redline | 89b53ab3b343a12be4bae3d3a18c0e127d4101e17c2db33bb0589f5b40fdb505

Analysis

max time kernel
149s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
27-03-2023 16:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

89b53ab3b343a12be4bae3d3a18c0e127d4101e17c2db33bb0589f5b40fdb505.exe
Size

700KB
MD5

716ecc15625bf929a3ecc59a7b826abe
SHA1

14f3339c24d3f2ea0f1eca9088a4439b5ab96135
SHA256

89b53ab3b343a12be4bae3d3a18c0e127d4101e17c2db33bb0589f5b40fdb505
SHA512

973deadcbc4f2ff601166450e601cc627a69cac90699cf19211dee16d9972b242de0eb842b2f8174956eaed6069a814801fd99b7963e9356f4433349385498ad
SSDEEP

12288:iMrNy90m7pGlqZKaV6TopAdAQqpBqu9cD/5gHzBRvsVgjGDbTJcok09:HyT7pLZNTp4dGgD/2Hz9jYm09

Score

10^/10

redline sony evasion infostealer persistence trojan

Malware Config

Extracted

Family

redline

Botnet

sony

193.233.20.33:4125

Attributes

auth_value
1d93d1744381eeb4fcfd7c23ffe0f0b4

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	pro4799.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	pro4799.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	pro4799.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	pro4799.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	pro4799.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	pro4799.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 19 IoCs

resource	yara_rule
behavioral1/memory/2400-191-0x0000000004D50000-0x0000000004D8E000-memory.dmp	family_redline
behavioral1/memory/2400-192-0x0000000004D50000-0x0000000004D8E000-memory.dmp	family_redline
behavioral1/memory/2400-194-0x0000000004D50000-0x0000000004D8E000-memory.dmp	family_redline
behavioral1/memory/2400-196-0x0000000004D50000-0x0000000004D8E000-memory.dmp	family_redline
behavioral1/memory/2400-198-0x0000000004D50000-0x0000000004D8E000-memory.dmp	family_redline
behavioral1/memory/2400-200-0x0000000004D50000-0x0000000004D8E000-memory.dmp	family_redline
behavioral1/memory/2400-202-0x0000000004D50000-0x0000000004D8E000-memory.dmp	family_redline
behavioral1/memory/2400-204-0x0000000004D50000-0x0000000004D8E000-memory.dmp	family_redline
behavioral1/memory/2400-206-0x0000000004D50000-0x0000000004D8E000-memory.dmp	family_redline
behavioral1/memory/2400-208-0x0000000004D50000-0x0000000004D8E000-memory.dmp	family_redline
behavioral1/memory/2400-210-0x0000000004D50000-0x0000000004D8E000-memory.dmp	family_redline
behavioral1/memory/2400-212-0x0000000004D50000-0x0000000004D8E000-memory.dmp	family_redline
behavioral1/memory/2400-214-0x0000000004D50000-0x0000000004D8E000-memory.dmp	family_redline
behavioral1/memory/2400-216-0x0000000004D50000-0x0000000004D8E000-memory.dmp	family_redline
behavioral1/memory/2400-218-0x0000000004D50000-0x0000000004D8E000-memory.dmp	family_redline
behavioral1/memory/2400-220-0x0000000004D50000-0x0000000004D8E000-memory.dmp	family_redline
behavioral1/memory/2400-222-0x0000000004D50000-0x0000000004D8E000-memory.dmp	family_redline
behavioral1/memory/2400-224-0x0000000004D50000-0x0000000004D8E000-memory.dmp	family_redline
behavioral1/memory/2400-1109-0x0000000004E60000-0x0000000004E70000-memory.dmp	family_redline

Executes dropped EXE 3 IoCs

pid	Process
4488	un836049.exe
4292	pro4799.exe
2400	qu8445.exe

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	pro4799.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	pro4799.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	89b53ab3b343a12be4bae3d3a18c0e127d4101e17c2db33bb0589f5b40fdb505.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	89b53ab3b343a12be4bae3d3a18c0e127d4101e17c2db33bb0589f5b40fdb505.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	un836049.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	un836049.exe

Launches sc.exe 1 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
5088	sc.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2168	4292	WerFault.exe	85

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4292	pro4799.exe
4292	pro4799.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	4292	pro4799.exe
Token: SeDebugPrivilege	2400	qu8445.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 4116 wrote to memory of 4488	4116	89b53ab3b343a12be4bae3d3a18c0e127d4101e17c2db33bb0589f5b40fdb505.exe	84
PID 4116 wrote to memory of 4488	4116	89b53ab3b343a12be4bae3d3a18c0e127d4101e17c2db33bb0589f5b40fdb505.exe	84
PID 4116 wrote to memory of 4488	4116	89b53ab3b343a12be4bae3d3a18c0e127d4101e17c2db33bb0589f5b40fdb505.exe	84
PID 4488 wrote to memory of 4292	4488	un836049.exe	85
PID 4488 wrote to memory of 4292	4488	un836049.exe	85
PID 4488 wrote to memory of 4292	4488	un836049.exe	85
PID 4488 wrote to memory of 2400	4488	un836049.exe	91
PID 4488 wrote to memory of 2400	4488	un836049.exe	91
PID 4488 wrote to memory of 2400	4488	un836049.exe	91

C:\Users\Admin\AppData\Local\Temp\89b53ab3b343a12be4bae3d3a18c0e127d4101e17c2db33bb0589f5b40fdb505.exe
"C:\Users\Admin\AppData\Local\Temp\89b53ab3b343a12be4bae3d3a18c0e127d4101e17c2db33bb0589f5b40fdb505.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4116
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un836049.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un836049.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:4488
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro4799.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro4799.exe
    3⤵
    - Modifies Windows Defender Real-time Protection settings
    - Executes dropped EXE
    - Windows security modification
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4292
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4292 -s 1084
      4⤵
      Program crash
      PID:2168
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu8445.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu8445.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:2400

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 4292 -ip 4292
1⤵
PID:2580

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe start wuauserv
1⤵
- Launches sc.exe
PID:5088

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un836049.exe

Filesize
558KB

MD5
c0381411152c140bb0ad5250c0d3ff29

SHA1
f15439a7fb5649867ee6b893dbbdd7141648bd9e

SHA256
35cf02b7f3009e5f1c5174eaaa13f56fa8ffca8f4a47ea6f90d161833acbd0ab

SHA512
eb5430170f8403dcb2075908efe2a737259d418e5b9239325430031fdfe6034dbf07b9dcfa8e2b41c4fd9a4323f8a024bf4b276c84532cbbdb8d6a1e8d270f84

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un836049.exe

Filesize
558KB

MD5
c0381411152c140bb0ad5250c0d3ff29

SHA1
f15439a7fb5649867ee6b893dbbdd7141648bd9e

SHA256
35cf02b7f3009e5f1c5174eaaa13f56fa8ffca8f4a47ea6f90d161833acbd0ab

SHA512
eb5430170f8403dcb2075908efe2a737259d418e5b9239325430031fdfe6034dbf07b9dcfa8e2b41c4fd9a4323f8a024bf4b276c84532cbbdb8d6a1e8d270f84

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro4799.exe

Filesize
308KB

MD5
0a579c30f5a630bf9537f186527300c4

SHA1
0d1d0b383667b7915cccea4d08c2e5c5dd45cccc

SHA256
b973bba24cb70547270582c2435545a3a1120a79242f24a9654c83fe12d00672

SHA512
c49d2498748848d6e9feca39d533434c3819dfcf9affe2710c73e8d32c1b21a00c271f35b54a187d04e4f0f501f35eb31de7410e79be0c86b517e5af8773cad4

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro4799.exe

Filesize
308KB

MD5
0a579c30f5a630bf9537f186527300c4

SHA1
0d1d0b383667b7915cccea4d08c2e5c5dd45cccc

SHA256
b973bba24cb70547270582c2435545a3a1120a79242f24a9654c83fe12d00672

SHA512
c49d2498748848d6e9feca39d533434c3819dfcf9affe2710c73e8d32c1b21a00c271f35b54a187d04e4f0f501f35eb31de7410e79be0c86b517e5af8773cad4

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu8445.exe

Filesize
366KB

MD5
570415bf7f25d4faec99f06174e2a730

SHA1
a9fa09262f72fb5f4c92df1cb064e6ba8d674b48

SHA256
37713609d6242a9a8f6db46fc4b91292a2186449a35bddb5334a68123b16ce5c

SHA512
710c182ce0e89ece28ee5a56981f773e250f2c80b2446324537b79287325ad6925efba05172f3943598ce014ec801af3dc7b1181c8cb62e44258f4456b1d7821

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu8445.exe

Filesize
366KB

MD5
570415bf7f25d4faec99f06174e2a730

SHA1
a9fa09262f72fb5f4c92df1cb064e6ba8d674b48

SHA256
37713609d6242a9a8f6db46fc4b91292a2186449a35bddb5334a68123b16ce5c

SHA512
710c182ce0e89ece28ee5a56981f773e250f2c80b2446324537b79287325ad6925efba05172f3943598ce014ec801af3dc7b1181c8cb62e44258f4456b1d7821

Download Submit
memory/2400-218-0x0000000004D50000-0x0000000004D8E000-memory.dmp

Filesize
248KB

Download
memory/2400-222-0x0000000004D50000-0x0000000004D8E000-memory.dmp

Filesize
248KB

Download
memory/2400-1110-0x0000000004E60000-0x0000000004E70000-memory.dmp

Filesize
64KB

Download
memory/2400-1109-0x0000000004E60000-0x0000000004E70000-memory.dmp

Filesize
64KB

Download
memory/2400-192-0x0000000004D50000-0x0000000004D8E000-memory.dmp

Filesize
248KB

Download
memory/2400-1107-0x0000000004E60000-0x0000000004E70000-memory.dmp

Filesize
64KB

Download
memory/2400-194-0x0000000004D50000-0x0000000004D8E000-memory.dmp

Filesize
248KB

Download
memory/2400-1104-0x0000000004E60000-0x0000000004E70000-memory.dmp

Filesize
64KB

Download
memory/2400-1103-0x0000000004E10000-0x0000000004E22000-memory.dmp

Filesize
72KB

Download
memory/2400-1102-0x0000000005A40000-0x0000000005B4A000-memory.dmp

Filesize
1.0MB

Download
memory/2400-1101-0x0000000005420000-0x0000000005A38000-memory.dmp

Filesize
6.1MB

Download
memory/2400-423-0x0000000004E60000-0x0000000004E70000-memory.dmp

Filesize
64KB

Download
memory/2400-419-0x0000000004E60000-0x0000000004E70000-memory.dmp

Filesize
64KB

Download
memory/2400-422-0x0000000004E60000-0x0000000004E70000-memory.dmp

Filesize
64KB

Download
memory/2400-418-0x0000000000750000-0x000000000079B000-memory.dmp

Filesize
300KB

Download
memory/2400-224-0x0000000004D50000-0x0000000004D8E000-memory.dmp

Filesize
248KB

Download
memory/2400-220-0x0000000004D50000-0x0000000004D8E000-memory.dmp

Filesize
248KB

Download
memory/2400-216-0x0000000004D50000-0x0000000004D8E000-memory.dmp

Filesize
248KB

Download
memory/2400-214-0x0000000004D50000-0x0000000004D8E000-memory.dmp

Filesize
248KB

Download
memory/2400-212-0x0000000004D50000-0x0000000004D8E000-memory.dmp

Filesize
248KB

Download
memory/2400-210-0x0000000004D50000-0x0000000004D8E000-memory.dmp

Filesize
248KB

Download
memory/2400-196-0x0000000004D50000-0x0000000004D8E000-memory.dmp

Filesize
248KB

Download
memory/2400-206-0x0000000004D50000-0x0000000004D8E000-memory.dmp

Filesize
248KB

Download
memory/2400-204-0x0000000004D50000-0x0000000004D8E000-memory.dmp

Filesize
248KB

Download
memory/2400-202-0x0000000004D50000-0x0000000004D8E000-memory.dmp

Filesize
248KB

Download
memory/2400-191-0x0000000004D50000-0x0000000004D8E000-memory.dmp

Filesize
248KB

Download
memory/2400-1108-0x0000000004E60000-0x0000000004E70000-memory.dmp

Filesize
64KB

Download
memory/2400-1105-0x0000000005B50000-0x0000000005B8C000-memory.dmp

Filesize
240KB

Download
memory/2400-208-0x0000000004D50000-0x0000000004D8E000-memory.dmp

Filesize
248KB

Download
memory/2400-198-0x0000000004D50000-0x0000000004D8E000-memory.dmp

Filesize
248KB

Download
memory/2400-200-0x0000000004D50000-0x0000000004D8E000-memory.dmp

Filesize
248KB

Download
memory/4292-150-0x0000000002970000-0x0000000002982000-memory.dmp

Filesize
72KB

Download
memory/4292-184-0x0000000004F90000-0x0000000004FA0000-memory.dmp

Filesize
64KB

Download
memory/4292-149-0x0000000004FA0000-0x0000000005544000-memory.dmp

Filesize
5.6MB

Download
memory/4292-185-0x0000000004F90000-0x0000000004FA0000-memory.dmp

Filesize
64KB

Download
memory/4292-186-0x0000000000400000-0x0000000000710000-memory.dmp

Filesize
3.1MB

Download
memory/4292-183-0x0000000004F90000-0x0000000004FA0000-memory.dmp

Filesize
64KB

Download
memory/4292-181-0x0000000000400000-0x0000000000710000-memory.dmp

Filesize
3.1MB

Download
memory/4292-173-0x0000000002970000-0x0000000002982000-memory.dmp

Filesize
72KB

Download
memory/4292-148-0x0000000000710000-0x000000000073D000-memory.dmp

Filesize
180KB

Download
memory/4292-179-0x0000000004F90000-0x0000000004FA0000-memory.dmp

Filesize
64KB

Download
memory/4292-151-0x0000000002970000-0x0000000002982000-memory.dmp

Filesize
72KB

Download
memory/4292-153-0x0000000002970000-0x0000000002982000-memory.dmp

Filesize
72KB

Download
memory/4292-175-0x0000000002970000-0x0000000002982000-memory.dmp

Filesize
72KB

Download
memory/4292-177-0x0000000002970000-0x0000000002982000-memory.dmp

Filesize
72KB

Download
memory/4292-180-0x0000000004F90000-0x0000000004FA0000-memory.dmp

Filesize
64KB

Download
memory/4292-171-0x0000000002970000-0x0000000002982000-memory.dmp

Filesize
72KB

Download
memory/4292-169-0x0000000002970000-0x0000000002982000-memory.dmp

Filesize
72KB

Download
memory/4292-167-0x0000000002970000-0x0000000002982000-memory.dmp

Filesize
72KB

Download
memory/4292-165-0x0000000002970000-0x0000000002982000-memory.dmp

Filesize
72KB

Download
memory/4292-163-0x0000000002970000-0x0000000002982000-memory.dmp

Filesize
72KB

Download
memory/4292-161-0x0000000002970000-0x0000000002982000-memory.dmp

Filesize
72KB

Download
memory/4292-159-0x0000000002970000-0x0000000002982000-memory.dmp

Filesize
72KB

Download
memory/4292-157-0x0000000002970000-0x0000000002982000-memory.dmp

Filesize
72KB

Download
memory/4292-155-0x0000000002970000-0x0000000002982000-memory.dmp

Filesize
72KB

Download
memory/4292-178-0x0000000004F90000-0x0000000004FA0000-memory.dmp

Filesize
64KB

Download