redline | 2788548f8966354dfd4fd4d3f0fb01ee2d424586823a2bb6cc153453bc873995

Analysis

max time kernel
161s
max time network
166s
platform
windows10-1703_x64
resource
win10-20230220-en
resource tags

arch:x64arch:x86image:win10-20230220-enlocale:en-usos:windows10-1703-x64system
submitted
27-03-2023 16:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2788548f8966354dfd4fd4d3f0fb01ee2d424586823a2bb6cc153453bc873995.exe
Size

700KB
MD5

7afcc543ad932d8c7935c16c7b37e446
SHA1

ed8679160a7560bf664df51f878d08e3667792db
SHA256

2788548f8966354dfd4fd4d3f0fb01ee2d424586823a2bb6cc153453bc873995
SHA512

3fbd0e699f9ebd6dcfd05427d23e0a461ab852ada54205bc7fc234a84100ad580f1f958621f74cc15ec893f822b7ac5a870eecc375b777a229d4776b19d743fc
SSDEEP

12288:4Mr/y90d9fhF1F4UcVwzfwMZaKiA4Flu/bFZ0ymJ7NTBRvnivlHydu8Cr:XyYh3FPcwbXZa64FE/buT2SdCr

Score

10^/10

redline sony evasion infostealer persistence trojan

Malware Config

Extracted

Family

redline

Botnet

sony

193.233.20.33:4125

Attributes

auth_value
1d93d1744381eeb4fcfd7c23ffe0f0b4

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs 5 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	pro5394.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	pro5394.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	pro5394.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	pro5394.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	pro5394.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 21 IoCs

resource	yara_rule
behavioral1/memory/3500-177-0x0000000002430000-0x0000000002476000-memory.dmp	family_redline
behavioral1/memory/3500-178-0x0000000002670000-0x00000000026B4000-memory.dmp	family_redline
behavioral1/memory/3500-180-0x0000000002670000-0x00000000026AE000-memory.dmp	family_redline
behavioral1/memory/3500-179-0x0000000002670000-0x00000000026AE000-memory.dmp	family_redline
behavioral1/memory/3500-182-0x0000000002670000-0x00000000026AE000-memory.dmp	family_redline
behavioral1/memory/3500-184-0x0000000002670000-0x00000000026AE000-memory.dmp	family_redline
behavioral1/memory/3500-186-0x0000000002670000-0x00000000026AE000-memory.dmp	family_redline
behavioral1/memory/3500-188-0x0000000002670000-0x00000000026AE000-memory.dmp	family_redline
behavioral1/memory/3500-190-0x0000000002670000-0x00000000026AE000-memory.dmp	family_redline
behavioral1/memory/3500-192-0x0000000002670000-0x00000000026AE000-memory.dmp	family_redline
behavioral1/memory/3500-194-0x0000000002670000-0x00000000026AE000-memory.dmp	family_redline
behavioral1/memory/3500-196-0x0000000002670000-0x00000000026AE000-memory.dmp	family_redline
behavioral1/memory/3500-198-0x0000000002670000-0x00000000026AE000-memory.dmp	family_redline
behavioral1/memory/3500-200-0x0000000002670000-0x00000000026AE000-memory.dmp	family_redline
behavioral1/memory/3500-202-0x0000000002670000-0x00000000026AE000-memory.dmp	family_redline
behavioral1/memory/3500-204-0x0000000002670000-0x00000000026AE000-memory.dmp	family_redline
behavioral1/memory/3500-206-0x0000000002670000-0x00000000026AE000-memory.dmp	family_redline
behavioral1/memory/3500-208-0x0000000002670000-0x00000000026AE000-memory.dmp	family_redline
behavioral1/memory/3500-210-0x0000000002670000-0x00000000026AE000-memory.dmp	family_redline
behavioral1/memory/3500-212-0x0000000002670000-0x00000000026AE000-memory.dmp	family_redline
behavioral1/memory/3500-1096-0x00000000026D0000-0x00000000026E0000-memory.dmp	family_redline

Executes dropped EXE 3 IoCs

pid	Process
4260	un391506.exe
4616	pro5394.exe
3500	qu1131.exe

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	pro5394.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	pro5394.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	2788548f8966354dfd4fd4d3f0fb01ee2d424586823a2bb6cc153453bc873995.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	2788548f8966354dfd4fd4d3f0fb01ee2d424586823a2bb6cc153453bc873995.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	un391506.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	un391506.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4616	pro5394.exe
4616	pro5394.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	4616	pro5394.exe
Token: SeDebugPrivilege	3500	qu1131.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 4192 wrote to memory of 4260	4192	2788548f8966354dfd4fd4d3f0fb01ee2d424586823a2bb6cc153453bc873995.exe	66
PID 4192 wrote to memory of 4260	4192	2788548f8966354dfd4fd4d3f0fb01ee2d424586823a2bb6cc153453bc873995.exe	66
PID 4192 wrote to memory of 4260	4192	2788548f8966354dfd4fd4d3f0fb01ee2d424586823a2bb6cc153453bc873995.exe	66
PID 4260 wrote to memory of 4616	4260	un391506.exe	67
PID 4260 wrote to memory of 4616	4260	un391506.exe	67
PID 4260 wrote to memory of 4616	4260	un391506.exe	67
PID 4260 wrote to memory of 3500	4260	un391506.exe	68
PID 4260 wrote to memory of 3500	4260	un391506.exe	68
PID 4260 wrote to memory of 3500	4260	un391506.exe	68

C:\Users\Admin\AppData\Local\Temp\2788548f8966354dfd4fd4d3f0fb01ee2d424586823a2bb6cc153453bc873995.exe
"C:\Users\Admin\AppData\Local\Temp\2788548f8966354dfd4fd4d3f0fb01ee2d424586823a2bb6cc153453bc873995.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4192
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un391506.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un391506.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:4260
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro5394.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro5394.exe
    3⤵
    - Modifies Windows Defender Real-time Protection settings
    - Executes dropped EXE
    - Windows security modification
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4616
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu1131.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu1131.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:3500

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un391506.exe

Filesize
558KB

MD5
27a15f3b0e12910514973ed7c3962a2a

SHA1
917983a091a055059c389f9147c31e86bf3fafc4

SHA256
41182b55d61f41e7e45f74a0587147e010c512dbc063586abd13e3e97ee1c58a

SHA512
6c5f235f39c861464552854df5c1691e4ee9fae7f9d4b4abe1523b801626f78019ce87830417d45e8adeaa3e49e8ef81d829a888feeb9952a129516da39aba56

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un391506.exe

Filesize
558KB

MD5
27a15f3b0e12910514973ed7c3962a2a

SHA1
917983a091a055059c389f9147c31e86bf3fafc4

SHA256
41182b55d61f41e7e45f74a0587147e010c512dbc063586abd13e3e97ee1c58a

SHA512
6c5f235f39c861464552854df5c1691e4ee9fae7f9d4b4abe1523b801626f78019ce87830417d45e8adeaa3e49e8ef81d829a888feeb9952a129516da39aba56

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro5394.exe

Filesize
308KB

MD5
d5314d0b661befdfafe401dcd8b9d404

SHA1
d88ab3a0a1343a2bdd69e3fbcd917593eca43e4e

SHA256
ab1625492cda4e7551d976c5d558fd1694eca528ad83895d623193f05815e804

SHA512
7fb0e77b0db45e8b2881136705160a0e8149ea49e93e7d2b608019b4f44151dbd618b93b9475cb52b29b8be61d1aabf6ba57af3ffd2c61adc31e8ecfa33c66d7

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro5394.exe

Filesize
308KB

MD5
d5314d0b661befdfafe401dcd8b9d404

SHA1
d88ab3a0a1343a2bdd69e3fbcd917593eca43e4e

SHA256
ab1625492cda4e7551d976c5d558fd1694eca528ad83895d623193f05815e804

SHA512
7fb0e77b0db45e8b2881136705160a0e8149ea49e93e7d2b608019b4f44151dbd618b93b9475cb52b29b8be61d1aabf6ba57af3ffd2c61adc31e8ecfa33c66d7

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu1131.exe

Filesize
366KB

MD5
b2fa1cb5ad81dcb224fe45df93c1c9f5

SHA1
492a603eefcedda4f61d7787c4da7dab19230494

SHA256
7e2711ee9e3975c9079d5ef67f343b649982760f89c6b06ef3ca4c86e95b5320

SHA512
cc8e38ed236aedd4b034721b3d85e39f590e4989c25999ab4bdcfcd23031c131c0f98b0638ad6797238101832cb51ee8f93ae2f0bf580b32675613c9ebd9e70f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu1131.exe

Filesize
366KB

MD5
b2fa1cb5ad81dcb224fe45df93c1c9f5

SHA1
492a603eefcedda4f61d7787c4da7dab19230494

SHA256
7e2711ee9e3975c9079d5ef67f343b649982760f89c6b06ef3ca4c86e95b5320

SHA512
cc8e38ed236aedd4b034721b3d85e39f590e4989c25999ab4bdcfcd23031c131c0f98b0638ad6797238101832cb51ee8f93ae2f0bf580b32675613c9ebd9e70f

Download Submit
memory/3500-210-0x0000000002670000-0x00000000026AE000-memory.dmp

Filesize
248KB

Download
memory/3500-458-0x00000000026D0000-0x00000000026E0000-memory.dmp

Filesize
64KB

Download
memory/3500-182-0x0000000002670000-0x00000000026AE000-memory.dmp

Filesize
248KB

Download
memory/3500-1099-0x00000000026D0000-0x00000000026E0000-memory.dmp

Filesize
64KB

Download
memory/3500-184-0x0000000002670000-0x00000000026AE000-memory.dmp

Filesize
248KB

Download
memory/3500-1098-0x00000000026D0000-0x00000000026E0000-memory.dmp

Filesize
64KB

Download
memory/3500-1097-0x00000000026D0000-0x00000000026E0000-memory.dmp

Filesize
64KB

Download
memory/3500-1096-0x00000000026D0000-0x00000000026E0000-memory.dmp

Filesize
64KB

Download
memory/3500-1094-0x00000000026D0000-0x00000000026E0000-memory.dmp

Filesize
64KB

Download
memory/3500-1093-0x00000000056E0000-0x000000000572B000-memory.dmp

Filesize
300KB

Download
memory/3500-1092-0x00000000027F0000-0x000000000282E000-memory.dmp

Filesize
248KB

Download
memory/3500-1091-0x00000000027C0000-0x00000000027D2000-memory.dmp

Filesize
72KB

Download
memory/3500-1090-0x00000000054D0000-0x00000000055DA000-memory.dmp

Filesize
1.0MB

Download
memory/3500-1089-0x0000000005AE0000-0x00000000060E6000-memory.dmp

Filesize
6.0MB

Download
memory/3500-462-0x00000000026D0000-0x00000000026E0000-memory.dmp

Filesize
64KB

Download
memory/3500-460-0x00000000026D0000-0x00000000026E0000-memory.dmp

Filesize
64KB

Download
memory/3500-456-0x00000000007F0000-0x000000000083B000-memory.dmp

Filesize
300KB

Download
memory/3500-194-0x0000000002670000-0x00000000026AE000-memory.dmp

Filesize
248KB

Download
memory/3500-212-0x0000000002670000-0x00000000026AE000-memory.dmp

Filesize
248KB

Download
memory/3500-208-0x0000000002670000-0x00000000026AE000-memory.dmp

Filesize
248KB

Download
memory/3500-206-0x0000000002670000-0x00000000026AE000-memory.dmp

Filesize
248KB

Download
memory/3500-204-0x0000000002670000-0x00000000026AE000-memory.dmp

Filesize
248KB

Download
memory/3500-202-0x0000000002670000-0x00000000026AE000-memory.dmp

Filesize
248KB

Download
memory/3500-200-0x0000000002670000-0x00000000026AE000-memory.dmp

Filesize
248KB

Download
memory/3500-186-0x0000000002670000-0x00000000026AE000-memory.dmp

Filesize
248KB

Download
memory/3500-178-0x0000000002670000-0x00000000026B4000-memory.dmp

Filesize
272KB

Download
memory/3500-180-0x0000000002670000-0x00000000026AE000-memory.dmp

Filesize
248KB

Download
memory/3500-179-0x0000000002670000-0x00000000026AE000-memory.dmp

Filesize
248KB

Download
memory/3500-198-0x0000000002670000-0x00000000026AE000-memory.dmp

Filesize
248KB

Download
memory/3500-196-0x0000000002670000-0x00000000026AE000-memory.dmp

Filesize
248KB

Download
memory/3500-177-0x0000000002430000-0x0000000002476000-memory.dmp

Filesize
280KB

Download
memory/3500-188-0x0000000002670000-0x00000000026AE000-memory.dmp

Filesize
248KB

Download
memory/3500-190-0x0000000002670000-0x00000000026AE000-memory.dmp

Filesize
248KB

Download
memory/3500-192-0x0000000002670000-0x00000000026AE000-memory.dmp

Filesize
248KB

Download
memory/4616-164-0x00000000024B0000-0x00000000024C2000-memory.dmp

Filesize
72KB

Download
memory/4616-142-0x00000000024B0000-0x00000000024C2000-memory.dmp

Filesize
72KB

Download
memory/4616-139-0x00000000024B0000-0x00000000024C2000-memory.dmp

Filesize
72KB

Download
memory/4616-136-0x0000000002310000-0x000000000232A000-memory.dmp

Filesize
104KB

Download
memory/4616-137-0x0000000004F70000-0x000000000546E000-memory.dmp

Filesize
5.0MB

Download
memory/4616-172-0x0000000000400000-0x0000000000710000-memory.dmp

Filesize
3.1MB

Download
memory/4616-170-0x0000000000400000-0x0000000000710000-memory.dmp

Filesize
3.1MB

Download
memory/4616-169-0x0000000004F60000-0x0000000004F70000-memory.dmp

Filesize
64KB

Download
memory/4616-135-0x00000000001D0000-0x00000000001FD000-memory.dmp

Filesize
180KB

Download
memory/4616-168-0x0000000004F60000-0x0000000004F70000-memory.dmp

Filesize
64KB

Download
memory/4616-167-0x0000000004F60000-0x0000000004F70000-memory.dmp

Filesize
64KB

Download
memory/4616-166-0x00000000024B0000-0x00000000024C2000-memory.dmp

Filesize
72KB

Download
memory/4616-138-0x00000000024B0000-0x00000000024C8000-memory.dmp

Filesize
96KB

Download
memory/4616-162-0x00000000024B0000-0x00000000024C2000-memory.dmp

Filesize
72KB

Download
memory/4616-160-0x00000000024B0000-0x00000000024C2000-memory.dmp

Filesize
72KB

Download
memory/4616-158-0x00000000024B0000-0x00000000024C2000-memory.dmp

Filesize
72KB

Download
memory/4616-156-0x00000000024B0000-0x00000000024C2000-memory.dmp

Filesize
72KB

Download
memory/4616-154-0x00000000024B0000-0x00000000024C2000-memory.dmp

Filesize
72KB

Download
memory/4616-152-0x00000000024B0000-0x00000000024C2000-memory.dmp

Filesize
72KB

Download
memory/4616-150-0x00000000024B0000-0x00000000024C2000-memory.dmp

Filesize
72KB

Download
memory/4616-148-0x00000000024B0000-0x00000000024C2000-memory.dmp

Filesize
72KB

Download
memory/4616-146-0x00000000024B0000-0x00000000024C2000-memory.dmp

Filesize
72KB

Download
memory/4616-144-0x00000000024B0000-0x00000000024C2000-memory.dmp

Filesize
72KB

Download
memory/4616-140-0x00000000024B0000-0x00000000024C2000-memory.dmp

Filesize
72KB

Download