redline | 0dbe073c6ae4a80af04922a048094daeabfbb5d634908aaabb99e34e0972261d

Analysis

max time kernel
148s
max time network
152s
platform
windows10-1703_x64
resource
win10-20230220-en
resource tags

arch:x64arch:x86image:win10-20230220-enlocale:en-usos:windows10-1703-x64system
submitted
27-03-2023 16:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0dbe073c6ae4a80af04922a048094daeabfbb5d634908aaabb99e34e0972261d.exe
Size

700KB
MD5

4f4fa1b1e67b102bd08a7461b8b7d663
SHA1

c884129e2fdb124615c5305a008cf14fbbca86a4
SHA256

0dbe073c6ae4a80af04922a048094daeabfbb5d634908aaabb99e34e0972261d
SHA512

5e873f7ced8a60af623082bb5c08747adaeb47812a5cb289a01b601d3133436c64c73e8d0b96b79d0035d45108651ca350ab179f79faa92e87424b16d4c2daf1
SSDEEP

12288:eMr6y90FD9Wk9q7BS9LJ0+pHVKHqGVHV2cu4dhrxwP4BRvwJ55TycsZV68wegOw:MyKeGGu4KGLjxwP4cJ5tjs/6V

Score

10^/10

redline sony evasion infostealer persistence trojan

Malware Config

Extracted

Family

redline

Botnet

sony

193.233.20.33:4125

Attributes

auth_value
1d93d1744381eeb4fcfd7c23ffe0f0b4

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs 5 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	pro7974.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	pro7974.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	pro7974.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	pro7974.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	pro7974.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 21 IoCs

resource	yara_rule
behavioral1/memory/3540-178-0x00000000025B0000-0x00000000025F6000-memory.dmp	family_redline
behavioral1/memory/3540-179-0x0000000002990000-0x00000000029D4000-memory.dmp	family_redline
behavioral1/memory/3540-181-0x0000000002990000-0x00000000029CE000-memory.dmp	family_redline
behavioral1/memory/3540-180-0x0000000002990000-0x00000000029CE000-memory.dmp	family_redline
behavioral1/memory/3540-183-0x0000000002990000-0x00000000029CE000-memory.dmp	family_redline
behavioral1/memory/3540-185-0x0000000002990000-0x00000000029CE000-memory.dmp	family_redline
behavioral1/memory/3540-187-0x0000000002990000-0x00000000029CE000-memory.dmp	family_redline
behavioral1/memory/3540-189-0x0000000002990000-0x00000000029CE000-memory.dmp	family_redline
behavioral1/memory/3540-191-0x0000000002990000-0x00000000029CE000-memory.dmp	family_redline
behavioral1/memory/3540-193-0x0000000002990000-0x00000000029CE000-memory.dmp	family_redline
behavioral1/memory/3540-195-0x0000000002990000-0x00000000029CE000-memory.dmp	family_redline
behavioral1/memory/3540-197-0x0000000002990000-0x00000000029CE000-memory.dmp	family_redline
behavioral1/memory/3540-199-0x0000000002990000-0x00000000029CE000-memory.dmp	family_redline
behavioral1/memory/3540-201-0x0000000002990000-0x00000000029CE000-memory.dmp	family_redline
behavioral1/memory/3540-203-0x0000000002990000-0x00000000029CE000-memory.dmp	family_redline
behavioral1/memory/3540-205-0x0000000002990000-0x00000000029CE000-memory.dmp	family_redline
behavioral1/memory/3540-207-0x0000000002990000-0x00000000029CE000-memory.dmp	family_redline
behavioral1/memory/3540-209-0x0000000002990000-0x00000000029CE000-memory.dmp	family_redline
behavioral1/memory/3540-211-0x0000000002990000-0x00000000029CE000-memory.dmp	family_redline
behavioral1/memory/3540-213-0x0000000002990000-0x00000000029CE000-memory.dmp	family_redline
behavioral1/memory/3540-274-0x00000000022D0000-0x00000000022E0000-memory.dmp	family_redline

Executes dropped EXE 3 IoCs

pid	Process
2488	un376479.exe
2560	pro7974.exe
3540	qu3404.exe

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	pro7974.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	pro7974.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	0dbe073c6ae4a80af04922a048094daeabfbb5d634908aaabb99e34e0972261d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	0dbe073c6ae4a80af04922a048094daeabfbb5d634908aaabb99e34e0972261d.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	un376479.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	un376479.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2560	pro7974.exe
2560	pro7974.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2560	pro7974.exe
Token: SeDebugPrivilege	3540	qu3404.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 2156 wrote to memory of 2488	2156	0dbe073c6ae4a80af04922a048094daeabfbb5d634908aaabb99e34e0972261d.exe	66
PID 2156 wrote to memory of 2488	2156	0dbe073c6ae4a80af04922a048094daeabfbb5d634908aaabb99e34e0972261d.exe	66
PID 2156 wrote to memory of 2488	2156	0dbe073c6ae4a80af04922a048094daeabfbb5d634908aaabb99e34e0972261d.exe	66
PID 2488 wrote to memory of 2560	2488	un376479.exe	67
PID 2488 wrote to memory of 2560	2488	un376479.exe	67
PID 2488 wrote to memory of 2560	2488	un376479.exe	67
PID 2488 wrote to memory of 3540	2488	un376479.exe	68
PID 2488 wrote to memory of 3540	2488	un376479.exe	68
PID 2488 wrote to memory of 3540	2488	un376479.exe	68

C:\Users\Admin\AppData\Local\Temp\0dbe073c6ae4a80af04922a048094daeabfbb5d634908aaabb99e34e0972261d.exe
"C:\Users\Admin\AppData\Local\Temp\0dbe073c6ae4a80af04922a048094daeabfbb5d634908aaabb99e34e0972261d.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2156
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un376479.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un376479.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:2488
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro7974.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro7974.exe
    3⤵
    - Modifies Windows Defender Real-time Protection settings
    - Executes dropped EXE
    - Windows security modification
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2560
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu3404.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu3404.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:3540

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un376479.exe

Filesize
558KB

MD5
872f9ea117bad7307eae3e4038843478

SHA1
794a82771b3b9838e5f2657fc60d210be60c53f8

SHA256
a2891d86f0fcd966906ab90aa83a512ef4bbecfdff2c416226d2b029ef0e90a5

SHA512
4d52812bee958177e2cb419cbe7b012e213cbdc0a2e6e026a3dd3da5d8e5347e8edae5545c9d54fbe132ea8f7d2f266844d6651d6bbabf05eb72910d4c882a49

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un376479.exe

Filesize
558KB

MD5
872f9ea117bad7307eae3e4038843478

SHA1
794a82771b3b9838e5f2657fc60d210be60c53f8

SHA256
a2891d86f0fcd966906ab90aa83a512ef4bbecfdff2c416226d2b029ef0e90a5

SHA512
4d52812bee958177e2cb419cbe7b012e213cbdc0a2e6e026a3dd3da5d8e5347e8edae5545c9d54fbe132ea8f7d2f266844d6651d6bbabf05eb72910d4c882a49

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro7974.exe

Filesize
308KB

MD5
44fbd0a6ad46079a01984ddab80ddc98

SHA1
212888ad18e772a22e4b0c4e01c6417cf13df636

SHA256
4a5d7f932161770da5b746ae8af772527b1a3505c429297c8ba04166505cfad1

SHA512
3d84f2ee122049ffbbb430c5803c56c03bb33ce7a850f125279c36b5a0274cefe46297b6d49e1621a4023050b426ce9bac5409254e0f2f5159e8db9a6f4cfa70

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro7974.exe

Filesize
308KB

MD5
44fbd0a6ad46079a01984ddab80ddc98

SHA1
212888ad18e772a22e4b0c4e01c6417cf13df636

SHA256
4a5d7f932161770da5b746ae8af772527b1a3505c429297c8ba04166505cfad1

SHA512
3d84f2ee122049ffbbb430c5803c56c03bb33ce7a850f125279c36b5a0274cefe46297b6d49e1621a4023050b426ce9bac5409254e0f2f5159e8db9a6f4cfa70

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu3404.exe

Filesize
366KB

MD5
3dacd10becab3626127c9e2de7fcd594

SHA1
5342ffbbd1ef197a7e25a304d166cef7ff2da9f9

SHA256
673aa1fe5e34de2b7badc43a2fedc789cf190d57e543601a29446aaf5fdccbb6

SHA512
407a56da33a917ae2a5e971af84e26de03176cc774c9f10142981304989c58318ff22509e79a9eae9f7220bd886a4d7679b3cac831189d68a7b231a8453a6efb

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu3404.exe

Filesize
366KB

MD5
3dacd10becab3626127c9e2de7fcd594

SHA1
5342ffbbd1ef197a7e25a304d166cef7ff2da9f9

SHA256
673aa1fe5e34de2b7badc43a2fedc789cf190d57e543601a29446aaf5fdccbb6

SHA512
407a56da33a917ae2a5e971af84e26de03176cc774c9f10142981304989c58318ff22509e79a9eae9f7220bd886a4d7679b3cac831189d68a7b231a8453a6efb

Download Submit
memory/2560-136-0x00000000001D0000-0x00000000001FD000-memory.dmp

Filesize
180KB

Download
memory/2560-137-0x0000000000D00000-0x0000000000D1A000-memory.dmp

Filesize
104KB

Download
memory/2560-138-0x0000000004EF0000-0x00000000053EE000-memory.dmp

Filesize
5.0MB

Download
memory/2560-139-0x00000000024C0000-0x00000000024D8000-memory.dmp

Filesize
96KB

Download
memory/2560-140-0x00000000024C0000-0x00000000024D2000-memory.dmp

Filesize
72KB

Download
memory/2560-141-0x00000000024C0000-0x00000000024D2000-memory.dmp

Filesize
72KB

Download
memory/2560-143-0x00000000024C0000-0x00000000024D2000-memory.dmp

Filesize
72KB

Download
memory/2560-145-0x00000000024C0000-0x00000000024D2000-memory.dmp

Filesize
72KB

Download
memory/2560-147-0x00000000024C0000-0x00000000024D2000-memory.dmp

Filesize
72KB

Download
memory/2560-149-0x00000000024C0000-0x00000000024D2000-memory.dmp

Filesize
72KB

Download
memory/2560-151-0x00000000024C0000-0x00000000024D2000-memory.dmp

Filesize
72KB

Download
memory/2560-153-0x00000000024C0000-0x00000000024D2000-memory.dmp

Filesize
72KB

Download
memory/2560-158-0x0000000004EE0000-0x0000000004EF0000-memory.dmp

Filesize
64KB

Download
memory/2560-156-0x0000000004EE0000-0x0000000004EF0000-memory.dmp

Filesize
64KB

Download
memory/2560-160-0x0000000004EE0000-0x0000000004EF0000-memory.dmp

Filesize
64KB

Download
memory/2560-159-0x00000000024C0000-0x00000000024D2000-memory.dmp

Filesize
72KB

Download
memory/2560-155-0x00000000024C0000-0x00000000024D2000-memory.dmp

Filesize
72KB

Download
memory/2560-162-0x00000000024C0000-0x00000000024D2000-memory.dmp

Filesize
72KB

Download
memory/2560-164-0x00000000024C0000-0x00000000024D2000-memory.dmp

Filesize
72KB

Download
memory/2560-166-0x00000000024C0000-0x00000000024D2000-memory.dmp

Filesize
72KB

Download
memory/2560-168-0x00000000024C0000-0x00000000024D2000-memory.dmp

Filesize
72KB

Download
memory/2560-170-0x00000000024C0000-0x00000000024D2000-memory.dmp

Filesize
72KB

Download
memory/2560-171-0x0000000000400000-0x0000000000710000-memory.dmp

Filesize
3.1MB

Download
memory/2560-173-0x0000000000400000-0x0000000000710000-memory.dmp

Filesize
3.1MB

Download
memory/3540-178-0x00000000025B0000-0x00000000025F6000-memory.dmp

Filesize
280KB

Download
memory/3540-179-0x0000000002990000-0x00000000029D4000-memory.dmp

Filesize
272KB

Download
memory/3540-181-0x0000000002990000-0x00000000029CE000-memory.dmp

Filesize
248KB

Download
memory/3540-180-0x0000000002990000-0x00000000029CE000-memory.dmp

Filesize
248KB

Download
memory/3540-183-0x0000000002990000-0x00000000029CE000-memory.dmp

Filesize
248KB

Download
memory/3540-185-0x0000000002990000-0x00000000029CE000-memory.dmp

Filesize
248KB

Download
memory/3540-187-0x0000000002990000-0x00000000029CE000-memory.dmp

Filesize
248KB

Download
memory/3540-189-0x0000000002990000-0x00000000029CE000-memory.dmp

Filesize
248KB

Download
memory/3540-191-0x0000000002990000-0x00000000029CE000-memory.dmp

Filesize
248KB

Download
memory/3540-193-0x0000000002990000-0x00000000029CE000-memory.dmp

Filesize
248KB

Download
memory/3540-195-0x0000000002990000-0x00000000029CE000-memory.dmp

Filesize
248KB

Download
memory/3540-197-0x0000000002990000-0x00000000029CE000-memory.dmp

Filesize
248KB

Download
memory/3540-199-0x0000000002990000-0x00000000029CE000-memory.dmp

Filesize
248KB

Download
memory/3540-201-0x0000000002990000-0x00000000029CE000-memory.dmp

Filesize
248KB

Download
memory/3540-203-0x0000000002990000-0x00000000029CE000-memory.dmp

Filesize
248KB

Download
memory/3540-205-0x0000000002990000-0x00000000029CE000-memory.dmp

Filesize
248KB

Download
memory/3540-207-0x0000000002990000-0x00000000029CE000-memory.dmp

Filesize
248KB

Download
memory/3540-209-0x0000000002990000-0x00000000029CE000-memory.dmp

Filesize
248KB

Download
memory/3540-211-0x0000000002990000-0x00000000029CE000-memory.dmp

Filesize
248KB

Download
memory/3540-213-0x0000000002990000-0x00000000029CE000-memory.dmp

Filesize
248KB

Download
memory/3540-272-0x00000000020F0000-0x000000000213B000-memory.dmp

Filesize
300KB

Download
memory/3540-274-0x00000000022D0000-0x00000000022E0000-memory.dmp

Filesize
64KB

Download
memory/3540-278-0x00000000022D0000-0x00000000022E0000-memory.dmp

Filesize
64KB

Download
memory/3540-276-0x00000000022D0000-0x00000000022E0000-memory.dmp

Filesize
64KB

Download
memory/3540-1090-0x00000000052A0000-0x00000000058A6000-memory.dmp

Filesize
6.0MB

Download
memory/3540-1091-0x00000000058C0000-0x00000000059CA000-memory.dmp

Filesize
1.0MB

Download
memory/3540-1092-0x0000000005A00000-0x0000000005A12000-memory.dmp

Filesize
72KB

Download
memory/3540-1093-0x0000000005A20000-0x0000000005A5E000-memory.dmp

Filesize
248KB

Download
memory/3540-1094-0x0000000005B70000-0x0000000005BBB000-memory.dmp

Filesize
300KB

Download
memory/3540-1095-0x00000000022D0000-0x00000000022E0000-memory.dmp

Filesize
64KB

Download
memory/3540-1097-0x00000000022D0000-0x00000000022E0000-memory.dmp

Filesize
64KB

Download
memory/3540-1098-0x00000000022D0000-0x00000000022E0000-memory.dmp

Filesize
64KB

Download
memory/3540-1099-0x00000000022D0000-0x00000000022E0000-memory.dmp

Filesize
64KB

Download
memory/3540-1100-0x00000000022D0000-0x00000000022E0000-memory.dmp

Filesize
64KB

Download