redline | d026236c3502a695d6d3275f30cc598db1e08bef2d2ce354ea06fd760d9331e6

Analysis

max time kernel
105s
max time network
146s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
27-03-2023 15:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d026236c3502a695d6d3275f30cc598db1e08bef2d2ce354ea06fd760d9331e6.exe
Size

700KB
MD5

d202a361df49f361f3830a8048e026d9
SHA1

0ab53ab6f7782852e80becb175293710d1e3d14c
SHA256

d026236c3502a695d6d3275f30cc598db1e08bef2d2ce354ea06fd760d9331e6
SHA512

891b49172f5ce7003732eb879dfecd97e0ca467997d0bd3ab39a5bd0d3461ed4ccf0e5f87c3a224df7bdd8b276fce18b1279038a6424ffc222ce5ded85876f2f
SSDEEP

12288:tMr0y90t+1Yn7eF+/PZYFXFjfyJkfK2gWuo2fSXjxBRvqCgvl1e9:Ry+pn6QOfby4iYjxB089

Score

10^/10

redline nice sony discovery evasion infostealer persistence spyware stealer trojan

Malware Config

Extracted

Family

redline

Botnet

sony

193.233.20.33:4125

Attributes

auth_value
1d93d1744381eeb4fcfd7c23ffe0f0b4

Extracted

Family

redline

Botnet

nice

193.233.20.33:4125

Attributes

auth_value
a7371b75699e8bc7c51fb960e8ac9e81

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	pro7041.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	pro7041.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	pro7041.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	pro7041.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	pro7041.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	pro7041.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 18 IoCs

resource	yara_rule
behavioral1/memory/696-190-0x00000000052C0000-0x00000000052FE000-memory.dmp	family_redline
behavioral1/memory/696-195-0x00000000052C0000-0x00000000052FE000-memory.dmp	family_redline
behavioral1/memory/696-191-0x00000000052C0000-0x00000000052FE000-memory.dmp	family_redline
behavioral1/memory/696-197-0x00000000052C0000-0x00000000052FE000-memory.dmp	family_redline
behavioral1/memory/696-199-0x00000000052C0000-0x00000000052FE000-memory.dmp	family_redline
behavioral1/memory/696-201-0x00000000052C0000-0x00000000052FE000-memory.dmp	family_redline
behavioral1/memory/696-203-0x00000000052C0000-0x00000000052FE000-memory.dmp	family_redline
behavioral1/memory/696-205-0x00000000052C0000-0x00000000052FE000-memory.dmp	family_redline
behavioral1/memory/696-207-0x00000000052C0000-0x00000000052FE000-memory.dmp	family_redline
behavioral1/memory/696-209-0x00000000052C0000-0x00000000052FE000-memory.dmp	family_redline
behavioral1/memory/696-211-0x00000000052C0000-0x00000000052FE000-memory.dmp	family_redline
behavioral1/memory/696-213-0x00000000052C0000-0x00000000052FE000-memory.dmp	family_redline
behavioral1/memory/696-215-0x00000000052C0000-0x00000000052FE000-memory.dmp	family_redline
behavioral1/memory/696-217-0x00000000052C0000-0x00000000052FE000-memory.dmp	family_redline
behavioral1/memory/696-219-0x00000000052C0000-0x00000000052FE000-memory.dmp	family_redline
behavioral1/memory/696-221-0x00000000052C0000-0x00000000052FE000-memory.dmp	family_redline
behavioral1/memory/696-223-0x00000000052C0000-0x00000000052FE000-memory.dmp	family_redline
behavioral1/memory/696-225-0x00000000052C0000-0x00000000052FE000-memory.dmp	family_redline

Executes dropped EXE 4 IoCs

pid	Process
1900	un081158.exe
3252	pro7041.exe
696	qu8767.exe
2544	si433743.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	pro7041.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	pro7041.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	d026236c3502a695d6d3275f30cc598db1e08bef2d2ce354ea06fd760d9331e6.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	un081158.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	un081158.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	d026236c3502a695d6d3275f30cc598db1e08bef2d2ce354ea06fd760d9331e6.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Program crash 2 IoCs

pid	pid_target	Process	procid_target
3048	3252	WerFault.exe	86
3364	696	WerFault.exe	95

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
3252	pro7041.exe
3252	pro7041.exe
696	qu8767.exe
696	qu8767.exe
2544	si433743.exe
2544	si433743.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	3252	pro7041.exe
Token: SeDebugPrivilege	696	qu8767.exe
Token: SeDebugPrivilege	2544	si433743.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1876 wrote to memory of 1900	1876	d026236c3502a695d6d3275f30cc598db1e08bef2d2ce354ea06fd760d9331e6.exe	85
PID 1876 wrote to memory of 1900	1876	d026236c3502a695d6d3275f30cc598db1e08bef2d2ce354ea06fd760d9331e6.exe	85
PID 1876 wrote to memory of 1900	1876	d026236c3502a695d6d3275f30cc598db1e08bef2d2ce354ea06fd760d9331e6.exe	85
PID 1900 wrote to memory of 3252	1900	un081158.exe	86
PID 1900 wrote to memory of 3252	1900	un081158.exe	86
PID 1900 wrote to memory of 3252	1900	un081158.exe	86
PID 1900 wrote to memory of 696	1900	un081158.exe	95
PID 1900 wrote to memory of 696	1900	un081158.exe	95
PID 1900 wrote to memory of 696	1900	un081158.exe	95
PID 1876 wrote to memory of 2544	1876	d026236c3502a695d6d3275f30cc598db1e08bef2d2ce354ea06fd760d9331e6.exe	99
PID 1876 wrote to memory of 2544	1876	d026236c3502a695d6d3275f30cc598db1e08bef2d2ce354ea06fd760d9331e6.exe	99
PID 1876 wrote to memory of 2544	1876	d026236c3502a695d6d3275f30cc598db1e08bef2d2ce354ea06fd760d9331e6.exe	99

C:\Users\Admin\AppData\Local\Temp\d026236c3502a695d6d3275f30cc598db1e08bef2d2ce354ea06fd760d9331e6.exe
"C:\Users\Admin\AppData\Local\Temp\d026236c3502a695d6d3275f30cc598db1e08bef2d2ce354ea06fd760d9331e6.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1876
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un081158.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un081158.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:1900
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro7041.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro7041.exe
    3⤵
    - Modifies Windows Defender Real-time Protection settings
    - Executes dropped EXE
    - Windows security modification
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3252
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3252 -s 1084
      4⤵
      Program crash
      PID:3048
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu8767.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu8767.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:696
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 696 -s 1768
      4⤵
      Program crash
      PID:3364
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si433743.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si433743.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2544

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 3252 -ip 3252
1⤵
PID:2976

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 696 -ip 696
1⤵
PID:4432

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si433743.exe

Filesize
175KB

MD5
3fb49cfe2cb049894651902bb5593727

SHA1
03934dba9e940d0bd3c75d2de4fd0ef9e086e14b

SHA256
90ed12c4b1d88180a0809e7428b896d6b11231b0792fb5e6f0aa589670ca90c4

SHA512
628ec9442e6d7b24b3b7d8c9d7fa8ad5f3b675dd020088269b2dee561d8c96b43e1fc9513504145ffb83a839804140a594e3882fa0e723bb3de594efb407f195

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si433743.exe

Filesize
175KB

MD5
3fb49cfe2cb049894651902bb5593727

SHA1
03934dba9e940d0bd3c75d2de4fd0ef9e086e14b

SHA256
90ed12c4b1d88180a0809e7428b896d6b11231b0792fb5e6f0aa589670ca90c4

SHA512
628ec9442e6d7b24b3b7d8c9d7fa8ad5f3b675dd020088269b2dee561d8c96b43e1fc9513504145ffb83a839804140a594e3882fa0e723bb3de594efb407f195

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un081158.exe

Filesize
558KB

MD5
d39c96bf431fa669585e88337cf894f0

SHA1
4700fe188ef876b7d279cc1a77cc200bb0b08f90

SHA256
f2b638e3eacdb360d0492cb58b0da28a277f00af7d0a51fb5dc2517baa0f68d4

SHA512
b354b3657a33e4c9ea648543ae6dfde1829426f5e482251a9ff377e91332578e26cdbe67c596a17731de6351f9aec2c78771ed44227782230fea829a78976a96

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un081158.exe

Filesize
558KB

MD5
d39c96bf431fa669585e88337cf894f0

SHA1
4700fe188ef876b7d279cc1a77cc200bb0b08f90

SHA256
f2b638e3eacdb360d0492cb58b0da28a277f00af7d0a51fb5dc2517baa0f68d4

SHA512
b354b3657a33e4c9ea648543ae6dfde1829426f5e482251a9ff377e91332578e26cdbe67c596a17731de6351f9aec2c78771ed44227782230fea829a78976a96

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro7041.exe

Filesize
308KB

MD5
f9220de627e8d1985b1cf05b2046042a

SHA1
fb515d5547ca8e237a2d0509df54ae68431be217

SHA256
163bd2e6d3c0a0a8e4093e62ca4b82521d2d3741e2eda35b9e74d695ebf4c863

SHA512
55f3563a8d4dbbfcc08ed20615aed3684d79b3f9cf9b90b9d79f8198480351e137fc2ed53efcd3f517329b3ac5a40f7e154e32018bb778bbf0e699f4f2dca6ed

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro7041.exe

Filesize
308KB

MD5
f9220de627e8d1985b1cf05b2046042a

SHA1
fb515d5547ca8e237a2d0509df54ae68431be217

SHA256
163bd2e6d3c0a0a8e4093e62ca4b82521d2d3741e2eda35b9e74d695ebf4c863

SHA512
55f3563a8d4dbbfcc08ed20615aed3684d79b3f9cf9b90b9d79f8198480351e137fc2ed53efcd3f517329b3ac5a40f7e154e32018bb778bbf0e699f4f2dca6ed

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu8767.exe

Filesize
366KB

MD5
a3e207efbee7bf49d0dc9be6138d14f4

SHA1
de68a69d4971b83fd219d738b9e17e0a2864e063

SHA256
4598464ce947b98ad00dd827071c1b2976cf2129a7ca54bda981bab78d21217d

SHA512
6be1a4a3c37d1f07aecacf6dcb0d71e18505e3d189442467ab9fcec8e8c25f8b1fd04d514ecf567a5508173441f2ea769498264ce1b300b4b8918f78ae397389

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu8767.exe

Filesize
366KB

MD5
a3e207efbee7bf49d0dc9be6138d14f4

SHA1
de68a69d4971b83fd219d738b9e17e0a2864e063

SHA256
4598464ce947b98ad00dd827071c1b2976cf2129a7ca54bda981bab78d21217d

SHA512
6be1a4a3c37d1f07aecacf6dcb0d71e18505e3d189442467ab9fcec8e8c25f8b1fd04d514ecf567a5508173441f2ea769498264ce1b300b4b8918f78ae397389

Download Submit
memory/696-1099-0x0000000005B00000-0x0000000005C0A000-memory.dmp

Filesize
1.0MB

Download
memory/696-1102-0x0000000002780000-0x0000000002790000-memory.dmp

Filesize
64KB

Download
memory/696-1113-0x0000000002780000-0x0000000002790000-memory.dmp

Filesize
64KB

Download
memory/696-1112-0x0000000006D60000-0x000000000728C000-memory.dmp

Filesize
5.2MB

Download
memory/696-1111-0x0000000006B80000-0x0000000006D42000-memory.dmp

Filesize
1.8MB

Download
memory/696-1110-0x0000000002780000-0x0000000002790000-memory.dmp

Filesize
64KB

Download
memory/696-1109-0x0000000002780000-0x0000000002790000-memory.dmp

Filesize
64KB

Download
memory/696-1108-0x0000000002780000-0x0000000002790000-memory.dmp

Filesize
64KB

Download
memory/696-1106-0x00000000069C0000-0x0000000006A10000-memory.dmp

Filesize
320KB

Download
memory/696-1105-0x0000000006930000-0x00000000069A6000-memory.dmp

Filesize
472KB

Download
memory/696-1104-0x0000000005FF0000-0x0000000006056000-memory.dmp

Filesize
408KB

Download
memory/696-1103-0x0000000005F50000-0x0000000005FE2000-memory.dmp

Filesize
584KB

Download
memory/696-1101-0x0000000005C60000-0x0000000005C9C000-memory.dmp

Filesize
240KB

Download
memory/696-1100-0x0000000005C40000-0x0000000005C52000-memory.dmp

Filesize
72KB

Download
memory/696-1098-0x0000000005460000-0x0000000005A78000-memory.dmp

Filesize
6.1MB

Download
memory/696-225-0x00000000052C0000-0x00000000052FE000-memory.dmp

Filesize
248KB

Download
memory/696-223-0x00000000052C0000-0x00000000052FE000-memory.dmp

Filesize
248KB

Download
memory/696-221-0x00000000052C0000-0x00000000052FE000-memory.dmp

Filesize
248KB

Download
memory/696-219-0x00000000052C0000-0x00000000052FE000-memory.dmp

Filesize
248KB

Download
memory/696-217-0x00000000052C0000-0x00000000052FE000-memory.dmp

Filesize
248KB

Download
memory/696-188-0x0000000000900000-0x000000000094B000-memory.dmp

Filesize
300KB

Download
memory/696-190-0x00000000052C0000-0x00000000052FE000-memory.dmp

Filesize
248KB

Download
memory/696-192-0x0000000002780000-0x0000000002790000-memory.dmp

Filesize
64KB

Download
memory/696-195-0x00000000052C0000-0x00000000052FE000-memory.dmp

Filesize
248KB

Download
memory/696-194-0x0000000002780000-0x0000000002790000-memory.dmp

Filesize
64KB

Download
memory/696-191-0x00000000052C0000-0x00000000052FE000-memory.dmp

Filesize
248KB

Download
memory/696-189-0x0000000002780000-0x0000000002790000-memory.dmp

Filesize
64KB

Download
memory/696-197-0x00000000052C0000-0x00000000052FE000-memory.dmp

Filesize
248KB

Download
memory/696-199-0x00000000052C0000-0x00000000052FE000-memory.dmp

Filesize
248KB

Download
memory/696-201-0x00000000052C0000-0x00000000052FE000-memory.dmp

Filesize
248KB

Download
memory/696-203-0x00000000052C0000-0x00000000052FE000-memory.dmp

Filesize
248KB

Download
memory/696-205-0x00000000052C0000-0x00000000052FE000-memory.dmp

Filesize
248KB

Download
memory/696-207-0x00000000052C0000-0x00000000052FE000-memory.dmp

Filesize
248KB

Download
memory/696-209-0x00000000052C0000-0x00000000052FE000-memory.dmp

Filesize
248KB

Download
memory/696-211-0x00000000052C0000-0x00000000052FE000-memory.dmp

Filesize
248KB

Download
memory/696-213-0x00000000052C0000-0x00000000052FE000-memory.dmp

Filesize
248KB

Download
memory/696-215-0x00000000052C0000-0x00000000052FE000-memory.dmp

Filesize
248KB

Download
memory/2544-1119-0x00000000001D0000-0x0000000000202000-memory.dmp

Filesize
200KB

Download
memory/2544-1120-0x0000000004A70000-0x0000000004A80000-memory.dmp

Filesize
64KB

Download
memory/3252-168-0x0000000002600000-0x0000000002612000-memory.dmp

Filesize
72KB

Download
memory/3252-180-0x0000000002600000-0x0000000002612000-memory.dmp

Filesize
72KB

Download
memory/3252-166-0x0000000002600000-0x0000000002612000-memory.dmp

Filesize
72KB

Download
memory/3252-178-0x0000000002600000-0x0000000002612000-memory.dmp

Filesize
72KB

Download
memory/3252-151-0x00000000050A0000-0x0000000005644000-memory.dmp

Filesize
5.6MB

Download
memory/3252-176-0x0000000002600000-0x0000000002612000-memory.dmp

Filesize
72KB

Download
memory/3252-174-0x0000000002600000-0x0000000002612000-memory.dmp

Filesize
72KB

Download
memory/3252-153-0x0000000002600000-0x0000000002612000-memory.dmp

Filesize
72KB

Download
memory/3252-164-0x0000000002600000-0x0000000002612000-memory.dmp

Filesize
72KB

Download
memory/3252-170-0x0000000002600000-0x0000000002612000-memory.dmp

Filesize
72KB

Download
memory/3252-149-0x0000000005090000-0x00000000050A0000-memory.dmp

Filesize
64KB

Download
memory/3252-181-0x0000000000400000-0x0000000000710000-memory.dmp

Filesize
3.1MB

Download
memory/3252-172-0x0000000002600000-0x0000000002612000-memory.dmp

Filesize
72KB

Download
memory/3252-162-0x0000000002600000-0x0000000002612000-memory.dmp

Filesize
72KB

Download
memory/3252-160-0x0000000002600000-0x0000000002612000-memory.dmp

Filesize
72KB

Download
memory/3252-158-0x0000000002600000-0x0000000002612000-memory.dmp

Filesize
72KB

Download
memory/3252-156-0x0000000002600000-0x0000000002612000-memory.dmp

Filesize
72KB

Download
memory/3252-154-0x0000000002600000-0x0000000002612000-memory.dmp

Filesize
72KB

Download
memory/3252-150-0x0000000005090000-0x00000000050A0000-memory.dmp

Filesize
64KB

Download
memory/3252-148-0x0000000000710000-0x000000000073D000-memory.dmp

Filesize
180KB

Download
memory/3252-183-0x0000000000400000-0x0000000000710000-memory.dmp

Filesize
3.1MB

Download
memory/3252-152-0x0000000005090000-0x00000000050A0000-memory.dmp

Filesize
64KB

Download