redline | 92a3d02de3d565d66a741a56571f96c5317ad26eb276d5f0f61d08a460e461a4

Analysis

max time kernel
125s
max time network
143s
platform
windows10-1703_x64
resource
win10-20230703-en
resource tags

arch:x64arch:x86image:win10-20230703-enlocale:en-usos:windows10-1703-x64system
submitted
19-08-2023 14:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

92a3d02de3d565d66a741a56571f96c5317ad26eb276d5f0f61d08a460e461a4.exe
Size

1013KB
MD5

c5f74e9fc0d13d755b4f7a717e4df9db
SHA1

7fbddd16c96fd2ab4b591d0f1d769044955a517e
SHA256

92a3d02de3d565d66a741a56571f96c5317ad26eb276d5f0f61d08a460e461a4
SHA512

4116f2766fa0a5947a704b2f1fcba0f395f9ba07f25b2a41e59f27e5616d75a08db4f8c9a3328866010b4a21f960557bc3b9c87c0425d007c1376762c9fc9bf9
SSDEEP

24576:SyotZnvEVZMZxFzeoNoHXQgBaADY5ANJ8WkLu5z339WdV:5csVZNgo3fB05AN/5z3tW

Score

10^/10

redline jonka evasion infostealer persistence trojan

Malware Config

Extracted

Family

redline

Botnet

jonka

77.91.124.73:19071

Attributes

auth_value
c95bc30cd252fa6dff2a19fd78bfab4e

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs 5 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	a9557190.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	a9557190.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	a9557190.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	a9557190.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	a9557190.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Executes dropped EXE 7 IoCs

pid	Process
4812	v5817126.exe
2364	v7348554.exe
4572	v2891111.exe
2276	v9984553.exe
4172	a9557190.exe
3668	b9232342.exe
704	c1743446.exe

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	a9557190.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	a9557190.exe

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\""	v9984553.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	92a3d02de3d565d66a741a56571f96c5317ad26eb276d5f0f61d08a460e461a4.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	v5817126.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	v7348554.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	v2891111.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4172	a9557190.exe
4172	a9557190.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4172	a9557190.exe

Suspicious use of WriteProcessMemory 21 IoCs

description	pid	Process	procid_target
PID 4980 wrote to memory of 4812	4980	92a3d02de3d565d66a741a56571f96c5317ad26eb276d5f0f61d08a460e461a4.exe	70
PID 4980 wrote to memory of 4812	4980	92a3d02de3d565d66a741a56571f96c5317ad26eb276d5f0f61d08a460e461a4.exe	70
PID 4980 wrote to memory of 4812	4980	92a3d02de3d565d66a741a56571f96c5317ad26eb276d5f0f61d08a460e461a4.exe	70
PID 4812 wrote to memory of 2364	4812	v5817126.exe	71
PID 4812 wrote to memory of 2364	4812	v5817126.exe	71
PID 4812 wrote to memory of 2364	4812	v5817126.exe	71
PID 2364 wrote to memory of 4572	2364	v7348554.exe	72
PID 2364 wrote to memory of 4572	2364	v7348554.exe	72
PID 2364 wrote to memory of 4572	2364	v7348554.exe	72
PID 4572 wrote to memory of 2276	4572	v2891111.exe	73
PID 4572 wrote to memory of 2276	4572	v2891111.exe	73
PID 4572 wrote to memory of 2276	4572	v2891111.exe	73
PID 2276 wrote to memory of 4172	2276	v9984553.exe	74
PID 2276 wrote to memory of 4172	2276	v9984553.exe	74
PID 2276 wrote to memory of 4172	2276	v9984553.exe	74
PID 2276 wrote to memory of 3668	2276	v9984553.exe	75
PID 2276 wrote to memory of 3668	2276	v9984553.exe	75
PID 2276 wrote to memory of 3668	2276	v9984553.exe	75
PID 4572 wrote to memory of 704	4572	v2891111.exe	76
PID 4572 wrote to memory of 704	4572	v2891111.exe	76
PID 4572 wrote to memory of 704	4572	v2891111.exe	76

C:\Users\Admin\AppData\Local\Temp\92a3d02de3d565d66a741a56571f96c5317ad26eb276d5f0f61d08a460e461a4.exe
"C:\Users\Admin\AppData\Local\Temp\92a3d02de3d565d66a741a56571f96c5317ad26eb276d5f0f61d08a460e461a4.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4980
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v5817126.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v5817126.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:4812
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v7348554.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v7348554.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:2364
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v2891111.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v2891111.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:4572
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v9984553.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v9984553.exe
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of WriteProcessMemory
        
        PID:2276
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a9557190.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a9557190.exe
        6⤵
        Modifies Windows Defender Real-time Protection settings
        Executes dropped EXE
        Windows security modification
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4172
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b9232342.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b9232342.exe
        6⤵
        Executes dropped EXE
        
        PID:3668
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c1743446.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c1743446.exe
        5⤵
        Executes dropped EXE
        
        PID:704

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v5817126.exe

Filesize
898KB

MD5
fdadb11ef083bf295400525672de4193

SHA1
12a680873c7e098fc3cc1fd1950f9e96df4f9865

SHA256
a1493a3aef384408fb102248f13aa3232457e46383563e2adbf2bf504c8c4604

SHA512
2e66363ceaa18e6c55f2222d33ffcb8a4e73f9f48c36c1937047a358eb0bbf7482e7f930628161dc848c829fdaa5961df6470db65f1769c38bf24ffa81098b72

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v5817126.exe

Filesize
898KB

MD5
fdadb11ef083bf295400525672de4193

SHA1
12a680873c7e098fc3cc1fd1950f9e96df4f9865

SHA256
a1493a3aef384408fb102248f13aa3232457e46383563e2adbf2bf504c8c4604

SHA512
2e66363ceaa18e6c55f2222d33ffcb8a4e73f9f48c36c1937047a358eb0bbf7482e7f930628161dc848c829fdaa5961df6470db65f1769c38bf24ffa81098b72

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v7348554.exe

Filesize
672KB

MD5
9b12fcc21abb947bc857ecdc7c88ed79

SHA1
50312c3616557fdb47076c201111daa895b44467

SHA256
c7f82b2f5357471b8694a2ffd5ad1461bc3e1cc697f78f6b6b1e6a343b37b596

SHA512
58fd94618b0845f3b5cbfe9c50f3a6ba7f210f622eb467544dd1be8f1a4e26f0c6373c915583bbf9c9cfe31774e53267fd2d0db5418d8018f12b333ba90d0164

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v7348554.exe

Filesize
672KB

MD5
9b12fcc21abb947bc857ecdc7c88ed79

SHA1
50312c3616557fdb47076c201111daa895b44467

SHA256
c7f82b2f5357471b8694a2ffd5ad1461bc3e1cc697f78f6b6b1e6a343b37b596

SHA512
58fd94618b0845f3b5cbfe9c50f3a6ba7f210f622eb467544dd1be8f1a4e26f0c6373c915583bbf9c9cfe31774e53267fd2d0db5418d8018f12b333ba90d0164

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v2891111.exe

Filesize
547KB

MD5
17fa57c46e30918b354e0cdb80fa2d76

SHA1
5b25ffa46a55a4df271a4dd44d0ed124c1b7b3a4

SHA256
933e05241fc1f7298764f8e5367998862a517c429352382508ba44593c4ca710

SHA512
2afba2a3f8526f1104fd1c27ba0b767c8c5e33785aa2e5f652d992aba0bb30c48c2053159d46fe594bedb6f64b276d4fecb023c98c6284ccf15ff7e07781077c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v2891111.exe

Filesize
547KB

MD5
17fa57c46e30918b354e0cdb80fa2d76

SHA1
5b25ffa46a55a4df271a4dd44d0ed124c1b7b3a4

SHA256
933e05241fc1f7298764f8e5367998862a517c429352382508ba44593c4ca710

SHA512
2afba2a3f8526f1104fd1c27ba0b767c8c5e33785aa2e5f652d992aba0bb30c48c2053159d46fe594bedb6f64b276d4fecb023c98c6284ccf15ff7e07781077c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c1743446.exe

Filesize
174KB

MD5
2873b8b66a547327aef437fc48099ffd

SHA1
7fb523346dc975c538e5d27b1cd657c39b267d42

SHA256
d1cad7ca6edfcb9fccce2ef66023d1b652c6adcfc5ec6589034876e9d754d6ff

SHA512
c73ce31d8b4a7ff4f44f5cef0789afe12a0942cb59e9d6d5fe0797923f27afad59572eadeb6905672a3d7b27fe75316eac5d76714ecc4da74f014c6ec23a80e7

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c1743446.exe

Filesize
174KB

MD5
2873b8b66a547327aef437fc48099ffd

SHA1
7fb523346dc975c538e5d27b1cd657c39b267d42

SHA256
d1cad7ca6edfcb9fccce2ef66023d1b652c6adcfc5ec6589034876e9d754d6ff

SHA512
c73ce31d8b4a7ff4f44f5cef0789afe12a0942cb59e9d6d5fe0797923f27afad59572eadeb6905672a3d7b27fe75316eac5d76714ecc4da74f014c6ec23a80e7

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v9984553.exe

Filesize
391KB

MD5
571c00be7b9cbfcdcee50fd15ad7f21f

SHA1
14a84fdb23d030a3fafbb14b159f0d58501c7189

SHA256
9e93b1f5db93155fd97d419f698c5dd4210e4a01b1aa8a841c6e5540c277fe1d

SHA512
8e047739a2c25f3feb3efc885d5651201685fde7d29762f4eb2bca1344a4953dee8e5f68ab525f8389eb1101750dd8465b4af392e7421b687f0bd3c4dd9e7f7e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v9984553.exe

Filesize
391KB

MD5
571c00be7b9cbfcdcee50fd15ad7f21f

SHA1
14a84fdb23d030a3fafbb14b159f0d58501c7189

SHA256
9e93b1f5db93155fd97d419f698c5dd4210e4a01b1aa8a841c6e5540c277fe1d

SHA512
8e047739a2c25f3feb3efc885d5651201685fde7d29762f4eb2bca1344a4953dee8e5f68ab525f8389eb1101750dd8465b4af392e7421b687f0bd3c4dd9e7f7e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a9557190.exe

Filesize
268KB

MD5
8790fb715f1a652c4d549a98533bda82

SHA1
1308b9102bb330dcf40f5fddedc15332cb434e68

SHA256
4779838631e661f0c609646b52c0429c82f952c99b28103ed05fcffc778782f7

SHA512
249a214dee583b10d6303330aff421cbb73e92e9fdb05cbffbb52635ca17f21e2ab13fa06dcb578bd9a158353e5212f356d4aae4832dd1ebe891abf7a51a64b4

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a9557190.exe

Filesize
268KB

MD5
8790fb715f1a652c4d549a98533bda82

SHA1
1308b9102bb330dcf40f5fddedc15332cb434e68

SHA256
4779838631e661f0c609646b52c0429c82f952c99b28103ed05fcffc778782f7

SHA512
249a214dee583b10d6303330aff421cbb73e92e9fdb05cbffbb52635ca17f21e2ab13fa06dcb578bd9a158353e5212f356d4aae4832dd1ebe891abf7a51a64b4

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b9232342.exe

Filesize
140KB

MD5
04cba969879eb44387e53ed42f474ffc

SHA1
5232c20370e125f0bb1f5bdd858253f492125483

SHA256
119c842d3037762fc6de08df5927d13b70055dcbaa9b08813b8b699cca05ae4a

SHA512
946da0fc06917a482c0fa41af6706dcf1a87ff926c3a765e4bb9bc90479bc682ea16d325cf66877505514b5a5e2f08e700bfa5a050fc986b76e4163370672dc8

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b9232342.exe

Filesize
140KB

MD5
04cba969879eb44387e53ed42f474ffc

SHA1
5232c20370e125f0bb1f5bdd858253f492125483

SHA256
119c842d3037762fc6de08df5927d13b70055dcbaa9b08813b8b699cca05ae4a

SHA512
946da0fc06917a482c0fa41af6706dcf1a87ff926c3a765e4bb9bc90479bc682ea16d325cf66877505514b5a5e2f08e700bfa5a050fc986b76e4163370672dc8

Download Submit
memory/704-203-0x0000000000F80000-0x0000000000FB0000-memory.dmp

Filesize
192KB

Download
memory/704-211-0x0000000073630000-0x0000000073D1E000-memory.dmp

Filesize
6.9MB

Download
memory/704-210-0x000000000AFE0000-0x000000000B02B000-memory.dmp

Filesize
300KB

Download
memory/704-209-0x000000000AE60000-0x000000000AE9E000-memory.dmp

Filesize
248KB

Download
memory/704-208-0x000000000AE00000-0x000000000AE12000-memory.dmp

Filesize
72KB

Download
memory/704-207-0x000000000AED0000-0x000000000AFDA000-memory.dmp

Filesize
1.0MB

Download
memory/704-206-0x000000000B390000-0x000000000B996000-memory.dmp

Filesize
6.0MB

Download
memory/704-204-0x0000000073630000-0x0000000073D1E000-memory.dmp

Filesize
6.9MB

Download
memory/704-205-0x0000000001800000-0x0000000001806000-memory.dmp

Filesize
24KB

Download
memory/4172-165-0x0000000005E20000-0x0000000005E36000-memory.dmp

Filesize
88KB

Download
memory/4172-189-0x0000000005E20000-0x0000000005E36000-memory.dmp

Filesize
88KB

Download
memory/4172-167-0x0000000005E20000-0x0000000005E36000-memory.dmp

Filesize
88KB

Download
memory/4172-169-0x0000000005E20000-0x0000000005E36000-memory.dmp

Filesize
88KB

Download
memory/4172-171-0x0000000005E20000-0x0000000005E36000-memory.dmp

Filesize
88KB

Download
memory/4172-173-0x0000000005E20000-0x0000000005E36000-memory.dmp

Filesize
88KB

Download
memory/4172-175-0x0000000005E20000-0x0000000005E36000-memory.dmp

Filesize
88KB

Download
memory/4172-177-0x0000000005E20000-0x0000000005E36000-memory.dmp

Filesize
88KB

Download
memory/4172-179-0x0000000005E20000-0x0000000005E36000-memory.dmp

Filesize
88KB

Download
memory/4172-181-0x0000000005E20000-0x0000000005E36000-memory.dmp

Filesize
88KB

Download
memory/4172-183-0x0000000005E20000-0x0000000005E36000-memory.dmp

Filesize
88KB

Download
memory/4172-185-0x0000000005E20000-0x0000000005E36000-memory.dmp

Filesize
88KB

Download
memory/4172-187-0x0000000005E20000-0x0000000005E36000-memory.dmp

Filesize
88KB

Download
memory/4172-163-0x0000000005E20000-0x0000000005E36000-memory.dmp

Filesize
88KB

Download
memory/4172-190-0x00000000019D0000-0x00000000019F2000-memory.dmp

Filesize
136KB

Download
memory/4172-162-0x0000000005E20000-0x0000000005E36000-memory.dmp

Filesize
88KB

Download
memory/4172-161-0x0000000005E20000-0x0000000005E3C000-memory.dmp

Filesize
112KB

Download
memory/4172-160-0x0000000005F80000-0x000000000647E000-memory.dmp

Filesize
5.0MB

Download
memory/4172-159-0x00000000734E0000-0x0000000073BCE000-memory.dmp

Filesize
6.9MB

Download
memory/4172-157-0x0000000003570000-0x000000000358E000-memory.dmp

Filesize
120KB

Download
memory/4172-158-0x0000000000400000-0x00000000018C0000-memory.dmp

Filesize
20.8MB

Download
memory/4172-156-0x0000000001A00000-0x0000000001A2F000-memory.dmp

Filesize
188KB

Download
memory/4172-155-0x00000000019D0000-0x00000000019F2000-memory.dmp

Filesize
136KB

Download
memory/4172-191-0x0000000000400000-0x00000000018C0000-memory.dmp

Filesize
20.8MB

Download
memory/4172-192-0x0000000001A00000-0x0000000001A2F000-memory.dmp

Filesize
188KB

Download
memory/4172-193-0x00000000734E0000-0x0000000073BCE000-memory.dmp

Filesize
6.9MB

Download
memory/4172-195-0x0000000000400000-0x00000000018C0000-memory.dmp

Filesize
20.8MB

Download
memory/4172-196-0x00000000734E0000-0x0000000073BCE000-memory.dmp

Filesize
6.9MB

Download