redline | 3096a4e4556fbb5a916d81fcffc69a9d43cf4cf695ddf42b691493997c00f6e5

Analysis

max time kernel
148s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
27-03-2023 16:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3096a4e4556fbb5a916d81fcffc69a9d43cf4cf695ddf42b691493997c00f6e5.exe
Size

700KB
MD5

0357bd3a5161c1a7a9687d2ba13c5acd
SHA1

0989240e30aed118b0ae6cd8645d9d599e845622
SHA256

3096a4e4556fbb5a916d81fcffc69a9d43cf4cf695ddf42b691493997c00f6e5
SHA512

de788e722b89f7e66da7a35b40c9ffd035cd9250216d29c75376b1b2b22e1e0d52b9adbbff2ce702a56a53a490d29e078a8fbc06302c676f3a2165b2e3b3e3b9
SSDEEP

12288:zMrcy90L2zfEYewYAI78Alq4IRG8ByvzJGOLkVf6FBRvnXbuUjgnHvLf/:/y4pYxYAs8E+GrtGOoZ6FdeHD3

Score

10^/10

redline sony evasion infostealer persistence trojan

Malware Config

Extracted

Family

redline

Botnet

sony

193.233.20.33:4125

Attributes

auth_value
1d93d1744381eeb4fcfd7c23ffe0f0b4

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	pro9133.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	pro9133.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	pro9133.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	pro9133.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	pro9133.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	pro9133.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 18 IoCs

resource	yara_rule
behavioral1/memory/4044-192-0x0000000002690000-0x00000000026CE000-memory.dmp	family_redline
behavioral1/memory/4044-193-0x0000000002690000-0x00000000026CE000-memory.dmp	family_redline
behavioral1/memory/4044-195-0x0000000002690000-0x00000000026CE000-memory.dmp	family_redline
behavioral1/memory/4044-197-0x0000000002690000-0x00000000026CE000-memory.dmp	family_redline
behavioral1/memory/4044-199-0x0000000002690000-0x00000000026CE000-memory.dmp	family_redline
behavioral1/memory/4044-201-0x0000000002690000-0x00000000026CE000-memory.dmp	family_redline
behavioral1/memory/4044-203-0x0000000002690000-0x00000000026CE000-memory.dmp	family_redline
behavioral1/memory/4044-205-0x0000000002690000-0x00000000026CE000-memory.dmp	family_redline
behavioral1/memory/4044-207-0x0000000002690000-0x00000000026CE000-memory.dmp	family_redline
behavioral1/memory/4044-209-0x0000000002690000-0x00000000026CE000-memory.dmp	family_redline
behavioral1/memory/4044-211-0x0000000002690000-0x00000000026CE000-memory.dmp	family_redline
behavioral1/memory/4044-213-0x0000000002690000-0x00000000026CE000-memory.dmp	family_redline
behavioral1/memory/4044-215-0x0000000002690000-0x00000000026CE000-memory.dmp	family_redline
behavioral1/memory/4044-217-0x0000000002690000-0x00000000026CE000-memory.dmp	family_redline
behavioral1/memory/4044-219-0x0000000002690000-0x00000000026CE000-memory.dmp	family_redline
behavioral1/memory/4044-221-0x0000000002690000-0x00000000026CE000-memory.dmp	family_redline
behavioral1/memory/4044-223-0x0000000002690000-0x00000000026CE000-memory.dmp	family_redline
behavioral1/memory/4044-225-0x0000000002690000-0x00000000026CE000-memory.dmp	family_redline

Executes dropped EXE 3 IoCs

pid	Process
4624	un935666.exe
4996	pro9133.exe
4044	qu7867.exe

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	pro9133.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	pro9133.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	3096a4e4556fbb5a916d81fcffc69a9d43cf4cf695ddf42b691493997c00f6e5.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	un935666.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	un935666.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	3096a4e4556fbb5a916d81fcffc69a9d43cf4cf695ddf42b691493997c00f6e5.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4552	4996	WerFault.exe	85

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4996	pro9133.exe
4996	pro9133.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	4996	pro9133.exe
Token: SeDebugPrivilege	4044	qu7867.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 3216 wrote to memory of 4624	3216	3096a4e4556fbb5a916d81fcffc69a9d43cf4cf695ddf42b691493997c00f6e5.exe	84
PID 3216 wrote to memory of 4624	3216	3096a4e4556fbb5a916d81fcffc69a9d43cf4cf695ddf42b691493997c00f6e5.exe	84
PID 3216 wrote to memory of 4624	3216	3096a4e4556fbb5a916d81fcffc69a9d43cf4cf695ddf42b691493997c00f6e5.exe	84
PID 4624 wrote to memory of 4996	4624	un935666.exe	85
PID 4624 wrote to memory of 4996	4624	un935666.exe	85
PID 4624 wrote to memory of 4996	4624	un935666.exe	85
PID 4624 wrote to memory of 4044	4624	un935666.exe	88
PID 4624 wrote to memory of 4044	4624	un935666.exe	88
PID 4624 wrote to memory of 4044	4624	un935666.exe	88

C:\Users\Admin\AppData\Local\Temp\3096a4e4556fbb5a916d81fcffc69a9d43cf4cf695ddf42b691493997c00f6e5.exe
"C:\Users\Admin\AppData\Local\Temp\3096a4e4556fbb5a916d81fcffc69a9d43cf4cf695ddf42b691493997c00f6e5.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3216
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un935666.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un935666.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:4624
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro9133.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro9133.exe
    3⤵
    - Modifies Windows Defender Real-time Protection settings
    - Executes dropped EXE
    - Windows security modification
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4996
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4996 -s 1092
      4⤵
      Program crash
      PID:4552
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu7867.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu7867.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:4044

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 4996 -ip 4996
1⤵
PID:2328

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un935666.exe

Filesize
557KB

MD5
569b1280c4d8bb9284320b50448caa97

SHA1
1e50549ec29be34911bb1a6b34689b1231a1c54d

SHA256
21a0138fdf62a096f1e728d628a8ec5db70dc0a35e0388863bc20c3db57fd998

SHA512
08de6314cedbecbb7f62b859bfbdfc29104fc3c9e49ee70b5ab3aabc313d04493054ea92a83157f0294e5beae2b3d0533f55a1833c45c30d66865452c4c5a78e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un935666.exe

Filesize
557KB

MD5
569b1280c4d8bb9284320b50448caa97

SHA1
1e50549ec29be34911bb1a6b34689b1231a1c54d

SHA256
21a0138fdf62a096f1e728d628a8ec5db70dc0a35e0388863bc20c3db57fd998

SHA512
08de6314cedbecbb7f62b859bfbdfc29104fc3c9e49ee70b5ab3aabc313d04493054ea92a83157f0294e5beae2b3d0533f55a1833c45c30d66865452c4c5a78e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro9133.exe

Filesize
308KB

MD5
d8946fd1b20738afc0d92ebb6c3139e6

SHA1
723f00dac5eb8c0ace19bbe0ed7c9b1fac176f3a

SHA256
89c933dccde049421b1d1aec4b5930b309babd06256bf881c80becef323239f8

SHA512
0cfa5af7d2d3dcc264399d6e29d33644d19543e537d2bb5b624cfde44324ed68c8f6238e71f0d74eb43a2496857dfc655f2370cb2f125fedd5781258ef5929d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro9133.exe

Filesize
308KB

MD5
d8946fd1b20738afc0d92ebb6c3139e6

SHA1
723f00dac5eb8c0ace19bbe0ed7c9b1fac176f3a

SHA256
89c933dccde049421b1d1aec4b5930b309babd06256bf881c80becef323239f8

SHA512
0cfa5af7d2d3dcc264399d6e29d33644d19543e537d2bb5b624cfde44324ed68c8f6238e71f0d74eb43a2496857dfc655f2370cb2f125fedd5781258ef5929d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu7867.exe

Filesize
366KB

MD5
f1a40834ff374289e8542875a357030c

SHA1
c1f212e6cb9de155c35ff677b4323aaac2d11ae4

SHA256
e2c132a855b9cea40b1684c72071da5477a85000e448cc88d7f98cbb2e203c02

SHA512
e89d9b4d4f34624181391726998124cd01eab528a619e73b9f4af55d2c6699018c03fed9852df973d17bebd01dd7f4b816d6ba35d10d49b4b4033e316335c37f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu7867.exe

Filesize
366KB

MD5
f1a40834ff374289e8542875a357030c

SHA1
c1f212e6cb9de155c35ff677b4323aaac2d11ae4

SHA256
e2c132a855b9cea40b1684c72071da5477a85000e448cc88d7f98cbb2e203c02

SHA512
e89d9b4d4f34624181391726998124cd01eab528a619e73b9f4af55d2c6699018c03fed9852df973d17bebd01dd7f4b816d6ba35d10d49b4b4033e316335c37f

Download Submit
memory/4044-211-0x0000000002690000-0x00000000026CE000-memory.dmp

Filesize
248KB

Download
memory/4044-219-0x0000000002690000-0x00000000026CE000-memory.dmp

Filesize
248KB

Download
memory/4044-1107-0x0000000004DD0000-0x0000000004DE0000-memory.dmp

Filesize
64KB

Download
memory/4044-1106-0x0000000004DD0000-0x0000000004DE0000-memory.dmp

Filesize
64KB

Download
memory/4044-193-0x0000000002690000-0x00000000026CE000-memory.dmp

Filesize
248KB

Download
memory/4044-1104-0x0000000004DD0000-0x0000000004DE0000-memory.dmp

Filesize
64KB

Download
memory/4044-1102-0x0000000004DD0000-0x0000000004DE0000-memory.dmp

Filesize
64KB

Download
memory/4044-195-0x0000000002690000-0x00000000026CE000-memory.dmp

Filesize
248KB

Download
memory/4044-1100-0x0000000005C40000-0x0000000005C52000-memory.dmp

Filesize
72KB

Download
memory/4044-1099-0x0000000005B00000-0x0000000005C0A000-memory.dmp

Filesize
1.0MB

Download
memory/4044-1098-0x0000000005490000-0x0000000005AA8000-memory.dmp

Filesize
6.1MB

Download
memory/4044-225-0x0000000002690000-0x00000000026CE000-memory.dmp

Filesize
248KB

Download
memory/4044-223-0x0000000002690000-0x00000000026CE000-memory.dmp

Filesize
248KB

Download
memory/4044-221-0x0000000002690000-0x00000000026CE000-memory.dmp

Filesize
248KB

Download
memory/4044-217-0x0000000002690000-0x00000000026CE000-memory.dmp

Filesize
248KB

Download
memory/4044-215-0x0000000002690000-0x00000000026CE000-memory.dmp

Filesize
248KB

Download
memory/4044-213-0x0000000002690000-0x00000000026CE000-memory.dmp

Filesize
248KB

Download
memory/4044-209-0x0000000002690000-0x00000000026CE000-memory.dmp

Filesize
248KB

Download
memory/4044-207-0x0000000002690000-0x00000000026CE000-memory.dmp

Filesize
248KB

Download
memory/4044-205-0x0000000002690000-0x00000000026CE000-memory.dmp

Filesize
248KB

Download
memory/4044-203-0x0000000002690000-0x00000000026CE000-memory.dmp

Filesize
248KB

Download
memory/4044-201-0x0000000002690000-0x00000000026CE000-memory.dmp

Filesize
248KB

Download
memory/4044-199-0x0000000002690000-0x00000000026CE000-memory.dmp

Filesize
248KB

Download
memory/4044-189-0x00000000007F0000-0x000000000083B000-memory.dmp

Filesize
300KB

Download
memory/4044-192-0x0000000002690000-0x00000000026CE000-memory.dmp

Filesize
248KB

Download
memory/4044-191-0x0000000004DD0000-0x0000000004DE0000-memory.dmp

Filesize
64KB

Download
memory/4044-190-0x0000000004DD0000-0x0000000004DE0000-memory.dmp

Filesize
64KB

Download
memory/4044-1105-0x0000000004DD0000-0x0000000004DE0000-memory.dmp

Filesize
64KB

Download
memory/4044-1101-0x0000000005C60000-0x0000000005C9C000-memory.dmp

Filesize
240KB

Download
memory/4044-197-0x0000000002690000-0x00000000026CE000-memory.dmp

Filesize
248KB

Download
memory/4996-155-0x0000000002520000-0x0000000002532000-memory.dmp

Filesize
72KB

Download
memory/4996-175-0x0000000002520000-0x0000000002532000-memory.dmp

Filesize
72KB

Download
memory/4996-150-0x0000000004F30000-0x00000000054D4000-memory.dmp

Filesize
5.6MB

Download
memory/4996-182-0x0000000004F20000-0x0000000004F30000-memory.dmp

Filesize
64KB

Download
memory/4996-181-0x0000000004F20000-0x0000000004F30000-memory.dmp

Filesize
64KB

Download
memory/4996-180-0x0000000000400000-0x0000000000710000-memory.dmp

Filesize
3.1MB

Download
memory/4996-148-0x0000000000710000-0x000000000073D000-memory.dmp

Filesize
180KB

Download
memory/4996-179-0x0000000002520000-0x0000000002532000-memory.dmp

Filesize
72KB

Download
memory/4996-177-0x0000000002520000-0x0000000002532000-memory.dmp

Filesize
72KB

Download
memory/4996-171-0x0000000002520000-0x0000000002532000-memory.dmp

Filesize
72KB

Download
memory/4996-184-0x0000000000400000-0x0000000000710000-memory.dmp

Filesize
3.1MB

Download
memory/4996-149-0x0000000004F20000-0x0000000004F30000-memory.dmp

Filesize
64KB

Download
memory/4996-152-0x0000000002520000-0x0000000002532000-memory.dmp

Filesize
72KB

Download
memory/4996-173-0x0000000002520000-0x0000000002532000-memory.dmp

Filesize
72KB

Download
memory/4996-167-0x0000000002520000-0x0000000002532000-memory.dmp

Filesize
72KB

Download
memory/4996-165-0x0000000002520000-0x0000000002532000-memory.dmp

Filesize
72KB

Download
memory/4996-163-0x0000000002520000-0x0000000002532000-memory.dmp

Filesize
72KB

Download
memory/4996-161-0x0000000002520000-0x0000000002532000-memory.dmp

Filesize
72KB

Download
memory/4996-159-0x0000000002520000-0x0000000002532000-memory.dmp

Filesize
72KB

Download
memory/4996-157-0x0000000002520000-0x0000000002532000-memory.dmp

Filesize
72KB

Download
memory/4996-151-0x0000000004F20000-0x0000000004F30000-memory.dmp

Filesize
64KB

Download
memory/4996-153-0x0000000002520000-0x0000000002532000-memory.dmp

Filesize
72KB

Download
memory/4996-169-0x0000000002520000-0x0000000002532000-memory.dmp

Filesize
72KB

Download