redline | 555bf10092df0368b987fad59b226104ad225a5bd5ae95d60ee7bb92662c2a17

Analysis

max time kernel
148s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
27-03-2023 16:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

555bf10092df0368b987fad59b226104ad225a5bd5ae95d60ee7bb92662c2a17.exe
Size

700KB
MD5

96517a53b37d9729480eee29fd3c249c
SHA1

41841b3041ecdb69cc670c95ce23c2fb74cc6d3f
SHA256

555bf10092df0368b987fad59b226104ad225a5bd5ae95d60ee7bb92662c2a17
SHA512

43fc99ffdb5991ead7ad3fabaff09a799b6a34029dfc814720c37bf1f346ab230384f967995b21fb871128251470b39a1a23f7dfc6e311869fdfc5a8a9f9ea62
SSDEEP

12288:LMrly90tx27GbrwPP64WtA8q6qlqufFdJvsxcIuBRvn0QYKFFvC:+y77swK4uJ5OnJUDuTF8

Score

10^/10

redline sony evasion infostealer persistence trojan

Malware Config

Extracted

Family

redline

Botnet

sony

193.233.20.33:4125

Attributes

auth_value
1d93d1744381eeb4fcfd7c23ffe0f0b4

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	pro3431.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	pro3431.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	pro3431.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	pro3431.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	pro3431.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	pro3431.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 19 IoCs

resource	yara_rule
behavioral1/memory/1788-190-0x0000000004CC0000-0x0000000004CFE000-memory.dmp	family_redline
behavioral1/memory/1788-191-0x0000000004CC0000-0x0000000004CFE000-memory.dmp	family_redline
behavioral1/memory/1788-193-0x0000000004CC0000-0x0000000004CFE000-memory.dmp	family_redline
behavioral1/memory/1788-195-0x0000000004CC0000-0x0000000004CFE000-memory.dmp	family_redline
behavioral1/memory/1788-197-0x0000000004CC0000-0x0000000004CFE000-memory.dmp	family_redline
behavioral1/memory/1788-199-0x0000000004CC0000-0x0000000004CFE000-memory.dmp	family_redline
behavioral1/memory/1788-201-0x0000000004CC0000-0x0000000004CFE000-memory.dmp	family_redline
behavioral1/memory/1788-203-0x0000000004CC0000-0x0000000004CFE000-memory.dmp	family_redline
behavioral1/memory/1788-205-0x0000000004CC0000-0x0000000004CFE000-memory.dmp	family_redline
behavioral1/memory/1788-207-0x0000000004CC0000-0x0000000004CFE000-memory.dmp	family_redline
behavioral1/memory/1788-209-0x0000000004CC0000-0x0000000004CFE000-memory.dmp	family_redline
behavioral1/memory/1788-211-0x0000000004CC0000-0x0000000004CFE000-memory.dmp	family_redline
behavioral1/memory/1788-213-0x0000000004CC0000-0x0000000004CFE000-memory.dmp	family_redline
behavioral1/memory/1788-215-0x0000000004CC0000-0x0000000004CFE000-memory.dmp	family_redline
behavioral1/memory/1788-217-0x0000000004CC0000-0x0000000004CFE000-memory.dmp	family_redline
behavioral1/memory/1788-219-0x0000000004CC0000-0x0000000004CFE000-memory.dmp	family_redline
behavioral1/memory/1788-221-0x0000000004CC0000-0x0000000004CFE000-memory.dmp	family_redline
behavioral1/memory/1788-223-0x0000000004CC0000-0x0000000004CFE000-memory.dmp	family_redline
behavioral1/memory/1788-332-0x0000000004D00000-0x0000000004D10000-memory.dmp	family_redline

Executes dropped EXE 3 IoCs

pid	Process
1540	un412676.exe
3956	pro3431.exe
1788	qu3497.exe

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	pro3431.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	pro3431.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	un412676.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	555bf10092df0368b987fad59b226104ad225a5bd5ae95d60ee7bb92662c2a17.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	555bf10092df0368b987fad59b226104ad225a5bd5ae95d60ee7bb92662c2a17.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	un412676.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1012	3956	WerFault.exe	86

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
3956	pro3431.exe
3956	pro3431.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	3956	pro3431.exe
Token: SeDebugPrivilege	1788	qu3497.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 2828 wrote to memory of 1540	2828	555bf10092df0368b987fad59b226104ad225a5bd5ae95d60ee7bb92662c2a17.exe	85
PID 2828 wrote to memory of 1540	2828	555bf10092df0368b987fad59b226104ad225a5bd5ae95d60ee7bb92662c2a17.exe	85
PID 2828 wrote to memory of 1540	2828	555bf10092df0368b987fad59b226104ad225a5bd5ae95d60ee7bb92662c2a17.exe	85
PID 1540 wrote to memory of 3956	1540	un412676.exe	86
PID 1540 wrote to memory of 3956	1540	un412676.exe	86
PID 1540 wrote to memory of 3956	1540	un412676.exe	86
PID 1540 wrote to memory of 1788	1540	un412676.exe	92
PID 1540 wrote to memory of 1788	1540	un412676.exe	92
PID 1540 wrote to memory of 1788	1540	un412676.exe	92

C:\Users\Admin\AppData\Local\Temp\555bf10092df0368b987fad59b226104ad225a5bd5ae95d60ee7bb92662c2a17.exe
"C:\Users\Admin\AppData\Local\Temp\555bf10092df0368b987fad59b226104ad225a5bd5ae95d60ee7bb92662c2a17.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2828
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un412676.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un412676.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:1540
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro3431.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro3431.exe
    3⤵
    - Modifies Windows Defender Real-time Protection settings
    - Executes dropped EXE
    - Windows security modification
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3956
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3956 -s 1084
      4⤵
      Program crash
      PID:1012
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu3497.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu3497.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:1788

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 3956 -ip 3956
1⤵
PID:4264

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un412676.exe

Filesize
558KB

MD5
cd91b0d087b8b92adbc38d738b5e6043

SHA1
6b3ffa543c9766a609ed229f3127db5fb558b83d

SHA256
8ed2dd51a5eb0224a77ad33dcb05d595c6870e11b8cbecd07ab5e7a1e83d392e

SHA512
17ea7ebcc929e3aa2287b77245bdfa1caf506e7451a216a24b088236074f78090d0bbb509c9d8323ea010767d44c47afe63c96de4dd72cc014f3dde179382ec9

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un412676.exe

Filesize
558KB

MD5
cd91b0d087b8b92adbc38d738b5e6043

SHA1
6b3ffa543c9766a609ed229f3127db5fb558b83d

SHA256
8ed2dd51a5eb0224a77ad33dcb05d595c6870e11b8cbecd07ab5e7a1e83d392e

SHA512
17ea7ebcc929e3aa2287b77245bdfa1caf506e7451a216a24b088236074f78090d0bbb509c9d8323ea010767d44c47afe63c96de4dd72cc014f3dde179382ec9

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro3431.exe

Filesize
308KB

MD5
36a962ebf7c2e2ee0db5da6a6933fc24

SHA1
6d2f46a83e1c81edc3bc3717feb9a612e12bef9d

SHA256
b8605b18b388f66cc0930ca4669685d370369b896e1a4e0c387b460e6351360b

SHA512
4cc2aa72ad03bb301971ea9637227fd0d86fb2f8665b4210212ea91755c1db1aac7e1f0ad6a353b7dc522506e190524eff17dc691bfef99fd75325ff3b0a2cd1

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro3431.exe

Filesize
308KB

MD5
36a962ebf7c2e2ee0db5da6a6933fc24

SHA1
6d2f46a83e1c81edc3bc3717feb9a612e12bef9d

SHA256
b8605b18b388f66cc0930ca4669685d370369b896e1a4e0c387b460e6351360b

SHA512
4cc2aa72ad03bb301971ea9637227fd0d86fb2f8665b4210212ea91755c1db1aac7e1f0ad6a353b7dc522506e190524eff17dc691bfef99fd75325ff3b0a2cd1

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu3497.exe

Filesize
366KB

MD5
791c8d2babea4f083ec61b1ec4403147

SHA1
3c7e595658d3fef056df3528968865ac89d05674

SHA256
124bb86bf2340ce35dd3246aa949d743b4117c1c3370eee221aa431ef3985fb1

SHA512
b202d1908a440f79f0415720c60670b185b9b8b5b39bceedce6d583d3b12cc31a7148ebb6af09892cb01656d9f6826023fc1a0324a31369dced7baac1d2cfea0

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu3497.exe

Filesize
366KB

MD5
791c8d2babea4f083ec61b1ec4403147

SHA1
3c7e595658d3fef056df3528968865ac89d05674

SHA256
124bb86bf2340ce35dd3246aa949d743b4117c1c3370eee221aa431ef3985fb1

SHA512
b202d1908a440f79f0415720c60670b185b9b8b5b39bceedce6d583d3b12cc31a7148ebb6af09892cb01656d9f6826023fc1a0324a31369dced7baac1d2cfea0

Download Submit
memory/1788-213-0x0000000004CC0000-0x0000000004CFE000-memory.dmp

Filesize
248KB

Download
memory/1788-221-0x0000000004CC0000-0x0000000004CFE000-memory.dmp

Filesize
248KB

Download
memory/1788-1107-0x0000000004D00000-0x0000000004D10000-memory.dmp

Filesize
64KB

Download
memory/1788-1106-0x0000000004D00000-0x0000000004D10000-memory.dmp

Filesize
64KB

Download
memory/1788-195-0x0000000004CC0000-0x0000000004CFE000-memory.dmp

Filesize
248KB

Download
memory/1788-1103-0x0000000005C60000-0x0000000005C9C000-memory.dmp

Filesize
240KB

Download
memory/1788-1102-0x0000000004D00000-0x0000000004D10000-memory.dmp

Filesize
64KB

Download
memory/1788-197-0x0000000004CC0000-0x0000000004CFE000-memory.dmp

Filesize
248KB

Download
memory/1788-1100-0x0000000005B00000-0x0000000005C0A000-memory.dmp

Filesize
1.0MB

Download
memory/1788-1099-0x0000000005460000-0x0000000005A78000-memory.dmp

Filesize
6.1MB

Download
memory/1788-334-0x0000000004D00000-0x0000000004D10000-memory.dmp

Filesize
64KB

Download
memory/1788-332-0x0000000004D00000-0x0000000004D10000-memory.dmp

Filesize
64KB

Download
memory/1788-330-0x00000000020A0000-0x00000000020EB000-memory.dmp

Filesize
300KB

Download
memory/1788-223-0x0000000004CC0000-0x0000000004CFE000-memory.dmp

Filesize
248KB

Download
memory/1788-219-0x0000000004CC0000-0x0000000004CFE000-memory.dmp

Filesize
248KB

Download
memory/1788-217-0x0000000004CC0000-0x0000000004CFE000-memory.dmp

Filesize
248KB

Download
memory/1788-215-0x0000000004CC0000-0x0000000004CFE000-memory.dmp

Filesize
248KB

Download
memory/1788-211-0x0000000004CC0000-0x0000000004CFE000-memory.dmp

Filesize
248KB

Download
memory/1788-209-0x0000000004CC0000-0x0000000004CFE000-memory.dmp

Filesize
248KB

Download
memory/1788-207-0x0000000004CC0000-0x0000000004CFE000-memory.dmp

Filesize
248KB

Download
memory/1788-205-0x0000000004CC0000-0x0000000004CFE000-memory.dmp

Filesize
248KB

Download
memory/1788-203-0x0000000004CC0000-0x0000000004CFE000-memory.dmp

Filesize
248KB

Download
memory/1788-201-0x0000000004CC0000-0x0000000004CFE000-memory.dmp

Filesize
248KB

Download
memory/1788-199-0x0000000004CC0000-0x0000000004CFE000-memory.dmp

Filesize
248KB

Download
memory/1788-193-0x0000000004CC0000-0x0000000004CFE000-memory.dmp

Filesize
248KB

Download
memory/1788-191-0x0000000004CC0000-0x0000000004CFE000-memory.dmp

Filesize
248KB

Download
memory/1788-190-0x0000000004CC0000-0x0000000004CFE000-memory.dmp

Filesize
248KB

Download
memory/1788-1105-0x0000000004D00000-0x0000000004D10000-memory.dmp

Filesize
64KB

Download
memory/1788-1101-0x0000000005C40000-0x0000000005C52000-memory.dmp

Filesize
72KB

Download
memory/3956-181-0x00000000029F0000-0x0000000002A00000-memory.dmp

Filesize
64KB

Download
memory/3956-155-0x0000000002810000-0x0000000002822000-memory.dmp

Filesize
72KB

Download
memory/3956-185-0x0000000000400000-0x0000000000710000-memory.dmp

Filesize
3.1MB

Download
memory/3956-173-0x0000000002810000-0x0000000002822000-memory.dmp

Filesize
72KB

Download
memory/3956-183-0x00000000029F0000-0x0000000002A00000-memory.dmp

Filesize
64KB

Download
memory/3956-182-0x00000000029F0000-0x0000000002A00000-memory.dmp

Filesize
64KB

Download
memory/3956-171-0x0000000002810000-0x0000000002822000-memory.dmp

Filesize
72KB

Download
memory/3956-148-0x0000000000710000-0x000000000073D000-memory.dmp

Filesize
180KB

Download
memory/3956-179-0x0000000002810000-0x0000000002822000-memory.dmp

Filesize
72KB

Download
memory/3956-177-0x0000000002810000-0x0000000002822000-memory.dmp

Filesize
72KB

Download
memory/3956-152-0x0000000002810000-0x0000000002822000-memory.dmp

Filesize
72KB

Download
memory/3956-151-0x0000000004D70000-0x0000000005314000-memory.dmp

Filesize
5.6MB

Download
memory/3956-169-0x0000000002810000-0x0000000002822000-memory.dmp

Filesize
72KB

Download
memory/3956-180-0x0000000000400000-0x0000000000710000-memory.dmp

Filesize
3.1MB

Download
memory/3956-149-0x00000000029F0000-0x0000000002A00000-memory.dmp

Filesize
64KB

Download
memory/3956-167-0x0000000002810000-0x0000000002822000-memory.dmp

Filesize
72KB

Download
memory/3956-165-0x0000000002810000-0x0000000002822000-memory.dmp

Filesize
72KB

Download
memory/3956-163-0x0000000002810000-0x0000000002822000-memory.dmp

Filesize
72KB

Download
memory/3956-161-0x0000000002810000-0x0000000002822000-memory.dmp

Filesize
72KB

Download
memory/3956-159-0x0000000002810000-0x0000000002822000-memory.dmp

Filesize
72KB

Download
memory/3956-157-0x0000000002810000-0x0000000002822000-memory.dmp

Filesize
72KB

Download
memory/3956-150-0x00000000029F0000-0x0000000002A00000-memory.dmp

Filesize
64KB

Download
memory/3956-153-0x0000000002810000-0x0000000002822000-memory.dmp

Filesize
72KB

Download
memory/3956-175-0x0000000002810000-0x0000000002822000-memory.dmp

Filesize
72KB

Download