redline | 3eb159040dcf466924fa02081bc21c15440f430fee73420070679bfd4c00809e

Analysis

max time kernel
145s
max time network
144s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
27-03-2023 16:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3eb159040dcf466924fa02081bc21c15440f430fee73420070679bfd4c00809e.exe
Size

700KB
MD5

8107275f79e602e8ec2d756bcfaa5ca0
SHA1

e9392d1e1de343c282445b8aa5741719407ba043
SHA256

3eb159040dcf466924fa02081bc21c15440f430fee73420070679bfd4c00809e
SHA512

75372fc7271e68b7b2a166aef41fd82a36ee3a8f1137c581a368f5e59fb68a831324f95a8867bdf86d89a5585d9c606ef3e9501a2dfe624cf5640385295f84fb
SSDEEP

12288:pMrly90fJm7tpXDG7lOJyUvrSVB3yGQqu5OgYr9fxP3hP2jBRviDNGzSA7H:wyumTzG5IjKB3yGYv2PxP2j2GzLL

Score

10^/10

redline sony evasion infostealer persistence trojan

Malware Config

Extracted

Family

redline

Botnet

sony

193.233.20.33:4125

Attributes

auth_value
1d93d1744381eeb4fcfd7c23ffe0f0b4

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	pro6056.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	pro6056.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	pro6056.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	pro6056.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	pro6056.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	pro6056.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 21 IoCs

resource	yara_rule
behavioral1/memory/4056-188-0x0000000005290000-0x00000000052CE000-memory.dmp	family_redline
behavioral1/memory/4056-191-0x0000000005290000-0x00000000052CE000-memory.dmp	family_redline
behavioral1/memory/4056-189-0x0000000005290000-0x00000000052CE000-memory.dmp	family_redline
behavioral1/memory/4056-193-0x0000000005290000-0x00000000052CE000-memory.dmp	family_redline
behavioral1/memory/4056-195-0x0000000005290000-0x00000000052CE000-memory.dmp	family_redline
behavioral1/memory/4056-197-0x0000000005290000-0x00000000052CE000-memory.dmp	family_redline
behavioral1/memory/4056-199-0x0000000005290000-0x00000000052CE000-memory.dmp	family_redline
behavioral1/memory/4056-201-0x0000000005290000-0x00000000052CE000-memory.dmp	family_redline
behavioral1/memory/4056-203-0x0000000005290000-0x00000000052CE000-memory.dmp	family_redline
behavioral1/memory/4056-205-0x0000000005290000-0x00000000052CE000-memory.dmp	family_redline
behavioral1/memory/4056-207-0x0000000005290000-0x00000000052CE000-memory.dmp	family_redline
behavioral1/memory/4056-210-0x0000000005290000-0x00000000052CE000-memory.dmp	family_redline
behavioral1/memory/4056-212-0x00000000026C0000-0x00000000026D0000-memory.dmp	family_redline
behavioral1/memory/4056-215-0x0000000005290000-0x00000000052CE000-memory.dmp	family_redline
behavioral1/memory/4056-217-0x0000000005290000-0x00000000052CE000-memory.dmp	family_redline
behavioral1/memory/4056-219-0x0000000005290000-0x00000000052CE000-memory.dmp	family_redline
behavioral1/memory/4056-221-0x0000000005290000-0x00000000052CE000-memory.dmp	family_redline
behavioral1/memory/4056-223-0x0000000005290000-0x00000000052CE000-memory.dmp	family_redline
behavioral1/memory/4056-225-0x0000000005290000-0x00000000052CE000-memory.dmp	family_redline
behavioral1/memory/4056-1104-0x00000000026C0000-0x00000000026D0000-memory.dmp	family_redline
behavioral1/memory/4056-1106-0x00000000026C0000-0x00000000026D0000-memory.dmp	family_redline

Executes dropped EXE 3 IoCs

pid	Process
2868	un250742.exe
3228	pro6056.exe
4056	qu5156.exe

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	pro6056.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	pro6056.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	3eb159040dcf466924fa02081bc21c15440f430fee73420070679bfd4c00809e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	3eb159040dcf466924fa02081bc21c15440f430fee73420070679bfd4c00809e.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	un250742.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	un250742.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1348	3228	WerFault.exe	87

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
3228	pro6056.exe
3228	pro6056.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	3228	pro6056.exe
Token: SeDebugPrivilege	4056	qu5156.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 2240 wrote to memory of 2868	2240	3eb159040dcf466924fa02081bc21c15440f430fee73420070679bfd4c00809e.exe	86
PID 2240 wrote to memory of 2868	2240	3eb159040dcf466924fa02081bc21c15440f430fee73420070679bfd4c00809e.exe	86
PID 2240 wrote to memory of 2868	2240	3eb159040dcf466924fa02081bc21c15440f430fee73420070679bfd4c00809e.exe	86
PID 2868 wrote to memory of 3228	2868	un250742.exe	87
PID 2868 wrote to memory of 3228	2868	un250742.exe	87
PID 2868 wrote to memory of 3228	2868	un250742.exe	87
PID 2868 wrote to memory of 4056	2868	un250742.exe	96
PID 2868 wrote to memory of 4056	2868	un250742.exe	96
PID 2868 wrote to memory of 4056	2868	un250742.exe	96

C:\Users\Admin\AppData\Local\Temp\3eb159040dcf466924fa02081bc21c15440f430fee73420070679bfd4c00809e.exe
"C:\Users\Admin\AppData\Local\Temp\3eb159040dcf466924fa02081bc21c15440f430fee73420070679bfd4c00809e.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2240
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un250742.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un250742.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:2868
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro6056.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro6056.exe
    3⤵
    - Modifies Windows Defender Real-time Protection settings
    - Executes dropped EXE
    - Windows security modification
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3228
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3228 -s 1084
      4⤵
      Program crash
      PID:1348
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu5156.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu5156.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:4056

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 3228 -ip 3228
1⤵
PID:3676

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un250742.exe

Filesize
558KB

MD5
00a69cb30fc85f082bcef3003895fdfc

SHA1
e471db4fc6e0d8c934f23f0689d10b5836ce35ca

SHA256
feb583511c25395a9d77574b799a90852925b070ef4ae9538d665c0c116fe733

SHA512
16de99c138b97e092815b80ff9f30004ccd86ce35f329917a9289ac48d9d7dcde76e418be98a5be5d2a495baa4aaed870370ca9bc9dbcef745754a2ef3c43b75

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un250742.exe

Filesize
558KB

MD5
00a69cb30fc85f082bcef3003895fdfc

SHA1
e471db4fc6e0d8c934f23f0689d10b5836ce35ca

SHA256
feb583511c25395a9d77574b799a90852925b070ef4ae9538d665c0c116fe733

SHA512
16de99c138b97e092815b80ff9f30004ccd86ce35f329917a9289ac48d9d7dcde76e418be98a5be5d2a495baa4aaed870370ca9bc9dbcef745754a2ef3c43b75

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro6056.exe

Filesize
308KB

MD5
f45bfa878f602b936f90b0123299a434

SHA1
c816b152c977eb133d75e6818e8189451de998ae

SHA256
9f89c0f38d78bd234cd597ba4d916db136f0789ed7798c024a0b8095e855ca9d

SHA512
8d5dbd7fa88942c9a5c13160fe02149dfdd1148172e253bdb55091f1bdd13d328000f7b96b403815e075783c46c0e47413524425bb0ed7a750b4a8677bd129cb

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro6056.exe

Filesize
308KB

MD5
f45bfa878f602b936f90b0123299a434

SHA1
c816b152c977eb133d75e6818e8189451de998ae

SHA256
9f89c0f38d78bd234cd597ba4d916db136f0789ed7798c024a0b8095e855ca9d

SHA512
8d5dbd7fa88942c9a5c13160fe02149dfdd1148172e253bdb55091f1bdd13d328000f7b96b403815e075783c46c0e47413524425bb0ed7a750b4a8677bd129cb

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu5156.exe

Filesize
366KB

MD5
b721c9b215559f7fcb3af4d6e83bfe3c

SHA1
a7f0cd621146a204f5b3b04593c8edc0cfcc4593

SHA256
a14a7a7531ca0b68602721ec4696cfd3b2a7de7fd7de8dc84962168b3fa2bdd1

SHA512
dfee9e9cc6f5fd3df79f9c28d52028829360996a7e17ef9254ff42ecfe502701458fe4ac5656c005eb2b75da69d0450f67c6c43bb953826e35e38a6d62c12195

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu5156.exe

Filesize
366KB

MD5
b721c9b215559f7fcb3af4d6e83bfe3c

SHA1
a7f0cd621146a204f5b3b04593c8edc0cfcc4593

SHA256
a14a7a7531ca0b68602721ec4696cfd3b2a7de7fd7de8dc84962168b3fa2bdd1

SHA512
dfee9e9cc6f5fd3df79f9c28d52028829360996a7e17ef9254ff42ecfe502701458fe4ac5656c005eb2b75da69d0450f67c6c43bb953826e35e38a6d62c12195

Download Submit
memory/3228-148-0x0000000000800000-0x000000000082D000-memory.dmp

Filesize
180KB

Download
memory/3228-149-0x0000000002A60000-0x0000000002A70000-memory.dmp

Filesize
64KB

Download
memory/3228-150-0x0000000002A60000-0x0000000002A70000-memory.dmp

Filesize
64KB

Download
memory/3228-151-0x0000000002A60000-0x0000000002A70000-memory.dmp

Filesize
64KB

Download
memory/3228-152-0x0000000004E40000-0x00000000053E4000-memory.dmp

Filesize
5.6MB

Download
memory/3228-153-0x0000000002930000-0x0000000002942000-memory.dmp

Filesize
72KB

Download
memory/3228-154-0x0000000002930000-0x0000000002942000-memory.dmp

Filesize
72KB

Download
memory/3228-156-0x0000000002930000-0x0000000002942000-memory.dmp

Filesize
72KB

Download
memory/3228-158-0x0000000002930000-0x0000000002942000-memory.dmp

Filesize
72KB

Download
memory/3228-160-0x0000000002930000-0x0000000002942000-memory.dmp

Filesize
72KB

Download
memory/3228-162-0x0000000002930000-0x0000000002942000-memory.dmp

Filesize
72KB

Download
memory/3228-164-0x0000000002930000-0x0000000002942000-memory.dmp

Filesize
72KB

Download
memory/3228-166-0x0000000002930000-0x0000000002942000-memory.dmp

Filesize
72KB

Download
memory/3228-168-0x0000000002930000-0x0000000002942000-memory.dmp

Filesize
72KB

Download
memory/3228-170-0x0000000002930000-0x0000000002942000-memory.dmp

Filesize
72KB

Download
memory/3228-172-0x0000000002930000-0x0000000002942000-memory.dmp

Filesize
72KB

Download
memory/3228-174-0x0000000002930000-0x0000000002942000-memory.dmp

Filesize
72KB

Download
memory/3228-176-0x0000000002930000-0x0000000002942000-memory.dmp

Filesize
72KB

Download
memory/3228-178-0x0000000002930000-0x0000000002942000-memory.dmp

Filesize
72KB

Download
memory/3228-180-0x0000000002930000-0x0000000002942000-memory.dmp

Filesize
72KB

Download
memory/3228-181-0x0000000000400000-0x0000000000710000-memory.dmp

Filesize
3.1MB

Download
memory/3228-183-0x0000000000400000-0x0000000000710000-memory.dmp

Filesize
3.1MB

Download
memory/4056-188-0x0000000005290000-0x00000000052CE000-memory.dmp

Filesize
248KB

Download
memory/4056-191-0x0000000005290000-0x00000000052CE000-memory.dmp

Filesize
248KB

Download
memory/4056-189-0x0000000005290000-0x00000000052CE000-memory.dmp

Filesize
248KB

Download
memory/4056-193-0x0000000005290000-0x00000000052CE000-memory.dmp

Filesize
248KB

Download
memory/4056-195-0x0000000005290000-0x00000000052CE000-memory.dmp

Filesize
248KB

Download
memory/4056-197-0x0000000005290000-0x00000000052CE000-memory.dmp

Filesize
248KB

Download
memory/4056-199-0x0000000005290000-0x00000000052CE000-memory.dmp

Filesize
248KB

Download
memory/4056-201-0x0000000005290000-0x00000000052CE000-memory.dmp

Filesize
248KB

Download
memory/4056-203-0x0000000005290000-0x00000000052CE000-memory.dmp

Filesize
248KB

Download
memory/4056-205-0x0000000005290000-0x00000000052CE000-memory.dmp

Filesize
248KB

Download
memory/4056-207-0x0000000005290000-0x00000000052CE000-memory.dmp

Filesize
248KB

Download
memory/4056-210-0x0000000005290000-0x00000000052CE000-memory.dmp

Filesize
248KB

Download
memory/4056-211-0x00000000026C0000-0x00000000026D0000-memory.dmp

Filesize
64KB

Download
memory/4056-212-0x00000000026C0000-0x00000000026D0000-memory.dmp

Filesize
64KB

Download
memory/4056-209-0x0000000000950000-0x000000000099B000-memory.dmp

Filesize
300KB

Download
memory/4056-215-0x0000000005290000-0x00000000052CE000-memory.dmp

Filesize
248KB

Download
memory/4056-214-0x00000000026C0000-0x00000000026D0000-memory.dmp

Filesize
64KB

Download
memory/4056-217-0x0000000005290000-0x00000000052CE000-memory.dmp

Filesize
248KB

Download
memory/4056-219-0x0000000005290000-0x00000000052CE000-memory.dmp

Filesize
248KB

Download
memory/4056-221-0x0000000005290000-0x00000000052CE000-memory.dmp

Filesize
248KB

Download
memory/4056-223-0x0000000005290000-0x00000000052CE000-memory.dmp

Filesize
248KB

Download
memory/4056-225-0x0000000005290000-0x00000000052CE000-memory.dmp

Filesize
248KB

Download
memory/4056-1098-0x0000000005320000-0x0000000005938000-memory.dmp

Filesize
6.1MB

Download
memory/4056-1099-0x00000000059C0000-0x0000000005ACA000-memory.dmp

Filesize
1.0MB

Download
memory/4056-1100-0x0000000005B00000-0x0000000005B12000-memory.dmp

Filesize
72KB

Download
memory/4056-1101-0x00000000026C0000-0x00000000026D0000-memory.dmp

Filesize
64KB

Download
memory/4056-1102-0x0000000005B20000-0x0000000005B5C000-memory.dmp

Filesize
240KB

Download
memory/4056-1104-0x00000000026C0000-0x00000000026D0000-memory.dmp

Filesize
64KB

Download
memory/4056-1105-0x00000000026C0000-0x00000000026D0000-memory.dmp

Filesize
64KB

Download
memory/4056-1106-0x00000000026C0000-0x00000000026D0000-memory.dmp

Filesize
64KB

Download