redline | 696d56ece02f86a544b46d6a9395f2e817c93be972d0c57e7a16da35523a5b8d

Analysis

max time kernel
130s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
27/08/2023, 03:06

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

0a5c96faf2f9692cd61acd87c4a8904a.exe
Size

673KB
MD5

0a5c96faf2f9692cd61acd87c4a8904a
SHA1

5bb618b80eac7823b0f32be3f75c804a2568cc5f
SHA256

696d56ece02f86a544b46d6a9395f2e817c93be972d0c57e7a16da35523a5b8d
SHA512

1c2f9d7d5eec8a7500beca4be6ddb11f18b75c96064efc7ac3112f124dcd5fba4c889a025a78d27f15cbda2cee18f0f4e4f7063d571797dd36d3940a325ecddf
SSDEEP

12288:9Mrmy9093T08Ofx7hR0rJ1sLZlJYO7L/zQSZxUAiYSdarAkyH:3yG08Opd+JuLlb7DzQ4ibagH

Score

10^/10

redline jonka evasion infostealer persistence trojan

Malware Config

Extracted

Family

redline

Botnet

jonka

77.91.124.73:19071

Attributes

auth_value
c95bc30cd252fa6dff2a19fd78bfab4e

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	a7568855.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	a7568855.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	a7568855.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	a7568855.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	a7568855.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	a7568855.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Executes dropped EXE 5 IoCs

pid	Process
4208	v5869328.exe
5076	v7146218.exe
3628	a7568855.exe
5024	b0294551.exe
3620	c2302149.exe

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	a7568855.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	a7568855.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	v5869328.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	v7146218.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	0a5c96faf2f9692cd61acd87c4a8904a.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
232	3628	WerFault.exe	85

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
3628	a7568855.exe
3628	a7568855.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	3628	a7568855.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 4856 wrote to memory of 4208	4856	0a5c96faf2f9692cd61acd87c4a8904a.exe	83
PID 4856 wrote to memory of 4208	4856	0a5c96faf2f9692cd61acd87c4a8904a.exe	83
PID 4856 wrote to memory of 4208	4856	0a5c96faf2f9692cd61acd87c4a8904a.exe	83
PID 4208 wrote to memory of 5076	4208	v5869328.exe	84
PID 4208 wrote to memory of 5076	4208	v5869328.exe	84
PID 4208 wrote to memory of 5076	4208	v5869328.exe	84
PID 5076 wrote to memory of 3628	5076	v7146218.exe	85
PID 5076 wrote to memory of 3628	5076	v7146218.exe	85
PID 5076 wrote to memory of 3628	5076	v7146218.exe	85
PID 5076 wrote to memory of 5024	5076	v7146218.exe	97
PID 5076 wrote to memory of 5024	5076	v7146218.exe	97
PID 5076 wrote to memory of 5024	5076	v7146218.exe	97
PID 4208 wrote to memory of 3620	4208	v5869328.exe	98
PID 4208 wrote to memory of 3620	4208	v5869328.exe	98
PID 4208 wrote to memory of 3620	4208	v5869328.exe	98

C:\Users\Admin\AppData\Local\Temp\0a5c96faf2f9692cd61acd87c4a8904a.exe
"C:\Users\Admin\AppData\Local\Temp\0a5c96faf2f9692cd61acd87c4a8904a.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4856
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v5869328.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v5869328.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:4208
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v7146218.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v7146218.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:5076
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a7568855.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a7568855.exe
      4⤵
      Modifies Windows Defender Real-time Protection settings
      Executes dropped EXE
      Windows security modification
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3628
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3628 -s 1088
        5⤵
        Program crash
        
        PID:232
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b0294551.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b0294551.exe
      4⤵
      Executes dropped EXE
      PID:5024
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\c2302149.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\c2302149.exe
    3⤵
    - Executes dropped EXE
    PID:3620

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 3628 -ip 3628
1⤵
PID:3424

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v5869328.exe

Filesize
548KB

MD5
1cf289fabbe00432b373e42694460b86

SHA1
a05729e9b55496c7849e89da4c9ebb1f555a6e67

SHA256
be6195035f6f1ba47dc7950ac201cbf574a04a1915fde32ec19fabc64a33d7d6

SHA512
07ef4957165830298f845edc3ced8f50492070d1f89bc4cb9ce4edb37a7afb37e7f71f08f13af7e4e75aa3f248c27e773e9c19bdb42204d3fa9c82832cb3ca48

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v5869328.exe

Filesize
548KB

MD5
1cf289fabbe00432b373e42694460b86

SHA1
a05729e9b55496c7849e89da4c9ebb1f555a6e67

SHA256
be6195035f6f1ba47dc7950ac201cbf574a04a1915fde32ec19fabc64a33d7d6

SHA512
07ef4957165830298f845edc3ced8f50492070d1f89bc4cb9ce4edb37a7afb37e7f71f08f13af7e4e75aa3f248c27e773e9c19bdb42204d3fa9c82832cb3ca48

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\c2302149.exe

Filesize
174KB

MD5
2873b8b66a547327aef437fc48099ffd

SHA1
7fb523346dc975c538e5d27b1cd657c39b267d42

SHA256
d1cad7ca6edfcb9fccce2ef66023d1b652c6adcfc5ec6589034876e9d754d6ff

SHA512
c73ce31d8b4a7ff4f44f5cef0789afe12a0942cb59e9d6d5fe0797923f27afad59572eadeb6905672a3d7b27fe75316eac5d76714ecc4da74f014c6ec23a80e7

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\c2302149.exe

Filesize
174KB

MD5
2873b8b66a547327aef437fc48099ffd

SHA1
7fb523346dc975c538e5d27b1cd657c39b267d42

SHA256
d1cad7ca6edfcb9fccce2ef66023d1b652c6adcfc5ec6589034876e9d754d6ff

SHA512
c73ce31d8b4a7ff4f44f5cef0789afe12a0942cb59e9d6d5fe0797923f27afad59572eadeb6905672a3d7b27fe75316eac5d76714ecc4da74f014c6ec23a80e7

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v7146218.exe

Filesize
392KB

MD5
2846a5cf314e4a29acc962231f8ce079

SHA1
9d4117afb5819dd0a857fdcdaa1c90b4b7335b07

SHA256
692caed83eca24987aa5b5b072c4ba48ef4b5222869af6576ab4f2535b0492b1

SHA512
69538917236ca63709a9703e9c3c7700a25228cf7025979c75e36283df11605e831b38069c0c35fe645d9a9fddec9016be2cd9ad2df19abe533ff306590afe78

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v7146218.exe

Filesize
392KB

MD5
2846a5cf314e4a29acc962231f8ce079

SHA1
9d4117afb5819dd0a857fdcdaa1c90b4b7335b07

SHA256
692caed83eca24987aa5b5b072c4ba48ef4b5222869af6576ab4f2535b0492b1

SHA512
69538917236ca63709a9703e9c3c7700a25228cf7025979c75e36283df11605e831b38069c0c35fe645d9a9fddec9016be2cd9ad2df19abe533ff306590afe78

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a7568855.exe

Filesize
273KB

MD5
4ef838f3afb1719e10ee504ec33ac107

SHA1
645db8e88f39f6e57c8bd1f01b30df91269aa776

SHA256
91e79343da711b962986548f17356c16560f52f2aced82289209ae5ec61483d2

SHA512
a0c0e8facaafea57e7d3f74de10184731afed838e7b445574b4f3080aca9aeda9d0f3df94ac3f2819cde7a70f96862df1ed7755d9d5732e8b7391abdfde1f314

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a7568855.exe

Filesize
273KB

MD5
4ef838f3afb1719e10ee504ec33ac107

SHA1
645db8e88f39f6e57c8bd1f01b30df91269aa776

SHA256
91e79343da711b962986548f17356c16560f52f2aced82289209ae5ec61483d2

SHA512
a0c0e8facaafea57e7d3f74de10184731afed838e7b445574b4f3080aca9aeda9d0f3df94ac3f2819cde7a70f96862df1ed7755d9d5732e8b7391abdfde1f314

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b0294551.exe

Filesize
140KB

MD5
8d5f17011509ea2a6f1334430c6fa664

SHA1
dcae78973384c3b600af0f4c045b61cf62310907

SHA256
566508cf56b529db924eeb1f99e33d7281088ec66655242fd5136ce4a25892ea

SHA512
6e8f05ae41a27e865281819981aca8f5d2af9d4f86c089ca413db88bb4811504f19c7a2ed87698c91b8ba77aeb3752172064757591efed097f4ff250d18e27da

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b0294551.exe

Filesize
140KB

MD5
8d5f17011509ea2a6f1334430c6fa664

SHA1
dcae78973384c3b600af0f4c045b61cf62310907

SHA256
566508cf56b529db924eeb1f99e33d7281088ec66655242fd5136ce4a25892ea

SHA512
6e8f05ae41a27e865281819981aca8f5d2af9d4f86c089ca413db88bb4811504f19c7a2ed87698c91b8ba77aeb3752172064757591efed097f4ff250d18e27da

Download Submit
memory/3620-79-0x0000000005180000-0x00000000051BC000-memory.dmp

Filesize
240KB

Download
memory/3620-76-0x00000000051E0000-0x00000000052EA000-memory.dmp

Filesize
1.0MB

Download
memory/3620-75-0x00000000056A0000-0x0000000005CB8000-memory.dmp

Filesize
6.1MB

Download
memory/3620-74-0x0000000074B70000-0x0000000075320000-memory.dmp

Filesize
7.7MB

Download
memory/3620-73-0x0000000000650000-0x0000000000680000-memory.dmp

Filesize
192KB

Download
memory/3620-77-0x0000000004E70000-0x0000000004E80000-memory.dmp

Filesize
64KB

Download
memory/3620-78-0x0000000005120000-0x0000000005132000-memory.dmp

Filesize
72KB

Download
memory/3620-80-0x0000000074B70000-0x0000000075320000-memory.dmp

Filesize
7.7MB

Download
memory/3620-81-0x0000000004E70000-0x0000000004E80000-memory.dmp

Filesize
64KB

Download
memory/3628-48-0x0000000005FD0000-0x0000000005FE6000-memory.dmp

Filesize
88KB

Download
memory/3628-63-0x00000000060E0000-0x00000000060F0000-memory.dmp

Filesize
64KB

Download
memory/3628-42-0x0000000005FD0000-0x0000000005FE6000-memory.dmp

Filesize
88KB

Download
memory/3628-44-0x0000000005FD0000-0x0000000005FE6000-memory.dmp

Filesize
88KB

Download
memory/3628-46-0x0000000005FD0000-0x0000000005FE6000-memory.dmp

Filesize
88KB

Download
memory/3628-38-0x0000000005FD0000-0x0000000005FE6000-memory.dmp

Filesize
88KB

Download
memory/3628-50-0x0000000005FD0000-0x0000000005FE6000-memory.dmp

Filesize
88KB

Download
memory/3628-52-0x0000000005FD0000-0x0000000005FE6000-memory.dmp

Filesize
88KB

Download
memory/3628-54-0x0000000005FD0000-0x0000000005FE6000-memory.dmp

Filesize
88KB

Download
memory/3628-56-0x0000000005FD0000-0x0000000005FE6000-memory.dmp

Filesize
88KB

Download
memory/3628-57-0x00000000018D0000-0x00000000018F1000-memory.dmp

Filesize
132KB

Download
memory/3628-58-0x0000000001930000-0x000000000195F000-memory.dmp

Filesize
188KB

Download
memory/3628-59-0x0000000000400000-0x00000000018C1000-memory.dmp

Filesize
20.8MB

Download
memory/3628-61-0x0000000074A20000-0x00000000751D0000-memory.dmp

Filesize
7.7MB

Download
memory/3628-62-0x00000000060E0000-0x00000000060F0000-memory.dmp

Filesize
64KB

Download
memory/3628-40-0x0000000005FD0000-0x0000000005FE6000-memory.dmp

Filesize
88KB

Download
memory/3628-65-0x0000000000400000-0x00000000018C1000-memory.dmp

Filesize
20.8MB

Download
memory/3628-66-0x0000000074A20000-0x00000000751D0000-memory.dmp

Filesize
7.7MB

Download
memory/3628-36-0x0000000005FD0000-0x0000000005FE6000-memory.dmp

Filesize
88KB

Download
memory/3628-34-0x0000000005FD0000-0x0000000005FE6000-memory.dmp

Filesize
88KB

Download
memory/3628-32-0x0000000005FD0000-0x0000000005FE6000-memory.dmp

Filesize
88KB

Download
memory/3628-30-0x0000000005FD0000-0x0000000005FE6000-memory.dmp

Filesize
88KB

Download
memory/3628-29-0x0000000005FD0000-0x0000000005FE6000-memory.dmp

Filesize
88KB

Download
memory/3628-28-0x00000000060F0000-0x0000000006694000-memory.dmp

Filesize
5.6MB

Download
memory/3628-27-0x00000000060E0000-0x00000000060F0000-memory.dmp

Filesize
64KB

Download
memory/3628-26-0x00000000060E0000-0x00000000060F0000-memory.dmp

Filesize
64KB

Download
memory/3628-25-0x00000000060E0000-0x00000000060F0000-memory.dmp

Filesize
64KB

Download
memory/3628-24-0x0000000074A20000-0x00000000751D0000-memory.dmp

Filesize
7.7MB

Download
memory/3628-23-0x0000000000400000-0x00000000018C1000-memory.dmp

Filesize
20.8MB

Download
memory/3628-22-0x0000000001930000-0x000000000195F000-memory.dmp

Filesize
188KB

Download
memory/3628-21-0x00000000018D0000-0x00000000018F1000-memory.dmp

Filesize
132KB

Download