redline | 38a73350f14f7521147dea22faa01e6b56e1f296a0aa68335bce1133736262d2

Analysis

max time kernel
142s
max time network
147s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
19/08/2023, 23:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

38a73350f14f7521147dea22faa01e6b56e1f296a0aa68335bce1133736262d2.exe
Size

890KB
MD5

605759df0fda85e64629dce6caab56c8
SHA1

57106dbcba9c4cfc0a6cdada846a35915a93c10f
SHA256

38a73350f14f7521147dea22faa01e6b56e1f296a0aa68335bce1133736262d2
SHA512

3ab29f21311e790f8e49d1badeb3837ad468ef9e615cd8a99f1961adbee4bfff167ddd5eaabc7609bb5a2fcf5f35d86731a6966aae02b133a1427befa4f5e279
SSDEEP

24576:AyisRb4xFA7bzwD9dPyWUQjHvmZHyRcQ:HX4xyz+9FyW/Hv+yRc

Score

10^/10

redline jonka evasion infostealer persistence trojan

Malware Config

Extracted

Family

redline

Botnet

jonka

77.91.124.73:19071

Attributes

auth_value
c95bc30cd252fa6dff2a19fd78bfab4e

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	r3673928.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	r3673928.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	r3673928.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	r3673928.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	r3673928.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	r3673928.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Executes dropped EXE 6 IoCs

pid	Process
1828	z2770023.exe
1776	z8876881.exe
4960	z8950472.exe
4472	r3673928.exe
1940	s9101467.exe
3992	t2459678.exe

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	r3673928.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	r3673928.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	38a73350f14f7521147dea22faa01e6b56e1f296a0aa68335bce1133736262d2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	z2770023.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	z8876881.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	z8950472.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2936	4472	WerFault.exe	86

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4472	r3673928.exe
4472	r3673928.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4472	r3673928.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 1664 wrote to memory of 1828	1664	38a73350f14f7521147dea22faa01e6b56e1f296a0aa68335bce1133736262d2.exe	83
PID 1664 wrote to memory of 1828	1664	38a73350f14f7521147dea22faa01e6b56e1f296a0aa68335bce1133736262d2.exe	83
PID 1664 wrote to memory of 1828	1664	38a73350f14f7521147dea22faa01e6b56e1f296a0aa68335bce1133736262d2.exe	83
PID 1828 wrote to memory of 1776	1828	z2770023.exe	84
PID 1828 wrote to memory of 1776	1828	z2770023.exe	84
PID 1828 wrote to memory of 1776	1828	z2770023.exe	84
PID 1776 wrote to memory of 4960	1776	z8876881.exe	85
PID 1776 wrote to memory of 4960	1776	z8876881.exe	85
PID 1776 wrote to memory of 4960	1776	z8876881.exe	85
PID 4960 wrote to memory of 4472	4960	z8950472.exe	86
PID 4960 wrote to memory of 4472	4960	z8950472.exe	86
PID 4960 wrote to memory of 4472	4960	z8950472.exe	86
PID 4960 wrote to memory of 1940	4960	z8950472.exe	99
PID 4960 wrote to memory of 1940	4960	z8950472.exe	99
PID 4960 wrote to memory of 1940	4960	z8950472.exe	99
PID 1776 wrote to memory of 3992	1776	z8876881.exe	100
PID 1776 wrote to memory of 3992	1776	z8876881.exe	100
PID 1776 wrote to memory of 3992	1776	z8876881.exe	100

C:\Users\Admin\AppData\Local\Temp\38a73350f14f7521147dea22faa01e6b56e1f296a0aa68335bce1133736262d2.exe
"C:\Users\Admin\AppData\Local\Temp\38a73350f14f7521147dea22faa01e6b56e1f296a0aa68335bce1133736262d2.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1664
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z2770023.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z2770023.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:1828
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z8876881.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z8876881.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:1776
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z8950472.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z8950472.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:4960
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\r3673928.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\r3673928.exe
        5⤵
        Modifies Windows Defender Real-time Protection settings
        Executes dropped EXE
        Windows security modification
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4472
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4472 -s 1092
        6⤵
        Program crash
        
        PID:2936
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\s9101467.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\s9101467.exe
        5⤵
        Executes dropped EXE
        
        PID:1940
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\t2459678.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\t2459678.exe
      4⤵
      Executes dropped EXE
      PID:3992

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 4472 -ip 4472
1⤵
PID:1684

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z2770023.exe

Filesize
775KB

MD5
7868bf0b799217886a8fc758dd83106e

SHA1
e1b09cb3d3c4c9b31682028d63bb6152ef7db7a7

SHA256
1bf41171ee8acc730f525eeecb571fe2bfa62cfe3a4f897dede364e60aabb2f4

SHA512
22f8f76fd315e15eef1ade31f70f27aa587c176329419c8cdff8182317c6972e37d172affe6c4a1f12b5b0c8771bf045ec09f34cef133b545b1746deb22bf6f6

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z2770023.exe

Filesize
775KB

MD5
7868bf0b799217886a8fc758dd83106e

SHA1
e1b09cb3d3c4c9b31682028d63bb6152ef7db7a7

SHA256
1bf41171ee8acc730f525eeecb571fe2bfa62cfe3a4f897dede364e60aabb2f4

SHA512
22f8f76fd315e15eef1ade31f70f27aa587c176329419c8cdff8182317c6972e37d172affe6c4a1f12b5b0c8771bf045ec09f34cef133b545b1746deb22bf6f6

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z8876881.exe

Filesize
549KB

MD5
43f208135fdd2a24238f75dbeb3632e3

SHA1
fbe5e6574e6287722a12a1d3c57bf50d9f020c15

SHA256
48727e0f59f03e1a03da9e8482eaa3e8d319d3b4023d7fca9db5e9ce346cd9e2

SHA512
36950a9cb5f31373681fe1afa4f318dd76d8421f07acd86f5b8f9970ecf35be0adc0842933a3112e5aa93ef978cbd5a335e3f598fbaac2403150220481d44f33

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z8876881.exe

Filesize
549KB

MD5
43f208135fdd2a24238f75dbeb3632e3

SHA1
fbe5e6574e6287722a12a1d3c57bf50d9f020c15

SHA256
48727e0f59f03e1a03da9e8482eaa3e8d319d3b4023d7fca9db5e9ce346cd9e2

SHA512
36950a9cb5f31373681fe1afa4f318dd76d8421f07acd86f5b8f9970ecf35be0adc0842933a3112e5aa93ef978cbd5a335e3f598fbaac2403150220481d44f33

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\t2459678.exe

Filesize
174KB

MD5
2873b8b66a547327aef437fc48099ffd

SHA1
7fb523346dc975c538e5d27b1cd657c39b267d42

SHA256
d1cad7ca6edfcb9fccce2ef66023d1b652c6adcfc5ec6589034876e9d754d6ff

SHA512
c73ce31d8b4a7ff4f44f5cef0789afe12a0942cb59e9d6d5fe0797923f27afad59572eadeb6905672a3d7b27fe75316eac5d76714ecc4da74f014c6ec23a80e7

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\t2459678.exe

Filesize
174KB

MD5
2873b8b66a547327aef437fc48099ffd

SHA1
7fb523346dc975c538e5d27b1cd657c39b267d42

SHA256
d1cad7ca6edfcb9fccce2ef66023d1b652c6adcfc5ec6589034876e9d754d6ff

SHA512
c73ce31d8b4a7ff4f44f5cef0789afe12a0942cb59e9d6d5fe0797923f27afad59572eadeb6905672a3d7b27fe75316eac5d76714ecc4da74f014c6ec23a80e7

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z8950472.exe

Filesize
392KB

MD5
99998c816ba10deb4b556dcc059de313

SHA1
75c7dda2db481959841c7042d7c8c991d61cea83

SHA256
7fd0e790f1b1ef401e00bc0c9f6a839294a1224b5586df59ee4ac1d0c7676f39

SHA512
1504fd237c5303f07b1f417ebbe60662bb1bcb656f166eb7e371352633b154474bea23b18990187f9ffa8592d820fd8d823a61946beca3ab81c59c8daf3838af

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z8950472.exe

Filesize
392KB

MD5
99998c816ba10deb4b556dcc059de313

SHA1
75c7dda2db481959841c7042d7c8c991d61cea83

SHA256
7fd0e790f1b1ef401e00bc0c9f6a839294a1224b5586df59ee4ac1d0c7676f39

SHA512
1504fd237c5303f07b1f417ebbe60662bb1bcb656f166eb7e371352633b154474bea23b18990187f9ffa8592d820fd8d823a61946beca3ab81c59c8daf3838af

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\r3673928.exe

Filesize
273KB

MD5
9f2cf727714c138f749611a540848a9d

SHA1
9a7b8020168557e8d5de34ed0605b416f28424ef

SHA256
32772a3bc8dc86ce487c79f0e90e7c4799e23866e6006a36ef8b81fd12a7b1d8

SHA512
e7f195d5ebad65dea3a3d43efdfc3b4693109f76f16c698ebb9c02f04aa400d217116b49426e6ef821f0689d7c2df32d1438e1dfe2e48a33ab2cd6bf494fcc8a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\r3673928.exe

Filesize
273KB

MD5
9f2cf727714c138f749611a540848a9d

SHA1
9a7b8020168557e8d5de34ed0605b416f28424ef

SHA256
32772a3bc8dc86ce487c79f0e90e7c4799e23866e6006a36ef8b81fd12a7b1d8

SHA512
e7f195d5ebad65dea3a3d43efdfc3b4693109f76f16c698ebb9c02f04aa400d217116b49426e6ef821f0689d7c2df32d1438e1dfe2e48a33ab2cd6bf494fcc8a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\s9101467.exe

Filesize
140KB

MD5
8d5f17011509ea2a6f1334430c6fa664

SHA1
dcae78973384c3b600af0f4c045b61cf62310907

SHA256
566508cf56b529db924eeb1f99e33d7281088ec66655242fd5136ce4a25892ea

SHA512
6e8f05ae41a27e865281819981aca8f5d2af9d4f86c089ca413db88bb4811504f19c7a2ed87698c91b8ba77aeb3752172064757591efed097f4ff250d18e27da

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\s9101467.exe

Filesize
140KB

MD5
8d5f17011509ea2a6f1334430c6fa664

SHA1
dcae78973384c3b600af0f4c045b61cf62310907

SHA256
566508cf56b529db924eeb1f99e33d7281088ec66655242fd5136ce4a25892ea

SHA512
6e8f05ae41a27e865281819981aca8f5d2af9d4f86c089ca413db88bb4811504f19c7a2ed87698c91b8ba77aeb3752172064757591efed097f4ff250d18e27da

Download Submit
memory/3992-220-0x0000000005370000-0x0000000005380000-memory.dmp

Filesize
64KB

Download
memory/3992-219-0x0000000074100000-0x00000000748B0000-memory.dmp

Filesize
7.7MB

Download
memory/3992-218-0x00000000054C0000-0x00000000054FC000-memory.dmp

Filesize
240KB

Download
memory/3992-217-0x0000000005340000-0x0000000005352000-memory.dmp

Filesize
72KB

Download
memory/3992-216-0x0000000005370000-0x0000000005380000-memory.dmp

Filesize
64KB

Download
memory/3992-215-0x0000000005590000-0x000000000569A000-memory.dmp

Filesize
1.0MB

Download
memory/3992-214-0x0000000005AA0000-0x00000000060B8000-memory.dmp

Filesize
6.1MB

Download
memory/3992-213-0x0000000074100000-0x00000000748B0000-memory.dmp

Filesize
7.7MB

Download
memory/3992-212-0x0000000000980000-0x00000000009B0000-memory.dmp

Filesize
192KB

Download
memory/4472-177-0x0000000005E90000-0x0000000005EA6000-memory.dmp

Filesize
88KB

Download
memory/4472-198-0x0000000000400000-0x00000000018C1000-memory.dmp

Filesize
20.8MB

Download
memory/4472-175-0x0000000005E90000-0x0000000005EA6000-memory.dmp

Filesize
88KB

Download
memory/4472-171-0x0000000005E90000-0x0000000005EA6000-memory.dmp

Filesize
88KB

Download
memory/4472-179-0x0000000005E90000-0x0000000005EA6000-memory.dmp

Filesize
88KB

Download
memory/4472-181-0x0000000005E90000-0x0000000005EA6000-memory.dmp

Filesize
88KB

Download
memory/4472-183-0x0000000005E90000-0x0000000005EA6000-memory.dmp

Filesize
88KB

Download
memory/4472-185-0x0000000005E90000-0x0000000005EA6000-memory.dmp

Filesize
88KB

Download
memory/4472-187-0x0000000005E90000-0x0000000005EA6000-memory.dmp

Filesize
88KB

Download
memory/4472-189-0x0000000005E90000-0x0000000005EA6000-memory.dmp

Filesize
88KB

Download
memory/4472-191-0x0000000005E90000-0x0000000005EA6000-memory.dmp

Filesize
88KB

Download
memory/4472-193-0x0000000005E90000-0x0000000005EA6000-memory.dmp

Filesize
88KB

Download
memory/4472-195-0x0000000005E90000-0x0000000005EA6000-memory.dmp

Filesize
88KB

Download
memory/4472-196-0x0000000003290000-0x00000000032B1000-memory.dmp

Filesize
132KB

Download
memory/4472-197-0x00000000032C0000-0x00000000032EF000-memory.dmp

Filesize
188KB

Download
memory/4472-173-0x0000000005E90000-0x0000000005EA6000-memory.dmp

Filesize
88KB

Download
memory/4472-200-0x0000000073FB0000-0x0000000074760000-memory.dmp

Filesize
7.7MB

Download
memory/4472-169-0x0000000005E90000-0x0000000005EA6000-memory.dmp

Filesize
88KB

Download
memory/4472-168-0x0000000005E90000-0x0000000005EA6000-memory.dmp

Filesize
88KB

Download
memory/4472-167-0x0000000006060000-0x0000000006604000-memory.dmp

Filesize
5.6MB

Download
memory/4472-166-0x0000000006050000-0x0000000006060000-memory.dmp

Filesize
64KB

Download
memory/4472-165-0x0000000006050000-0x0000000006060000-memory.dmp

Filesize
64KB

Download
memory/4472-164-0x0000000073FB0000-0x0000000074760000-memory.dmp

Filesize
7.7MB

Download
memory/4472-163-0x0000000000400000-0x00000000018C1000-memory.dmp

Filesize
20.8MB

Download
memory/4472-162-0x00000000032C0000-0x00000000032EF000-memory.dmp

Filesize
188KB

Download
memory/4472-161-0x0000000003290000-0x00000000032B1000-memory.dmp

Filesize
132KB

Download
memory/4472-201-0x0000000006050000-0x0000000006060000-memory.dmp

Filesize
64KB

Download
memory/4472-202-0x0000000006050000-0x0000000006060000-memory.dmp

Filesize
64KB

Download
memory/4472-204-0x0000000000400000-0x00000000018C1000-memory.dmp

Filesize
20.8MB

Download
memory/4472-205-0x0000000073FB0000-0x0000000074760000-memory.dmp

Filesize
7.7MB

Download