redline | cb6a51b3cd2bb6faff938a73d11394312a29439899e08823444762137b82b339

Analysis

max time kernel
148s
max time network
151s
platform
windows10-1703_x64
resource
win10-20230220-en
resource tags

arch:x64arch:x86image:win10-20230220-enlocale:en-usos:windows10-1703-x64system
submitted
27-03-2023 16:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

cb6a51b3cd2bb6faff938a73d11394312a29439899e08823444762137b82b339.exe
Size

700KB
MD5

a71b3f40e6af3642ae2095897248e533
SHA1

940b6a420eabe26341dbc0fbae075b55f6880f30
SHA256

cb6a51b3cd2bb6faff938a73d11394312a29439899e08823444762137b82b339
SHA512

73b1030aed8e57598b95df8ba4a7b6e34e36160525a1fc09cd23ece1ac4b96bde895b012aad27ebb8020c9536f89ae126b2bd7e26dc7017d70dcaa92b4ebadb7
SSDEEP

12288:nMr3y90X4OM+7csJOd2/8h+/uAzq8bjxuAtoicuBRvtzUuV59pAYIYbnC:UygIiOd2Mz23jZuRuhv5MYw

Score

10^/10

redline sony evasion infostealer persistence trojan

Malware Config

Extracted

Family

redline

Botnet

sony

193.233.20.33:4125

Attributes

auth_value
1d93d1744381eeb4fcfd7c23ffe0f0b4

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs 5 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	pro5232.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	pro5232.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	pro5232.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	pro5232.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	pro5232.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 21 IoCs

resource	yara_rule
behavioral1/memory/4764-181-0x00000000025D0000-0x0000000002616000-memory.dmp	family_redline
behavioral1/memory/4764-182-0x00000000051D0000-0x0000000005214000-memory.dmp	family_redline
behavioral1/memory/4764-183-0x00000000051D0000-0x000000000520E000-memory.dmp	family_redline
behavioral1/memory/4764-186-0x00000000051D0000-0x000000000520E000-memory.dmp	family_redline
behavioral1/memory/4764-184-0x00000000051D0000-0x000000000520E000-memory.dmp	family_redline
behavioral1/memory/4764-188-0x00000000051D0000-0x000000000520E000-memory.dmp	family_redline
behavioral1/memory/4764-190-0x00000000051D0000-0x000000000520E000-memory.dmp	family_redline
behavioral1/memory/4764-193-0x0000000002210000-0x0000000002220000-memory.dmp	family_redline
behavioral1/memory/4764-194-0x00000000051D0000-0x000000000520E000-memory.dmp	family_redline
behavioral1/memory/4764-198-0x00000000051D0000-0x000000000520E000-memory.dmp	family_redline
behavioral1/memory/4764-200-0x00000000051D0000-0x000000000520E000-memory.dmp	family_redline
behavioral1/memory/4764-202-0x00000000051D0000-0x000000000520E000-memory.dmp	family_redline
behavioral1/memory/4764-204-0x00000000051D0000-0x000000000520E000-memory.dmp	family_redline
behavioral1/memory/4764-206-0x00000000051D0000-0x000000000520E000-memory.dmp	family_redline
behavioral1/memory/4764-208-0x00000000051D0000-0x000000000520E000-memory.dmp	family_redline
behavioral1/memory/4764-210-0x00000000051D0000-0x000000000520E000-memory.dmp	family_redline
behavioral1/memory/4764-212-0x00000000051D0000-0x000000000520E000-memory.dmp	family_redline
behavioral1/memory/4764-214-0x00000000051D0000-0x000000000520E000-memory.dmp	family_redline
behavioral1/memory/4764-216-0x00000000051D0000-0x000000000520E000-memory.dmp	family_redline
behavioral1/memory/4764-218-0x00000000051D0000-0x000000000520E000-memory.dmp	family_redline
behavioral1/memory/4764-220-0x00000000051D0000-0x000000000520E000-memory.dmp	family_redline

Executes dropped EXE 3 IoCs

pid	Process
3512	un611502.exe
2696	pro5232.exe
4764	qu6868.exe

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	pro5232.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	pro5232.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	cb6a51b3cd2bb6faff938a73d11394312a29439899e08823444762137b82b339.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	cb6a51b3cd2bb6faff938a73d11394312a29439899e08823444762137b82b339.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	un611502.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	un611502.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2696	pro5232.exe
2696	pro5232.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2696	pro5232.exe
Token: SeDebugPrivilege	4764	qu6868.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 4180 wrote to memory of 3512	4180	cb6a51b3cd2bb6faff938a73d11394312a29439899e08823444762137b82b339.exe	66
PID 4180 wrote to memory of 3512	4180	cb6a51b3cd2bb6faff938a73d11394312a29439899e08823444762137b82b339.exe	66
PID 4180 wrote to memory of 3512	4180	cb6a51b3cd2bb6faff938a73d11394312a29439899e08823444762137b82b339.exe	66
PID 3512 wrote to memory of 2696	3512	un611502.exe	67
PID 3512 wrote to memory of 2696	3512	un611502.exe	67
PID 3512 wrote to memory of 2696	3512	un611502.exe	67
PID 3512 wrote to memory of 4764	3512	un611502.exe	68
PID 3512 wrote to memory of 4764	3512	un611502.exe	68
PID 3512 wrote to memory of 4764	3512	un611502.exe	68

C:\Users\Admin\AppData\Local\Temp\cb6a51b3cd2bb6faff938a73d11394312a29439899e08823444762137b82b339.exe
"C:\Users\Admin\AppData\Local\Temp\cb6a51b3cd2bb6faff938a73d11394312a29439899e08823444762137b82b339.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4180
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un611502.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un611502.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:3512
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro5232.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro5232.exe
    3⤵
    - Modifies Windows Defender Real-time Protection settings
    - Executes dropped EXE
    - Windows security modification
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2696
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu6868.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu6868.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:4764

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un611502.exe

Filesize
558KB

MD5
77da9168403e94bfbd69d9b7790db942

SHA1
6c06f7a9538627511d49340adc841bd580cc6486

SHA256
40e216579dd814dd8872e1b976967a5bb46ee403fcdd81fbf56c638c2e53768b

SHA512
e56d7d2efb8dc9f3296df0f0dd0e34e6ceff22d74cb946ead6189fc769d601f32d38835630b3cc82eee5acb3a3ac7ea7f4d9571910267fd8d874972585c26b34

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un611502.exe

Filesize
558KB

MD5
77da9168403e94bfbd69d9b7790db942

SHA1
6c06f7a9538627511d49340adc841bd580cc6486

SHA256
40e216579dd814dd8872e1b976967a5bb46ee403fcdd81fbf56c638c2e53768b

SHA512
e56d7d2efb8dc9f3296df0f0dd0e34e6ceff22d74cb946ead6189fc769d601f32d38835630b3cc82eee5acb3a3ac7ea7f4d9571910267fd8d874972585c26b34

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro5232.exe

Filesize
308KB

MD5
1f478246d7793a6bf8ed552df2ea5a85

SHA1
db9b07fe158f3bbd8c3cacb47cd4085663ef46c0

SHA256
ab5e31e4552f89804bdae0131472486d87ef9a3a5c190f779764c574722b1b15

SHA512
911474cae4b0d467a671cbf8313c80124601c6efa1aaa6d2bd92633d114db47dabb3d27c8ac3fcb38e1628046afc3952d0b7d1ee621c0a44a5384ae3f817e458

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro5232.exe

Filesize
308KB

MD5
1f478246d7793a6bf8ed552df2ea5a85

SHA1
db9b07fe158f3bbd8c3cacb47cd4085663ef46c0

SHA256
ab5e31e4552f89804bdae0131472486d87ef9a3a5c190f779764c574722b1b15

SHA512
911474cae4b0d467a671cbf8313c80124601c6efa1aaa6d2bd92633d114db47dabb3d27c8ac3fcb38e1628046afc3952d0b7d1ee621c0a44a5384ae3f817e458

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu6868.exe

Filesize
366KB

MD5
e204aecdea90ae8999ece07aa73ce12d

SHA1
49ebd9e05df623e8a21161619f9b338e6aa09a9c

SHA256
46981fdd51a9551b0980cedf06bb82d7b33067972a593c6f41f397aa3b8b4a0c

SHA512
e45eb02acc20796e766e5dc4d60440acc7cc8274c221e0e2355d37455a7645bf11d05cde7e7ab66df634cd352d7ec2e452bcdd0d752d074cbd28072ff510dc53

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu6868.exe

Filesize
366KB

MD5
e204aecdea90ae8999ece07aa73ce12d

SHA1
49ebd9e05df623e8a21161619f9b338e6aa09a9c

SHA256
46981fdd51a9551b0980cedf06bb82d7b33067972a593c6f41f397aa3b8b4a0c

SHA512
e45eb02acc20796e766e5dc4d60440acc7cc8274c221e0e2355d37455a7645bf11d05cde7e7ab66df634cd352d7ec2e452bcdd0d752d074cbd28072ff510dc53

Download Submit
memory/2696-152-0x00000000027E0000-0x00000000027F2000-memory.dmp

Filesize
72KB

Download
memory/2696-139-0x00000000001D0000-0x00000000001FD000-memory.dmp

Filesize
180KB

Download
memory/2696-140-0x0000000004CF0000-0x0000000004D00000-memory.dmp

Filesize
64KB

Download
memory/2696-141-0x0000000004CF0000-0x0000000004D00000-memory.dmp

Filesize
64KB

Download
memory/2696-142-0x0000000004CF0000-0x0000000004D00000-memory.dmp

Filesize
64KB

Download
memory/2696-143-0x00000000027E0000-0x00000000027F2000-memory.dmp

Filesize
72KB

Download
memory/2696-144-0x00000000027E0000-0x00000000027F2000-memory.dmp

Filesize
72KB

Download
memory/2696-146-0x00000000027E0000-0x00000000027F2000-memory.dmp

Filesize
72KB

Download
memory/2696-148-0x00000000027E0000-0x00000000027F2000-memory.dmp

Filesize
72KB

Download
memory/2696-150-0x00000000027E0000-0x00000000027F2000-memory.dmp

Filesize
72KB

Download
memory/2696-138-0x00000000027E0000-0x00000000027F8000-memory.dmp

Filesize
96KB

Download
memory/2696-154-0x00000000027E0000-0x00000000027F2000-memory.dmp

Filesize
72KB

Download
memory/2696-156-0x00000000027E0000-0x00000000027F2000-memory.dmp

Filesize
72KB

Download
memory/2696-158-0x00000000027E0000-0x00000000027F2000-memory.dmp

Filesize
72KB

Download
memory/2696-160-0x00000000027E0000-0x00000000027F2000-memory.dmp

Filesize
72KB

Download
memory/2696-162-0x00000000027E0000-0x00000000027F2000-memory.dmp

Filesize
72KB

Download
memory/2696-164-0x00000000027E0000-0x00000000027F2000-memory.dmp

Filesize
72KB

Download
memory/2696-166-0x00000000027E0000-0x00000000027F2000-memory.dmp

Filesize
72KB

Download
memory/2696-168-0x00000000027E0000-0x00000000027F2000-memory.dmp

Filesize
72KB

Download
memory/2696-170-0x00000000027E0000-0x00000000027F2000-memory.dmp

Filesize
72KB

Download
memory/2696-171-0x0000000000400000-0x0000000000710000-memory.dmp

Filesize
3.1MB

Download
memory/2696-172-0x0000000004CF0000-0x0000000004D00000-memory.dmp

Filesize
64KB

Download
memory/2696-173-0x0000000004CF0000-0x0000000004D00000-memory.dmp

Filesize
64KB

Download
memory/2696-174-0x0000000004CF0000-0x0000000004D00000-memory.dmp

Filesize
64KB

Download
memory/2696-176-0x0000000000400000-0x0000000000710000-memory.dmp

Filesize
3.1MB

Download
memory/2696-137-0x0000000004D00000-0x00000000051FE000-memory.dmp

Filesize
5.0MB

Download
memory/2696-136-0x0000000002740000-0x000000000275A000-memory.dmp

Filesize
104KB

Download
memory/4764-188-0x00000000051D0000-0x000000000520E000-memory.dmp

Filesize
248KB

Download
memory/4764-208-0x00000000051D0000-0x000000000520E000-memory.dmp

Filesize
248KB

Download
memory/4764-183-0x00000000051D0000-0x000000000520E000-memory.dmp

Filesize
248KB

Download
memory/4764-181-0x00000000025D0000-0x0000000002616000-memory.dmp

Filesize
280KB

Download
memory/4764-1101-0x0000000002210000-0x0000000002220000-memory.dmp

Filesize
64KB

Download
memory/4764-186-0x00000000051D0000-0x000000000520E000-memory.dmp

Filesize
248KB

Download
memory/4764-190-0x00000000051D0000-0x000000000520E000-memory.dmp

Filesize
248KB

Download
memory/4764-191-0x0000000000B10000-0x0000000000B5B000-memory.dmp

Filesize
300KB

Download
memory/4764-193-0x0000000002210000-0x0000000002220000-memory.dmp

Filesize
64KB

Download
memory/4764-195-0x0000000002210000-0x0000000002220000-memory.dmp

Filesize
64KB

Download
memory/4764-194-0x00000000051D0000-0x000000000520E000-memory.dmp

Filesize
248KB

Download
memory/4764-196-0x0000000002210000-0x0000000002220000-memory.dmp

Filesize
64KB

Download
memory/4764-198-0x00000000051D0000-0x000000000520E000-memory.dmp

Filesize
248KB

Download
memory/4764-200-0x00000000051D0000-0x000000000520E000-memory.dmp

Filesize
248KB

Download
memory/4764-202-0x00000000051D0000-0x000000000520E000-memory.dmp

Filesize
248KB

Download
memory/4764-204-0x00000000051D0000-0x000000000520E000-memory.dmp

Filesize
248KB

Download
memory/4764-206-0x00000000051D0000-0x000000000520E000-memory.dmp

Filesize
248KB

Download
memory/4764-182-0x00000000051D0000-0x0000000005214000-memory.dmp

Filesize
272KB

Download
memory/4764-210-0x00000000051D0000-0x000000000520E000-memory.dmp

Filesize
248KB

Download
memory/4764-212-0x00000000051D0000-0x000000000520E000-memory.dmp

Filesize
248KB

Download
memory/4764-214-0x00000000051D0000-0x000000000520E000-memory.dmp

Filesize
248KB

Download
memory/4764-216-0x00000000051D0000-0x000000000520E000-memory.dmp

Filesize
248KB

Download
memory/4764-218-0x00000000051D0000-0x000000000520E000-memory.dmp

Filesize
248KB

Download
memory/4764-220-0x00000000051D0000-0x000000000520E000-memory.dmp

Filesize
248KB

Download
memory/4764-1093-0x0000000005840000-0x0000000005E46000-memory.dmp

Filesize
6.0MB

Download
memory/4764-1094-0x00000000052B0000-0x00000000053BA000-memory.dmp

Filesize
1.0MB

Download
memory/4764-1095-0x00000000053F0000-0x0000000005402000-memory.dmp

Filesize
72KB

Download
memory/4764-1096-0x0000000002210000-0x0000000002220000-memory.dmp

Filesize
64KB

Download
memory/4764-1097-0x0000000005410000-0x000000000544E000-memory.dmp

Filesize
248KB

Download
memory/4764-1098-0x0000000005560000-0x00000000055AB000-memory.dmp

Filesize
300KB

Download
memory/4764-1100-0x0000000002210000-0x0000000002220000-memory.dmp

Filesize
64KB

Download
memory/4764-184-0x00000000051D0000-0x000000000520E000-memory.dmp

Filesize
248KB

Download
memory/4764-1102-0x0000000002210000-0x0000000002220000-memory.dmp

Filesize
64KB

Download
memory/4764-1103-0x0000000002210000-0x0000000002220000-memory.dmp

Filesize
64KB

Download