redline | f41eb2f53756358db0606910061cffa634948e46daff6e86d8b4f1c4ca248a93

Analysis

max time kernel
148s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20230221-en
resource tags

arch:x64arch:x86image:win10v2004-20230221-enlocale:en-usos:windows10-2004-x64system
submitted
27-03-2023 16:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f41eb2f53756358db0606910061cffa634948e46daff6e86d8b4f1c4ca248a93.exe
Size

700KB
MD5

ebe1290b972cdfce648b71fa7d56ecea
SHA1

754e044666231396ff2f8ebff1036615cee49302
SHA256

f41eb2f53756358db0606910061cffa634948e46daff6e86d8b4f1c4ca248a93
SHA512

94f7d207568a7f523359b94598c704c8e411dff81a018cc16daf2df5a89fe5cfd5866ce6fc04191294c496db890ff7b3b6805c003dbcc2ec5c6e4b0a1b680d7c
SSDEEP

12288:5Mrxy90/m9hYn59sj7jQnUArqbXXJvI0vkywAyBRv1ZG8YExgWt0:IyW9aYUasv9cAyxA8YEdt0

Score

10^/10

redline sony evasion infostealer persistence trojan

Malware Config

Extracted

Family

redline

Botnet

sony

193.233.20.33:4125

Attributes

auth_value
1d93d1744381eeb4fcfd7c23ffe0f0b4

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	pro4666.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	pro4666.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	pro4666.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	pro4666.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	pro4666.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	pro4666.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 18 IoCs

resource	yara_rule
behavioral1/memory/3112-191-0x0000000002880000-0x00000000028BE000-memory.dmp	family_redline
behavioral1/memory/3112-192-0x0000000002880000-0x00000000028BE000-memory.dmp	family_redline
behavioral1/memory/3112-194-0x0000000002880000-0x00000000028BE000-memory.dmp	family_redline
behavioral1/memory/3112-196-0x0000000002880000-0x00000000028BE000-memory.dmp	family_redline
behavioral1/memory/3112-198-0x0000000002880000-0x00000000028BE000-memory.dmp	family_redline
behavioral1/memory/3112-200-0x0000000002880000-0x00000000028BE000-memory.dmp	family_redline
behavioral1/memory/3112-202-0x0000000002880000-0x00000000028BE000-memory.dmp	family_redline
behavioral1/memory/3112-204-0x0000000002880000-0x00000000028BE000-memory.dmp	family_redline
behavioral1/memory/3112-206-0x0000000002880000-0x00000000028BE000-memory.dmp	family_redline
behavioral1/memory/3112-208-0x0000000002880000-0x00000000028BE000-memory.dmp	family_redline
behavioral1/memory/3112-210-0x0000000002880000-0x00000000028BE000-memory.dmp	family_redline
behavioral1/memory/3112-212-0x0000000002880000-0x00000000028BE000-memory.dmp	family_redline
behavioral1/memory/3112-214-0x0000000002880000-0x00000000028BE000-memory.dmp	family_redline
behavioral1/memory/3112-216-0x0000000002880000-0x00000000028BE000-memory.dmp	family_redline
behavioral1/memory/3112-218-0x0000000002880000-0x00000000028BE000-memory.dmp	family_redline
behavioral1/memory/3112-220-0x0000000002880000-0x00000000028BE000-memory.dmp	family_redline
behavioral1/memory/3112-224-0x0000000002880000-0x00000000028BE000-memory.dmp	family_redline
behavioral1/memory/3112-222-0x0000000002880000-0x00000000028BE000-memory.dmp	family_redline

Executes dropped EXE 3 IoCs

pid	Process
2092	un390182.exe
1256	pro4666.exe
3112	qu3435.exe

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	pro4666.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	pro4666.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	un390182.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	f41eb2f53756358db0606910061cffa634948e46daff6e86d8b4f1c4ca248a93.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	f41eb2f53756358db0606910061cffa634948e46daff6e86d8b4f1c4ca248a93.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	un390182.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
3936	1256	WerFault.exe	84

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1256	pro4666.exe
1256	pro4666.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1256	pro4666.exe
Token: SeDebugPrivilege	3112	qu3435.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 2744 wrote to memory of 2092	2744	f41eb2f53756358db0606910061cffa634948e46daff6e86d8b4f1c4ca248a93.exe	83
PID 2744 wrote to memory of 2092	2744	f41eb2f53756358db0606910061cffa634948e46daff6e86d8b4f1c4ca248a93.exe	83
PID 2744 wrote to memory of 2092	2744	f41eb2f53756358db0606910061cffa634948e46daff6e86d8b4f1c4ca248a93.exe	83
PID 2092 wrote to memory of 1256	2092	un390182.exe	84
PID 2092 wrote to memory of 1256	2092	un390182.exe	84
PID 2092 wrote to memory of 1256	2092	un390182.exe	84
PID 2092 wrote to memory of 3112	2092	un390182.exe	93
PID 2092 wrote to memory of 3112	2092	un390182.exe	93
PID 2092 wrote to memory of 3112	2092	un390182.exe	93

C:\Users\Admin\AppData\Local\Temp\f41eb2f53756358db0606910061cffa634948e46daff6e86d8b4f1c4ca248a93.exe
"C:\Users\Admin\AppData\Local\Temp\f41eb2f53756358db0606910061cffa634948e46daff6e86d8b4f1c4ca248a93.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2744
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un390182.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un390182.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:2092
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro4666.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro4666.exe
    3⤵
    - Modifies Windows Defender Real-time Protection settings
    - Executes dropped EXE
    - Windows security modification
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1256
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1256 -s 1084
      4⤵
      Program crash
      PID:3936
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu3435.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu3435.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:3112

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 1256 -ip 1256
1⤵
PID:4124

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un390182.exe

Filesize
558KB

MD5
4df3c6c978ed51e02c2ef83b9a7d5dce

SHA1
1979b6586ec59d80d2ecb65ccbac5941801b0c8e

SHA256
bf2fd251bff43b83adffcce2dc69dc10ee0756acb58c545138ef67a731f7c8f6

SHA512
6f36bd5eb113e427bfe84099026aa03791badc2f33ac043e6dd21376c7a37394cbf9dfe93d6434e0738fb912cc8f2a88488a04cc5a9a0833cf287e0c1015be7e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un390182.exe

Filesize
558KB

MD5
4df3c6c978ed51e02c2ef83b9a7d5dce

SHA1
1979b6586ec59d80d2ecb65ccbac5941801b0c8e

SHA256
bf2fd251bff43b83adffcce2dc69dc10ee0756acb58c545138ef67a731f7c8f6

SHA512
6f36bd5eb113e427bfe84099026aa03791badc2f33ac043e6dd21376c7a37394cbf9dfe93d6434e0738fb912cc8f2a88488a04cc5a9a0833cf287e0c1015be7e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro4666.exe

Filesize
308KB

MD5
fbaa261c011cb29c811b219cb2d3441b

SHA1
e576124ea3a9ef6d80312711b5b5a38fef7661f7

SHA256
291637357abb1c073de3498e3df37d9f6f8893823fa02c39eeb08e280080233c

SHA512
8bc0179c080bf4774661df53282560ad22c712e71132a1ab9d8a71a49a27976286a99097b94dc35eb17ad604ed4d1fb95196ea3f9511770c9a4f33f838469264

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro4666.exe

Filesize
308KB

MD5
fbaa261c011cb29c811b219cb2d3441b

SHA1
e576124ea3a9ef6d80312711b5b5a38fef7661f7

SHA256
291637357abb1c073de3498e3df37d9f6f8893823fa02c39eeb08e280080233c

SHA512
8bc0179c080bf4774661df53282560ad22c712e71132a1ab9d8a71a49a27976286a99097b94dc35eb17ad604ed4d1fb95196ea3f9511770c9a4f33f838469264

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu3435.exe

Filesize
366KB

MD5
ab179a5ce07758099d97766c4f39a6eb

SHA1
23f432808db4dc3348f04df86b7c8c361f880c9b

SHA256
f66f1b76149b24213de8d7bf24ff88e1df9d3cc5e8a087c0d1076887ec07ead7

SHA512
80de17e28d965493b060fa0e11dda755096201211b3b7ee21ae8e462bada51f81594adc6d23c61ae8daa79b9c73f1999fc2039419b71ec7ec6c3d4d6b9d27d84

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu3435.exe

Filesize
366KB

MD5
ab179a5ce07758099d97766c4f39a6eb

SHA1
23f432808db4dc3348f04df86b7c8c361f880c9b

SHA256
f66f1b76149b24213de8d7bf24ff88e1df9d3cc5e8a087c0d1076887ec07ead7

SHA512
80de17e28d965493b060fa0e11dda755096201211b3b7ee21ae8e462bada51f81594adc6d23c61ae8daa79b9c73f1999fc2039419b71ec7ec6c3d4d6b9d27d84

Download Submit
memory/1256-164-0x0000000005370000-0x0000000005382000-memory.dmp

Filesize
72KB

Download
memory/1256-186-0x0000000000400000-0x0000000000710000-memory.dmp

Filesize
3.1MB

Download
memory/1256-152-0x0000000000AF0000-0x0000000000B00000-memory.dmp

Filesize
64KB

Download
memory/1256-155-0x0000000005370000-0x0000000005382000-memory.dmp

Filesize
72KB

Download
memory/1256-158-0x0000000005370000-0x0000000005382000-memory.dmp

Filesize
72KB

Download
memory/1256-156-0x0000000000AF0000-0x0000000000B00000-memory.dmp

Filesize
64KB

Download
memory/1256-154-0x0000000000AF0000-0x0000000000B00000-memory.dmp

Filesize
64KB

Download
memory/1256-160-0x0000000005370000-0x0000000005382000-memory.dmp

Filesize
72KB

Download
memory/1256-162-0x0000000005370000-0x0000000005382000-memory.dmp

Filesize
72KB

Download
memory/1256-150-0x0000000005370000-0x0000000005382000-memory.dmp

Filesize
72KB

Download
memory/1256-166-0x0000000005370000-0x0000000005382000-memory.dmp

Filesize
72KB

Download
memory/1256-168-0x0000000005370000-0x0000000005382000-memory.dmp

Filesize
72KB

Download
memory/1256-170-0x0000000005370000-0x0000000005382000-memory.dmp

Filesize
72KB

Download
memory/1256-172-0x0000000005370000-0x0000000005382000-memory.dmp

Filesize
72KB

Download
memory/1256-174-0x0000000005370000-0x0000000005382000-memory.dmp

Filesize
72KB

Download
memory/1256-176-0x0000000005370000-0x0000000005382000-memory.dmp

Filesize
72KB

Download
memory/1256-178-0x0000000005370000-0x0000000005382000-memory.dmp

Filesize
72KB

Download
memory/1256-180-0x0000000005370000-0x0000000005382000-memory.dmp

Filesize
72KB

Download
memory/1256-181-0x0000000000400000-0x0000000000710000-memory.dmp

Filesize
3.1MB

Download
memory/1256-182-0x0000000000AF0000-0x0000000000B00000-memory.dmp

Filesize
64KB

Download
memory/1256-183-0x0000000000AF0000-0x0000000000B00000-memory.dmp

Filesize
64KB

Download
memory/1256-184-0x0000000000AF0000-0x0000000000B00000-memory.dmp

Filesize
64KB

Download
memory/1256-149-0x0000000005370000-0x0000000005382000-memory.dmp

Filesize
72KB

Download
memory/1256-151-0x0000000000710000-0x000000000073D000-memory.dmp

Filesize
180KB

Download
memory/1256-148-0x0000000004D80000-0x0000000005324000-memory.dmp

Filesize
5.6MB

Download
memory/3112-1107-0x0000000004F30000-0x0000000004F40000-memory.dmp

Filesize
64KB

Download
memory/3112-220-0x0000000002880000-0x00000000028BE000-memory.dmp

Filesize
248KB

Download
memory/3112-192-0x0000000002880000-0x00000000028BE000-memory.dmp

Filesize
248KB

Download
memory/3112-214-0x0000000002880000-0x00000000028BE000-memory.dmp

Filesize
248KB

Download
memory/3112-198-0x0000000002880000-0x00000000028BE000-memory.dmp

Filesize
248KB

Download
memory/3112-200-0x0000000002880000-0x00000000028BE000-memory.dmp

Filesize
248KB

Download
memory/3112-202-0x0000000002880000-0x00000000028BE000-memory.dmp

Filesize
248KB

Download
memory/3112-204-0x0000000002880000-0x00000000028BE000-memory.dmp

Filesize
248KB

Download
memory/3112-206-0x0000000002880000-0x00000000028BE000-memory.dmp

Filesize
248KB

Download
memory/3112-208-0x0000000002880000-0x00000000028BE000-memory.dmp

Filesize
248KB

Download
memory/3112-210-0x0000000002880000-0x00000000028BE000-memory.dmp

Filesize
248KB

Download
memory/3112-212-0x0000000002880000-0x00000000028BE000-memory.dmp

Filesize
248KB

Download
memory/3112-196-0x0000000002880000-0x00000000028BE000-memory.dmp

Filesize
248KB

Download
memory/3112-216-0x0000000002880000-0x00000000028BE000-memory.dmp

Filesize
248KB

Download
memory/3112-218-0x0000000002880000-0x00000000028BE000-memory.dmp

Filesize
248KB

Download
memory/3112-191-0x0000000002880000-0x00000000028BE000-memory.dmp

Filesize
248KB

Download
memory/3112-224-0x0000000002880000-0x00000000028BE000-memory.dmp

Filesize
248KB

Download
memory/3112-222-0x0000000002880000-0x00000000028BE000-memory.dmp

Filesize
248KB

Download
memory/3112-239-0x0000000000720000-0x000000000076B000-memory.dmp

Filesize
300KB

Download
memory/3112-240-0x0000000004F30000-0x0000000004F40000-memory.dmp

Filesize
64KB

Download
memory/3112-242-0x0000000004F30000-0x0000000004F40000-memory.dmp

Filesize
64KB

Download
memory/3112-1100-0x00000000054F0000-0x0000000005B08000-memory.dmp

Filesize
6.1MB

Download
memory/3112-1101-0x0000000004DE0000-0x0000000004EEA000-memory.dmp

Filesize
1.0MB

Download
memory/3112-1102-0x0000000005B10000-0x0000000005B22000-memory.dmp

Filesize
72KB

Download
memory/3112-1103-0x0000000005B30000-0x0000000005B6C000-memory.dmp

Filesize
240KB

Download
memory/3112-1104-0x0000000004F30000-0x0000000004F40000-memory.dmp

Filesize
64KB

Download
memory/3112-1106-0x0000000004F30000-0x0000000004F40000-memory.dmp

Filesize
64KB

Download
memory/3112-194-0x0000000002880000-0x00000000028BE000-memory.dmp

Filesize
248KB

Download
memory/3112-1108-0x0000000004F30000-0x0000000004F40000-memory.dmp

Filesize
64KB

Download
memory/3112-1109-0x0000000004F30000-0x0000000004F40000-memory.dmp

Filesize
64KB

Download