redline | 761840df61b6f21ef5b6bd52502be69f49572713baf4a5a1abe79e2c40cad42b

Analysis

max time kernel
56s
max time network
58s
platform
windows10-1703_x64
resource
win10-20230220-en
resource tags

arch:x64arch:x86image:win10-20230220-enlocale:en-usos:windows10-1703-x64system
submitted
27-03-2023 15:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

761840df61b6f21ef5b6bd52502be69f49572713baf4a5a1abe79e2c40cad42b.exe
Size

699KB
MD5

8be8d6b4583fb12a535068972991d37a
SHA1

c2e87bc0be81eaa75e7d536d5bffae5cd73f09ec
SHA256

761840df61b6f21ef5b6bd52502be69f49572713baf4a5a1abe79e2c40cad42b
SHA512

8cf020bb99d54ad11226e59c3985017342be17511ff08554a64c843ee59444b30dafde4b885f3398bdb7f6f77ac4694562ad1886e568f53a97e44d3ed17837ec
SSDEEP

12288:mMrny90zIO194yhRSNANqCN9OuSCuxGcosBCBRvnam10z/1Cn4+Zx:hyU94yheozN9afosBCP0DX+Zx

Score

10^/10

redline nice sony discovery evasion infostealer persistence spyware stealer trojan

Malware Config

Extracted

Family

redline

Botnet

sony

193.233.20.33:4125

Attributes

auth_value
1d93d1744381eeb4fcfd7c23ffe0f0b4

Extracted

Family

redline

Botnet

nice

193.233.20.33:4125

Attributes

auth_value
a7371b75699e8bc7c51fb960e8ac9e81

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs 5 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	pro0884.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	pro0884.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	pro0884.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	pro0884.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	pro0884.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 21 IoCs

resource	yara_rule
behavioral1/memory/4424-179-0x00000000023F0000-0x0000000002436000-memory.dmp	family_redline
behavioral1/memory/4424-180-0x00000000026D0000-0x0000000002714000-memory.dmp	family_redline
behavioral1/memory/4424-181-0x00000000026D0000-0x000000000270E000-memory.dmp	family_redline
behavioral1/memory/4424-182-0x00000000026D0000-0x000000000270E000-memory.dmp	family_redline
behavioral1/memory/4424-184-0x00000000026D0000-0x000000000270E000-memory.dmp	family_redline
behavioral1/memory/4424-186-0x00000000026D0000-0x000000000270E000-memory.dmp	family_redline
behavioral1/memory/4424-188-0x00000000026D0000-0x000000000270E000-memory.dmp	family_redline
behavioral1/memory/4424-190-0x00000000026D0000-0x000000000270E000-memory.dmp	family_redline
behavioral1/memory/4424-192-0x00000000026D0000-0x000000000270E000-memory.dmp	family_redline
behavioral1/memory/4424-194-0x00000000026D0000-0x000000000270E000-memory.dmp	family_redline
behavioral1/memory/4424-196-0x00000000026D0000-0x000000000270E000-memory.dmp	family_redline
behavioral1/memory/4424-198-0x00000000026D0000-0x000000000270E000-memory.dmp	family_redline
behavioral1/memory/4424-200-0x00000000026D0000-0x000000000270E000-memory.dmp	family_redline
behavioral1/memory/4424-202-0x00000000026D0000-0x000000000270E000-memory.dmp	family_redline
behavioral1/memory/4424-204-0x00000000026D0000-0x000000000270E000-memory.dmp	family_redline
behavioral1/memory/4424-206-0x00000000026D0000-0x000000000270E000-memory.dmp	family_redline
behavioral1/memory/4424-208-0x00000000026D0000-0x000000000270E000-memory.dmp	family_redline
behavioral1/memory/4424-210-0x00000000026D0000-0x000000000270E000-memory.dmp	family_redline
behavioral1/memory/4424-212-0x00000000026D0000-0x000000000270E000-memory.dmp	family_redline
behavioral1/memory/4424-214-0x00000000026D0000-0x000000000270E000-memory.dmp	family_redline
behavioral1/memory/4424-303-0x0000000002230000-0x0000000002240000-memory.dmp	family_redline

Executes dropped EXE 4 IoCs

pid	Process
4128	un316757.exe
4136	pro0884.exe
4424	qu9581.exe
4580	si155129.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	pro0884.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	pro0884.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	761840df61b6f21ef5b6bd52502be69f49572713baf4a5a1abe79e2c40cad42b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	761840df61b6f21ef5b6bd52502be69f49572713baf4a5a1abe79e2c40cad42b.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	un316757.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	un316757.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
4136	pro0884.exe
4136	pro0884.exe
4424	qu9581.exe
4424	qu9581.exe
4580	si155129.exe
4580	si155129.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	4136	pro0884.exe
Token: SeDebugPrivilege	4424	qu9581.exe
Token: SeDebugPrivilege	4580	si155129.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 4208 wrote to memory of 4128	4208	761840df61b6f21ef5b6bd52502be69f49572713baf4a5a1abe79e2c40cad42b.exe	66
PID 4208 wrote to memory of 4128	4208	761840df61b6f21ef5b6bd52502be69f49572713baf4a5a1abe79e2c40cad42b.exe	66
PID 4208 wrote to memory of 4128	4208	761840df61b6f21ef5b6bd52502be69f49572713baf4a5a1abe79e2c40cad42b.exe	66
PID 4128 wrote to memory of 4136	4128	un316757.exe	67
PID 4128 wrote to memory of 4136	4128	un316757.exe	67
PID 4128 wrote to memory of 4136	4128	un316757.exe	67
PID 4128 wrote to memory of 4424	4128	un316757.exe	68
PID 4128 wrote to memory of 4424	4128	un316757.exe	68
PID 4128 wrote to memory of 4424	4128	un316757.exe	68
PID 4208 wrote to memory of 4580	4208	761840df61b6f21ef5b6bd52502be69f49572713baf4a5a1abe79e2c40cad42b.exe	70
PID 4208 wrote to memory of 4580	4208	761840df61b6f21ef5b6bd52502be69f49572713baf4a5a1abe79e2c40cad42b.exe	70
PID 4208 wrote to memory of 4580	4208	761840df61b6f21ef5b6bd52502be69f49572713baf4a5a1abe79e2c40cad42b.exe	70

C:\Users\Admin\AppData\Local\Temp\761840df61b6f21ef5b6bd52502be69f49572713baf4a5a1abe79e2c40cad42b.exe
"C:\Users\Admin\AppData\Local\Temp\761840df61b6f21ef5b6bd52502be69f49572713baf4a5a1abe79e2c40cad42b.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4208
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un316757.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un316757.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:4128
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro0884.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro0884.exe
    3⤵
    - Modifies Windows Defender Real-time Protection settings
    - Executes dropped EXE
    - Windows security modification
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4136
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu9581.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu9581.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4424
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si155129.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si155129.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4580

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si155129.exe

Filesize
175KB

MD5
5b948e9bf9ca550302529c648e5b8089

SHA1
c1d8344c85f6465659c21fecb8c05dced1f7b778

SHA256
df3b995fec9203f4d27e4db2d9218268e84c4d59868403b888144b843b599eff

SHA512
295dfd0d602740203900978ec2eeef212f14e72451d08f7bd93f8374d5927ab1dc32eeb2014d8921c54713ac96c28e7ae526e5a7f7463b92f65c5b844217ae91

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si155129.exe

Filesize
175KB

MD5
5b948e9bf9ca550302529c648e5b8089

SHA1
c1d8344c85f6465659c21fecb8c05dced1f7b778

SHA256
df3b995fec9203f4d27e4db2d9218268e84c4d59868403b888144b843b599eff

SHA512
295dfd0d602740203900978ec2eeef212f14e72451d08f7bd93f8374d5927ab1dc32eeb2014d8921c54713ac96c28e7ae526e5a7f7463b92f65c5b844217ae91

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un316757.exe

Filesize
557KB

MD5
06c86ae3757e591f449f41e180d82923

SHA1
c9b4bcc0a3ed3d809e97c1e6978101f8b7a10371

SHA256
d34a3cc9a5daeda4eccdb81f5887d8569117d4599ed7bc7623a88a7eda703a67

SHA512
47991f8b30f72f64840f07c4369c867fe350434578302694878765bdc8921e8045dc26f7ab4eec901b151935566db72e1f8f422605088b060bcf373846288300

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un316757.exe

Filesize
557KB

MD5
06c86ae3757e591f449f41e180d82923

SHA1
c9b4bcc0a3ed3d809e97c1e6978101f8b7a10371

SHA256
d34a3cc9a5daeda4eccdb81f5887d8569117d4599ed7bc7623a88a7eda703a67

SHA512
47991f8b30f72f64840f07c4369c867fe350434578302694878765bdc8921e8045dc26f7ab4eec901b151935566db72e1f8f422605088b060bcf373846288300

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro0884.exe

Filesize
308KB

MD5
fe1445828faf529b589d7771e6c45d3a

SHA1
5470320fde6f56c269bf53f24faf9a72af67272b

SHA256
69e3de75dc8fb1933b8bf2bc87b11537b67020ed1026d6bff4a47cce5db852d2

SHA512
79902c2ed6ac2585f92e53c515ad66fad76a86780e18192db27e4ce96ccc90bbfdf591873c79e1e4b262e8be034a5807bf5c5bb79cf15ec43f0de39af23c0b58

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro0884.exe

Filesize
308KB

MD5
fe1445828faf529b589d7771e6c45d3a

SHA1
5470320fde6f56c269bf53f24faf9a72af67272b

SHA256
69e3de75dc8fb1933b8bf2bc87b11537b67020ed1026d6bff4a47cce5db852d2

SHA512
79902c2ed6ac2585f92e53c515ad66fad76a86780e18192db27e4ce96ccc90bbfdf591873c79e1e4b262e8be034a5807bf5c5bb79cf15ec43f0de39af23c0b58

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu9581.exe

Filesize
366KB

MD5
4f141fe28365e997439ce8dc968a3e06

SHA1
fc9d2c47a0d949ca0e580202ee09a9cca717294f

SHA256
cb3a127b1b10571323956a668a3f5b48ac752766bd3a190bc0bd9549cb25171b

SHA512
f78f21b1b5aea06498f17facf0e5142fbad39230dccb4e0240d98b57038576851c815780357ccb701a670307b69e2c53d88dbf7e5841ae15fb7e4c7bd7e8d669

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu9581.exe

Filesize
366KB

MD5
4f141fe28365e997439ce8dc968a3e06

SHA1
fc9d2c47a0d949ca0e580202ee09a9cca717294f

SHA256
cb3a127b1b10571323956a668a3f5b48ac752766bd3a190bc0bd9549cb25171b

SHA512
f78f21b1b5aea06498f17facf0e5142fbad39230dccb4e0240d98b57038576851c815780357ccb701a670307b69e2c53d88dbf7e5841ae15fb7e4c7bd7e8d669

Download Submit
memory/4136-136-0x00000000001D0000-0x00000000001FD000-memory.dmp

Filesize
180KB

Download
memory/4136-137-0x0000000000BD0000-0x0000000000BEA000-memory.dmp

Filesize
104KB

Download
memory/4136-138-0x0000000002950000-0x0000000002960000-memory.dmp

Filesize
64KB

Download
memory/4136-139-0x0000000002950000-0x0000000002960000-memory.dmp

Filesize
64KB

Download
memory/4136-140-0x0000000002950000-0x0000000002960000-memory.dmp

Filesize
64KB

Download
memory/4136-141-0x0000000004CB0000-0x00000000051AE000-memory.dmp

Filesize
5.0MB

Download
memory/4136-142-0x00000000027A0000-0x00000000027B8000-memory.dmp

Filesize
96KB

Download
memory/4136-143-0x00000000027A0000-0x00000000027B2000-memory.dmp

Filesize
72KB

Download
memory/4136-144-0x00000000027A0000-0x00000000027B2000-memory.dmp

Filesize
72KB

Download
memory/4136-146-0x00000000027A0000-0x00000000027B2000-memory.dmp

Filesize
72KB

Download
memory/4136-148-0x00000000027A0000-0x00000000027B2000-memory.dmp

Filesize
72KB

Download
memory/4136-150-0x00000000027A0000-0x00000000027B2000-memory.dmp

Filesize
72KB

Download
memory/4136-152-0x00000000027A0000-0x00000000027B2000-memory.dmp

Filesize
72KB

Download
memory/4136-154-0x00000000027A0000-0x00000000027B2000-memory.dmp

Filesize
72KB

Download
memory/4136-156-0x00000000027A0000-0x00000000027B2000-memory.dmp

Filesize
72KB

Download
memory/4136-158-0x00000000027A0000-0x00000000027B2000-memory.dmp

Filesize
72KB

Download
memory/4136-160-0x00000000027A0000-0x00000000027B2000-memory.dmp

Filesize
72KB

Download
memory/4136-162-0x00000000027A0000-0x00000000027B2000-memory.dmp

Filesize
72KB

Download
memory/4136-164-0x00000000027A0000-0x00000000027B2000-memory.dmp

Filesize
72KB

Download
memory/4136-166-0x00000000027A0000-0x00000000027B2000-memory.dmp

Filesize
72KB

Download
memory/4136-168-0x00000000027A0000-0x00000000027B2000-memory.dmp

Filesize
72KB

Download
memory/4136-170-0x00000000027A0000-0x00000000027B2000-memory.dmp

Filesize
72KB

Download
memory/4136-171-0x0000000000400000-0x0000000000710000-memory.dmp

Filesize
3.1MB

Download
memory/4136-172-0x0000000002950000-0x0000000002960000-memory.dmp

Filesize
64KB

Download
memory/4136-174-0x0000000000400000-0x0000000000710000-memory.dmp

Filesize
3.1MB

Download
memory/4424-179-0x00000000023F0000-0x0000000002436000-memory.dmp

Filesize
280KB

Download
memory/4424-180-0x00000000026D0000-0x0000000002714000-memory.dmp

Filesize
272KB

Download
memory/4424-181-0x00000000026D0000-0x000000000270E000-memory.dmp

Filesize
248KB

Download
memory/4424-182-0x00000000026D0000-0x000000000270E000-memory.dmp

Filesize
248KB

Download
memory/4424-184-0x00000000026D0000-0x000000000270E000-memory.dmp

Filesize
248KB

Download
memory/4424-186-0x00000000026D0000-0x000000000270E000-memory.dmp

Filesize
248KB

Download
memory/4424-188-0x00000000026D0000-0x000000000270E000-memory.dmp

Filesize
248KB

Download
memory/4424-190-0x00000000026D0000-0x000000000270E000-memory.dmp

Filesize
248KB

Download
memory/4424-192-0x00000000026D0000-0x000000000270E000-memory.dmp

Filesize
248KB

Download
memory/4424-194-0x00000000026D0000-0x000000000270E000-memory.dmp

Filesize
248KB

Download
memory/4424-196-0x00000000026D0000-0x000000000270E000-memory.dmp

Filesize
248KB

Download
memory/4424-198-0x00000000026D0000-0x000000000270E000-memory.dmp

Filesize
248KB

Download
memory/4424-200-0x00000000026D0000-0x000000000270E000-memory.dmp

Filesize
248KB

Download
memory/4424-202-0x00000000026D0000-0x000000000270E000-memory.dmp

Filesize
248KB

Download
memory/4424-204-0x00000000026D0000-0x000000000270E000-memory.dmp

Filesize
248KB

Download
memory/4424-206-0x00000000026D0000-0x000000000270E000-memory.dmp

Filesize
248KB

Download
memory/4424-208-0x00000000026D0000-0x000000000270E000-memory.dmp

Filesize
248KB

Download
memory/4424-210-0x00000000026D0000-0x000000000270E000-memory.dmp

Filesize
248KB

Download
memory/4424-212-0x00000000026D0000-0x000000000270E000-memory.dmp

Filesize
248KB

Download
memory/4424-214-0x00000000026D0000-0x000000000270E000-memory.dmp

Filesize
248KB

Download
memory/4424-299-0x0000000002230000-0x0000000002240000-memory.dmp

Filesize
64KB

Download
memory/4424-298-0x0000000000720000-0x000000000076B000-memory.dmp

Filesize
300KB

Download
memory/4424-301-0x0000000002230000-0x0000000002240000-memory.dmp

Filesize
64KB

Download
memory/4424-303-0x0000000002230000-0x0000000002240000-memory.dmp

Filesize
64KB

Download
memory/4424-1091-0x0000000005840000-0x0000000005E46000-memory.dmp

Filesize
6.0MB

Download
memory/4424-1092-0x00000000052B0000-0x00000000053BA000-memory.dmp

Filesize
1.0MB

Download
memory/4424-1093-0x00000000053F0000-0x0000000005402000-memory.dmp

Filesize
72KB

Download
memory/4424-1094-0x0000000002230000-0x0000000002240000-memory.dmp

Filesize
64KB

Download
memory/4424-1095-0x0000000005410000-0x000000000544E000-memory.dmp

Filesize
248KB

Download
memory/4424-1096-0x0000000005560000-0x00000000055AB000-memory.dmp

Filesize
300KB

Download
memory/4424-1098-0x00000000056F0000-0x0000000005782000-memory.dmp

Filesize
584KB

Download
memory/4424-1099-0x0000000005790000-0x00000000057F6000-memory.dmp

Filesize
408KB

Download
memory/4424-1100-0x0000000002230000-0x0000000002240000-memory.dmp

Filesize
64KB

Download
memory/4424-1101-0x0000000002230000-0x0000000002240000-memory.dmp

Filesize
64KB

Download
memory/4424-1102-0x0000000002230000-0x0000000002240000-memory.dmp

Filesize
64KB

Download
memory/4424-1103-0x0000000006580000-0x00000000065F6000-memory.dmp

Filesize
472KB

Download
memory/4424-1104-0x0000000006610000-0x0000000006660000-memory.dmp

Filesize
320KB

Download
memory/4424-1105-0x0000000002230000-0x0000000002240000-memory.dmp

Filesize
64KB

Download
memory/4424-1106-0x0000000006870000-0x0000000006A32000-memory.dmp

Filesize
1.8MB

Download
memory/4424-1107-0x0000000006A40000-0x0000000006F6C000-memory.dmp

Filesize
5.2MB

Download
memory/4580-1113-0x00000000000B0000-0x00000000000E2000-memory.dmp

Filesize
200KB

Download
memory/4580-1114-0x0000000004C70000-0x0000000004C80000-memory.dmp

Filesize
64KB

Download
memory/4580-1115-0x00000000049B0000-0x00000000049FB000-memory.dmp

Filesize
300KB

Download