redline | 7398fba9c05738e6830443a55be15e290091d590136bd5b001989a5446f9f796

Analysis

max time kernel
148s
max time network
152s
platform
windows10-1703_x64
resource
win10-20230220-en
resource tags

arch:x64arch:x86image:win10-20230220-enlocale:en-usos:windows10-1703-x64system
submitted
27-03-2023 16:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7398fba9c05738e6830443a55be15e290091d590136bd5b001989a5446f9f796.exe
Size

700KB
MD5

6bd3474d74cc15ee8439c043a4dccc31
SHA1

c4a2fa40275d7a83b8c2bfed9917bf30af0a70e3
SHA256

7398fba9c05738e6830443a55be15e290091d590136bd5b001989a5446f9f796
SHA512

76f74d03e742005c64e05b293940b3a2227bf61228705f83d571e7ac134065548b3bc08c42ebf4d7e18d703e3f316538fdd20bd5c9d7f09eed7d58dfa0ef562b
SSDEEP

12288:0Mrdy90KeJk7S6W6MHoCjpPA/qR6kIxMOymPbcbPBRvW4h5B67:Zy2JYW6I5pPCXk0y6sPKu5B67

Score

10^/10

redline sony evasion infostealer persistence trojan

Malware Config

Extracted

Family

redline

Botnet

sony

193.233.20.33:4125

Attributes

auth_value
1d93d1744381eeb4fcfd7c23ffe0f0b4

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs 5 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	pro1368.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	pro1368.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	pro1368.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	pro1368.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	pro1368.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 20 IoCs

resource	yara_rule
behavioral1/memory/3916-178-0x0000000004BE0000-0x0000000004C26000-memory.dmp	family_redline
behavioral1/memory/3916-179-0x0000000004C80000-0x0000000004CC4000-memory.dmp	family_redline
behavioral1/memory/3916-180-0x0000000004C80000-0x0000000004CBE000-memory.dmp	family_redline
behavioral1/memory/3916-183-0x0000000004C80000-0x0000000004CBE000-memory.dmp	family_redline
behavioral1/memory/3916-181-0x0000000004C80000-0x0000000004CBE000-memory.dmp	family_redline
behavioral1/memory/3916-185-0x0000000004C80000-0x0000000004CBE000-memory.dmp	family_redline
behavioral1/memory/3916-187-0x0000000004C80000-0x0000000004CBE000-memory.dmp	family_redline
behavioral1/memory/3916-189-0x0000000004C80000-0x0000000004CBE000-memory.dmp	family_redline
behavioral1/memory/3916-191-0x0000000004C80000-0x0000000004CBE000-memory.dmp	family_redline
behavioral1/memory/3916-193-0x0000000004C80000-0x0000000004CBE000-memory.dmp	family_redline
behavioral1/memory/3916-195-0x0000000004C80000-0x0000000004CBE000-memory.dmp	family_redline
behavioral1/memory/3916-197-0x0000000004C80000-0x0000000004CBE000-memory.dmp	family_redline
behavioral1/memory/3916-199-0x0000000004C80000-0x0000000004CBE000-memory.dmp	family_redline
behavioral1/memory/3916-201-0x0000000004C80000-0x0000000004CBE000-memory.dmp	family_redline
behavioral1/memory/3916-203-0x0000000004C80000-0x0000000004CBE000-memory.dmp	family_redline
behavioral1/memory/3916-205-0x0000000004C80000-0x0000000004CBE000-memory.dmp	family_redline
behavioral1/memory/3916-207-0x0000000004C80000-0x0000000004CBE000-memory.dmp	family_redline
behavioral1/memory/3916-209-0x0000000004C80000-0x0000000004CBE000-memory.dmp	family_redline
behavioral1/memory/3916-211-0x0000000004C80000-0x0000000004CBE000-memory.dmp	family_redline
behavioral1/memory/3916-213-0x0000000004C80000-0x0000000004CBE000-memory.dmp	family_redline

Executes dropped EXE 3 IoCs

pid	Process
2252	un537963.exe
2516	pro1368.exe
3916	qu3481.exe

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	pro1368.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	pro1368.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	un537963.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	7398fba9c05738e6830443a55be15e290091d590136bd5b001989a5446f9f796.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	7398fba9c05738e6830443a55be15e290091d590136bd5b001989a5446f9f796.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	un537963.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2516	pro1368.exe
2516	pro1368.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2516	pro1368.exe
Token: SeDebugPrivilege	3916	qu3481.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 1624 wrote to memory of 2252	1624	7398fba9c05738e6830443a55be15e290091d590136bd5b001989a5446f9f796.exe	66
PID 1624 wrote to memory of 2252	1624	7398fba9c05738e6830443a55be15e290091d590136bd5b001989a5446f9f796.exe	66
PID 1624 wrote to memory of 2252	1624	7398fba9c05738e6830443a55be15e290091d590136bd5b001989a5446f9f796.exe	66
PID 2252 wrote to memory of 2516	2252	un537963.exe	67
PID 2252 wrote to memory of 2516	2252	un537963.exe	67
PID 2252 wrote to memory of 2516	2252	un537963.exe	67
PID 2252 wrote to memory of 3916	2252	un537963.exe	68
PID 2252 wrote to memory of 3916	2252	un537963.exe	68
PID 2252 wrote to memory of 3916	2252	un537963.exe	68

C:\Users\Admin\AppData\Local\Temp\7398fba9c05738e6830443a55be15e290091d590136bd5b001989a5446f9f796.exe
"C:\Users\Admin\AppData\Local\Temp\7398fba9c05738e6830443a55be15e290091d590136bd5b001989a5446f9f796.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1624
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un537963.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un537963.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:2252
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro1368.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro1368.exe
    3⤵
    - Modifies Windows Defender Real-time Protection settings
    - Executes dropped EXE
    - Windows security modification
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2516
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu3481.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu3481.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:3916

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un537963.exe

Filesize
558KB

MD5
88a93186ef14cc16e07cb0a07f6edb5a

SHA1
a33f4af357e00a3e2c90bdf89895fb52939c7d52

SHA256
780cfae8bdfbd22bea35827ce73cb48e74a895e84e80d7086061ceff3bb19f65

SHA512
0edee50ef5202c84fa2b5a8f45169b9a8474a074190284c72a75e7b8ef767317fa071661d01c5fc1884ce33296a568edf8bd091fae21df65838e2236158f2807

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un537963.exe

Filesize
558KB

MD5
88a93186ef14cc16e07cb0a07f6edb5a

SHA1
a33f4af357e00a3e2c90bdf89895fb52939c7d52

SHA256
780cfae8bdfbd22bea35827ce73cb48e74a895e84e80d7086061ceff3bb19f65

SHA512
0edee50ef5202c84fa2b5a8f45169b9a8474a074190284c72a75e7b8ef767317fa071661d01c5fc1884ce33296a568edf8bd091fae21df65838e2236158f2807

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro1368.exe

Filesize
308KB

MD5
d28416bfac9716c7eb1eea42f114d3c8

SHA1
1b87a5fc18976c9b9fe9152acf58ae9985168dd6

SHA256
0a816a443ff49be398ec52c896d34ac53ee9f4ce06c55bf5e1408dc4089edcd2

SHA512
a12a2854f4ef922661a558c79fbc9fac7669e7066f9408437f452452882f92732fd416ec22944c1a652580a08da8c17ed3945b396aef5eb855e413ca2e2cd506

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro1368.exe

Filesize
308KB

MD5
d28416bfac9716c7eb1eea42f114d3c8

SHA1
1b87a5fc18976c9b9fe9152acf58ae9985168dd6

SHA256
0a816a443ff49be398ec52c896d34ac53ee9f4ce06c55bf5e1408dc4089edcd2

SHA512
a12a2854f4ef922661a558c79fbc9fac7669e7066f9408437f452452882f92732fd416ec22944c1a652580a08da8c17ed3945b396aef5eb855e413ca2e2cd506

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu3481.exe

Filesize
366KB

MD5
20ea85df096fef86b81ae29ed4d5d562

SHA1
2d665f08cf59a770d2393ebb8119649db324a26e

SHA256
6ececa3d894fec0447d58bf7f49f33ef39f1d22bdd1cc09f02580060c4b916db

SHA512
aa513b94832181c026b021ebdd50388dc9a66b8a25401fc6e2d52fe8cff22225abe6f526cb5a86c6b76b11645d38641ebd554fa6943fa2bfe4f5ae29ba6476d6

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu3481.exe

Filesize
366KB

MD5
20ea85df096fef86b81ae29ed4d5d562

SHA1
2d665f08cf59a770d2393ebb8119649db324a26e

SHA256
6ececa3d894fec0447d58bf7f49f33ef39f1d22bdd1cc09f02580060c4b916db

SHA512
aa513b94832181c026b021ebdd50388dc9a66b8a25401fc6e2d52fe8cff22225abe6f526cb5a86c6b76b11645d38641ebd554fa6943fa2bfe4f5ae29ba6476d6

Download Submit
memory/2516-136-0x0000000004BD0000-0x0000000004BEA000-memory.dmp

Filesize
104KB

Download
memory/2516-137-0x0000000004D40000-0x000000000523E000-memory.dmp

Filesize
5.0MB

Download
memory/2516-138-0x0000000004C30000-0x0000000004C48000-memory.dmp

Filesize
96KB

Download
memory/2516-139-0x0000000004C30000-0x0000000004C42000-memory.dmp

Filesize
72KB

Download
memory/2516-140-0x0000000004C30000-0x0000000004C42000-memory.dmp

Filesize
72KB

Download
memory/2516-142-0x0000000004C30000-0x0000000004C42000-memory.dmp

Filesize
72KB

Download
memory/2516-144-0x0000000004C30000-0x0000000004C42000-memory.dmp

Filesize
72KB

Download
memory/2516-148-0x0000000004C30000-0x0000000004C42000-memory.dmp

Filesize
72KB

Download
memory/2516-152-0x0000000004C30000-0x0000000004C42000-memory.dmp

Filesize
72KB

Download
memory/2516-150-0x0000000004C30000-0x0000000004C42000-memory.dmp

Filesize
72KB

Download
memory/2516-146-0x0000000004C30000-0x0000000004C42000-memory.dmp

Filesize
72KB

Download
memory/2516-154-0x0000000004C30000-0x0000000004C42000-memory.dmp

Filesize
72KB

Download
memory/2516-156-0x0000000004C30000-0x0000000004C42000-memory.dmp

Filesize
72KB

Download
memory/2516-164-0x0000000004C30000-0x0000000004C42000-memory.dmp

Filesize
72KB

Download
memory/2516-166-0x0000000004C30000-0x0000000004C42000-memory.dmp

Filesize
72KB

Download
memory/2516-162-0x0000000004C30000-0x0000000004C42000-memory.dmp

Filesize
72KB

Download
memory/2516-160-0x0000000004C30000-0x0000000004C42000-memory.dmp

Filesize
72KB

Download
memory/2516-158-0x0000000004C30000-0x0000000004C42000-memory.dmp

Filesize
72KB

Download
memory/2516-167-0x00000000001D0000-0x00000000001FD000-memory.dmp

Filesize
180KB

Download
memory/2516-168-0x0000000004D30000-0x0000000004D40000-memory.dmp

Filesize
64KB

Download
memory/2516-169-0x0000000004D30000-0x0000000004D40000-memory.dmp

Filesize
64KB

Download
memory/2516-170-0x0000000004D30000-0x0000000004D40000-memory.dmp

Filesize
64KB

Download
memory/2516-171-0x0000000000400000-0x0000000000710000-memory.dmp

Filesize
3.1MB

Download
memory/2516-173-0x0000000000400000-0x0000000000710000-memory.dmp

Filesize
3.1MB

Download
memory/3916-178-0x0000000004BE0000-0x0000000004C26000-memory.dmp

Filesize
280KB

Download
memory/3916-179-0x0000000004C80000-0x0000000004CC4000-memory.dmp

Filesize
272KB

Download
memory/3916-180-0x0000000004C80000-0x0000000004CBE000-memory.dmp

Filesize
248KB

Download
memory/3916-183-0x0000000004C80000-0x0000000004CBE000-memory.dmp

Filesize
248KB

Download
memory/3916-181-0x0000000004C80000-0x0000000004CBE000-memory.dmp

Filesize
248KB

Download
memory/3916-185-0x0000000004C80000-0x0000000004CBE000-memory.dmp

Filesize
248KB

Download
memory/3916-187-0x0000000004C80000-0x0000000004CBE000-memory.dmp

Filesize
248KB

Download
memory/3916-189-0x0000000004C80000-0x0000000004CBE000-memory.dmp

Filesize
248KB

Download
memory/3916-191-0x0000000004C80000-0x0000000004CBE000-memory.dmp

Filesize
248KB

Download
memory/3916-193-0x0000000004C80000-0x0000000004CBE000-memory.dmp

Filesize
248KB

Download
memory/3916-195-0x0000000004C80000-0x0000000004CBE000-memory.dmp

Filesize
248KB

Download
memory/3916-197-0x0000000004C80000-0x0000000004CBE000-memory.dmp

Filesize
248KB

Download
memory/3916-199-0x0000000004C80000-0x0000000004CBE000-memory.dmp

Filesize
248KB

Download
memory/3916-201-0x0000000004C80000-0x0000000004CBE000-memory.dmp

Filesize
248KB

Download
memory/3916-203-0x0000000004C80000-0x0000000004CBE000-memory.dmp

Filesize
248KB

Download
memory/3916-205-0x0000000004C80000-0x0000000004CBE000-memory.dmp

Filesize
248KB

Download
memory/3916-207-0x0000000004C80000-0x0000000004CBE000-memory.dmp

Filesize
248KB

Download
memory/3916-209-0x0000000004C80000-0x0000000004CBE000-memory.dmp

Filesize
248KB

Download
memory/3916-211-0x0000000004C80000-0x0000000004CBE000-memory.dmp

Filesize
248KB

Download
memory/3916-213-0x0000000004C80000-0x0000000004CBE000-memory.dmp

Filesize
248KB

Download
memory/3916-251-0x0000000000930000-0x000000000097B000-memory.dmp

Filesize
300KB

Download
memory/3916-252-0x0000000004D10000-0x0000000004D20000-memory.dmp

Filesize
64KB

Download
memory/3916-257-0x0000000004D10000-0x0000000004D20000-memory.dmp

Filesize
64KB

Download
memory/3916-255-0x0000000004D10000-0x0000000004D20000-memory.dmp

Filesize
64KB

Download
memory/3916-1090-0x0000000005230000-0x0000000005836000-memory.dmp

Filesize
6.0MB

Download
memory/3916-1091-0x00000000058C0000-0x00000000059CA000-memory.dmp

Filesize
1.0MB

Download
memory/3916-1092-0x0000000005A00000-0x0000000005A12000-memory.dmp

Filesize
72KB

Download
memory/3916-1094-0x0000000005A20000-0x0000000005A5E000-memory.dmp

Filesize
248KB

Download
memory/3916-1093-0x0000000004D10000-0x0000000004D20000-memory.dmp

Filesize
64KB

Download
memory/3916-1095-0x0000000005B70000-0x0000000005BBB000-memory.dmp

Filesize
300KB

Download
memory/3916-1097-0x0000000004D10000-0x0000000004D20000-memory.dmp

Filesize
64KB

Download
memory/3916-1098-0x0000000004D10000-0x0000000004D20000-memory.dmp

Filesize
64KB

Download
memory/3916-1099-0x0000000004D10000-0x0000000004D20000-memory.dmp

Filesize
64KB

Download
memory/3916-1100-0x0000000004D10000-0x0000000004D20000-memory.dmp

Filesize
64KB

Download