redline | 4c8cc476763730d7e0df2e04e2d2aafa7aeacf0f74caa8f1cb9021f6981719fa

Analysis

max time kernel
125s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20230831-en
resource tags

arch:x64arch:x86image:win10v2004-20230831-enlocale:en-usos:windows10-2004-x64system
submitted
01/09/2023, 18:36

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

0a8b8d973e5bc3013679d46fb4aea58f_JC.exe
Size

673KB
MD5

0a8b8d973e5bc3013679d46fb4aea58f
SHA1

35225e42638b7ef9a47ae8dec21760c8af02cf83
SHA256

4c8cc476763730d7e0df2e04e2d2aafa7aeacf0f74caa8f1cb9021f6981719fa
SHA512

2997926633129db5bd4f40b7d514f9210d731ce83941437f376965845ca13b5057f58af7591c6dd56307c21b4fa2a92da9483b364592a43e916b17fc0a00d4c4
SSDEEP

12288:gMrLy90XrSfd4Vb9E+GloEGnV1ewp23rCmIdsDSgzSZgvD2U:byrW4yEGfa7CmIK2hgvD2U

Score

10^/10

redline jonka evasion infostealer persistence trojan

Malware Config

Extracted

Family

redline

Botnet

jonka

77.91.124.73:19071

Attributes

auth_value
c95bc30cd252fa6dff2a19fd78bfab4e

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	a9941930.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	a9941930.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	a9941930.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	a9941930.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	a9941930.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	a9941930.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Executes dropped EXE 5 IoCs

pid	Process
1036	v3355938.exe
2500	v8076540.exe
3156	a9941930.exe
2580	b4550649.exe
4796	c9897633.exe

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	a9941930.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	a9941930.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	v3355938.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	v8076540.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	0a8b8d973e5bc3013679d46fb4aea58f_JC.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
3096	3156	WerFault.exe	88

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
3156	a9941930.exe
3156	a9941930.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	3156	a9941930.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 3356 wrote to memory of 1036	3356	0a8b8d973e5bc3013679d46fb4aea58f_JC.exe	85
PID 3356 wrote to memory of 1036	3356	0a8b8d973e5bc3013679d46fb4aea58f_JC.exe	85
PID 3356 wrote to memory of 1036	3356	0a8b8d973e5bc3013679d46fb4aea58f_JC.exe	85
PID 1036 wrote to memory of 2500	1036	v3355938.exe	87
PID 1036 wrote to memory of 2500	1036	v3355938.exe	87
PID 1036 wrote to memory of 2500	1036	v3355938.exe	87
PID 2500 wrote to memory of 3156	2500	v8076540.exe	88
PID 2500 wrote to memory of 3156	2500	v8076540.exe	88
PID 2500 wrote to memory of 3156	2500	v8076540.exe	88
PID 2500 wrote to memory of 2580	2500	v8076540.exe	93
PID 2500 wrote to memory of 2580	2500	v8076540.exe	93
PID 2500 wrote to memory of 2580	2500	v8076540.exe	93
PID 1036 wrote to memory of 4796	1036	v3355938.exe	94
PID 1036 wrote to memory of 4796	1036	v3355938.exe	94
PID 1036 wrote to memory of 4796	1036	v3355938.exe	94

C:\Users\Admin\AppData\Local\Temp\0a8b8d973e5bc3013679d46fb4aea58f_JC.exe
"C:\Users\Admin\AppData\Local\Temp\0a8b8d973e5bc3013679d46fb4aea58f_JC.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3356
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v3355938.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v3355938.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:1036
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v8076540.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v8076540.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:2500
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a9941930.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a9941930.exe
      4⤵
      Modifies Windows Defender Real-time Protection settings
      Executes dropped EXE
      Windows security modification
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3156
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3156 -s 1080
        5⤵
        Program crash
        
        PID:3096
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b4550649.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b4550649.exe
      4⤵
      Executes dropped EXE
      PID:2580
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\c9897633.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\c9897633.exe
    3⤵
    - Executes dropped EXE
    PID:4796

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 3156 -ip 3156
1⤵
PID:3936

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v3355938.exe

Filesize
548KB

MD5
d94ed5db2d743724efe3028dc601bee6

SHA1
234bec2c4e5ec6e67bb2db061a4c03a3ab68b0d7

SHA256
bad657e36efe871f47fc33de3c38316dfc34b1b1837f4d751123cb00308391aa

SHA512
cc426edec0d5e0893a71573b8dff7966d27352ce0126c3a565e8d9e6ce7e6754e9a35095c587ee87727cdc28c4f4443933db885383c4346e15067db829d2ebe8

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v3355938.exe

Filesize
548KB

MD5
d94ed5db2d743724efe3028dc601bee6

SHA1
234bec2c4e5ec6e67bb2db061a4c03a3ab68b0d7

SHA256
bad657e36efe871f47fc33de3c38316dfc34b1b1837f4d751123cb00308391aa

SHA512
cc426edec0d5e0893a71573b8dff7966d27352ce0126c3a565e8d9e6ce7e6754e9a35095c587ee87727cdc28c4f4443933db885383c4346e15067db829d2ebe8

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\c9897633.exe

Filesize
174KB

MD5
2873b8b66a547327aef437fc48099ffd

SHA1
7fb523346dc975c538e5d27b1cd657c39b267d42

SHA256
d1cad7ca6edfcb9fccce2ef66023d1b652c6adcfc5ec6589034876e9d754d6ff

SHA512
c73ce31d8b4a7ff4f44f5cef0789afe12a0942cb59e9d6d5fe0797923f27afad59572eadeb6905672a3d7b27fe75316eac5d76714ecc4da74f014c6ec23a80e7

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\c9897633.exe

Filesize
174KB

MD5
2873b8b66a547327aef437fc48099ffd

SHA1
7fb523346dc975c538e5d27b1cd657c39b267d42

SHA256
d1cad7ca6edfcb9fccce2ef66023d1b652c6adcfc5ec6589034876e9d754d6ff

SHA512
c73ce31d8b4a7ff4f44f5cef0789afe12a0942cb59e9d6d5fe0797923f27afad59572eadeb6905672a3d7b27fe75316eac5d76714ecc4da74f014c6ec23a80e7

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v8076540.exe

Filesize
392KB

MD5
d25a1ea6ae1f7dad28b4ff5993da27cf

SHA1
8366f054194dda1a8e45cdf260371c646ad722d8

SHA256
685966020bd79ca657726dea6cff8051529c2b2d042d70c22538b3fe887383f4

SHA512
97943019967e12408a61665297dd8efe33a154b977b57d336873e0c7af5814654c21a600f3126213c203a030b3a9a600c493d4c12695c0e614e2f009f46119ed

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v8076540.exe

Filesize
392KB

MD5
d25a1ea6ae1f7dad28b4ff5993da27cf

SHA1
8366f054194dda1a8e45cdf260371c646ad722d8

SHA256
685966020bd79ca657726dea6cff8051529c2b2d042d70c22538b3fe887383f4

SHA512
97943019967e12408a61665297dd8efe33a154b977b57d336873e0c7af5814654c21a600f3126213c203a030b3a9a600c493d4c12695c0e614e2f009f46119ed

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a9941930.exe

Filesize
273KB

MD5
05e7e2d0f0e63469b8e5c58bc11d25a8

SHA1
43f7ac49259d9551298d806d6e33bff18744a970

SHA256
1487cdcb04df170a3a5b50d864bda4248892a299b02e72a6c8762f5fac2549de

SHA512
66106b54757b39ef90198fe27987acfbd1f7e383fca7a05f228afb0bfb9c1d60d53c0bd1804bdec494c6f88804dbb415ef0f2ce8ea45f0128fe03f2a86414586

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a9941930.exe

Filesize
273KB

MD5
05e7e2d0f0e63469b8e5c58bc11d25a8

SHA1
43f7ac49259d9551298d806d6e33bff18744a970

SHA256
1487cdcb04df170a3a5b50d864bda4248892a299b02e72a6c8762f5fac2549de

SHA512
66106b54757b39ef90198fe27987acfbd1f7e383fca7a05f228afb0bfb9c1d60d53c0bd1804bdec494c6f88804dbb415ef0f2ce8ea45f0128fe03f2a86414586

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b4550649.exe

Filesize
140KB

MD5
04cba969879eb44387e53ed42f474ffc

SHA1
5232c20370e125f0bb1f5bdd858253f492125483

SHA256
119c842d3037762fc6de08df5927d13b70055dcbaa9b08813b8b699cca05ae4a

SHA512
946da0fc06917a482c0fa41af6706dcf1a87ff926c3a765e4bb9bc90479bc682ea16d325cf66877505514b5a5e2f08e700bfa5a050fc986b76e4163370672dc8

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b4550649.exe

Filesize
140KB

MD5
04cba969879eb44387e53ed42f474ffc

SHA1
5232c20370e125f0bb1f5bdd858253f492125483

SHA256
119c842d3037762fc6de08df5927d13b70055dcbaa9b08813b8b699cca05ae4a

SHA512
946da0fc06917a482c0fa41af6706dcf1a87ff926c3a765e4bb9bc90479bc682ea16d325cf66877505514b5a5e2f08e700bfa5a050fc986b76e4163370672dc8

Download Submit
memory/3156-27-0x00000000740A0000-0x0000000074850000-memory.dmp

Filesize
7.7MB

Download
memory/3156-57-0x0000000001900000-0x000000000192F000-memory.dmp

Filesize
188KB

Download
memory/3156-24-0x0000000006130000-0x0000000006140000-memory.dmp

Filesize
64KB

Download
memory/3156-28-0x0000000005FD0000-0x0000000005FE6000-memory.dmp

Filesize
88KB

Download
memory/3156-29-0x0000000005FD0000-0x0000000005FE6000-memory.dmp

Filesize
88KB

Download
memory/3156-33-0x0000000005FD0000-0x0000000005FE6000-memory.dmp

Filesize
88KB

Download
memory/3156-31-0x0000000005FD0000-0x0000000005FE6000-memory.dmp

Filesize
88KB

Download
memory/3156-35-0x0000000005FD0000-0x0000000005FE6000-memory.dmp

Filesize
88KB

Download
memory/3156-37-0x0000000005FD0000-0x0000000005FE6000-memory.dmp

Filesize
88KB

Download
memory/3156-39-0x0000000005FD0000-0x0000000005FE6000-memory.dmp

Filesize
88KB

Download
memory/3156-41-0x0000000005FD0000-0x0000000005FE6000-memory.dmp

Filesize
88KB

Download
memory/3156-43-0x0000000005FD0000-0x0000000005FE6000-memory.dmp

Filesize
88KB

Download
memory/3156-45-0x0000000005FD0000-0x0000000005FE6000-memory.dmp

Filesize
88KB

Download
memory/3156-47-0x0000000005FD0000-0x0000000005FE6000-memory.dmp

Filesize
88KB

Download
memory/3156-49-0x0000000005FD0000-0x0000000005FE6000-memory.dmp

Filesize
88KB

Download
memory/3156-51-0x0000000005FD0000-0x0000000005FE6000-memory.dmp

Filesize
88KB

Download
memory/3156-53-0x0000000005FD0000-0x0000000005FE6000-memory.dmp

Filesize
88KB

Download
memory/3156-55-0x0000000005FD0000-0x0000000005FE6000-memory.dmp

Filesize
88KB

Download
memory/3156-56-0x00000000018D0000-0x00000000018F1000-memory.dmp

Filesize
132KB

Download
memory/3156-26-0x0000000006140000-0x00000000066E4000-memory.dmp

Filesize
5.6MB

Download
memory/3156-58-0x0000000000400000-0x00000000018C1000-memory.dmp

Filesize
20.8MB

Download
memory/3156-59-0x0000000006130000-0x0000000006140000-memory.dmp

Filesize
64KB

Download
memory/3156-60-0x00000000740A0000-0x0000000074850000-memory.dmp

Filesize
7.7MB

Download
memory/3156-62-0x0000000000400000-0x00000000018C1000-memory.dmp

Filesize
20.8MB

Download
memory/3156-63-0x00000000740A0000-0x0000000074850000-memory.dmp

Filesize
7.7MB

Download
memory/3156-25-0x0000000006130000-0x0000000006140000-memory.dmp

Filesize
64KB

Download
memory/3156-23-0x0000000000400000-0x00000000018C1000-memory.dmp

Filesize
20.8MB

Download
memory/3156-22-0x0000000001900000-0x000000000192F000-memory.dmp

Filesize
188KB

Download
memory/3156-21-0x00000000018D0000-0x00000000018F1000-memory.dmp

Filesize
132KB

Download
memory/4796-70-0x0000000000430000-0x0000000000460000-memory.dmp

Filesize
192KB

Download
memory/4796-71-0x00000000741F0000-0x00000000749A0000-memory.dmp

Filesize
7.7MB

Download
memory/4796-72-0x00000000053F0000-0x0000000005A08000-memory.dmp

Filesize
6.1MB

Download
memory/4796-73-0x0000000004EE0000-0x0000000004FEA000-memory.dmp

Filesize
1.0MB

Download
memory/4796-75-0x0000000004DD0000-0x0000000004DE2000-memory.dmp

Filesize
72KB

Download
memory/4796-74-0x0000000004DC0000-0x0000000004DD0000-memory.dmp

Filesize
64KB

Download
memory/4796-76-0x0000000004E30000-0x0000000004E6C000-memory.dmp

Filesize
240KB

Download
memory/4796-77-0x00000000741F0000-0x00000000749A0000-memory.dmp

Filesize
7.7MB

Download
memory/4796-78-0x0000000004DC0000-0x0000000004DD0000-memory.dmp

Filesize
64KB

Download