C000-memory.dmp

Filesize
3.0MB

Download
memory/1188-152-0x0000000004C70000-0x0000000004C82000-memory.dmp

Filesize
72KB

Download