redline | b1e853811e9b4dd2ae3d19346b9d7ffbdd7d96fa531a231f6942e24480fb1eb2

Analysis

max time kernel
50s
max time network
147s
platform
windows10-1703_x64
resource
win10-20230220-en
resource tags

arch:x64arch:x86image:win10-20230220-enlocale:en-usos:windows10-1703-x64system
submitted
27-03-2023 14:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b1e853811e9b4dd2ae3d19346b9d7ffbdd7d96fa531a231f6942e24480fb1eb2.exe
Size

685KB
MD5

7e2b34aadb9fd130f3f8a7ba7baf5156
SHA1

6e951d942dd81108c2899b5d2ca81df5b6b33487
SHA256

b1e853811e9b4dd2ae3d19346b9d7ffbdd7d96fa531a231f6942e24480fb1eb2
SHA512

9d66c1b02d3ce56f0f587c62f734d80bad1b5a3d122b766a90a1dbc7b714b29c8c938cd34f0c9cf5892c4666beb9cb05a1f5dfb75492c5e66750bc243edf2202
SSDEEP

12288:hMr6y90GPZ7+MKWyHRCkHsflpvCXrHdIcz1bdJk8U7BNQhEzrdxRUHwUit:jyZ7+MW7HsflYXrHGG1pJktDQhEzX/9t

Score

10^/10

redline nice sony discovery evasion infostealer persistence spyware stealer trojan

Malware Config

Extracted

Family

redline

Botnet

sony

193.233.20.33:4125

Attributes

auth_value
1d93d1744381eeb4fcfd7c23ffe0f0b4

Extracted

Family

redline

Botnet

nice

193.233.20.33:4125

Attributes

auth_value
a7371b75699e8bc7c51fb960e8ac9e81

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs 5 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	pro7961.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	pro7961.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	pro7961.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	pro7961.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	pro7961.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 20 IoCs

resource	yara_rule
behavioral1/memory/4876-178-0x00000000023B0000-0x00000000023F6000-memory.dmp	family_redline
behavioral1/memory/4876-179-0x0000000002930000-0x0000000002974000-memory.dmp	family_redline
behavioral1/memory/4876-180-0x0000000002930000-0x000000000296E000-memory.dmp	family_redline
behavioral1/memory/4876-181-0x0000000002930000-0x000000000296E000-memory.dmp	family_redline
behavioral1/memory/4876-183-0x0000000002930000-0x000000000296E000-memory.dmp	family_redline
behavioral1/memory/4876-185-0x0000000002930000-0x000000000296E000-memory.dmp	family_redline
behavioral1/memory/4876-187-0x0000000002930000-0x000000000296E000-memory.dmp	family_redline
behavioral1/memory/4876-189-0x0000000002930000-0x000000000296E000-memory.dmp	family_redline
behavioral1/memory/4876-191-0x0000000002930000-0x000000000296E000-memory.dmp	family_redline
behavioral1/memory/4876-193-0x0000000002930000-0x000000000296E000-memory.dmp	family_redline
behavioral1/memory/4876-195-0x0000000002930000-0x000000000296E000-memory.dmp	family_redline
behavioral1/memory/4876-197-0x0000000002930000-0x000000000296E000-memory.dmp	family_redline
behavioral1/memory/4876-199-0x0000000002930000-0x000000000296E000-memory.dmp	family_redline
behavioral1/memory/4876-201-0x0000000002930000-0x000000000296E000-memory.dmp	family_redline
behavioral1/memory/4876-203-0x0000000002930000-0x000000000296E000-memory.dmp	family_redline
behavioral1/memory/4876-205-0x0000000002930000-0x000000000296E000-memory.dmp	family_redline
behavioral1/memory/4876-207-0x0000000002930000-0x000000000296E000-memory.dmp	family_redline
behavioral1/memory/4876-209-0x0000000002930000-0x000000000296E000-memory.dmp	family_redline
behavioral1/memory/4876-213-0x0000000002930000-0x000000000296E000-memory.dmp	family_redline
behavioral1/memory/4876-211-0x0000000002930000-0x000000000296E000-memory.dmp	family_redline

Executes dropped EXE 4 IoCs

pid	Process
4268	un202531.exe
2396	pro7961.exe
4876	qu4815.exe
4272	si247051.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	pro7961.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	pro7961.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	un202531.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	b1e853811e9b4dd2ae3d19346b9d7ffbdd7d96fa531a231f6942e24480fb1eb2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	b1e853811e9b4dd2ae3d19346b9d7ffbdd7d96fa531a231f6942e24480fb1eb2.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	un202531.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
2396	pro7961.exe
2396	pro7961.exe
4876	qu4815.exe
4876	qu4815.exe
4272	si247051.exe
4272	si247051.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	2396	pro7961.exe
Token: SeDebugPrivilege	4876	qu4815.exe
Token: SeDebugPrivilege	4272	si247051.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 400 wrote to memory of 4268	400	b1e853811e9b4dd2ae3d19346b9d7ffbdd7d96fa531a231f6942e24480fb1eb2.exe	66
PID 400 wrote to memory of 4268	400	b1e853811e9b4dd2ae3d19346b9d7ffbdd7d96fa531a231f6942e24480fb1eb2.exe	66
PID 400 wrote to memory of 4268	400	b1e853811e9b4dd2ae3d19346b9d7ffbdd7d96fa531a231f6942e24480fb1eb2.exe	66
PID 4268 wrote to memory of 2396	4268	un202531.exe	67
PID 4268 wrote to memory of 2396	4268	un202531.exe	67
PID 4268 wrote to memory of 2396	4268	un202531.exe	67
PID 4268 wrote to memory of 4876	4268	un202531.exe	68
PID 4268 wrote to memory of 4876	4268	un202531.exe	68
PID 4268 wrote to memory of 4876	4268	un202531.exe	68
PID 400 wrote to memory of 4272	400	b1e853811e9b4dd2ae3d19346b9d7ffbdd7d96fa531a231f6942e24480fb1eb2.exe	70
PID 400 wrote to memory of 4272	400	b1e853811e9b4dd2ae3d19346b9d7ffbdd7d96fa531a231f6942e24480fb1eb2.exe	70
PID 400 wrote to memory of 4272	400	b1e853811e9b4dd2ae3d19346b9d7ffbdd7d96fa531a231f6942e24480fb1eb2.exe	70

C:\Users\Admin\AppData\Local\Temp\b1e853811e9b4dd2ae3d19346b9d7ffbdd7d96fa531a231f6942e24480fb1eb2.exe
"C:\Users\Admin\AppData\Local\Temp\b1e853811e9b4dd2ae3d19346b9d7ffbdd7d96fa531a231f6942e24480fb1eb2.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:400
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un202531.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un202531.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:4268
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro7961.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro7961.exe
    3⤵
    - Modifies Windows Defender Real-time Protection settings
    - Executes dropped EXE
    - Windows security modification
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2396
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu4815.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu4815.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4876
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si247051.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si247051.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4272

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si247051.exe

Filesize
175KB

MD5
2f3c577e2064c8cf015fd297c9549805

SHA1
c862f01f616aef2d0be1dab14b378b144710f15c

SHA256
ec8fe623530b129a94ddd4c8eadc1480ea63a274434b49b7cc5479ca3cf8af67

SHA512
6256875474b06a9592a7d6bd463ce04501becda5a776a7a81c4b6afd95ecb80f84467d6c36a4c83fd2a7b4d2c9a24fee4e89bb1356d49cef9025fc68edcae896

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si247051.exe

Filesize
175KB

MD5
2f3c577e2064c8cf015fd297c9549805

SHA1
c862f01f616aef2d0be1dab14b378b144710f15c

SHA256
ec8fe623530b129a94ddd4c8eadc1480ea63a274434b49b7cc5479ca3cf8af67

SHA512
6256875474b06a9592a7d6bd463ce04501becda5a776a7a81c4b6afd95ecb80f84467d6c36a4c83fd2a7b4d2c9a24fee4e89bb1356d49cef9025fc68edcae896

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un202531.exe

Filesize
543KB

MD5
e580f4896df0a3f5cc84dcab955164c1

SHA1
e1567b1a6787af6ae91679bbb2ffe74dc9714fba

SHA256
487a88a800d919e7f5ab37610cc4dafa1a9ae4a3846b3bf985d0714865ccdc06

SHA512
cfebf1e263054b1b2962550843bc5cb3b5e3f7618252543b08be52985c805834f389104ebe00bada99a0a939b06c742ab8ee457d36a47d60dfdc45dd0297051d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un202531.exe

Filesize
543KB

MD5
e580f4896df0a3f5cc84dcab955164c1

SHA1
e1567b1a6787af6ae91679bbb2ffe74dc9714fba

SHA256
487a88a800d919e7f5ab37610cc4dafa1a9ae4a3846b3bf985d0714865ccdc06

SHA512
cfebf1e263054b1b2962550843bc5cb3b5e3f7618252543b08be52985c805834f389104ebe00bada99a0a939b06c742ab8ee457d36a47d60dfdc45dd0297051d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro7961.exe

Filesize
292KB

MD5
5381aea605144f11376e2a670aa1fe68

SHA1
135f6d4e46701dc425086f0c188f28e246214678

SHA256
44ad3f22651840453180cc605dc7e51556309da2e4abb754022b8bd83b9dbc87

SHA512
d1d73e95b0ef396f7927351e38fd059831eba70123e0420298ebbc4225adf49021a575b78b204fcb87f3dd55f8426ae7b9f9b5b849ad5b2290db9babe23998aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro7961.exe

Filesize
292KB

MD5
5381aea605144f11376e2a670aa1fe68

SHA1
135f6d4e46701dc425086f0c188f28e246214678

SHA256
44ad3f22651840453180cc605dc7e51556309da2e4abb754022b8bd83b9dbc87

SHA512
d1d73e95b0ef396f7927351e38fd059831eba70123e0420298ebbc4225adf49021a575b78b204fcb87f3dd55f8426ae7b9f9b5b849ad5b2290db9babe23998aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu4815.exe

Filesize
350KB

MD5
a0f1ed83998b8b34813fbe55ee55b47f

SHA1
9023b633299fa5493e7b178542b15e74766fadc7

SHA256
36797c00280f77d26154f07d9e2433a9a38d630864180cd234f11a4bbfd91703

SHA512
5e45e8aed4a430fef5484a290b2045922f134e246843be1634523942bc96ce928a017b54a4a7f71539e0aafae1ec760df3508ca7fe5ba971d37540229c991bc7

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu4815.exe

Filesize
350KB

MD5
a0f1ed83998b8b34813fbe55ee55b47f

SHA1
9023b633299fa5493e7b178542b15e74766fadc7

SHA256
36797c00280f77d26154f07d9e2433a9a38d630864180cd234f11a4bbfd91703

SHA512
5e45e8aed4a430fef5484a290b2045922f134e246843be1634523942bc96ce928a017b54a4a7f71539e0aafae1ec760df3508ca7fe5ba971d37540229c991bc7

Download Submit
memory/2396-136-0x00000000009B0000-0x00000000009CA000-memory.dmp

Filesize
104KB

Download
memory/2396-137-0x0000000004EF0000-0x00000000053EE000-memory.dmp

Filesize
5.0MB

Download
memory/2396-138-0x00000000023B0000-0x00000000023C8000-memory.dmp

Filesize
96KB

Download
memory/2396-139-0x00000000023B0000-0x00000000023C2000-memory.dmp

Filesize
72KB

Download
memory/2396-140-0x00000000023B0000-0x00000000023C2000-memory.dmp

Filesize
72KB

Download
memory/2396-142-0x00000000023B0000-0x00000000023C2000-memory.dmp

Filesize
72KB

Download
memory/2396-144-0x00000000023B0000-0x00000000023C2000-memory.dmp

Filesize
72KB

Download
memory/2396-146-0x00000000023B0000-0x00000000023C2000-memory.dmp

Filesize
72KB

Download
memory/2396-148-0x00000000023B0000-0x00000000023C2000-memory.dmp

Filesize
72KB

Download
memory/2396-150-0x00000000023B0000-0x00000000023C2000-memory.dmp

Filesize
72KB

Download
memory/2396-152-0x00000000023B0000-0x00000000023C2000-memory.dmp

Filesize
72KB

Download
memory/2396-154-0x00000000023B0000-0x00000000023C2000-memory.dmp

Filesize
72KB

Download
memory/2396-156-0x00000000023B0000-0x00000000023C2000-memory.dmp

Filesize
72KB

Download
memory/2396-166-0x00000000023B0000-0x00000000023C2000-memory.dmp

Filesize
72KB

Download
memory/2396-164-0x00000000023B0000-0x00000000023C2000-memory.dmp

Filesize
72KB

Download
memory/2396-162-0x00000000023B0000-0x00000000023C2000-memory.dmp

Filesize
72KB

Download
memory/2396-160-0x00000000023B0000-0x00000000023C2000-memory.dmp

Filesize
72KB

Download
memory/2396-158-0x00000000023B0000-0x00000000023C2000-memory.dmp

Filesize
72KB

Download
memory/2396-167-0x00000000001D0000-0x00000000001FD000-memory.dmp

Filesize
180KB

Download
memory/2396-168-0x0000000004EE0000-0x0000000004EF0000-memory.dmp

Filesize
64KB

Download
memory/2396-169-0x0000000004EE0000-0x0000000004EF0000-memory.dmp

Filesize
64KB

Download
memory/2396-170-0x0000000004EE0000-0x0000000004EF0000-memory.dmp

Filesize
64KB

Download
memory/2396-171-0x0000000000400000-0x000000000070C000-memory.dmp

Filesize
3.0MB

Download
memory/2396-173-0x0000000000400000-0x000000000070C000-memory.dmp

Filesize
3.0MB

Download
memory/4272-1111-0x0000000000630000-0x0000000000662000-memory.dmp

Filesize
200KB

Download
memory/4272-1113-0x0000000004EB0000-0x0000000004EC0000-memory.dmp

Filesize
64KB

Download
memory/4272-1112-0x0000000005070000-0x00000000050BB000-memory.dmp

Filesize
300KB

Download
memory/4876-181-0x0000000002930000-0x000000000296E000-memory.dmp

Filesize
248KB

Download
memory/4876-312-0x0000000002120000-0x000000000216B000-memory.dmp

Filesize
300KB

Download
memory/4876-183-0x0000000002930000-0x000000000296E000-memory.dmp

Filesize
248KB

Download
memory/4876-185-0x0000000002930000-0x000000000296E000-memory.dmp

Filesize
248KB

Download
memory/4876-187-0x0000000002930000-0x000000000296E000-memory.dmp

Filesize
248KB

Download
memory/4876-189-0x0000000002930000-0x000000000296E000-memory.dmp

Filesize
248KB

Download
memory/4876-191-0x0000000002930000-0x000000000296E000-memory.dmp

Filesize
248KB

Download
memory/4876-193-0x0000000002930000-0x000000000296E000-memory.dmp

Filesize
248KB

Download
memory/4876-195-0x0000000002930000-0x000000000296E000-memory.dmp

Filesize
248KB

Download
memory/4876-197-0x0000000002930000-0x000000000296E000-memory.dmp

Filesize
248KB

Download
memory/4876-199-0x0000000002930000-0x000000000296E000-memory.dmp

Filesize
248KB

Download
memory/4876-201-0x0000000002930000-0x000000000296E000-memory.dmp

Filesize
248KB

Download
memory/4876-203-0x0000000002930000-0x000000000296E000-memory.dmp

Filesize
248KB

Download
memory/4876-205-0x0000000002930000-0x000000000296E000-memory.dmp

Filesize
248KB

Download
memory/4876-207-0x0000000002930000-0x000000000296E000-memory.dmp

Filesize
248KB

Download
memory/4876-209-0x0000000002930000-0x000000000296E000-memory.dmp

Filesize
248KB

Download
memory/4876-213-0x0000000002930000-0x000000000296E000-memory.dmp

Filesize
248KB

Download
memory/4876-211-0x0000000002930000-0x000000000296E000-memory.dmp

Filesize
248KB

Download
memory/4876-314-0x0000000004E90000-0x0000000004EA0000-memory.dmp

Filesize
64KB

Download
memory/4876-180-0x0000000002930000-0x000000000296E000-memory.dmp

Filesize
248KB

Download
memory/4876-318-0x0000000004E90000-0x0000000004EA0000-memory.dmp

Filesize
64KB

Download
memory/4876-316-0x0000000004E90000-0x0000000004EA0000-memory.dmp

Filesize
64KB

Download
memory/4876-1090-0x00000000059B0000-0x0000000005FB6000-memory.dmp

Filesize
6.0MB

Download
memory/4876-1091-0x00000000053A0000-0x00000000054AA000-memory.dmp

Filesize
1.0MB

Download
memory/4876-1092-0x0000000004DD0000-0x0000000004DE2000-memory.dmp

Filesize
72KB

Download
memory/4876-1093-0x0000000004DF0000-0x0000000004E2E000-memory.dmp

Filesize
248KB

Download
memory/4876-1094-0x0000000004E40000-0x0000000004E8B000-memory.dmp

Filesize
300KB

Download
memory/4876-1095-0x0000000004E90000-0x0000000004EA0000-memory.dmp

Filesize
64KB

Download
memory/4876-1096-0x00000000056F0000-0x0000000005782000-memory.dmp

Filesize
584KB

Download
memory/4876-1097-0x0000000005790000-0x00000000057F6000-memory.dmp

Filesize
408KB

Download
memory/4876-1099-0x00000000065A0000-0x0000000006762000-memory.dmp

Filesize
1.8MB

Download
memory/4876-1100-0x0000000006790000-0x0000000006CBC000-memory.dmp

Filesize
5.2MB

Download
memory/4876-1101-0x0000000004E90000-0x0000000004EA0000-memory.dmp

Filesize
64KB

Download
memory/4876-1102-0x0000000004E90000-0x0000000004EA0000-memory.dmp

Filesize
64KB

Download
memory/4876-179-0x0000000002930000-0x0000000002974000-memory.dmp

Filesize
272KB

Download
memory/4876-178-0x00000000023B0000-0x00000000023F6000-memory.dmp

Filesize
280KB

Download
memory/4876-1103-0x0000000004E90000-0x0000000004EA0000-memory.dmp

Filesize
64KB

Download
memory/4876-1104-0x00000000080B0000-0x0000000008126000-memory.dmp

Filesize
472KB

Download
memory/4876-1105-0x0000000008130000-0x0000000008180000-memory.dmp

Filesize
320KB

Download