redline | 79a1defcb6e4fb63439497cfe359fa0b2a186a8959ab325fae91037eb91badf1

Analysis

max time kernel
148s
max time network
153s
platform
windows10-1703_x64
resource
win10-20230220-en
resource tags

arch:x64arch:x86image:win10-20230220-enlocale:en-usos:windows10-1703-x64system
submitted
27-03-2023 16:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

79a1defcb6e4fb63439497cfe359fa0b2a186a8959ab325fae91037eb91badf1.exe
Size

700KB
MD5

e2fb1f0fcaba53f260792a2c1fffce1e
SHA1

7e5274b218ca2cbd0ab58365903b1ab7bd37ce2f
SHA256

79a1defcb6e4fb63439497cfe359fa0b2a186a8959ab325fae91037eb91badf1
SHA512

2290c84fa689140458b8bb6f50515a73c07b2f1d5d7b41131ea3cca151adcfbd5fbc95be5f2f3bfedbe0aa19ce92f609e6a09f5cc8e2a91101687949bfc4a4b0
SSDEEP

12288:5MrIy905uSdqJoyFy4hYvwI6aA0qH/GKkvIVSg/2BRvNas10t2jAD:lyloyFnZIJxE/GXvvK2haw0WAD

Score

10^/10

redline sony evasion infostealer persistence trojan

Malware Config

Extracted

Family

redline

Botnet

sony

193.233.20.33:4125

Attributes

auth_value
1d93d1744381eeb4fcfd7c23ffe0f0b4

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs 5 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	pro2497.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	pro2497.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	pro2497.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	pro2497.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	pro2497.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 20 IoCs

resource	yara_rule
behavioral1/memory/4876-180-0x00000000027A0000-0x00000000027E6000-memory.dmp	family_redline
behavioral1/memory/4876-181-0x0000000002930000-0x0000000002974000-memory.dmp	family_redline
behavioral1/memory/4876-185-0x0000000002930000-0x000000000296E000-memory.dmp	family_redline
behavioral1/memory/4876-187-0x0000000002930000-0x000000000296E000-memory.dmp	family_redline
behavioral1/memory/4876-189-0x0000000002930000-0x000000000296E000-memory.dmp	family_redline
behavioral1/memory/4876-191-0x0000000002930000-0x000000000296E000-memory.dmp	family_redline
behavioral1/memory/4876-193-0x0000000002930000-0x000000000296E000-memory.dmp	family_redline
behavioral1/memory/4876-195-0x0000000002930000-0x000000000296E000-memory.dmp	family_redline
behavioral1/memory/4876-197-0x0000000002930000-0x000000000296E000-memory.dmp	family_redline
behavioral1/memory/4876-199-0x0000000002930000-0x000000000296E000-memory.dmp	family_redline
behavioral1/memory/4876-201-0x0000000002930000-0x000000000296E000-memory.dmp	family_redline
behavioral1/memory/4876-203-0x0000000002930000-0x000000000296E000-memory.dmp	family_redline
behavioral1/memory/4876-205-0x0000000002930000-0x000000000296E000-memory.dmp	family_redline
behavioral1/memory/4876-207-0x0000000002930000-0x000000000296E000-memory.dmp	family_redline
behavioral1/memory/4876-209-0x0000000002930000-0x000000000296E000-memory.dmp	family_redline
behavioral1/memory/4876-211-0x0000000002930000-0x000000000296E000-memory.dmp	family_redline
behavioral1/memory/4876-213-0x0000000002930000-0x000000000296E000-memory.dmp	family_redline
behavioral1/memory/4876-215-0x0000000002930000-0x000000000296E000-memory.dmp	family_redline
behavioral1/memory/4876-217-0x0000000002930000-0x000000000296E000-memory.dmp	family_redline
behavioral1/memory/4876-219-0x0000000002930000-0x000000000296E000-memory.dmp	family_redline

Executes dropped EXE 3 IoCs

pid	Process
2524	un704893.exe
3004	pro2497.exe
4876	qu4389.exe

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	pro2497.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	pro2497.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	79a1defcb6e4fb63439497cfe359fa0b2a186a8959ab325fae91037eb91badf1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	79a1defcb6e4fb63439497cfe359fa0b2a186a8959ab325fae91037eb91badf1.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	un704893.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	un704893.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
3004	pro2497.exe
3004	pro2497.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	3004	pro2497.exe
Token: SeDebugPrivilege	4876	qu4389.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 2488 wrote to memory of 2524	2488	79a1defcb6e4fb63439497cfe359fa0b2a186a8959ab325fae91037eb91badf1.exe	66
PID 2488 wrote to memory of 2524	2488	79a1defcb6e4fb63439497cfe359fa0b2a186a8959ab325fae91037eb91badf1.exe	66
PID 2488 wrote to memory of 2524	2488	79a1defcb6e4fb63439497cfe359fa0b2a186a8959ab325fae91037eb91badf1.exe	66
PID 2524 wrote to memory of 3004	2524	un704893.exe	67
PID 2524 wrote to memory of 3004	2524	un704893.exe	67
PID 2524 wrote to memory of 3004	2524	un704893.exe	67
PID 2524 wrote to memory of 4876	2524	un704893.exe	68
PID 2524 wrote to memory of 4876	2524	un704893.exe	68
PID 2524 wrote to memory of 4876	2524	un704893.exe	68

C:\Users\Admin\AppData\Local\Temp\79a1defcb6e4fb63439497cfe359fa0b2a186a8959ab325fae91037eb91badf1.exe
"C:\Users\Admin\AppData\Local\Temp\79a1defcb6e4fb63439497cfe359fa0b2a186a8959ab325fae91037eb91badf1.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2488
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un704893.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un704893.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:2524
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro2497.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro2497.exe
    3⤵
    - Modifies Windows Defender Real-time Protection settings
    - Executes dropped EXE
    - Windows security modification
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3004
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu4389.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu4389.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:4876

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un704893.exe

Filesize
558KB

MD5
5c199fc547c8dcadc70394a2ab1072ff

SHA1
158e236d315ec3d07bbb7e6a31e88a33cb12f58a

SHA256
872fe574d39f90cf236b8d4bdb973d7feb5936a02fe902d7c54c32cede7a7826

SHA512
7357e0644a3c2094495152c47879470c00b287e40a7985de83dd1781db81933f9a61fd5936f03d2839969fad3e7059801eb42a00db624ab9eb8db19584ee0f61

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un704893.exe

Filesize
558KB

MD5
5c199fc547c8dcadc70394a2ab1072ff

SHA1
158e236d315ec3d07bbb7e6a31e88a33cb12f58a

SHA256
872fe574d39f90cf236b8d4bdb973d7feb5936a02fe902d7c54c32cede7a7826

SHA512
7357e0644a3c2094495152c47879470c00b287e40a7985de83dd1781db81933f9a61fd5936f03d2839969fad3e7059801eb42a00db624ab9eb8db19584ee0f61

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro2497.exe

Filesize
308KB

MD5
0f9b939faa7709fb053070c4b01f6b1d

SHA1
a63ce6ed6b4f81f3840fb45d74efa5ec607cbb1b

SHA256
3195df0eef9fdda4e748e24ca79ac0d17be50a21be501cb6cfdfe033e6c3d83c

SHA512
bd54a9cb0bfa148f897b8ee3d128663cb1c5cd09fa40663821b666d20f4295bf2c4685ce55468662f5a8ae262d06c3eb628f89ed3472c75b0f16ad4f4847b46a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro2497.exe

Filesize
308KB

MD5
0f9b939faa7709fb053070c4b01f6b1d

SHA1
a63ce6ed6b4f81f3840fb45d74efa5ec607cbb1b

SHA256
3195df0eef9fdda4e748e24ca79ac0d17be50a21be501cb6cfdfe033e6c3d83c

SHA512
bd54a9cb0bfa148f897b8ee3d128663cb1c5cd09fa40663821b666d20f4295bf2c4685ce55468662f5a8ae262d06c3eb628f89ed3472c75b0f16ad4f4847b46a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu4389.exe

Filesize
366KB

MD5
782177c8f166de289550480d52c35945

SHA1
e0b3482ef0bc054432873b05e919edd492fc9015

SHA256
f939fc500d5f3cdbec6e7215ca38f8694b9887e9918c0df013c0c4f7bb9f8121

SHA512
3aac04905017f076022d0a8d9e4f36d6817334bc7afb366da7d9ec0f0d54daf9dc73fa57e9021e754f85cdd970f2874497ff980cb1064921c39774082b570407

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu4389.exe

Filesize
366KB

MD5
782177c8f166de289550480d52c35945

SHA1
e0b3482ef0bc054432873b05e919edd492fc9015

SHA256
f939fc500d5f3cdbec6e7215ca38f8694b9887e9918c0df013c0c4f7bb9f8121

SHA512
3aac04905017f076022d0a8d9e4f36d6817334bc7afb366da7d9ec0f0d54daf9dc73fa57e9021e754f85cdd970f2874497ff980cb1064921c39774082b570407

Download Submit
memory/3004-136-0x0000000002360000-0x000000000237A000-memory.dmp

Filesize
104KB

Download
memory/3004-137-0x0000000004CA0000-0x000000000519E000-memory.dmp

Filesize
5.0MB

Download
memory/3004-138-0x00000000024F0000-0x0000000002508000-memory.dmp

Filesize
96KB

Download
memory/3004-139-0x00000000001D0000-0x00000000001FD000-memory.dmp

Filesize
180KB

Download
memory/3004-141-0x0000000002520000-0x0000000002530000-memory.dmp

Filesize
64KB

Download
memory/3004-140-0x0000000002520000-0x0000000002530000-memory.dmp

Filesize
64KB

Download
memory/3004-142-0x0000000002520000-0x0000000002530000-memory.dmp

Filesize
64KB

Download
memory/3004-143-0x00000000024F0000-0x0000000002502000-memory.dmp

Filesize
72KB

Download
memory/3004-144-0x00000000024F0000-0x0000000002502000-memory.dmp

Filesize
72KB

Download
memory/3004-146-0x00000000024F0000-0x0000000002502000-memory.dmp

Filesize
72KB

Download
memory/3004-148-0x00000000024F0000-0x0000000002502000-memory.dmp

Filesize
72KB

Download
memory/3004-150-0x00000000024F0000-0x0000000002502000-memory.dmp

Filesize
72KB

Download
memory/3004-152-0x00000000024F0000-0x0000000002502000-memory.dmp

Filesize
72KB

Download
memory/3004-154-0x00000000024F0000-0x0000000002502000-memory.dmp

Filesize
72KB

Download
memory/3004-156-0x00000000024F0000-0x0000000002502000-memory.dmp

Filesize
72KB

Download
memory/3004-158-0x00000000024F0000-0x0000000002502000-memory.dmp

Filesize
72KB

Download
memory/3004-160-0x00000000024F0000-0x0000000002502000-memory.dmp

Filesize
72KB

Download
memory/3004-162-0x00000000024F0000-0x0000000002502000-memory.dmp

Filesize
72KB

Download
memory/3004-164-0x00000000024F0000-0x0000000002502000-memory.dmp

Filesize
72KB

Download
memory/3004-166-0x00000000024F0000-0x0000000002502000-memory.dmp

Filesize
72KB

Download
memory/3004-168-0x00000000024F0000-0x0000000002502000-memory.dmp

Filesize
72KB

Download
memory/3004-170-0x00000000024F0000-0x0000000002502000-memory.dmp

Filesize
72KB

Download
memory/3004-171-0x0000000000400000-0x0000000000710000-memory.dmp

Filesize
3.1MB

Download
memory/3004-172-0x0000000002520000-0x0000000002530000-memory.dmp

Filesize
64KB

Download
memory/3004-173-0x0000000002520000-0x0000000002530000-memory.dmp

Filesize
64KB

Download
memory/3004-175-0x0000000000400000-0x0000000000710000-memory.dmp

Filesize
3.1MB

Download
memory/4876-180-0x00000000027A0000-0x00000000027E6000-memory.dmp

Filesize
280KB

Download
memory/4876-181-0x0000000002930000-0x0000000002974000-memory.dmp

Filesize
272KB

Download
memory/4876-182-0x0000000000870000-0x00000000008BB000-memory.dmp

Filesize
300KB

Download
memory/4876-183-0x0000000004E70000-0x0000000004E80000-memory.dmp

Filesize
64KB

Download
memory/4876-185-0x0000000002930000-0x000000000296E000-memory.dmp

Filesize
248KB

Download
memory/4876-187-0x0000000002930000-0x000000000296E000-memory.dmp

Filesize
248KB

Download
memory/4876-186-0x0000000004E70000-0x0000000004E80000-memory.dmp

Filesize
64KB

Download
memory/4876-184-0x0000000004E70000-0x0000000004E80000-memory.dmp

Filesize
64KB

Download
memory/4876-189-0x0000000002930000-0x000000000296E000-memory.dmp

Filesize
248KB

Download
memory/4876-191-0x0000000002930000-0x000000000296E000-memory.dmp

Filesize
248KB

Download
memory/4876-193-0x0000000002930000-0x000000000296E000-memory.dmp

Filesize
248KB

Download
memory/4876-195-0x0000000002930000-0x000000000296E000-memory.dmp

Filesize
248KB

Download
memory/4876-197-0x0000000002930000-0x000000000296E000-memory.dmp

Filesize
248KB

Download
memory/4876-199-0x0000000002930000-0x000000000296E000-memory.dmp

Filesize
248KB

Download
memory/4876-201-0x0000000002930000-0x000000000296E000-memory.dmp

Filesize
248KB

Download
memory/4876-203-0x0000000002930000-0x000000000296E000-memory.dmp

Filesize
248KB

Download
memory/4876-205-0x0000000002930000-0x000000000296E000-memory.dmp

Filesize
248KB

Download
memory/4876-207-0x0000000002930000-0x000000000296E000-memory.dmp

Filesize
248KB

Download
memory/4876-209-0x0000000002930000-0x000000000296E000-memory.dmp

Filesize
248KB

Download
memory/4876-211-0x0000000002930000-0x000000000296E000-memory.dmp

Filesize
248KB

Download
memory/4876-213-0x0000000002930000-0x000000000296E000-memory.dmp

Filesize
248KB

Download
memory/4876-215-0x0000000002930000-0x000000000296E000-memory.dmp

Filesize
248KB

Download
memory/4876-217-0x0000000002930000-0x000000000296E000-memory.dmp

Filesize
248KB

Download
memory/4876-219-0x0000000002930000-0x000000000296E000-memory.dmp

Filesize
248KB

Download
memory/4876-1092-0x0000000005380000-0x0000000005986000-memory.dmp

Filesize
6.0MB

Download
memory/4876-1093-0x0000000005A00000-0x0000000005B0A000-memory.dmp

Filesize
1.0MB

Download
memory/4876-1094-0x0000000005B40000-0x0000000005B52000-memory.dmp

Filesize
72KB

Download
memory/4876-1095-0x0000000005B60000-0x0000000005B9E000-memory.dmp

Filesize
248KB

Download
memory/4876-1096-0x0000000005CB0000-0x0000000005CFB000-memory.dmp

Filesize
300KB

Download
memory/4876-1097-0x0000000004E70000-0x0000000004E80000-memory.dmp

Filesize
64KB

Download
memory/4876-1099-0x0000000004E70000-0x0000000004E80000-memory.dmp

Filesize
64KB

Download
memory/4876-1100-0x0000000004E70000-0x0000000004E80000-memory.dmp

Filesize
64KB

Download
memory/4876-1101-0x0000000004E70000-0x0000000004E80000-memory.dmp

Filesize
64KB

Download
memory/4876-1102-0x0000000004E70000-0x0000000004E80000-memory.dmp

Filesize
64KB

Download