redline | dfb36492cbed8accfd567723420fee4e8c9cdf55de5fa5c32dafb32612cadd01

Analysis

max time kernel
148s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
27-03-2023 16:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

dfb36492cbed8accfd567723420fee4e8c9cdf55de5fa5c32dafb32612cadd01.exe
Size

700KB
MD5

8543c0aac5a524ea3bf50e9c79f139e6
SHA1

e6f0401d292fa024230932005ca81ed671e2312d
SHA256

dfb36492cbed8accfd567723420fee4e8c9cdf55de5fa5c32dafb32612cadd01
SHA512

8cbf903872817763397789f0360a35b4cdbe00b3f7c751d357380cebb0676a85e256bcdea374436ca5d0f6d7a3bec93dc250903a911bbca6945598759149e411
SSDEEP

12288:+Mr7y90VUqRCdtyzwft90RJWAA9qWjSF7FhKx5iQ3QyFcewYBRvLQ6GS6x:tyAUqRDzwVaXkXSBiLi6QHYXRux

Score

10^/10

redline sony evasion infostealer persistence trojan

Malware Config

Extracted

Family

redline

Botnet

sony

193.233.20.33:4125

Attributes

auth_value
1d93d1744381eeb4fcfd7c23ffe0f0b4

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	pro1767.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	pro1767.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	pro1767.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	pro1767.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	pro1767.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	pro1767.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 19 IoCs

resource	yara_rule
behavioral1/memory/5052-189-0x00000000052E0000-0x000000000531E000-memory.dmp	family_redline
behavioral1/memory/5052-190-0x00000000052E0000-0x000000000531E000-memory.dmp	family_redline
behavioral1/memory/5052-192-0x00000000052E0000-0x000000000531E000-memory.dmp	family_redline
behavioral1/memory/5052-194-0x00000000052E0000-0x000000000531E000-memory.dmp	family_redline
behavioral1/memory/5052-196-0x00000000052E0000-0x000000000531E000-memory.dmp	family_redline
behavioral1/memory/5052-198-0x00000000052E0000-0x000000000531E000-memory.dmp	family_redline
behavioral1/memory/5052-200-0x00000000052E0000-0x000000000531E000-memory.dmp	family_redline
behavioral1/memory/5052-202-0x00000000052E0000-0x000000000531E000-memory.dmp	family_redline
behavioral1/memory/5052-204-0x00000000052E0000-0x000000000531E000-memory.dmp	family_redline
behavioral1/memory/5052-206-0x00000000052E0000-0x000000000531E000-memory.dmp	family_redline
behavioral1/memory/5052-208-0x00000000052E0000-0x000000000531E000-memory.dmp	family_redline
behavioral1/memory/5052-210-0x00000000052E0000-0x000000000531E000-memory.dmp	family_redline
behavioral1/memory/5052-212-0x00000000052E0000-0x000000000531E000-memory.dmp	family_redline
behavioral1/memory/5052-214-0x00000000052E0000-0x000000000531E000-memory.dmp	family_redline
behavioral1/memory/5052-216-0x00000000052E0000-0x000000000531E000-memory.dmp	family_redline
behavioral1/memory/5052-218-0x00000000052E0000-0x000000000531E000-memory.dmp	family_redline
behavioral1/memory/5052-220-0x00000000052E0000-0x000000000531E000-memory.dmp	family_redline
behavioral1/memory/5052-222-0x00000000052E0000-0x000000000531E000-memory.dmp	family_redline
behavioral1/memory/5052-508-0x0000000004CE0000-0x0000000004CF0000-memory.dmp	family_redline

Executes dropped EXE 3 IoCs

pid	Process
3712	un699498.exe
1044	pro1767.exe
5052	qu2257.exe

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	pro1767.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	pro1767.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	dfb36492cbed8accfd567723420fee4e8c9cdf55de5fa5c32dafb32612cadd01.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	dfb36492cbed8accfd567723420fee4e8c9cdf55de5fa5c32dafb32612cadd01.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	un699498.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	un699498.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4312	1044	WerFault.exe	85

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1044	pro1767.exe
1044	pro1767.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1044	pro1767.exe
Token: SeDebugPrivilege	5052	qu2257.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 1512 wrote to memory of 3712	1512	dfb36492cbed8accfd567723420fee4e8c9cdf55de5fa5c32dafb32612cadd01.exe	84
PID 1512 wrote to memory of 3712	1512	dfb36492cbed8accfd567723420fee4e8c9cdf55de5fa5c32dafb32612cadd01.exe	84
PID 1512 wrote to memory of 3712	1512	dfb36492cbed8accfd567723420fee4e8c9cdf55de5fa5c32dafb32612cadd01.exe	84
PID 3712 wrote to memory of 1044	3712	un699498.exe	85
PID 3712 wrote to memory of 1044	3712	un699498.exe	85
PID 3712 wrote to memory of 1044	3712	un699498.exe	85
PID 3712 wrote to memory of 5052	3712	un699498.exe	91
PID 3712 wrote to memory of 5052	3712	un699498.exe	91
PID 3712 wrote to memory of 5052	3712	un699498.exe	91

C:\Users\Admin\AppData\Local\Temp\dfb36492cbed8accfd567723420fee4e8c9cdf55de5fa5c32dafb32612cadd01.exe
"C:\Users\Admin\AppData\Local\Temp\dfb36492cbed8accfd567723420fee4e8c9cdf55de5fa5c32dafb32612cadd01.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1512
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un699498.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un699498.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:3712
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro1767.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro1767.exe
    3⤵
    - Modifies Windows Defender Real-time Protection settings
    - Executes dropped EXE
    - Windows security modification
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1044
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1044 -s 1084
      4⤵
      Program crash
      PID:4312
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu2257.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu2257.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:5052

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 1044 -ip 1044
1⤵
PID:2828

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un699498.exe

Filesize
558KB

MD5
0412b619575d45a7e0e2d81fd29b30eb

SHA1
b9dbbc9853bc8c49dfc88508cd53a58a19d3fed3

SHA256
0de915e54f3c2ba74fce69df08748f7b5672a6ddac44634905ca533d683c1743

SHA512
e6fd385ace0737b130f728d44aa5ac6164cf500edb6088af43892ed0dae0ea8d00514de9f51574d6a79e0b40e8b9c50a884cea42f531344dc182ebc4568030e9

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un699498.exe

Filesize
558KB

MD5
0412b619575d45a7e0e2d81fd29b30eb

SHA1
b9dbbc9853bc8c49dfc88508cd53a58a19d3fed3

SHA256
0de915e54f3c2ba74fce69df08748f7b5672a6ddac44634905ca533d683c1743

SHA512
e6fd385ace0737b130f728d44aa5ac6164cf500edb6088af43892ed0dae0ea8d00514de9f51574d6a79e0b40e8b9c50a884cea42f531344dc182ebc4568030e9

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro1767.exe

Filesize
308KB

MD5
af9c809a6b551560848688e1cae35d61

SHA1
b3f80cf07eab93a13a83559343b9b9fc79e595a8

SHA256
751886292823442b6f326fb74f129613f8b5e91e6aaa2a990fde4332c758e225

SHA512
1c99c990bfbd7818ed728d2cb2346037a72713e745172582d7006a9047768e85eff9a2750a50febd1f16c73fde21b0e272aead63bdd1fb731bc2de862ca9e18f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro1767.exe

Filesize
308KB

MD5
af9c809a6b551560848688e1cae35d61

SHA1
b3f80cf07eab93a13a83559343b9b9fc79e595a8

SHA256
751886292823442b6f326fb74f129613f8b5e91e6aaa2a990fde4332c758e225

SHA512
1c99c990bfbd7818ed728d2cb2346037a72713e745172582d7006a9047768e85eff9a2750a50febd1f16c73fde21b0e272aead63bdd1fb731bc2de862ca9e18f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu2257.exe

Filesize
366KB

MD5
d5239d7dc6e90961cabaf46fe967d368

SHA1
8e91da7d706158424d8a6c057bd7fdd10301dce5

SHA256
43541fe3fcd0e34c2ea14274b39add09404b5121c4e878685c74eaf029b0ce93

SHA512
6588c2370c92c18004ee766e380ec3f8457abf15bc85231bbb33f18b7f968f577a76b7976ac10942ed2ad3e11d29d3953f1d4248e1100cf363b738b3de0f3487

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu2257.exe

Filesize
366KB

MD5
d5239d7dc6e90961cabaf46fe967d368

SHA1
8e91da7d706158424d8a6c057bd7fdd10301dce5

SHA256
43541fe3fcd0e34c2ea14274b39add09404b5121c4e878685c74eaf029b0ce93

SHA512
6588c2370c92c18004ee766e380ec3f8457abf15bc85231bbb33f18b7f968f577a76b7976ac10942ed2ad3e11d29d3953f1d4248e1100cf363b738b3de0f3487

Download Submit
memory/1044-162-0x0000000004C70000-0x0000000004C82000-memory.dmp

Filesize
72KB

Download
memory/1044-153-0x0000000004C70000-0x0000000004C82000-memory.dmp

Filesize
72KB

Download
memory/1044-150-0x0000000004DA0000-0x0000000005344000-memory.dmp

Filesize
5.6MB

Download
memory/1044-152-0x0000000004D90000-0x0000000004DA0000-memory.dmp

Filesize
64KB

Download
memory/1044-154-0x0000000004C70000-0x0000000004C82000-memory.dmp

Filesize
72KB

Download
memory/1044-156-0x0000000004C70000-0x0000000004C82000-memory.dmp

Filesize
72KB

Download
memory/1044-158-0x0000000004C70000-0x0000000004C82000-memory.dmp

Filesize
72KB

Download
memory/1044-160-0x0000000004C70000-0x0000000004C82000-memory.dmp

Filesize
72KB

Download
memory/1044-151-0x0000000004D90000-0x0000000004DA0000-memory.dmp

Filesize
64KB

Download
memory/1044-164-0x0000000004C70000-0x0000000004C82000-memory.dmp

Filesize
72KB

Download
memory/1044-166-0x0000000004C70000-0x0000000004C82000-memory.dmp

Filesize
72KB

Download
memory/1044-168-0x0000000004C70000-0x0000000004C82000-memory.dmp

Filesize
72KB

Download
memory/1044-170-0x0000000004C70000-0x0000000004C82000-memory.dmp

Filesize
72KB

Download
memory/1044-172-0x0000000004C70000-0x0000000004C82000-memory.dmp

Filesize
72KB

Download
memory/1044-174-0x0000000004C70000-0x0000000004C82000-memory.dmp

Filesize
72KB

Download
memory/1044-176-0x0000000004C70000-0x0000000004C82000-memory.dmp

Filesize
72KB

Download
memory/1044-178-0x0000000004C70000-0x0000000004C82000-memory.dmp

Filesize
72KB

Download
memory/1044-180-0x0000000004C70000-0x0000000004C82000-memory.dmp

Filesize
72KB

Download
memory/1044-181-0x0000000000400000-0x0000000000710000-memory.dmp

Filesize
3.1MB

Download
memory/1044-182-0x0000000004D90000-0x0000000004DA0000-memory.dmp

Filesize
64KB

Download
memory/1044-184-0x0000000000400000-0x0000000000710000-memory.dmp

Filesize
3.1MB

Download
memory/1044-148-0x00000000007E0000-0x000000000080D000-memory.dmp

Filesize
180KB

Download
memory/1044-149-0x0000000004D90000-0x0000000004DA0000-memory.dmp

Filesize
64KB

Download
memory/5052-1104-0x0000000004CE0000-0x0000000004CF0000-memory.dmp

Filesize
64KB

Download
memory/5052-196-0x00000000052E0000-0x000000000531E000-memory.dmp

Filesize
248KB

Download
memory/5052-189-0x00000000052E0000-0x000000000531E000-memory.dmp

Filesize
248KB

Download
memory/5052-194-0x00000000052E0000-0x000000000531E000-memory.dmp

Filesize
248KB

Download
memory/5052-218-0x00000000052E0000-0x000000000531E000-memory.dmp

Filesize
248KB

Download
memory/5052-198-0x00000000052E0000-0x000000000531E000-memory.dmp

Filesize
248KB

Download
memory/5052-200-0x00000000052E0000-0x000000000531E000-memory.dmp

Filesize
248KB

Download
memory/5052-202-0x00000000052E0000-0x000000000531E000-memory.dmp

Filesize
248KB

Download
memory/5052-204-0x00000000052E0000-0x000000000531E000-memory.dmp

Filesize
248KB

Download
memory/5052-206-0x00000000052E0000-0x000000000531E000-memory.dmp

Filesize
248KB

Download
memory/5052-208-0x00000000052E0000-0x000000000531E000-memory.dmp

Filesize
248KB

Download
memory/5052-220-0x00000000052E0000-0x000000000531E000-memory.dmp

Filesize
248KB

Download
memory/5052-212-0x00000000052E0000-0x000000000531E000-memory.dmp

Filesize
248KB

Download
memory/5052-1106-0x0000000004CE0000-0x0000000004CF0000-memory.dmp

Filesize
64KB

Download
memory/5052-192-0x00000000052E0000-0x000000000531E000-memory.dmp

Filesize
248KB

Download
memory/5052-216-0x00000000052E0000-0x000000000531E000-memory.dmp

Filesize
248KB

Download
memory/5052-210-0x00000000052E0000-0x000000000531E000-memory.dmp

Filesize
248KB

Download
memory/5052-222-0x00000000052E0000-0x000000000531E000-memory.dmp

Filesize
248KB

Download
memory/5052-507-0x0000000000720000-0x000000000076B000-memory.dmp

Filesize
300KB

Download
memory/5052-508-0x0000000004CE0000-0x0000000004CF0000-memory.dmp

Filesize
64KB

Download
memory/5052-510-0x0000000004CE0000-0x0000000004CF0000-memory.dmp

Filesize
64KB

Download
memory/5052-1098-0x0000000005460000-0x0000000005A78000-memory.dmp

Filesize
6.1MB

Download
memory/5052-1099-0x0000000005B00000-0x0000000005C0A000-memory.dmp

Filesize
1.0MB

Download
memory/5052-1100-0x0000000005C40000-0x0000000005C52000-memory.dmp

Filesize
72KB

Download
memory/5052-1101-0x0000000005C60000-0x0000000005C9C000-memory.dmp

Filesize
240KB

Download
memory/5052-1102-0x0000000004CE0000-0x0000000004CF0000-memory.dmp

Filesize
64KB

Download
memory/5052-190-0x00000000052E0000-0x000000000531E000-memory.dmp

Filesize
248KB

Download
memory/5052-1105-0x0000000004CE0000-0x0000000004CF0000-memory.dmp

Filesize
64KB

Download
memory/5052-214-0x00000000052E0000-0x000000000531E000-memory.dmp

Filesize
248KB

Download