redline | 3ff1c62ec3950b969a4d744d73e4e7be76383467c51cd85f7120208791fbe418

Analysis

max time kernel
148s
max time network
153s
platform
windows10-1703_x64
resource
win10-20230703-en
resource tags

arch:x64arch:x86image:win10-20230703-enlocale:en-usos:windows10-1703-x64system
submitted
20/08/2023, 04:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3ff1c62ec3950b969a4d744d73e4e7be76383467c51cd85f7120208791fbe418.exe
Size

891KB
MD5

ec18c7ffab3f686f933f7944183c43bc
SHA1

ac0654feb53d3b7a209907464207fa0fd1db7d51
SHA256

3ff1c62ec3950b969a4d744d73e4e7be76383467c51cd85f7120208791fbe418
SHA512

f6c0bfedfdf2c1e3dbf55b75895b4b5ef9b9b4566a67bab2256b63666b3f071f2e9f6704e563c92b4210313bc42cf81521bc9ae9699f55acbdd2c446787b84c8
SSDEEP

24576:dycvvhozeRkzul7kz84WJnWVtIy3SpmyZ0i38:4QYzFzsWfI2VyWi

Score

10^/10

redline jonka evasion infostealer persistence trojan

Malware Config

Extracted

Family

redline

Botnet

jonka

77.91.124.73:19071

Attributes

auth_value
c95bc30cd252fa6dff2a19fd78bfab4e

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs 5 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	r3952782.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	r3952782.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	r3952782.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	r3952782.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	r3952782.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Executes dropped EXE 6 IoCs

pid	Process
1140	z9999224.exe
2896	z6854840.exe
1172	z4383241.exe
3816	r3952782.exe
1824	s9807295.exe
3996	t2853830.exe

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	r3952782.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	r3952782.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	3ff1c62ec3950b969a4d744d73e4e7be76383467c51cd85f7120208791fbe418.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	z9999224.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	z6854840.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	z4383241.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
3816	r3952782.exe
3816	r3952782.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	3816	r3952782.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 3628 wrote to memory of 1140	3628	3ff1c62ec3950b969a4d744d73e4e7be76383467c51cd85f7120208791fbe418.exe	69
PID 3628 wrote to memory of 1140	3628	3ff1c62ec3950b969a4d744d73e4e7be76383467c51cd85f7120208791fbe418.exe	69
PID 3628 wrote to memory of 1140	3628	3ff1c62ec3950b969a4d744d73e4e7be76383467c51cd85f7120208791fbe418.exe	69
PID 1140 wrote to memory of 2896	1140	z9999224.exe	70
PID 1140 wrote to memory of 2896	1140	z9999224.exe	70
PID 1140 wrote to memory of 2896	1140	z9999224.exe	70
PID 2896 wrote to memory of 1172	2896	z6854840.exe	71
PID 2896 wrote to memory of 1172	2896	z6854840.exe	71
PID 2896 wrote to memory of 1172	2896	z6854840.exe	71
PID 1172 wrote to memory of 3816	1172	z4383241.exe	72
PID 1172 wrote to memory of 3816	1172	z4383241.exe	72
PID 1172 wrote to memory of 3816	1172	z4383241.exe	72
PID 1172 wrote to memory of 1824	1172	z4383241.exe	73
PID 1172 wrote to memory of 1824	1172	z4383241.exe	73
PID 1172 wrote to memory of 1824	1172	z4383241.exe	73
PID 2896 wrote to memory of 3996	2896	z6854840.exe	74
PID 2896 wrote to memory of 3996	2896	z6854840.exe	74
PID 2896 wrote to memory of 3996	2896	z6854840.exe	74

C:\Users\Admin\AppData\Local\Temp\3ff1c62ec3950b969a4d744d73e4e7be76383467c51cd85f7120208791fbe418.exe
"C:\Users\Admin\AppData\Local\Temp\3ff1c62ec3950b969a4d744d73e4e7be76383467c51cd85f7120208791fbe418.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3628
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z9999224.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z9999224.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:1140
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z6854840.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z6854840.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:2896
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z4383241.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z4383241.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:1172
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\r3952782.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\r3952782.exe
        5⤵
        Modifies Windows Defender Real-time Protection settings
        Executes dropped EXE
        Windows security modification
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3816
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\s9807295.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\s9807295.exe
        5⤵
        Executes dropped EXE
        
        PID:1824
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\t2853830.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\t2853830.exe
      4⤵
      Executes dropped EXE
      PID:3996

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z9999224.exe

Filesize
775KB

MD5
90a0ee46c1489787e3b4d1582bacbfa9

SHA1
c715a2e0b7b8c53b6e1e164528570951aa96c7b0

SHA256
e8d142573569d171a764af25a7910e528280679d981c49cbb6af08f713f34d30

SHA512
76745c8904a5e956ecdc7fa3f95830a6ac24723f4dd0ba9fb4dffac058281df3fd024bf66576ea64488d3f3c17ef36957e1e3c67a00e9946a260511030b992d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z9999224.exe

Filesize
775KB

MD5
90a0ee46c1489787e3b4d1582bacbfa9

SHA1
c715a2e0b7b8c53b6e1e164528570951aa96c7b0

SHA256
e8d142573569d171a764af25a7910e528280679d981c49cbb6af08f713f34d30

SHA512
76745c8904a5e956ecdc7fa3f95830a6ac24723f4dd0ba9fb4dffac058281df3fd024bf66576ea64488d3f3c17ef36957e1e3c67a00e9946a260511030b992d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z6854840.exe

Filesize
549KB

MD5
c90464351e4c119d7f92c54aed29f875

SHA1
36b18e61f0e24d7a7f8bf808af70dc7087df4f93

SHA256
97e25c70ec51b15bfa52bffb07f793a7eea3f028dd9a7c3ee254010a4d9299d9

SHA512
6fb016f436750144d92ecceb8442da5c40205fd3a574c1a247ed8ddbe22a0b80498baa7f2455ed29701aaa9c6390ee9afd5c1484d5bc5ac01026af1c4449b6cd

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z6854840.exe

Filesize
549KB

MD5
c90464351e4c119d7f92c54aed29f875

SHA1
36b18e61f0e24d7a7f8bf808af70dc7087df4f93

SHA256
97e25c70ec51b15bfa52bffb07f793a7eea3f028dd9a7c3ee254010a4d9299d9

SHA512
6fb016f436750144d92ecceb8442da5c40205fd3a574c1a247ed8ddbe22a0b80498baa7f2455ed29701aaa9c6390ee9afd5c1484d5bc5ac01026af1c4449b6cd

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\t2853830.exe

Filesize
174KB

MD5
2873b8b66a547327aef437fc48099ffd

SHA1
7fb523346dc975c538e5d27b1cd657c39b267d42

SHA256
d1cad7ca6edfcb9fccce2ef66023d1b652c6adcfc5ec6589034876e9d754d6ff

SHA512
c73ce31d8b4a7ff4f44f5cef0789afe12a0942cb59e9d6d5fe0797923f27afad59572eadeb6905672a3d7b27fe75316eac5d76714ecc4da74f014c6ec23a80e7

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\t2853830.exe

Filesize
174KB

MD5
2873b8b66a547327aef437fc48099ffd

SHA1
7fb523346dc975c538e5d27b1cd657c39b267d42

SHA256
d1cad7ca6edfcb9fccce2ef66023d1b652c6adcfc5ec6589034876e9d754d6ff

SHA512
c73ce31d8b4a7ff4f44f5cef0789afe12a0942cb59e9d6d5fe0797923f27afad59572eadeb6905672a3d7b27fe75316eac5d76714ecc4da74f014c6ec23a80e7

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z4383241.exe

Filesize
392KB

MD5
a5b3c40be2a3a486820791df94ca634f

SHA1
4ae8b2fd8e82d23ff7d0125784988225ddbf4645

SHA256
745fc9929e6a8b80ae998c7ab844c1693395e77076533217165ce5f830e8368b

SHA512
db805ea1bd3b985efe95f781c32eaf95ae83acdfbb1212a90517bfd02415c9743182790c3395a9d3294d6473d11e3b2f17c205312b6e34d9688932ed3d0fe484

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z4383241.exe

Filesize
392KB

MD5
a5b3c40be2a3a486820791df94ca634f

SHA1
4ae8b2fd8e82d23ff7d0125784988225ddbf4645

SHA256
745fc9929e6a8b80ae998c7ab844c1693395e77076533217165ce5f830e8368b

SHA512
db805ea1bd3b985efe95f781c32eaf95ae83acdfbb1212a90517bfd02415c9743182790c3395a9d3294d6473d11e3b2f17c205312b6e34d9688932ed3d0fe484

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\r3952782.exe

Filesize
273KB

MD5
9d143ec0db16baf8c61c32277230b50d

SHA1
1bff87adec4126cf978f5675fbb57b3cb1ad3252

SHA256
a4ca64d8e202003abb8267a5926f4f724e2f39c9a1733d3afd7d7389857104e6

SHA512
de12a5d7f8d52728ed81231efd42607d09cbb1f75df6bb2a77924e035238feed983e784592c7c923862c1bd215e111fd05392c74adbe62d46c07f7a1174872dc

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\r3952782.exe

Filesize
273KB

MD5
9d143ec0db16baf8c61c32277230b50d

SHA1
1bff87adec4126cf978f5675fbb57b3cb1ad3252

SHA256
a4ca64d8e202003abb8267a5926f4f724e2f39c9a1733d3afd7d7389857104e6

SHA512
de12a5d7f8d52728ed81231efd42607d09cbb1f75df6bb2a77924e035238feed983e784592c7c923862c1bd215e111fd05392c74adbe62d46c07f7a1174872dc

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\s9807295.exe

Filesize
140KB

MD5
8d5f17011509ea2a6f1334430c6fa664

SHA1
dcae78973384c3b600af0f4c045b61cf62310907

SHA256
566508cf56b529db924eeb1f99e33d7281088ec66655242fd5136ce4a25892ea

SHA512
6e8f05ae41a27e865281819981aca8f5d2af9d4f86c089ca413db88bb4811504f19c7a2ed87698c91b8ba77aeb3752172064757591efed097f4ff250d18e27da

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\s9807295.exe

Filesize
140KB

MD5
8d5f17011509ea2a6f1334430c6fa664

SHA1
dcae78973384c3b600af0f4c045b61cf62310907

SHA256
566508cf56b529db924eeb1f99e33d7281088ec66655242fd5136ce4a25892ea

SHA512
6e8f05ae41a27e865281819981aca8f5d2af9d4f86c089ca413db88bb4811504f19c7a2ed87698c91b8ba77aeb3752172064757591efed097f4ff250d18e27da

Download Submit
memory/3816-152-0x00000000732F0000-0x00000000739DE000-memory.dmp

Filesize
6.9MB

Download
memory/3816-184-0x0000000000400000-0x00000000018C1000-memory.dmp

Filesize
20.8MB

Download
memory/3816-154-0x00000000038A0000-0x00000000038BC000-memory.dmp

Filesize
112KB

Download
memory/3816-155-0x00000000038A0000-0x00000000038B6000-memory.dmp

Filesize
88KB

Download
memory/3816-156-0x00000000038A0000-0x00000000038B6000-memory.dmp

Filesize
88KB

Download
memory/3816-158-0x00000000038A0000-0x00000000038B6000-memory.dmp

Filesize
88KB

Download
memory/3816-160-0x00000000038A0000-0x00000000038B6000-memory.dmp

Filesize
88KB

Download
memory/3816-162-0x00000000038A0000-0x00000000038B6000-memory.dmp

Filesize
88KB

Download
memory/3816-164-0x00000000038A0000-0x00000000038B6000-memory.dmp

Filesize
88KB

Download
memory/3816-166-0x00000000038A0000-0x00000000038B6000-memory.dmp

Filesize
88KB

Download
memory/3816-168-0x00000000038A0000-0x00000000038B6000-memory.dmp

Filesize
88KB

Download
memory/3816-170-0x00000000038A0000-0x00000000038B6000-memory.dmp

Filesize
88KB

Download
memory/3816-172-0x00000000038A0000-0x00000000038B6000-memory.dmp

Filesize
88KB

Download
memory/3816-174-0x00000000038A0000-0x00000000038B6000-memory.dmp

Filesize
88KB

Download
memory/3816-176-0x00000000038A0000-0x00000000038B6000-memory.dmp

Filesize
88KB

Download
memory/3816-178-0x00000000038A0000-0x00000000038B6000-memory.dmp

Filesize
88KB

Download
memory/3816-180-0x00000000038A0000-0x00000000038B6000-memory.dmp

Filesize
88KB

Download
memory/3816-182-0x00000000038A0000-0x00000000038B6000-memory.dmp

Filesize
88KB

Download
memory/3816-183-0x00000000018D0000-0x00000000018F1000-memory.dmp

Filesize
132KB

Download
memory/3816-153-0x0000000005ED0000-0x00000000063CE000-memory.dmp

Filesize
5.0MB

Download
memory/3816-185-0x0000000001900000-0x000000000192F000-memory.dmp

Filesize
188KB

Download
memory/3816-186-0x00000000732F0000-0x00000000739DE000-memory.dmp

Filesize
6.9MB

Download
memory/3816-188-0x0000000000400000-0x00000000018C1000-memory.dmp

Filesize
20.8MB

Download
memory/3816-189-0x00000000732F0000-0x00000000739DE000-memory.dmp

Filesize
6.9MB

Download
memory/3816-150-0x0000000000400000-0x00000000018C1000-memory.dmp

Filesize
20.8MB

Download
memory/3816-151-0x0000000001C90000-0x0000000001CAE000-memory.dmp

Filesize
120KB

Download
memory/3816-149-0x0000000001900000-0x000000000192F000-memory.dmp

Filesize
188KB

Download
memory/3816-148-0x00000000018D0000-0x00000000018F1000-memory.dmp

Filesize
132KB

Download
memory/3996-196-0x0000000000630000-0x0000000000660000-memory.dmp

Filesize
192KB

Download
memory/3996-197-0x0000000073440000-0x0000000073B2E000-memory.dmp

Filesize
6.9MB

Download
memory/3996-198-0x0000000002640000-0x0000000002646000-memory.dmp

Filesize
24KB

Download
memory/3996-199-0x000000000AA20000-0x000000000B026000-memory.dmp

Filesize
6.0MB

Download
memory/3996-200-0x000000000A580000-0x000000000A68A000-memory.dmp

Filesize
1.0MB

Download
memory/3996-201-0x000000000A4B0000-0x000000000A4C2000-memory.dmp

Filesize
72KB

Download
memory/3996-202-0x000000000A510000-0x000000000A54E000-memory.dmp

Filesize
248KB

Download
memory/3996-203-0x000000000A690000-0x000000000A6DB000-memory.dmp

Filesize
300KB

Download
memory/3996-204-0x0000000073440000-0x0000000073B2E000-memory.dmp

Filesize
6.9MB

Download