redline | 2829641f8e40f08bea48997b3f3c6f737ecfc5c3737f4ffdf7df8ba3667b40f3

Analysis

max time kernel
150s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20230221-en
resource tags

arch:x64arch:x86image:win10v2004-20230221-enlocale:en-usos:windows10-2004-x64system
submitted
27-03-2023 16:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2829641f8e40f08bea48997b3f3c6f737ecfc5c3737f4ffdf7df8ba3667b40f3.exe
Size

701KB
MD5

22581e2a6375324392b24f36993b57a7
SHA1

078b45eb00c5250da66304fc1ff2ca6fca7f481f
SHA256

2829641f8e40f08bea48997b3f3c6f737ecfc5c3737f4ffdf7df8ba3667b40f3
SHA512

1499044d52b13edc8b17d89d664bdfc5a764c30a6798e149a572e7d074b52033cdca836d1ae3f2cd07f33642b62568ea81a69cc51e0de938da1549e129747306
SSDEEP

12288:OMrXy908sCwiUU1DeUN/yv+snuimeoWlBEzIOTpnSBRvGjyRgoUq+Oy657i:5yDmwegEoWOZRSayCoXFG

Score

10^/10

redline sony evasion infostealer persistence trojan

Malware Config

Extracted

Family

redline

Botnet

sony

193.233.20.33:4125

Attributes

auth_value
1d93d1744381eeb4fcfd7c23ffe0f0b4

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	pro1802.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	pro1802.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	pro1802.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	pro1802.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	pro1802.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	pro1802.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 19 IoCs

resource	yara_rule
behavioral1/memory/3932-188-0x0000000002550000-0x000000000258E000-memory.dmp	family_redline
behavioral1/memory/3932-191-0x0000000002550000-0x000000000258E000-memory.dmp	family_redline
behavioral1/memory/3932-189-0x0000000002550000-0x000000000258E000-memory.dmp	family_redline
behavioral1/memory/3932-193-0x0000000002550000-0x000000000258E000-memory.dmp	family_redline
behavioral1/memory/3932-195-0x0000000002550000-0x000000000258E000-memory.dmp	family_redline
behavioral1/memory/3932-197-0x0000000002550000-0x000000000258E000-memory.dmp	family_redline
behavioral1/memory/3932-199-0x0000000002550000-0x000000000258E000-memory.dmp	family_redline
behavioral1/memory/3932-201-0x0000000002550000-0x000000000258E000-memory.dmp	family_redline
behavioral1/memory/3932-203-0x0000000002550000-0x000000000258E000-memory.dmp	family_redline
behavioral1/memory/3932-205-0x0000000002550000-0x000000000258E000-memory.dmp	family_redline
behavioral1/memory/3932-207-0x0000000002550000-0x000000000258E000-memory.dmp	family_redline
behavioral1/memory/3932-211-0x0000000002550000-0x000000000258E000-memory.dmp	family_redline
behavioral1/memory/3932-217-0x0000000002550000-0x000000000258E000-memory.dmp	family_redline
behavioral1/memory/3932-214-0x0000000002550000-0x000000000258E000-memory.dmp	family_redline
behavioral1/memory/3932-219-0x0000000002550000-0x000000000258E000-memory.dmp	family_redline
behavioral1/memory/3932-221-0x0000000002550000-0x000000000258E000-memory.dmp	family_redline
behavioral1/memory/3932-223-0x0000000002550000-0x000000000258E000-memory.dmp	family_redline
behavioral1/memory/3932-225-0x0000000002550000-0x000000000258E000-memory.dmp	family_redline
behavioral1/memory/3932-1104-0x0000000004FE0000-0x0000000004FF0000-memory.dmp	family_redline

Executes dropped EXE 3 IoCs

pid	Process
1528	un773997.exe
2344	pro1802.exe
3932	qu6927.exe

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	pro1802.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	pro1802.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	2829641f8e40f08bea48997b3f3c6f737ecfc5c3737f4ffdf7df8ba3667b40f3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	2829641f8e40f08bea48997b3f3c6f737ecfc5c3737f4ffdf7df8ba3667b40f3.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	un773997.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	un773997.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
5108	2344	WerFault.exe	84

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2344	pro1802.exe
2344	pro1802.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2344	pro1802.exe
Token: SeDebugPrivilege	3932	qu6927.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 2736 wrote to memory of 1528	2736	2829641f8e40f08bea48997b3f3c6f737ecfc5c3737f4ffdf7df8ba3667b40f3.exe	83
PID 2736 wrote to memory of 1528	2736	2829641f8e40f08bea48997b3f3c6f737ecfc5c3737f4ffdf7df8ba3667b40f3.exe	83
PID 2736 wrote to memory of 1528	2736	2829641f8e40f08bea48997b3f3c6f737ecfc5c3737f4ffdf7df8ba3667b40f3.exe	83
PID 1528 wrote to memory of 2344	1528	un773997.exe	84
PID 1528 wrote to memory of 2344	1528	un773997.exe	84
PID 1528 wrote to memory of 2344	1528	un773997.exe	84
PID 1528 wrote to memory of 3932	1528	un773997.exe	90
PID 1528 wrote to memory of 3932	1528	un773997.exe	90
PID 1528 wrote to memory of 3932	1528	un773997.exe	90

C:\Users\Admin\AppData\Local\Temp\2829641f8e40f08bea48997b3f3c6f737ecfc5c3737f4ffdf7df8ba3667b40f3.exe
"C:\Users\Admin\AppData\Local\Temp\2829641f8e40f08bea48997b3f3c6f737ecfc5c3737f4ffdf7df8ba3667b40f3.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2736
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un773997.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un773997.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:1528
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro1802.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro1802.exe
    3⤵
    - Modifies Windows Defender Real-time Protection settings
    - Executes dropped EXE
    - Windows security modification
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2344
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2344 -s 1084
      4⤵
      Program crash
      PID:5108
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu6927.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu6927.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:3932

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 2344 -ip 2344
1⤵
PID:2972

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un773997.exe

Filesize
558KB

MD5
300cae281dbc0f5144ebb0a837331fb1

SHA1
3e5495f6a80e14abda0b4ec2b5222709a137237e

SHA256
da363b25b58919210a6629f63afcad8bcdcf5233a834d779fc05f9a236c09d72

SHA512
234257a6b04b021c25dc9569ac7e91d925198395f4d7e669e2c2f32a908735d7635a43853e0b2c9d86c449d8d867e893950792fd69ba2f77f71e5c31e9d9fa8f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un773997.exe

Filesize
558KB

MD5
300cae281dbc0f5144ebb0a837331fb1

SHA1
3e5495f6a80e14abda0b4ec2b5222709a137237e

SHA256
da363b25b58919210a6629f63afcad8bcdcf5233a834d779fc05f9a236c09d72

SHA512
234257a6b04b021c25dc9569ac7e91d925198395f4d7e669e2c2f32a908735d7635a43853e0b2c9d86c449d8d867e893950792fd69ba2f77f71e5c31e9d9fa8f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro1802.exe

Filesize
308KB

MD5
822c5c61c02f49c22b3271a788d636ad

SHA1
362b52f5fe6f57e10e1df465a830c28c0eba63a2

SHA256
12771a25d467178f51407f97b7fdb2867f6ba121d5436b7792c3b5677956d68a

SHA512
73aa66ff08ebdf7831d0e48926cf6ca4491579fb84ab9ab7dce8c7826177add967dadfcf5c0bcd3208f248d14ce48324dce068c10b501eb8b8acc3ae8f3a9c3c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro1802.exe

Filesize
308KB

MD5
822c5c61c02f49c22b3271a788d636ad

SHA1
362b52f5fe6f57e10e1df465a830c28c0eba63a2

SHA256
12771a25d467178f51407f97b7fdb2867f6ba121d5436b7792c3b5677956d68a

SHA512
73aa66ff08ebdf7831d0e48926cf6ca4491579fb84ab9ab7dce8c7826177add967dadfcf5c0bcd3208f248d14ce48324dce068c10b501eb8b8acc3ae8f3a9c3c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu6927.exe

Filesize
366KB

MD5
9ab79219891cac5c15011f36e5eea89e

SHA1
7dd7db97516ce7e0fa996a7dcde2c0a4ed036ba1

SHA256
d1066b516ddc0ef139f22d57d68e3fc9a7e25016eb763c7ec8e29272a6cc305a

SHA512
d3a9e739302ea529985554abe953e8727cc52bf93b7beff9865bdfef646f19beda43d3929a50f18b86d148682e2e2605f31b30bb25bf5ee0f418542b43af0674

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu6927.exe

Filesize
366KB

MD5
9ab79219891cac5c15011f36e5eea89e

SHA1
7dd7db97516ce7e0fa996a7dcde2c0a4ed036ba1

SHA256
d1066b516ddc0ef139f22d57d68e3fc9a7e25016eb763c7ec8e29272a6cc305a

SHA512
d3a9e739302ea529985554abe953e8727cc52bf93b7beff9865bdfef646f19beda43d3929a50f18b86d148682e2e2605f31b30bb25bf5ee0f418542b43af0674

Download Submit
memory/2344-148-0x00000000007E0000-0x000000000080D000-memory.dmp

Filesize
180KB

Download
memory/2344-150-0x0000000002320000-0x0000000002330000-memory.dmp

Filesize
64KB

Download
memory/2344-149-0x0000000002320000-0x0000000002330000-memory.dmp

Filesize
64KB

Download
memory/2344-151-0x0000000002320000-0x0000000002330000-memory.dmp

Filesize
64KB

Download
memory/2344-152-0x0000000004DD0000-0x0000000005374000-memory.dmp

Filesize
5.6MB

Download
memory/2344-153-0x0000000002820000-0x0000000002832000-memory.dmp

Filesize
72KB

Download
memory/2344-156-0x0000000002820000-0x0000000002832000-memory.dmp

Filesize
72KB

Download
memory/2344-154-0x0000000002820000-0x0000000002832000-memory.dmp

Filesize
72KB

Download
memory/2344-158-0x0000000002820000-0x0000000002832000-memory.dmp

Filesize
72KB

Download
memory/2344-160-0x0000000002820000-0x0000000002832000-memory.dmp

Filesize
72KB

Download
memory/2344-162-0x0000000002820000-0x0000000002832000-memory.dmp

Filesize
72KB

Download
memory/2344-164-0x0000000002820000-0x0000000002832000-memory.dmp

Filesize
72KB

Download
memory/2344-166-0x0000000002820000-0x0000000002832000-memory.dmp

Filesize
72KB

Download
memory/2344-168-0x0000000002820000-0x0000000002832000-memory.dmp

Filesize
72KB

Download
memory/2344-170-0x0000000002820000-0x0000000002832000-memory.dmp

Filesize
72KB

Download
memory/2344-172-0x0000000002820000-0x0000000002832000-memory.dmp

Filesize
72KB

Download
memory/2344-174-0x0000000002820000-0x0000000002832000-memory.dmp

Filesize
72KB

Download
memory/2344-176-0x0000000002820000-0x0000000002832000-memory.dmp

Filesize
72KB

Download
memory/2344-178-0x0000000002820000-0x0000000002832000-memory.dmp

Filesize
72KB

Download
memory/2344-180-0x0000000002820000-0x0000000002832000-memory.dmp

Filesize
72KB

Download
memory/2344-181-0x0000000000400000-0x0000000000710000-memory.dmp

Filesize
3.1MB

Download
memory/2344-183-0x0000000000400000-0x0000000000710000-memory.dmp

Filesize
3.1MB

Download
memory/3932-188-0x0000000002550000-0x000000000258E000-memory.dmp

Filesize
248KB

Download
memory/3932-191-0x0000000002550000-0x000000000258E000-memory.dmp

Filesize
248KB

Download
memory/3932-189-0x0000000002550000-0x000000000258E000-memory.dmp

Filesize
248KB

Download
memory/3932-193-0x0000000002550000-0x000000000258E000-memory.dmp

Filesize
248KB

Download
memory/3932-195-0x0000000002550000-0x000000000258E000-memory.dmp

Filesize
248KB

Download
memory/3932-197-0x0000000002550000-0x000000000258E000-memory.dmp

Filesize
248KB

Download
memory/3932-199-0x0000000002550000-0x000000000258E000-memory.dmp

Filesize
248KB

Download
memory/3932-201-0x0000000002550000-0x000000000258E000-memory.dmp

Filesize
248KB

Download
memory/3932-203-0x0000000002550000-0x000000000258E000-memory.dmp

Filesize
248KB

Download
memory/3932-205-0x0000000002550000-0x000000000258E000-memory.dmp

Filesize
248KB

Download
memory/3932-207-0x0000000002550000-0x000000000258E000-memory.dmp

Filesize
248KB

Download
memory/3932-208-0x0000000000840000-0x000000000088B000-memory.dmp

Filesize
300KB

Download
memory/3932-210-0x0000000004FE0000-0x0000000004FF0000-memory.dmp

Filesize
64KB

Download
memory/3932-211-0x0000000002550000-0x000000000258E000-memory.dmp

Filesize
248KB

Download
memory/3932-213-0x0000000004FE0000-0x0000000004FF0000-memory.dmp

Filesize
64KB

Download
memory/3932-215-0x0000000004FE0000-0x0000000004FF0000-memory.dmp

Filesize
64KB

Download
memory/3932-217-0x0000000002550000-0x000000000258E000-memory.dmp

Filesize
248KB

Download
memory/3932-214-0x0000000002550000-0x000000000258E000-memory.dmp

Filesize
248KB

Download
memory/3932-219-0x0000000002550000-0x000000000258E000-memory.dmp

Filesize
248KB

Download
memory/3932-221-0x0000000002550000-0x000000000258E000-memory.dmp

Filesize
248KB

Download
memory/3932-223-0x0000000002550000-0x000000000258E000-memory.dmp

Filesize
248KB

Download
memory/3932-225-0x0000000002550000-0x000000000258E000-memory.dmp

Filesize
248KB

Download
memory/3932-1098-0x00000000055A0000-0x0000000005BB8000-memory.dmp

Filesize
6.1MB

Download
memory/3932-1099-0x0000000005BC0000-0x0000000005CCA000-memory.dmp

Filesize
1.0MB

Download
memory/3932-1100-0x00000000029F0000-0x0000000002A02000-memory.dmp

Filesize
72KB

Download
memory/3932-1101-0x0000000004FE0000-0x0000000004FF0000-memory.dmp

Filesize
64KB

Download
memory/3932-1102-0x0000000002A10000-0x0000000002A4C000-memory.dmp

Filesize
240KB

Download
memory/3932-1104-0x0000000004FE0000-0x0000000004FF0000-memory.dmp

Filesize
64KB

Download
memory/3932-1105-0x0000000004FE0000-0x0000000004FF0000-memory.dmp

Filesize
64KB

Download
memory/3932-1106-0x0000000004FE0000-0x0000000004FF0000-memory.dmp

Filesize
64KB

Download
memory/3932-1107-0x0000000004FE0000-0x0000000004FF0000-memory.dmp

Filesize
64KB

Download