redline | b249c5a0b1ee99e3060f19afdea7d28713c987ff458a27856e10a43567733f86

Analysis

max time kernel
139s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
20-08-2023 06:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b249c5a0b1ee99e3060f19afdea7d28713c987ff458a27856e10a43567733f86.exe
Size

890KB
MD5

4509d508c7b4caef11ae0774406fe581
SHA1

c75b89d4b2d895a2f260e5b0e545d9442e65736a
SHA256

b249c5a0b1ee99e3060f19afdea7d28713c987ff458a27856e10a43567733f86
SHA512

cca366cae7c2994db3d0688cc54ffdc5565fa1fb32a1600aac1e20b1811001cb158f9bfe2a72aefe511009761d915c9c74a90a1f8a6e28112b52f16e31f791e9
SSDEEP

24576:nyPfNFFFsIgYsS+tWFqysZH9zsSb9CvYQkVp:yPfNSYGAFDsZdz7b9C3

Score

10^/10

redline jonka evasion infostealer persistence trojan

Malware Config

Extracted

Family

redline

Botnet

jonka

77.91.124.73:19071

Attributes

auth_value
c95bc30cd252fa6dff2a19fd78bfab4e

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	r1570992.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	r1570992.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	r1570992.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	r1570992.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	r1570992.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	r1570992.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Executes dropped EXE 6 IoCs

pid	Process
4296	z8603568.exe
1428	z0416496.exe
1580	z3042818.exe
4636	r1570992.exe
4000	s3815134.exe
1132	t2515789.exe

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	r1570992.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	r1570992.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	b249c5a0b1ee99e3060f19afdea7d28713c987ff458a27856e10a43567733f86.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	z8603568.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	z0416496.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	z3042818.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1112	4636	WerFault.exe	83

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4636	r1570992.exe
4636	r1570992.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4636	r1570992.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 4168 wrote to memory of 4296	4168	b249c5a0b1ee99e3060f19afdea7d28713c987ff458a27856e10a43567733f86.exe	80
PID 4168 wrote to memory of 4296	4168	b249c5a0b1ee99e3060f19afdea7d28713c987ff458a27856e10a43567733f86.exe	80
PID 4168 wrote to memory of 4296	4168	b249c5a0b1ee99e3060f19afdea7d28713c987ff458a27856e10a43567733f86.exe	80
PID 4296 wrote to memory of 1428	4296	z8603568.exe	81
PID 4296 wrote to memory of 1428	4296	z8603568.exe	81
PID 4296 wrote to memory of 1428	4296	z8603568.exe	81
PID 1428 wrote to memory of 1580	1428	z0416496.exe	82
PID 1428 wrote to memory of 1580	1428	z0416496.exe	82
PID 1428 wrote to memory of 1580	1428	z0416496.exe	82
PID 1580 wrote to memory of 4636	1580	z3042818.exe	83
PID 1580 wrote to memory of 4636	1580	z3042818.exe	83
PID 1580 wrote to memory of 4636	1580	z3042818.exe	83
PID 1580 wrote to memory of 4000	1580	z3042818.exe	92
PID 1580 wrote to memory of 4000	1580	z3042818.exe	92
PID 1580 wrote to memory of 4000	1580	z3042818.exe	92
PID 1428 wrote to memory of 1132	1428	z0416496.exe	93
PID 1428 wrote to memory of 1132	1428	z0416496.exe	93
PID 1428 wrote to memory of 1132	1428	z0416496.exe	93

C:\Users\Admin\AppData\Local\Temp\b249c5a0b1ee99e3060f19afdea7d28713c987ff458a27856e10a43567733f86.exe
"C:\Users\Admin\AppData\Local\Temp\b249c5a0b1ee99e3060f19afdea7d28713c987ff458a27856e10a43567733f86.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4168
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z8603568.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z8603568.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:4296
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z0416496.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z0416496.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:1428
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z3042818.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z3042818.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:1580
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\r1570992.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\r1570992.exe
        5⤵
        Modifies Windows Defender Real-time Protection settings
        Executes dropped EXE
        Windows security modification
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4636
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4636 -s 1036
        6⤵
        Program crash
        
        PID:1112
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\s3815134.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\s3815134.exe
        5⤵
        Executes dropped EXE
        
        PID:4000
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\t2515789.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\t2515789.exe
      4⤵
      Executes dropped EXE
      PID:1132

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 4636 -ip 4636
1⤵
PID:620

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z8603568.exe

Filesize
774KB

MD5
14d5e3859ac8955bf641ccaecaf9b1ae

SHA1
8003efbd1c65d543771770bf23388684917ad91b

SHA256
a9598b6cd9b5dd88047f454bb6c8c281002e8bd7986bbd87ac3bc08f84e91984

SHA512
b8335837a90e072b83eb19bc7b80a5cf291d17a4441d09c09fdd0bd75f1b1354a0aa7c6decf577465d1c55a06c1ca07d5f17da782c4eab577d53de59475a5764

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z8603568.exe

Filesize
774KB

MD5
14d5e3859ac8955bf641ccaecaf9b1ae

SHA1
8003efbd1c65d543771770bf23388684917ad91b

SHA256
a9598b6cd9b5dd88047f454bb6c8c281002e8bd7986bbd87ac3bc08f84e91984

SHA512
b8335837a90e072b83eb19bc7b80a5cf291d17a4441d09c09fdd0bd75f1b1354a0aa7c6decf577465d1c55a06c1ca07d5f17da782c4eab577d53de59475a5764

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z0416496.exe

Filesize
548KB

MD5
71c9988d89c2c58dc29ba68bad688f57

SHA1
6dec43975edc6ea51aee2c6c4f39775779405e19

SHA256
500fc8b93e9332e0910467fda7f1a70432776bca881deb1ee4c363f4e41257c8

SHA512
8b96038f01a3e2e92c20a67769305399a3d1d93b8fbb11fe4ddef92c09a9da6d3f79bac9def0c7d1610fcb782f7c4dd37125cc78f991fc157e091d085b1a51e1

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z0416496.exe

Filesize
548KB

MD5
71c9988d89c2c58dc29ba68bad688f57

SHA1
6dec43975edc6ea51aee2c6c4f39775779405e19

SHA256
500fc8b93e9332e0910467fda7f1a70432776bca881deb1ee4c363f4e41257c8

SHA512
8b96038f01a3e2e92c20a67769305399a3d1d93b8fbb11fe4ddef92c09a9da6d3f79bac9def0c7d1610fcb782f7c4dd37125cc78f991fc157e091d085b1a51e1

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\t2515789.exe

Filesize
174KB

MD5
2873b8b66a547327aef437fc48099ffd

SHA1
7fb523346dc975c538e5d27b1cd657c39b267d42

SHA256
d1cad7ca6edfcb9fccce2ef66023d1b652c6adcfc5ec6589034876e9d754d6ff

SHA512
c73ce31d8b4a7ff4f44f5cef0789afe12a0942cb59e9d6d5fe0797923f27afad59572eadeb6905672a3d7b27fe75316eac5d76714ecc4da74f014c6ec23a80e7

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\t2515789.exe

Filesize
174KB

MD5
2873b8b66a547327aef437fc48099ffd

SHA1
7fb523346dc975c538e5d27b1cd657c39b267d42

SHA256
d1cad7ca6edfcb9fccce2ef66023d1b652c6adcfc5ec6589034876e9d754d6ff

SHA512
c73ce31d8b4a7ff4f44f5cef0789afe12a0942cb59e9d6d5fe0797923f27afad59572eadeb6905672a3d7b27fe75316eac5d76714ecc4da74f014c6ec23a80e7

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z3042818.exe

Filesize
392KB

MD5
2281f9b6b516ff1b7333065f5d89c9bf

SHA1
522b1d35e2a7645288ce4dc9e74997f9cf6414c9

SHA256
37056720866b0d79226daa4e9b2efcbe366588a09d2f45a2f99c6c3ec65a42f9

SHA512
25f8e6576883fa1a6fc7612640891f382203d4a40c261771b6c5f0ef923d8dd0f36ee4f128f4e747d901e7010967088d32c89ac3e4d060ae66a950bd32b6cb1a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z3042818.exe

Filesize
392KB

MD5
2281f9b6b516ff1b7333065f5d89c9bf

SHA1
522b1d35e2a7645288ce4dc9e74997f9cf6414c9

SHA256
37056720866b0d79226daa4e9b2efcbe366588a09d2f45a2f99c6c3ec65a42f9

SHA512
25f8e6576883fa1a6fc7612640891f382203d4a40c261771b6c5f0ef923d8dd0f36ee4f128f4e747d901e7010967088d32c89ac3e4d060ae66a950bd32b6cb1a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\r1570992.exe

Filesize
273KB

MD5
448af5211ba9583ece24abda2fc30dae

SHA1
2ea568139438d41a1b85b8a5893648aaf9d78b3b

SHA256
7502b5be8ab9ce9c1a3a24595a11e87884e75432650273f2ea19e4b2dc3900ef

SHA512
7e44fc56ca80718d6e7c8ca9fcd574f1d32f17b9c03e4c819c49e7e64ee3abd740e8bebbc2043b352524fe27fcdaec1a9e2efe0d9d3a3140536d449b5b5c5b7f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\r1570992.exe

Filesize
273KB

MD5
448af5211ba9583ece24abda2fc30dae

SHA1
2ea568139438d41a1b85b8a5893648aaf9d78b3b

SHA256
7502b5be8ab9ce9c1a3a24595a11e87884e75432650273f2ea19e4b2dc3900ef

SHA512
7e44fc56ca80718d6e7c8ca9fcd574f1d32f17b9c03e4c819c49e7e64ee3abd740e8bebbc2043b352524fe27fcdaec1a9e2efe0d9d3a3140536d449b5b5c5b7f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\s3815134.exe

Filesize
140KB

MD5
8d5f17011509ea2a6f1334430c6fa664

SHA1
dcae78973384c3b600af0f4c045b61cf62310907

SHA256
566508cf56b529db924eeb1f99e33d7281088ec66655242fd5136ce4a25892ea

SHA512
6e8f05ae41a27e865281819981aca8f5d2af9d4f86c089ca413db88bb4811504f19c7a2ed87698c91b8ba77aeb3752172064757591efed097f4ff250d18e27da

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\s3815134.exe

Filesize
140KB

MD5
8d5f17011509ea2a6f1334430c6fa664

SHA1
dcae78973384c3b600af0f4c045b61cf62310907

SHA256
566508cf56b529db924eeb1f99e33d7281088ec66655242fd5136ce4a25892ea

SHA512
6e8f05ae41a27e865281819981aca8f5d2af9d4f86c089ca413db88bb4811504f19c7a2ed87698c91b8ba77aeb3752172064757591efed097f4ff250d18e27da

Download Submit
memory/1132-216-0x00000000054B0000-0x00000000054EC000-memory.dmp

Filesize
240KB

Download
memory/1132-214-0x00000000051D0000-0x00000000051E0000-memory.dmp

Filesize
64KB

Download
memory/1132-213-0x0000000005510000-0x000000000561A000-memory.dmp

Filesize
1.0MB

Download
memory/1132-212-0x0000000005A00000-0x0000000006018000-memory.dmp

Filesize
6.1MB

Download
memory/1132-211-0x00000000745F0000-0x0000000074DA0000-memory.dmp

Filesize
7.7MB

Download
memory/1132-210-0x0000000000980000-0x00000000009B0000-memory.dmp

Filesize
192KB

Download
memory/1132-215-0x0000000005450000-0x0000000005462000-memory.dmp

Filesize
72KB

Download
memory/1132-217-0x00000000745F0000-0x0000000074DA0000-memory.dmp

Filesize
7.7MB

Download
memory/1132-218-0x00000000051D0000-0x00000000051E0000-memory.dmp

Filesize
64KB

Download
memory/4636-165-0x0000000003560000-0x0000000003570000-memory.dmp

Filesize
64KB

Download
memory/4636-202-0x0000000000400000-0x00000000018C1000-memory.dmp

Filesize
20.8MB

Download
memory/4636-184-0x0000000006450000-0x0000000006466000-memory.dmp

Filesize
88KB

Download
memory/4636-186-0x0000000006450000-0x0000000006466000-memory.dmp

Filesize
88KB

Download
memory/4636-188-0x0000000006450000-0x0000000006466000-memory.dmp

Filesize
88KB

Download
memory/4636-190-0x0000000006450000-0x0000000006466000-memory.dmp

Filesize
88KB

Download
memory/4636-192-0x0000000006450000-0x0000000006466000-memory.dmp

Filesize
88KB

Download
memory/4636-194-0x0000000006450000-0x0000000006466000-memory.dmp

Filesize
88KB

Download
memory/4636-195-0x0000000001AB0000-0x0000000001AD1000-memory.dmp

Filesize
132KB

Download
memory/4636-196-0x0000000001AE0000-0x0000000001B0F000-memory.dmp

Filesize
188KB

Download
memory/4636-197-0x0000000000400000-0x00000000018C1000-memory.dmp

Filesize
20.8MB

Download
memory/4636-199-0x00000000744A0000-0x0000000074C50000-memory.dmp

Filesize
7.7MB

Download
memory/4636-200-0x0000000003560000-0x0000000003570000-memory.dmp

Filesize
64KB

Download
memory/4636-182-0x0000000006450000-0x0000000006466000-memory.dmp

Filesize
88KB

Download
memory/4636-203-0x00000000744A0000-0x0000000074C50000-memory.dmp

Filesize
7.7MB

Download
memory/4636-180-0x0000000006450000-0x0000000006466000-memory.dmp

Filesize
88KB

Download
memory/4636-178-0x0000000006450000-0x0000000006466000-memory.dmp

Filesize
88KB

Download
memory/4636-176-0x0000000006450000-0x0000000006466000-memory.dmp

Filesize
88KB

Download
memory/4636-174-0x0000000006450000-0x0000000006466000-memory.dmp

Filesize
88KB

Download
memory/4636-172-0x0000000006450000-0x0000000006466000-memory.dmp

Filesize
88KB

Download
memory/4636-170-0x0000000006450000-0x0000000006466000-memory.dmp

Filesize
88KB

Download
memory/4636-168-0x0000000006450000-0x0000000006466000-memory.dmp

Filesize
88KB

Download
memory/4636-167-0x0000000006450000-0x0000000006466000-memory.dmp

Filesize
88KB

Download
memory/4636-166-0x0000000005E40000-0x00000000063E4000-memory.dmp

Filesize
5.6MB

Download
memory/4636-164-0x00000000744A0000-0x0000000074C50000-memory.dmp

Filesize
7.7MB

Download
memory/4636-163-0x0000000000400000-0x00000000018C1000-memory.dmp

Filesize
20.8MB

Download
memory/4636-162-0x0000000001AE0000-0x0000000001B0F000-memory.dmp

Filesize
188KB

Download
memory/4636-161-0x0000000001AB0000-0x0000000001AD1000-memory.dmp

Filesize
132KB

Download