redline | e48e2b63852f1c9912c9020430b69a8af4e972a36772a75f4b4072882a45009d

Analysis

max time kernel
146s
max time network
148s
platform
windows10-1703_x64
resource
win10-20230220-en
resource tags

arch:x64arch:x86image:win10-20230220-enlocale:en-usos:windows10-1703-x64system
submitted
27-03-2023 16:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e48e2b63852f1c9912c9020430b69a8af4e972a36772a75f4b4072882a45009d.exe
Size

701KB
MD5

95317174f79d9763d85a42482e2e5dde
SHA1

bb521d2cde9f4467d322d26ecc4098b87497438f
SHA256

e48e2b63852f1c9912c9020430b69a8af4e972a36772a75f4b4072882a45009d
SHA512

a470386bff66cacc6acf9f543c273fcfc29ff7a4a43924257ed785406bc68eaf362703aa3455a179304b48413855b3803dcd6cee37998ded43f64bdd2c77968e
SSDEEP

12288:mMrLy90hJfkB34RqhO16MiFD0Ljst09PbkxSDqBRvouEEVgh:NyMJf2Nhw6rwLjfjqbEEVgh

Score

10^/10

redline sony evasion infostealer persistence trojan

Malware Config

Extracted

Family

redline

Botnet

sony

193.233.20.33:4125

Attributes

auth_value
1d93d1744381eeb4fcfd7c23ffe0f0b4

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs 5 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	pro2290.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	pro2290.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	pro2290.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	pro2290.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	pro2290.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 20 IoCs

resource	yara_rule
behavioral1/memory/3520-177-0x0000000002520000-0x0000000002566000-memory.dmp	family_redline
behavioral1/memory/3520-178-0x0000000002730000-0x0000000002774000-memory.dmp	family_redline
behavioral1/memory/3520-179-0x0000000002730000-0x000000000276E000-memory.dmp	family_redline
behavioral1/memory/3520-180-0x0000000002730000-0x000000000276E000-memory.dmp	family_redline
behavioral1/memory/3520-182-0x0000000002730000-0x000000000276E000-memory.dmp	family_redline
behavioral1/memory/3520-184-0x0000000002730000-0x000000000276E000-memory.dmp	family_redline
behavioral1/memory/3520-186-0x0000000002730000-0x000000000276E000-memory.dmp	family_redline
behavioral1/memory/3520-188-0x0000000002730000-0x000000000276E000-memory.dmp	family_redline
behavioral1/memory/3520-190-0x0000000002730000-0x000000000276E000-memory.dmp	family_redline
behavioral1/memory/3520-192-0x0000000002730000-0x000000000276E000-memory.dmp	family_redline
behavioral1/memory/3520-194-0x0000000002730000-0x000000000276E000-memory.dmp	family_redline
behavioral1/memory/3520-196-0x0000000002730000-0x000000000276E000-memory.dmp	family_redline
behavioral1/memory/3520-198-0x0000000002730000-0x000000000276E000-memory.dmp	family_redline
behavioral1/memory/3520-200-0x0000000002730000-0x000000000276E000-memory.dmp	family_redline
behavioral1/memory/3520-202-0x0000000002730000-0x000000000276E000-memory.dmp	family_redline
behavioral1/memory/3520-204-0x0000000002730000-0x000000000276E000-memory.dmp	family_redline
behavioral1/memory/3520-206-0x0000000002730000-0x000000000276E000-memory.dmp	family_redline
behavioral1/memory/3520-208-0x0000000002730000-0x000000000276E000-memory.dmp	family_redline
behavioral1/memory/3520-210-0x0000000002730000-0x000000000276E000-memory.dmp	family_redline
behavioral1/memory/3520-212-0x0000000002730000-0x000000000276E000-memory.dmp	family_redline

Executes dropped EXE 3 IoCs

pid	Process
4172	un943658.exe
4196	pro2290.exe
3520	qu5225.exe

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	pro2290.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	pro2290.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	un943658.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	un943658.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	e48e2b63852f1c9912c9020430b69a8af4e972a36772a75f4b4072882a45009d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	e48e2b63852f1c9912c9020430b69a8af4e972a36772a75f4b4072882a45009d.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4196	pro2290.exe
4196	pro2290.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	4196	pro2290.exe
Token: SeDebugPrivilege	3520	qu5225.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 3664 wrote to memory of 4172	3664	e48e2b63852f1c9912c9020430b69a8af4e972a36772a75f4b4072882a45009d.exe	66
PID 3664 wrote to memory of 4172	3664	e48e2b63852f1c9912c9020430b69a8af4e972a36772a75f4b4072882a45009d.exe	66
PID 3664 wrote to memory of 4172	3664	e48e2b63852f1c9912c9020430b69a8af4e972a36772a75f4b4072882a45009d.exe	66
PID 4172 wrote to memory of 4196	4172	un943658.exe	67
PID 4172 wrote to memory of 4196	4172	un943658.exe	67
PID 4172 wrote to memory of 4196	4172	un943658.exe	67
PID 4172 wrote to memory of 3520	4172	un943658.exe	68
PID 4172 wrote to memory of 3520	4172	un943658.exe	68
PID 4172 wrote to memory of 3520	4172	un943658.exe	68

C:\Users\Admin\AppData\Local\Temp\e48e2b63852f1c9912c9020430b69a8af4e972a36772a75f4b4072882a45009d.exe
"C:\Users\Admin\AppData\Local\Temp\e48e2b63852f1c9912c9020430b69a8af4e972a36772a75f4b4072882a45009d.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3664
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un943658.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un943658.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:4172
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro2290.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro2290.exe
    3⤵
    - Modifies Windows Defender Real-time Protection settings
    - Executes dropped EXE
    - Windows security modification
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4196
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu5225.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu5225.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:3520

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un943658.exe

Filesize
558KB

MD5
904c1cb3fbfc724563c544a1dd74048c

SHA1
30286ab2d8ec688c9c6906437b763cc67b709a2b

SHA256
89828997286bb0cdf8fc4824ad0f14f5fe23ad1357d9428b7e28bd5538ce2997

SHA512
251b29333d7d81f401e3456681b5c1d28a9d74ad8fc4bf3dbe0726998c1afa4df30e6798360955fbd8c2ff83c6babfb393ef35036c8fdbc7cca909606d39bb20

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un943658.exe

Filesize
558KB

MD5
904c1cb3fbfc724563c544a1dd74048c

SHA1
30286ab2d8ec688c9c6906437b763cc67b709a2b

SHA256
89828997286bb0cdf8fc4824ad0f14f5fe23ad1357d9428b7e28bd5538ce2997

SHA512
251b29333d7d81f401e3456681b5c1d28a9d74ad8fc4bf3dbe0726998c1afa4df30e6798360955fbd8c2ff83c6babfb393ef35036c8fdbc7cca909606d39bb20

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro2290.exe

Filesize
308KB

MD5
a12ad0875b8d329b86e912257676fcdf

SHA1
9733b25d047417a953ee807b6c5740613431c0d5

SHA256
5fc3c707bf068b20c093ab4ee4579b259bbb0abc6c960118bf03f8b035b45ff3

SHA512
d4b35119f6936dcd8c488b2a6dc62fedb87856301cc5ce2006fa4631cd41f1ea4b67e8bdbeb171fbfdbf4621d3b7722e80ce238bfc310f8cb65b38e5ef283a00

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro2290.exe

Filesize
308KB

MD5
a12ad0875b8d329b86e912257676fcdf

SHA1
9733b25d047417a953ee807b6c5740613431c0d5

SHA256
5fc3c707bf068b20c093ab4ee4579b259bbb0abc6c960118bf03f8b035b45ff3

SHA512
d4b35119f6936dcd8c488b2a6dc62fedb87856301cc5ce2006fa4631cd41f1ea4b67e8bdbeb171fbfdbf4621d3b7722e80ce238bfc310f8cb65b38e5ef283a00

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu5225.exe

Filesize
366KB

MD5
678a0100ab532a400a8566dedea59381

SHA1
9c7d1f1992a03a72fa422097a80a97b5b7b29f57

SHA256
9922fae4d9bd07200a70dd22f5e5620e2fd36debcb01fab23dc00a038aa43b78

SHA512
d8eba318aa8d85398e9671ea6ec0e7aaa71cd033c0a3e0bf5154e6867c9d7202a00efbbb166c84e5ade0286474d78d34c2270f87e4e1e9a914dca67e035e1d25

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu5225.exe

Filesize
366KB

MD5
678a0100ab532a400a8566dedea59381

SHA1
9c7d1f1992a03a72fa422097a80a97b5b7b29f57

SHA256
9922fae4d9bd07200a70dd22f5e5620e2fd36debcb01fab23dc00a038aa43b78

SHA512
d8eba318aa8d85398e9671ea6ec0e7aaa71cd033c0a3e0bf5154e6867c9d7202a00efbbb166c84e5ade0286474d78d34c2270f87e4e1e9a914dca67e035e1d25

Download Submit
memory/3520-208-0x0000000002730000-0x000000000276E000-memory.dmp

Filesize
248KB

Download
memory/3520-212-0x0000000002730000-0x000000000276E000-memory.dmp

Filesize
248KB

Download
memory/3520-1099-0x0000000004DD0000-0x0000000004DE0000-memory.dmp

Filesize
64KB

Download
memory/3520-1098-0x0000000004DD0000-0x0000000004DE0000-memory.dmp

Filesize
64KB

Download
memory/3520-1097-0x0000000004DD0000-0x0000000004DE0000-memory.dmp

Filesize
64KB

Download
memory/3520-1096-0x0000000004DD0000-0x0000000004DE0000-memory.dmp

Filesize
64KB

Download
memory/3520-182-0x0000000002730000-0x000000000276E000-memory.dmp

Filesize
248KB

Download
memory/3520-1094-0x00000000056A0000-0x00000000056EB000-memory.dmp

Filesize
300KB

Download
memory/3520-1093-0x0000000005550000-0x000000000558E000-memory.dmp

Filesize
248KB

Download
memory/3520-1092-0x0000000004DD0000-0x0000000004DE0000-memory.dmp

Filesize
64KB

Download
memory/3520-1091-0x0000000005530000-0x0000000005542000-memory.dmp

Filesize
72KB

Download
memory/3520-1090-0x00000000053F0000-0x00000000054FA000-memory.dmp

Filesize
1.0MB

Download
memory/3520-1089-0x00000000059F0000-0x0000000005FF6000-memory.dmp

Filesize
6.0MB

Download
memory/3520-272-0x0000000004DD0000-0x0000000004DE0000-memory.dmp

Filesize
64KB

Download
memory/3520-269-0x0000000004DD0000-0x0000000004DE0000-memory.dmp

Filesize
64KB

Download
memory/3520-267-0x0000000004DD0000-0x0000000004DE0000-memory.dmp

Filesize
64KB

Download
memory/3520-266-0x0000000000720000-0x000000000076B000-memory.dmp

Filesize
300KB

Download
memory/3520-210-0x0000000002730000-0x000000000276E000-memory.dmp

Filesize
248KB

Download
memory/3520-206-0x0000000002730000-0x000000000276E000-memory.dmp

Filesize
248KB

Download
memory/3520-204-0x0000000002730000-0x000000000276E000-memory.dmp

Filesize
248KB

Download
memory/3520-202-0x0000000002730000-0x000000000276E000-memory.dmp

Filesize
248KB

Download
memory/3520-200-0x0000000002730000-0x000000000276E000-memory.dmp

Filesize
248KB

Download
memory/3520-198-0x0000000002730000-0x000000000276E000-memory.dmp

Filesize
248KB

Download
memory/3520-196-0x0000000002730000-0x000000000276E000-memory.dmp

Filesize
248KB

Download
memory/3520-194-0x0000000002730000-0x000000000276E000-memory.dmp

Filesize
248KB

Download
memory/3520-184-0x0000000002730000-0x000000000276E000-memory.dmp

Filesize
248KB

Download
memory/3520-180-0x0000000002730000-0x000000000276E000-memory.dmp

Filesize
248KB

Download
memory/3520-179-0x0000000002730000-0x000000000276E000-memory.dmp

Filesize
248KB

Download
memory/3520-178-0x0000000002730000-0x0000000002774000-memory.dmp

Filesize
272KB

Download
memory/3520-192-0x0000000002730000-0x000000000276E000-memory.dmp

Filesize
248KB

Download
memory/3520-177-0x0000000002520000-0x0000000002566000-memory.dmp

Filesize
280KB

Download
memory/3520-186-0x0000000002730000-0x000000000276E000-memory.dmp

Filesize
248KB

Download
memory/3520-188-0x0000000002730000-0x000000000276E000-memory.dmp

Filesize
248KB

Download
memory/3520-190-0x0000000002730000-0x000000000276E000-memory.dmp

Filesize
248KB

Download
memory/4196-135-0x0000000004DA0000-0x000000000529E000-memory.dmp

Filesize
5.0MB

Download
memory/4196-170-0x0000000004D90000-0x0000000004DA0000-memory.dmp

Filesize
64KB

Download
memory/4196-142-0x00000000026F0000-0x0000000002702000-memory.dmp

Filesize
72KB

Download
memory/4196-172-0x0000000000400000-0x0000000000710000-memory.dmp

Filesize
3.1MB

Download
memory/4196-136-0x00000000026F0000-0x0000000002708000-memory.dmp

Filesize
96KB

Download
memory/4196-169-0x0000000000400000-0x0000000000710000-memory.dmp

Filesize
3.1MB

Download
memory/4196-168-0x00000000026F0000-0x0000000002702000-memory.dmp

Filesize
72KB

Download
memory/4196-156-0x00000000026F0000-0x0000000002702000-memory.dmp

Filesize
72KB

Download
memory/4196-134-0x0000000002380000-0x000000000239A000-memory.dmp

Filesize
104KB

Download
memory/4196-164-0x00000000026F0000-0x0000000002702000-memory.dmp

Filesize
72KB

Download
memory/4196-137-0x00000000007F0000-0x000000000081D000-memory.dmp

Filesize
180KB

Download
memory/4196-138-0x0000000004D90000-0x0000000004DA0000-memory.dmp

Filesize
64KB

Download
memory/4196-158-0x00000000026F0000-0x0000000002702000-memory.dmp

Filesize
72KB

Download
memory/4196-160-0x00000000026F0000-0x0000000002702000-memory.dmp

Filesize
72KB

Download
memory/4196-166-0x00000000026F0000-0x0000000002702000-memory.dmp

Filesize
72KB

Download
memory/4196-154-0x00000000026F0000-0x0000000002702000-memory.dmp

Filesize
72KB

Download
memory/4196-152-0x00000000026F0000-0x0000000002702000-memory.dmp

Filesize
72KB

Download
memory/4196-150-0x00000000026F0000-0x0000000002702000-memory.dmp

Filesize
72KB

Download
memory/4196-144-0x00000000026F0000-0x0000000002702000-memory.dmp

Filesize
72KB

Download
memory/4196-146-0x00000000026F0000-0x0000000002702000-memory.dmp

Filesize
72KB

Download
memory/4196-148-0x00000000026F0000-0x0000000002702000-memory.dmp

Filesize
72KB

Download
memory/4196-141-0x00000000026F0000-0x0000000002702000-memory.dmp

Filesize
72KB

Download
memory/4196-140-0x0000000004D90000-0x0000000004DA0000-memory.dmp

Filesize
64KB

Download
memory/4196-139-0x0000000004D90000-0x0000000004DA0000-memory.dmp

Filesize
64KB

Download
memory/4196-162-0x00000000026F0000-0x0000000002702000-memory.dmp

Filesize
72KB

Download