redline | b96a83fe60adb91d1721e515fdb7a5ab6aad4a97796b63fc07ef562b96428ac2

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
27-03-2023 16:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b96a83fe60adb91d1721e515fdb7a5ab6aad4a97796b63fc07ef562b96428ac2.exe
Size

700KB
MD5

d8022a82d5faa46514db9db85967e05f
SHA1

bc7c1e94e9a152f3f12c7165c59028bc3b9af033
SHA256

b96a83fe60adb91d1721e515fdb7a5ab6aad4a97796b63fc07ef562b96428ac2
SHA512

2f27b9a76e5705ca222faf7006a0eb0074903e3f73d28fa8f47f302a39a987353278acb2f1e846a6d5742c69659a699fa291b6c20414c3f2bf943b1f002fe70e
SSDEEP

12288:dMrBy90Kk1SnzA8X5LV7g6VxhDSfjk0NANbfNBRvINllOvrGH3bx5:kyC1uzAkZZGfjklfNUjlOvrGrz

Score

10^/10

redline sony evasion infostealer persistence trojan

Malware Config

Extracted

Family

redline

Botnet

sony

193.233.20.33:4125

Attributes

auth_value
1d93d1744381eeb4fcfd7c23ffe0f0b4

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	pro2737.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	pro2737.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	pro2737.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	pro2737.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	pro2737.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	pro2737.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 19 IoCs

resource	yara_rule
behavioral1/memory/404-190-0x00000000027E0000-0x000000000281E000-memory.dmp	family_redline
behavioral1/memory/404-193-0x00000000027E0000-0x000000000281E000-memory.dmp	family_redline
behavioral1/memory/404-191-0x00000000027E0000-0x000000000281E000-memory.dmp	family_redline
behavioral1/memory/404-195-0x00000000027E0000-0x000000000281E000-memory.dmp	family_redline
behavioral1/memory/404-197-0x00000000027E0000-0x000000000281E000-memory.dmp	family_redline
behavioral1/memory/404-199-0x00000000027E0000-0x000000000281E000-memory.dmp	family_redline
behavioral1/memory/404-201-0x00000000027E0000-0x000000000281E000-memory.dmp	family_redline
behavioral1/memory/404-205-0x00000000027E0000-0x000000000281E000-memory.dmp	family_redline
behavioral1/memory/404-207-0x00000000027E0000-0x000000000281E000-memory.dmp	family_redline
behavioral1/memory/404-203-0x00000000027E0000-0x000000000281E000-memory.dmp	family_redline
behavioral1/memory/404-209-0x00000000027E0000-0x000000000281E000-memory.dmp	family_redline
behavioral1/memory/404-211-0x00000000027E0000-0x000000000281E000-memory.dmp	family_redline
behavioral1/memory/404-213-0x00000000027E0000-0x000000000281E000-memory.dmp	family_redline
behavioral1/memory/404-215-0x00000000027E0000-0x000000000281E000-memory.dmp	family_redline
behavioral1/memory/404-217-0x00000000027E0000-0x000000000281E000-memory.dmp	family_redline
behavioral1/memory/404-219-0x00000000027E0000-0x000000000281E000-memory.dmp	family_redline
behavioral1/memory/404-221-0x00000000027E0000-0x000000000281E000-memory.dmp	family_redline
behavioral1/memory/404-223-0x00000000027E0000-0x000000000281E000-memory.dmp	family_redline
behavioral1/memory/404-1107-0x0000000004DD0000-0x0000000004DE0000-memory.dmp	family_redline

Executes dropped EXE 3 IoCs

pid	Process
1744	un473447.exe
640	pro2737.exe
404	qu2758.exe

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	pro2737.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	pro2737.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	b96a83fe60adb91d1721e515fdb7a5ab6aad4a97796b63fc07ef562b96428ac2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	b96a83fe60adb91d1721e515fdb7a5ab6aad4a97796b63fc07ef562b96428ac2.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	un473447.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	un473447.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4480	640	WerFault.exe	83

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
640	pro2737.exe
640	pro2737.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	640	pro2737.exe
Token: SeDebugPrivilege	404	qu2758.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 516 wrote to memory of 1744	516	b96a83fe60adb91d1721e515fdb7a5ab6aad4a97796b63fc07ef562b96428ac2.exe	82
PID 516 wrote to memory of 1744	516	b96a83fe60adb91d1721e515fdb7a5ab6aad4a97796b63fc07ef562b96428ac2.exe	82
PID 516 wrote to memory of 1744	516	b96a83fe60adb91d1721e515fdb7a5ab6aad4a97796b63fc07ef562b96428ac2.exe	82
PID 1744 wrote to memory of 640	1744	un473447.exe	83
PID 1744 wrote to memory of 640	1744	un473447.exe	83
PID 1744 wrote to memory of 640	1744	un473447.exe	83
PID 1744 wrote to memory of 404	1744	un473447.exe	89
PID 1744 wrote to memory of 404	1744	un473447.exe	89
PID 1744 wrote to memory of 404	1744	un473447.exe	89

C:\Users\Admin\AppData\Local\Temp\b96a83fe60adb91d1721e515fdb7a5ab6aad4a97796b63fc07ef562b96428ac2.exe
"C:\Users\Admin\AppData\Local\Temp\b96a83fe60adb91d1721e515fdb7a5ab6aad4a97796b63fc07ef562b96428ac2.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:516
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un473447.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un473447.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:1744
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro2737.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro2737.exe
    3⤵
    - Modifies Windows Defender Real-time Protection settings
    - Executes dropped EXE
    - Windows security modification
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:640
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 640 -s 1092
      4⤵
      Program crash
      PID:4480
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu2758.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu2758.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:404

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 640 -ip 640
1⤵
PID:5020

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un473447.exe

Filesize
558KB

MD5
2ff0e368dad342e53666bc2323bb103e

SHA1
fcde10d57761e518468256e4215bdfaac23a2970

SHA256
d45a5a27ed0954a761290fec579d3ad95f58398ae082984d8170c05b68e6e36a

SHA512
7aab9a588b2b1fb587adf35435921427fd9cd9e9bce47a03b53534390fc7267b396672f0e24d936ed05c35448593dffe2c4e1198b91a63a4ed1239f2d343a637

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un473447.exe

Filesize
558KB

MD5
2ff0e368dad342e53666bc2323bb103e

SHA1
fcde10d57761e518468256e4215bdfaac23a2970

SHA256
d45a5a27ed0954a761290fec579d3ad95f58398ae082984d8170c05b68e6e36a

SHA512
7aab9a588b2b1fb587adf35435921427fd9cd9e9bce47a03b53534390fc7267b396672f0e24d936ed05c35448593dffe2c4e1198b91a63a4ed1239f2d343a637

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro2737.exe

Filesize
308KB

MD5
33f7a7e3adae20b4536cdd4c3f8f26ae

SHA1
c8b9baa10cb436b093e32cc7274e6c79c1d5b600

SHA256
a4c2a834703913dd6b025312b0374e880502e07115d00ea28d800a3cdd00f649

SHA512
a3aa3695f38096356a99d6f76802effee324c839e6482a648fbb6abdadb5124edcdbfc23a28cfa0723aaa9843f12e0d03255f94ae2a99f5f3b0f2dde27a94705

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro2737.exe

Filesize
308KB

MD5
33f7a7e3adae20b4536cdd4c3f8f26ae

SHA1
c8b9baa10cb436b093e32cc7274e6c79c1d5b600

SHA256
a4c2a834703913dd6b025312b0374e880502e07115d00ea28d800a3cdd00f649

SHA512
a3aa3695f38096356a99d6f76802effee324c839e6482a648fbb6abdadb5124edcdbfc23a28cfa0723aaa9843f12e0d03255f94ae2a99f5f3b0f2dde27a94705

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu2758.exe

Filesize
366KB

MD5
78ed0bba93969abff9d43362aa675213

SHA1
b4580677a80c342da43eab14a832159c20eac958

SHA256
7f9fae3d62f4731e8b2bb4e47bd6dd64c7b25cf9d1beb2e31ddcc25d8c81c988

SHA512
a034c478c6538fea2ea016bddd45e1203f3890508153650cf29dd19d0a4a8fbcb3453c6998c38bd4b4727deae9383bbf8a67090c264b9faff98cac357797f6de

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu2758.exe

Filesize
366KB

MD5
78ed0bba93969abff9d43362aa675213

SHA1
b4580677a80c342da43eab14a832159c20eac958

SHA256
7f9fae3d62f4731e8b2bb4e47bd6dd64c7b25cf9d1beb2e31ddcc25d8c81c988

SHA512
a034c478c6538fea2ea016bddd45e1203f3890508153650cf29dd19d0a4a8fbcb3453c6998c38bd4b4727deae9383bbf8a67090c264b9faff98cac357797f6de

Download Submit
memory/404-219-0x00000000027E0000-0x000000000281E000-memory.dmp

Filesize
248KB

Download
memory/404-223-0x00000000027E0000-0x000000000281E000-memory.dmp

Filesize
248KB

Download
memory/404-1109-0x0000000004DD0000-0x0000000004DE0000-memory.dmp

Filesize
64KB

Download
memory/404-1108-0x0000000004DD0000-0x0000000004DE0000-memory.dmp

Filesize
64KB

Download
memory/404-195-0x00000000027E0000-0x000000000281E000-memory.dmp

Filesize
248KB

Download
memory/404-1106-0x0000000004DD0000-0x0000000004DE0000-memory.dmp

Filesize
64KB

Download
memory/404-1104-0x0000000004DD0000-0x0000000004DE0000-memory.dmp

Filesize
64KB

Download
memory/404-1103-0x0000000005B20000-0x0000000005B5C000-memory.dmp

Filesize
240KB

Download
memory/404-1102-0x0000000005B00000-0x0000000005B12000-memory.dmp

Filesize
72KB

Download
memory/404-1101-0x00000000059C0000-0x0000000005ACA000-memory.dmp

Filesize
1.0MB

Download
memory/404-1100-0x0000000005390000-0x00000000059A8000-memory.dmp

Filesize
6.1MB

Download
memory/404-444-0x0000000000830000-0x000000000087B000-memory.dmp

Filesize
300KB

Download
memory/404-450-0x0000000004DD0000-0x0000000004DE0000-memory.dmp

Filesize
64KB

Download
memory/404-448-0x0000000004DD0000-0x0000000004DE0000-memory.dmp

Filesize
64KB

Download
memory/404-446-0x0000000004DD0000-0x0000000004DE0000-memory.dmp

Filesize
64KB

Download
memory/404-221-0x00000000027E0000-0x000000000281E000-memory.dmp

Filesize
248KB

Download
memory/404-217-0x00000000027E0000-0x000000000281E000-memory.dmp

Filesize
248KB

Download
memory/404-197-0x00000000027E0000-0x000000000281E000-memory.dmp

Filesize
248KB

Download
memory/404-213-0x00000000027E0000-0x000000000281E000-memory.dmp

Filesize
248KB

Download
memory/404-211-0x00000000027E0000-0x000000000281E000-memory.dmp

Filesize
248KB

Download
memory/404-209-0x00000000027E0000-0x000000000281E000-memory.dmp

Filesize
248KB

Download
memory/404-203-0x00000000027E0000-0x000000000281E000-memory.dmp

Filesize
248KB

Download
memory/404-191-0x00000000027E0000-0x000000000281E000-memory.dmp

Filesize
248KB

Download
memory/404-207-0x00000000027E0000-0x000000000281E000-memory.dmp

Filesize
248KB

Download
memory/404-190-0x00000000027E0000-0x000000000281E000-memory.dmp

Filesize
248KB

Download
memory/404-193-0x00000000027E0000-0x000000000281E000-memory.dmp

Filesize
248KB

Download
memory/404-205-0x00000000027E0000-0x000000000281E000-memory.dmp

Filesize
248KB

Download
memory/404-1107-0x0000000004DD0000-0x0000000004DE0000-memory.dmp

Filesize
64KB

Download
memory/404-215-0x00000000027E0000-0x000000000281E000-memory.dmp

Filesize
248KB

Download
memory/404-199-0x00000000027E0000-0x000000000281E000-memory.dmp

Filesize
248KB

Download
memory/404-201-0x00000000027E0000-0x000000000281E000-memory.dmp

Filesize
248KB

Download
memory/640-183-0x0000000004E50000-0x0000000004E60000-memory.dmp

Filesize
64KB

Download
memory/640-154-0x0000000004C70000-0x0000000004C82000-memory.dmp

Filesize
72KB

Download
memory/640-185-0x0000000000400000-0x0000000000710000-memory.dmp

Filesize
3.1MB

Download
memory/640-172-0x0000000004C70000-0x0000000004C82000-memory.dmp

Filesize
72KB

Download
memory/640-182-0x0000000004E50000-0x0000000004E60000-memory.dmp

Filesize
64KB

Download
memory/640-181-0x0000000000400000-0x0000000000710000-memory.dmp

Filesize
3.1MB

Download
memory/640-170-0x0000000004C70000-0x0000000004C82000-memory.dmp

Filesize
72KB

Download
memory/640-178-0x0000000004C70000-0x0000000004C82000-memory.dmp

Filesize
72KB

Download
memory/640-148-0x0000000004E60000-0x0000000005404000-memory.dmp

Filesize
5.6MB

Download
memory/640-176-0x0000000004C70000-0x0000000004C82000-memory.dmp

Filesize
72KB

Download
memory/640-152-0x0000000004E50000-0x0000000004E60000-memory.dmp

Filesize
64KB

Download
memory/640-174-0x0000000004C70000-0x0000000004C82000-memory.dmp

Filesize
72KB

Download
memory/640-168-0x0000000004C70000-0x0000000004C82000-memory.dmp

Filesize
72KB

Download
memory/640-180-0x0000000004C70000-0x0000000004C82000-memory.dmp

Filesize
72KB

Download
memory/640-150-0x0000000004E50000-0x0000000004E60000-memory.dmp

Filesize
64KB

Download
memory/640-166-0x0000000004C70000-0x0000000004C82000-memory.dmp

Filesize
72KB

Download
memory/640-164-0x0000000004C70000-0x0000000004C82000-memory.dmp

Filesize
72KB

Download
memory/640-162-0x0000000004C70000-0x0000000004C82000-memory.dmp

Filesize
72KB

Download
memory/640-160-0x0000000004C70000-0x0000000004C82000-memory.dmp

Filesize
72KB

Download
memory/640-158-0x0000000004C70000-0x0000000004C82000-memory.dmp

Filesize
72KB

Download
memory/640-156-0x0000000004C70000-0x0000000004C82000-memory.dmp

Filesize
72KB

Download
memory/640-149-0x00000000007E0000-0x000000000080D000-memory.dmp

Filesize
180KB

Download
memory/640-153-0x0000000004C70000-0x0000000004C82000-memory.dmp

Filesize
72KB

Download
memory/640-151-0x0000000004E50000-0x0000000004E60000-memory.dmp

Filesize
64KB

Download