redline | 4ab33171e879286a86e6f49c033eb5da40804f4367aab289001700e0b5e3d8fc

Analysis

max time kernel
148s
max time network
151s
platform
windows10-1703_x64
resource
win10-20230220-en
resource tags

arch:x64arch:x86image:win10-20230220-enlocale:en-usos:windows10-1703-x64system
submitted
27-03-2023 16:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4ab33171e879286a86e6f49c033eb5da40804f4367aab289001700e0b5e3d8fc.exe
Size

699KB
MD5

a36ff117a56188f9745a72c4d82a6e6e
SHA1

d9400285c5e6518829d7139f2dfa709276448f7c
SHA256

4ab33171e879286a86e6f49c033eb5da40804f4367aab289001700e0b5e3d8fc
SHA512

441d1a8f40bd30049afe17c5f035d3c6bbb25a7d03f363a71ce77747607747c7fcac9618c82d735d247ed927dbc22746ca0331b397f96be33b93e7c1fba1881e
SSDEEP

12288:5MrKy90+ZkOD0uAVqB04TurKVGE3hpqBRvMKphSOdB8Fe:HyL4ucsjpVzRpqIKpjKE

Score

10^/10

redline sony evasion infostealer persistence trojan

Malware Config

Extracted

Family

redline

Botnet

sony

193.233.20.33:4125

Attributes

auth_value
1d93d1744381eeb4fcfd7c23ffe0f0b4

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs 5 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	pro5921.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	pro5921.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	pro5921.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	pro5921.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	pro5921.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 21 IoCs

resource	yara_rule
behavioral1/memory/4740-181-0x0000000004B10000-0x0000000004B56000-memory.dmp	family_redline
behavioral1/memory/4740-182-0x0000000004BD0000-0x0000000004C14000-memory.dmp	family_redline
behavioral1/memory/4740-183-0x0000000004BD0000-0x0000000004C0E000-memory.dmp	family_redline
behavioral1/memory/4740-184-0x0000000004BD0000-0x0000000004C0E000-memory.dmp	family_redline
behavioral1/memory/4740-186-0x0000000004BD0000-0x0000000004C0E000-memory.dmp	family_redline
behavioral1/memory/4740-188-0x0000000004BD0000-0x0000000004C0E000-memory.dmp	family_redline
behavioral1/memory/4740-190-0x0000000004BD0000-0x0000000004C0E000-memory.dmp	family_redline
behavioral1/memory/4740-192-0x0000000004BD0000-0x0000000004C0E000-memory.dmp	family_redline
behavioral1/memory/4740-194-0x0000000004BD0000-0x0000000004C0E000-memory.dmp	family_redline
behavioral1/memory/4740-196-0x0000000004BD0000-0x0000000004C0E000-memory.dmp	family_redline
behavioral1/memory/4740-198-0x0000000004BD0000-0x0000000004C0E000-memory.dmp	family_redline
behavioral1/memory/4740-200-0x0000000004BD0000-0x0000000004C0E000-memory.dmp	family_redline
behavioral1/memory/4740-202-0x0000000004BD0000-0x0000000004C0E000-memory.dmp	family_redline
behavioral1/memory/4740-204-0x0000000004BD0000-0x0000000004C0E000-memory.dmp	family_redline
behavioral1/memory/4740-206-0x0000000004BD0000-0x0000000004C0E000-memory.dmp	family_redline
behavioral1/memory/4740-208-0x0000000004BD0000-0x0000000004C0E000-memory.dmp	family_redline
behavioral1/memory/4740-210-0x0000000004BD0000-0x0000000004C0E000-memory.dmp	family_redline
behavioral1/memory/4740-212-0x0000000004BD0000-0x0000000004C0E000-memory.dmp	family_redline
behavioral1/memory/4740-214-0x0000000004BD0000-0x0000000004C0E000-memory.dmp	family_redline
behavioral1/memory/4740-216-0x0000000004BD0000-0x0000000004C0E000-memory.dmp	family_redline
behavioral1/memory/4740-1100-0x0000000004C10000-0x0000000004C20000-memory.dmp	family_redline

Executes dropped EXE 3 IoCs

pid	Process
2500	un600729.exe
2988	pro5921.exe
4740	qu8191.exe

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	pro5921.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	pro5921.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	un600729.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	4ab33171e879286a86e6f49c033eb5da40804f4367aab289001700e0b5e3d8fc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	4ab33171e879286a86e6f49c033eb5da40804f4367aab289001700e0b5e3d8fc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	un600729.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2988	pro5921.exe
2988	pro5921.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2988	pro5921.exe
Token: SeDebugPrivilege	4740	qu8191.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 2476 wrote to memory of 2500	2476	4ab33171e879286a86e6f49c033eb5da40804f4367aab289001700e0b5e3d8fc.exe	66
PID 2476 wrote to memory of 2500	2476	4ab33171e879286a86e6f49c033eb5da40804f4367aab289001700e0b5e3d8fc.exe	66
PID 2476 wrote to memory of 2500	2476	4ab33171e879286a86e6f49c033eb5da40804f4367aab289001700e0b5e3d8fc.exe	66
PID 2500 wrote to memory of 2988	2500	un600729.exe	67
PID 2500 wrote to memory of 2988	2500	un600729.exe	67
PID 2500 wrote to memory of 2988	2500	un600729.exe	67
PID 2500 wrote to memory of 4740	2500	un600729.exe	68
PID 2500 wrote to memory of 4740	2500	un600729.exe	68
PID 2500 wrote to memory of 4740	2500	un600729.exe	68

C:\Users\Admin\AppData\Local\Temp\4ab33171e879286a86e6f49c033eb5da40804f4367aab289001700e0b5e3d8fc.exe
"C:\Users\Admin\AppData\Local\Temp\4ab33171e879286a86e6f49c033eb5da40804f4367aab289001700e0b5e3d8fc.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2476
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un600729.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un600729.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:2500
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro5921.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro5921.exe
    3⤵
    - Modifies Windows Defender Real-time Protection settings
    - Executes dropped EXE
    - Windows security modification
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2988
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu8191.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu8191.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:4740

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un600729.exe

Filesize
557KB

MD5
12462e759c831ab8da6e21f4f4d68cc6

SHA1
fc6502b342f301620fdabe17d5edf3b8826528ab

SHA256
af6bc296faa2227a697db763d3c8f9175a7093e5ab1006c0643c2bb72261971e

SHA512
fa52acc544ae08dddf0842d0b28de2161cb7baf237404f28d96b0aceb8b8b2bff5d0247a0217bb8e14aa4ccb4be3598b4d15b276fbad968bda24487785546cb7

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un600729.exe

Filesize
557KB

MD5
12462e759c831ab8da6e21f4f4d68cc6

SHA1
fc6502b342f301620fdabe17d5edf3b8826528ab

SHA256
af6bc296faa2227a697db763d3c8f9175a7093e5ab1006c0643c2bb72261971e

SHA512
fa52acc544ae08dddf0842d0b28de2161cb7baf237404f28d96b0aceb8b8b2bff5d0247a0217bb8e14aa4ccb4be3598b4d15b276fbad968bda24487785546cb7

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro5921.exe

Filesize
308KB

MD5
b1220e17ef042098e395713c615c3720

SHA1
29b90965e5fa0376cc0f7ee0b81b2a40a89054f2

SHA256
697a44c1d5fcc7ccd523e161e699d66535d6faf4e15730e5a79712359f8bea4d

SHA512
63713f206e8f1b36afe5d0ded7d0a82e8defe98245aeb1e8334d1b863d1a1efd247a4a0e4835169f60e3526ac46483ba61ea951f404bc3faa880c3bac0053faa

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro5921.exe

Filesize
308KB

MD5
b1220e17ef042098e395713c615c3720

SHA1
29b90965e5fa0376cc0f7ee0b81b2a40a89054f2

SHA256
697a44c1d5fcc7ccd523e161e699d66535d6faf4e15730e5a79712359f8bea4d

SHA512
63713f206e8f1b36afe5d0ded7d0a82e8defe98245aeb1e8334d1b863d1a1efd247a4a0e4835169f60e3526ac46483ba61ea951f404bc3faa880c3bac0053faa

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu8191.exe

Filesize
366KB

MD5
e393eb3413f4866505036e9d5e1741b3

SHA1
5f1352e20bfd9dd81353569826fbae987e3bbc54

SHA256
a552b74e4854b38f473aeeac35f8e21b95459dbf322ae2efd2ad3dd01438cfc6

SHA512
da06f39ea9974468f9fdeec59e1bb3cf1c3c542c5f4cadcf81a71d23e5b9d5adccfc523f3dd6c5f20b6a33d007d4de579a53870520587da05428a395a429e1df

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu8191.exe

Filesize
366KB

MD5
e393eb3413f4866505036e9d5e1741b3

SHA1
5f1352e20bfd9dd81353569826fbae987e3bbc54

SHA256
a552b74e4854b38f473aeeac35f8e21b95459dbf322ae2efd2ad3dd01438cfc6

SHA512
da06f39ea9974468f9fdeec59e1bb3cf1c3c542c5f4cadcf81a71d23e5b9d5adccfc523f3dd6c5f20b6a33d007d4de579a53870520587da05428a395a429e1df

Download Submit
memory/2988-156-0x00000000025C0000-0x00000000025D2000-memory.dmp

Filesize
72KB

Download
memory/2988-139-0x00000000025C0000-0x00000000025D2000-memory.dmp

Filesize
72KB

Download
memory/2988-140-0x00000000025C0000-0x00000000025D2000-memory.dmp

Filesize
72KB

Download
memory/2988-142-0x00000000025C0000-0x00000000025D2000-memory.dmp

Filesize
72KB

Download
memory/2988-144-0x00000000025C0000-0x00000000025D2000-memory.dmp

Filesize
72KB

Download
memory/2988-146-0x00000000025C0000-0x00000000025D2000-memory.dmp

Filesize
72KB

Download
memory/2988-148-0x00000000025C0000-0x00000000025D2000-memory.dmp

Filesize
72KB

Download
memory/2988-150-0x00000000025C0000-0x00000000025D2000-memory.dmp

Filesize
72KB

Download
memory/2988-152-0x00000000025C0000-0x00000000025D2000-memory.dmp

Filesize
72KB

Download
memory/2988-154-0x00000000025C0000-0x00000000025D2000-memory.dmp

Filesize
72KB

Download
memory/2988-138-0x00000000025C0000-0x00000000025D8000-memory.dmp

Filesize
96KB

Download
memory/2988-158-0x00000000025C0000-0x00000000025D2000-memory.dmp

Filesize
72KB

Download
memory/2988-160-0x00000000025C0000-0x00000000025D2000-memory.dmp

Filesize
72KB

Download
memory/2988-163-0x00000000001D0000-0x00000000001FD000-memory.dmp

Filesize
180KB

Download
memory/2988-164-0x0000000004EC0000-0x0000000004ED0000-memory.dmp

Filesize
64KB

Download
memory/2988-166-0x0000000004EC0000-0x0000000004ED0000-memory.dmp

Filesize
64KB

Download
memory/2988-168-0x00000000025C0000-0x00000000025D2000-memory.dmp

Filesize
72KB

Download
memory/2988-170-0x00000000025C0000-0x00000000025D2000-memory.dmp

Filesize
72KB

Download
memory/2988-167-0x0000000004EC0000-0x0000000004ED0000-memory.dmp

Filesize
64KB

Download
memory/2988-162-0x00000000025C0000-0x00000000025D2000-memory.dmp

Filesize
72KB

Download
memory/2988-171-0x0000000000400000-0x0000000000710000-memory.dmp

Filesize
3.1MB

Download
memory/2988-172-0x0000000004EC0000-0x0000000004ED0000-memory.dmp

Filesize
64KB

Download
memory/2988-175-0x0000000004EC0000-0x0000000004ED0000-memory.dmp

Filesize
64KB

Download
memory/2988-173-0x0000000004EC0000-0x0000000004ED0000-memory.dmp

Filesize
64KB

Download
memory/2988-176-0x0000000000400000-0x0000000000710000-memory.dmp

Filesize
3.1MB

Download
memory/2988-137-0x0000000004ED0000-0x00000000053CE000-memory.dmp

Filesize
5.0MB

Download
memory/2988-136-0x0000000002360000-0x000000000237A000-memory.dmp

Filesize
104KB

Download
memory/4740-188-0x0000000004BD0000-0x0000000004C0E000-memory.dmp

Filesize
248KB

Download
memory/4740-212-0x0000000004BD0000-0x0000000004C0E000-memory.dmp

Filesize
248KB

Download
memory/4740-183-0x0000000004BD0000-0x0000000004C0E000-memory.dmp

Filesize
248KB

Download
memory/4740-181-0x0000000004B10000-0x0000000004B56000-memory.dmp

Filesize
280KB

Download
memory/4740-1101-0x0000000004C10000-0x0000000004C20000-memory.dmp

Filesize
64KB

Download
memory/4740-184-0x0000000004BD0000-0x0000000004C0E000-memory.dmp

Filesize
248KB

Download
memory/4740-190-0x0000000004BD0000-0x0000000004C0E000-memory.dmp

Filesize
248KB

Download
memory/4740-192-0x0000000004BD0000-0x0000000004C0E000-memory.dmp

Filesize
248KB

Download
memory/4740-194-0x0000000004BD0000-0x0000000004C0E000-memory.dmp

Filesize
248KB

Download
memory/4740-196-0x0000000004BD0000-0x0000000004C0E000-memory.dmp

Filesize
248KB

Download
memory/4740-198-0x0000000004BD0000-0x0000000004C0E000-memory.dmp

Filesize
248KB

Download
memory/4740-200-0x0000000004BD0000-0x0000000004C0E000-memory.dmp

Filesize
248KB

Download
memory/4740-202-0x0000000004BD0000-0x0000000004C0E000-memory.dmp

Filesize
248KB

Download
memory/4740-204-0x0000000004BD0000-0x0000000004C0E000-memory.dmp

Filesize
248KB

Download
memory/4740-206-0x0000000004BD0000-0x0000000004C0E000-memory.dmp

Filesize
248KB

Download
memory/4740-208-0x0000000004BD0000-0x0000000004C0E000-memory.dmp

Filesize
248KB

Download
memory/4740-210-0x0000000004BD0000-0x0000000004C0E000-memory.dmp

Filesize
248KB

Download
memory/4740-182-0x0000000004BD0000-0x0000000004C14000-memory.dmp

Filesize
272KB

Download
memory/4740-214-0x0000000004BD0000-0x0000000004C0E000-memory.dmp

Filesize
248KB

Download
memory/4740-216-0x0000000004BD0000-0x0000000004C0E000-memory.dmp

Filesize
248KB

Download
memory/4740-217-0x0000000000A90000-0x0000000000ADB000-memory.dmp

Filesize
300KB

Download
memory/4740-219-0x0000000004C10000-0x0000000004C20000-memory.dmp

Filesize
64KB

Download
memory/4740-223-0x0000000004C10000-0x0000000004C20000-memory.dmp

Filesize
64KB

Download
memory/4740-221-0x0000000004C10000-0x0000000004C20000-memory.dmp

Filesize
64KB

Download
memory/4740-1093-0x0000000005840000-0x0000000005E46000-memory.dmp

Filesize
6.0MB

Download
memory/4740-1094-0x00000000052B0000-0x00000000053BA000-memory.dmp

Filesize
1.0MB

Download
memory/4740-1095-0x00000000053F0000-0x0000000005402000-memory.dmp

Filesize
72KB

Download
memory/4740-1096-0x0000000004C10000-0x0000000004C20000-memory.dmp

Filesize
64KB

Download
memory/4740-1097-0x0000000005410000-0x000000000544E000-memory.dmp

Filesize
248KB

Download
memory/4740-1098-0x0000000005560000-0x00000000055AB000-memory.dmp

Filesize
300KB

Download
memory/4740-1100-0x0000000004C10000-0x0000000004C20000-memory.dmp

Filesize
64KB

Download
memory/4740-186-0x0000000004BD0000-0x0000000004C0E000-memory.dmp

Filesize
248KB

Download
memory/4740-1102-0x0000000004C10000-0x0000000004C20000-memory.dmp

Filesize
64KB

Download
memory/4740-1103-0x0000000004C10000-0x0000000004C20000-memory.dmp

Filesize
64KB

Download