redline | 7b401e0b65ae467342b6f6056b028c1e0d74913319bc9e4b89c054136e309afe

Analysis

max time kernel
148s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
27-03-2023 16:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7b401e0b65ae467342b6f6056b028c1e0d74913319bc9e4b89c054136e309afe.exe
Size

700KB
MD5

4556d41e49cc3d6872d2b98e83966aec
SHA1

2d4daa02654f8acb9b42f465ea07b304d9c7d96c
SHA256

7b401e0b65ae467342b6f6056b028c1e0d74913319bc9e4b89c054136e309afe
SHA512

d3192d00f4e54afb48cf9e9a512f7f60aa755bc4d8462dbef69ece72b741c66bdff04f471a175aa616e6441e7384124d401b72f6720d9bb63e65b0e70c9d1dbb
SSDEEP

12288:xMr0y90mqPqTkTx87o+cE+yC538GGc8LZuVWu+McU+d4uKwBRv3G+u+aHN8kBAp6:dy7O+cfhxG7ZM5S4uKwfayKW6

Score

10^/10

redline sony evasion infostealer persistence trojan

Malware Config

Extracted

Family

redline

Botnet

sony

193.233.20.33:4125

Attributes

auth_value
1d93d1744381eeb4fcfd7c23ffe0f0b4

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	pro9165.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	pro9165.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	pro9165.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	pro9165.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	pro9165.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	pro9165.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 20 IoCs

resource	yara_rule
behavioral1/memory/2172-192-0x0000000004CE0000-0x0000000004D1E000-memory.dmp	family_redline
behavioral1/memory/2172-191-0x0000000004CE0000-0x0000000004D1E000-memory.dmp	family_redline
behavioral1/memory/2172-194-0x0000000004CE0000-0x0000000004D1E000-memory.dmp	family_redline
behavioral1/memory/2172-196-0x0000000004CE0000-0x0000000004D1E000-memory.dmp	family_redline
behavioral1/memory/2172-198-0x0000000004CE0000-0x0000000004D1E000-memory.dmp	family_redline
behavioral1/memory/2172-200-0x0000000004CE0000-0x0000000004D1E000-memory.dmp	family_redline
behavioral1/memory/2172-202-0x0000000004CE0000-0x0000000004D1E000-memory.dmp	family_redline
behavioral1/memory/2172-204-0x0000000004CE0000-0x0000000004D1E000-memory.dmp	family_redline
behavioral1/memory/2172-206-0x0000000004CE0000-0x0000000004D1E000-memory.dmp	family_redline
behavioral1/memory/2172-208-0x0000000004CE0000-0x0000000004D1E000-memory.dmp	family_redline
behavioral1/memory/2172-210-0x0000000004CE0000-0x0000000004D1E000-memory.dmp	family_redline
behavioral1/memory/2172-212-0x0000000004CE0000-0x0000000004D1E000-memory.dmp	family_redline
behavioral1/memory/2172-214-0x0000000004CE0000-0x0000000004D1E000-memory.dmp	family_redline
behavioral1/memory/2172-216-0x0000000004CE0000-0x0000000004D1E000-memory.dmp	family_redline
behavioral1/memory/2172-218-0x0000000004CE0000-0x0000000004D1E000-memory.dmp	family_redline
behavioral1/memory/2172-220-0x0000000004CE0000-0x0000000004D1E000-memory.dmp	family_redline
behavioral1/memory/2172-223-0x0000000004CE0000-0x0000000004D1E000-memory.dmp	family_redline
behavioral1/memory/2172-227-0x0000000004D80000-0x0000000004D90000-memory.dmp	family_redline
behavioral1/memory/2172-226-0x0000000004D80000-0x0000000004D90000-memory.dmp	family_redline
behavioral1/memory/2172-228-0x0000000004CE0000-0x0000000004D1E000-memory.dmp	family_redline

Executes dropped EXE 3 IoCs

pid	Process
4656	un358485.exe
3352	pro9165.exe
2172	qu5251.exe

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	pro9165.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	pro9165.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	7b401e0b65ae467342b6f6056b028c1e0d74913319bc9e4b89c054136e309afe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	7b401e0b65ae467342b6f6056b028c1e0d74913319bc9e4b89c054136e309afe.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	un358485.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	un358485.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1676	3352	WerFault.exe	86

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
3352	pro9165.exe
3352	pro9165.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	3352	pro9165.exe
Token: SeDebugPrivilege	2172	qu5251.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 2080 wrote to memory of 4656	2080	7b401e0b65ae467342b6f6056b028c1e0d74913319bc9e4b89c054136e309afe.exe	85
PID 2080 wrote to memory of 4656	2080	7b401e0b65ae467342b6f6056b028c1e0d74913319bc9e4b89c054136e309afe.exe	85
PID 2080 wrote to memory of 4656	2080	7b401e0b65ae467342b6f6056b028c1e0d74913319bc9e4b89c054136e309afe.exe	85
PID 4656 wrote to memory of 3352	4656	un358485.exe	86
PID 4656 wrote to memory of 3352	4656	un358485.exe	86
PID 4656 wrote to memory of 3352	4656	un358485.exe	86
PID 4656 wrote to memory of 2172	4656	un358485.exe	95
PID 4656 wrote to memory of 2172	4656	un358485.exe	95
PID 4656 wrote to memory of 2172	4656	un358485.exe	95

C:\Users\Admin\AppData\Local\Temp\7b401e0b65ae467342b6f6056b028c1e0d74913319bc9e4b89c054136e309afe.exe
"C:\Users\Admin\AppData\Local\Temp\7b401e0b65ae467342b6f6056b028c1e0d74913319bc9e4b89c054136e309afe.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2080
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un358485.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un358485.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:4656
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro9165.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro9165.exe
    3⤵
    - Modifies Windows Defender Real-time Protection settings
    - Executes dropped EXE
    - Windows security modification
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3352
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3352 -s 1084
      4⤵
      Program crash
      PID:1676
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu5251.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu5251.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:2172

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 3352 -ip 3352
1⤵
PID:376

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un358485.exe

Filesize
558KB

MD5
525fe3821d91aa131abd5b23a9f83c29

SHA1
4503616409e16354e338000927f3d9292e63785a

SHA256
db73ff28c514afb354b9030ccb7b2cf6169d330e075d21f9e9b57fd75e06920e

SHA512
a122aef94813221ecc9d78381e3d3665a6d4e277b85431e867f693feda4eefd15796039a7c79c9a14622a29fca7c5d587dbc1855a60b4e52f903d3646d5fcdd5

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un358485.exe

Filesize
558KB

MD5
525fe3821d91aa131abd5b23a9f83c29

SHA1
4503616409e16354e338000927f3d9292e63785a

SHA256
db73ff28c514afb354b9030ccb7b2cf6169d330e075d21f9e9b57fd75e06920e

SHA512
a122aef94813221ecc9d78381e3d3665a6d4e277b85431e867f693feda4eefd15796039a7c79c9a14622a29fca7c5d587dbc1855a60b4e52f903d3646d5fcdd5

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro9165.exe

Filesize
308KB

MD5
47aef1aa869f36ed5089bcb6f795d2b3

SHA1
80ccf14599622ea75b46d5ab8dc57b9f3bb3f89e

SHA256
a702ad8120c0d1ead04ca15ba9b5437c31248322264123691f7e21eaae0d5f45

SHA512
57d4982e4b13d06e282916dcc8731a538277ad977cd8ef584b95a4d7354b4f9ac440c1b8fbb00bee61e1fad31469e830b78a6f2328e26f275acbb4b677fec46c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro9165.exe

Filesize
308KB

MD5
47aef1aa869f36ed5089bcb6f795d2b3

SHA1
80ccf14599622ea75b46d5ab8dc57b9f3bb3f89e

SHA256
a702ad8120c0d1ead04ca15ba9b5437c31248322264123691f7e21eaae0d5f45

SHA512
57d4982e4b13d06e282916dcc8731a538277ad977cd8ef584b95a4d7354b4f9ac440c1b8fbb00bee61e1fad31469e830b78a6f2328e26f275acbb4b677fec46c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu5251.exe

Filesize
366KB

MD5
a5906a6b62472813950ee31633367df4

SHA1
528b28c93a3deb49ff45e30646173b3cb4c1b741

SHA256
ae738ae814b9d47af23bcf5b36ed8517adaf32016cf2a4b2be81b8218951c231

SHA512
902e12b0d207460c41113703ae4828bff99e0d0c97ab3b9a613f525256375bb0ab96355df85963c8dbd45f16452b2e498a85432f0ede11f9462660cd9f9c6c4e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu5251.exe

Filesize
366KB

MD5
a5906a6b62472813950ee31633367df4

SHA1
528b28c93a3deb49ff45e30646173b3cb4c1b741

SHA256
ae738ae814b9d47af23bcf5b36ed8517adaf32016cf2a4b2be81b8218951c231

SHA512
902e12b0d207460c41113703ae4828bff99e0d0c97ab3b9a613f525256375bb0ab96355df85963c8dbd45f16452b2e498a85432f0ede11f9462660cd9f9c6c4e

Download Submit
memory/2172-218-0x0000000004CE0000-0x0000000004D1E000-memory.dmp

Filesize
248KB

Download
memory/2172-222-0x00000000007F0000-0x000000000083B000-memory.dmp

Filesize
300KB

Download
memory/2172-1110-0x0000000004D80000-0x0000000004D90000-memory.dmp

Filesize
64KB

Download
memory/2172-1109-0x0000000004D80000-0x0000000004D90000-memory.dmp

Filesize
64KB

Download
memory/2172-191-0x0000000004CE0000-0x0000000004D1E000-memory.dmp

Filesize
248KB

Download
memory/2172-1107-0x0000000004D80000-0x0000000004D90000-memory.dmp

Filesize
64KB

Download
memory/2172-194-0x0000000004CE0000-0x0000000004D1E000-memory.dmp

Filesize
248KB

Download
memory/2172-1104-0x0000000005B20000-0x0000000005B5C000-memory.dmp

Filesize
240KB

Download
memory/2172-1103-0x0000000005B00000-0x0000000005B12000-memory.dmp

Filesize
72KB

Download
memory/2172-1102-0x00000000059C0000-0x0000000005ACA000-memory.dmp

Filesize
1.0MB

Download
memory/2172-1101-0x0000000005340000-0x0000000005958000-memory.dmp

Filesize
6.1MB

Download
memory/2172-228-0x0000000004CE0000-0x0000000004D1E000-memory.dmp

Filesize
248KB

Download
memory/2172-226-0x0000000004D80000-0x0000000004D90000-memory.dmp

Filesize
64KB

Download
memory/2172-227-0x0000000004D80000-0x0000000004D90000-memory.dmp

Filesize
64KB

Download
memory/2172-223-0x0000000004CE0000-0x0000000004D1E000-memory.dmp

Filesize
248KB

Download
memory/2172-224-0x0000000004D80000-0x0000000004D90000-memory.dmp

Filesize
64KB

Download
memory/2172-220-0x0000000004CE0000-0x0000000004D1E000-memory.dmp

Filesize
248KB

Download
memory/2172-216-0x0000000004CE0000-0x0000000004D1E000-memory.dmp

Filesize
248KB

Download
memory/2172-214-0x0000000004CE0000-0x0000000004D1E000-memory.dmp

Filesize
248KB

Download
memory/2172-212-0x0000000004CE0000-0x0000000004D1E000-memory.dmp

Filesize
248KB

Download
memory/2172-210-0x0000000004CE0000-0x0000000004D1E000-memory.dmp

Filesize
248KB

Download
memory/2172-196-0x0000000004CE0000-0x0000000004D1E000-memory.dmp

Filesize
248KB

Download
memory/2172-206-0x0000000004CE0000-0x0000000004D1E000-memory.dmp

Filesize
248KB

Download
memory/2172-204-0x0000000004CE0000-0x0000000004D1E000-memory.dmp

Filesize
248KB

Download
memory/2172-202-0x0000000004CE0000-0x0000000004D1E000-memory.dmp

Filesize
248KB

Download
memory/2172-192-0x0000000004CE0000-0x0000000004D1E000-memory.dmp

Filesize
248KB

Download
memory/2172-1108-0x0000000004D80000-0x0000000004D90000-memory.dmp

Filesize
64KB

Download
memory/2172-1105-0x0000000004D80000-0x0000000004D90000-memory.dmp

Filesize
64KB

Download
memory/2172-208-0x0000000004CE0000-0x0000000004D1E000-memory.dmp

Filesize
248KB

Download
memory/2172-198-0x0000000004CE0000-0x0000000004D1E000-memory.dmp

Filesize
248KB

Download
memory/2172-200-0x0000000004CE0000-0x0000000004D1E000-memory.dmp

Filesize
248KB

Download
memory/3352-150-0x0000000004E60000-0x0000000004E70000-memory.dmp

Filesize
64KB

Download
memory/3352-183-0x0000000004E60000-0x0000000004E70000-memory.dmp

Filesize
64KB

Download
memory/3352-149-0x0000000000710000-0x000000000073D000-memory.dmp

Filesize
180KB

Download
memory/3352-184-0x0000000004E60000-0x0000000004E70000-memory.dmp

Filesize
64KB

Download
memory/3352-186-0x0000000000400000-0x0000000000710000-memory.dmp

Filesize
3.1MB

Download
memory/3352-182-0x0000000004E60000-0x0000000004E70000-memory.dmp

Filesize
64KB

Download
memory/3352-181-0x0000000000400000-0x0000000000710000-memory.dmp

Filesize
3.1MB

Download
memory/3352-170-0x0000000002710000-0x0000000002722000-memory.dmp

Filesize
72KB

Download
memory/3352-148-0x0000000004E70000-0x0000000005414000-memory.dmp

Filesize
5.6MB

Download
memory/3352-178-0x0000000002710000-0x0000000002722000-memory.dmp

Filesize
72KB

Download
memory/3352-151-0x0000000004E60000-0x0000000004E70000-memory.dmp

Filesize
64KB

Download
memory/3352-152-0x0000000004E60000-0x0000000004E70000-memory.dmp

Filesize
64KB

Download
memory/3352-172-0x0000000002710000-0x0000000002722000-memory.dmp

Filesize
72KB

Download
memory/3352-174-0x0000000002710000-0x0000000002722000-memory.dmp

Filesize
72KB

Download
memory/3352-180-0x0000000002710000-0x0000000002722000-memory.dmp

Filesize
72KB

Download
memory/3352-168-0x0000000002710000-0x0000000002722000-memory.dmp

Filesize
72KB

Download
memory/3352-166-0x0000000002710000-0x0000000002722000-memory.dmp

Filesize
72KB

Download
memory/3352-164-0x0000000002710000-0x0000000002722000-memory.dmp

Filesize
72KB

Download
memory/3352-162-0x0000000002710000-0x0000000002722000-memory.dmp

Filesize
72KB

Download
memory/3352-160-0x0000000002710000-0x0000000002722000-memory.dmp

Filesize
72KB

Download
memory/3352-158-0x0000000002710000-0x0000000002722000-memory.dmp

Filesize
72KB

Download
memory/3352-156-0x0000000002710000-0x0000000002722000-memory.dmp

Filesize
72KB

Download
memory/3352-154-0x0000000002710000-0x0000000002722000-memory.dmp

Filesize
72KB

Download
memory/3352-153-0x0000000002710000-0x0000000002722000-memory.dmp

Filesize
72KB

Download
memory/3352-176-0x0000000002710000-0x0000000002722000-memory.dmp

Filesize
72KB

Download