redline | e84450dd9afdaacd15e943271f9e0d0c52b2d98f615bbe91e701238f2b4a13ec

Analysis

max time kernel
142s
max time network
149s
platform
windows7_x64
resource
win7-20230703-en
resource tags

arch:x64arch:x86image:win7-20230703-enlocale:en-usos:windows7-x64system
submitted
10-07-2023 10:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e84450dd9afdaacd15e943271f9e0d0c52b2d98f615bb.exe
Size

513KB
MD5

ce7e1d1cd104a4a7c242689ac5c39b6d
SHA1

c6fa8af4763985ed39b4d285ed76624cfb8f0ff2
SHA256

e84450dd9afdaacd15e943271f9e0d0c52b2d98f615bbe91e701238f2b4a13ec
SHA512

fd98dda85f8c3f0b7402b239f604c9c8d0e2d9a42beb42630082660ff84090eb8ba2964b21af552c3a2fd6a6470079f51cea3a87c2a27d0e7f55b3493bb8dde3
SSDEEP

12288:30UXez473QJ2y2+w4fc6gYz+GQF1zZrPLcttZ7MwV:bk47gUd+wOc6gRX3VPutZAw

Score

10^/10

redline kira infostealer persistence

Malware Config

Extracted

Family

redline

Botnet

kira

77.91.68.48:19071

Attributes

auth_value
1677a40fd8997eb89377e1681911e9c6

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Executes dropped EXE 2 IoCs

pid	Process
2876	x2495952.exe
2116	f9539978.exe

Loads dropped DLL 5 IoCs

pid	Process
3032	e84450dd9afdaacd15e943271f9e0d0c52b2d98f615bb.exe
2876	x2495952.exe
2876	x2495952.exe
2876	x2495952.exe
2116	f9539978.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	e84450dd9afdaacd15e943271f9e0d0c52b2d98f615bb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	e84450dd9afdaacd15e943271f9e0d0c52b2d98f615bb.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	x2495952.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	x2495952.exe

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 3032 wrote to memory of 2876	3032	e84450dd9afdaacd15e943271f9e0d0c52b2d98f615bb.exe	29
PID 3032 wrote to memory of 2876	3032	e84450dd9afdaacd15e943271f9e0d0c52b2d98f615bb.exe	29
PID 3032 wrote to memory of 2876	3032	e84450dd9afdaacd15e943271f9e0d0c52b2d98f615bb.exe	29
PID 3032 wrote to memory of 2876	3032	e84450dd9afdaacd15e943271f9e0d0c52b2d98f615bb.exe	29
PID 3032 wrote to memory of 2876	3032	e84450dd9afdaacd15e943271f9e0d0c52b2d98f615bb.exe	29
PID 3032 wrote to memory of 2876	3032	e84450dd9afdaacd15e943271f9e0d0c52b2d98f615bb.exe	29
PID 3032 wrote to memory of 2876	3032	e84450dd9afdaacd15e943271f9e0d0c52b2d98f615bb.exe	29
PID 2876 wrote to memory of 2116	2876	x2495952.exe	30
PID 2876 wrote to memory of 2116	2876	x2495952.exe	30
PID 2876 wrote to memory of 2116	2876	x2495952.exe	30
PID 2876 wrote to memory of 2116	2876	x2495952.exe	30
PID 2876 wrote to memory of 2116	2876	x2495952.exe	30
PID 2876 wrote to memory of 2116	2876	x2495952.exe	30
PID 2876 wrote to memory of 2116	2876	x2495952.exe	30

C:\Users\Admin\AppData\Local\Temp\e84450dd9afdaacd15e943271f9e0d0c52b2d98f615bb.exe
"C:\Users\Admin\AppData\Local\Temp\e84450dd9afdaacd15e943271f9e0d0c52b2d98f615bb.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3032
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x2495952.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x2495952.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:2876
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\f9539978.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\f9539978.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:2116

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x2495952.exe

Filesize
319KB

MD5
d60333ed85ee02d160035fa7292145e8

SHA1
4a84093ad16f0ab675002c39fdfa6a412b7f0322

SHA256
4a43e50a93175f91539e1b567a98ac0cfde04a5fa5727c7df15e2cbd27075096

SHA512
00b9f4dd0c57cc85f1851e1472b82b8ada706a4514acf88da6e511692857c0f909c6b0f6d0181a3df6a2e7c7742013b425ca0b288dfe2bb70145760c05f50d4e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x2495952.exe

Filesize
319KB

MD5
d60333ed85ee02d160035fa7292145e8

SHA1
4a84093ad16f0ab675002c39fdfa6a412b7f0322

SHA256
4a43e50a93175f91539e1b567a98ac0cfde04a5fa5727c7df15e2cbd27075096

SHA512
00b9f4dd0c57cc85f1851e1472b82b8ada706a4514acf88da6e511692857c0f909c6b0f6d0181a3df6a2e7c7742013b425ca0b288dfe2bb70145760c05f50d4e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\f9539978.exe

Filesize
266KB

MD5
856865c98a2ddde13f659acee7af30d1

SHA1
ce8051c3a18fb406a031d90b8ee928ab8ae2138c

SHA256
c84b2274165a6855bb1b41cd83fda770edf34c5d155fa0980d3d732b57844780

SHA512
19cd98a2faa79e558e447310d7a2e1f48dfd2d0c7cdd369db502522d91ce6cf2b6e64804e4f91a897252e489e959c37007e881b4c36a7fea413e45475ec3f666

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\f9539978.exe

Filesize
266KB

MD5
856865c98a2ddde13f659acee7af30d1

SHA1
ce8051c3a18fb406a031d90b8ee928ab8ae2138c

SHA256
c84b2274165a6855bb1b41cd83fda770edf34c5d155fa0980d3d732b57844780

SHA512
19cd98a2faa79e558e447310d7a2e1f48dfd2d0c7cdd369db502522d91ce6cf2b6e64804e4f91a897252e489e959c37007e881b4c36a7fea413e45475ec3f666

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\f9539978.exe

Filesize
266KB

MD5
856865c98a2ddde13f659acee7af30d1

SHA1
ce8051c3a18fb406a031d90b8ee928ab8ae2138c

SHA256
c84b2274165a6855bb1b41cd83fda770edf34c5d155fa0980d3d732b57844780

SHA512
19cd98a2faa79e558e447310d7a2e1f48dfd2d0c7cdd369db502522d91ce6cf2b6e64804e4f91a897252e489e959c37007e881b4c36a7fea413e45475ec3f666

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\x2495952.exe

Filesize
319KB

MD5
d60333ed85ee02d160035fa7292145e8

SHA1
4a84093ad16f0ab675002c39fdfa6a412b7f0322

SHA256
4a43e50a93175f91539e1b567a98ac0cfde04a5fa5727c7df15e2cbd27075096

SHA512
00b9f4dd0c57cc85f1851e1472b82b8ada706a4514acf88da6e511692857c0f909c6b0f6d0181a3df6a2e7c7742013b425ca0b288dfe2bb70145760c05f50d4e

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\x2495952.exe

Filesize
319KB

MD5
d60333ed85ee02d160035fa7292145e8

SHA1
4a84093ad16f0ab675002c39fdfa6a412b7f0322

SHA256
4a43e50a93175f91539e1b567a98ac0cfde04a5fa5727c7df15e2cbd27075096

SHA512
00b9f4dd0c57cc85f1851e1472b82b8ada706a4514acf88da6e511692857c0f909c6b0f6d0181a3df6a2e7c7742013b425ca0b288dfe2bb70145760c05f50d4e

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\f9539978.exe

Filesize
266KB

MD5
856865c98a2ddde13f659acee7af30d1

SHA1
ce8051c3a18fb406a031d90b8ee928ab8ae2138c

SHA256
c84b2274165a6855bb1b41cd83fda770edf34c5d155fa0980d3d732b57844780

SHA512
19cd98a2faa79e558e447310d7a2e1f48dfd2d0c7cdd369db502522d91ce6cf2b6e64804e4f91a897252e489e959c37007e881b4c36a7fea413e45475ec3f666

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\f9539978.exe

Filesize
266KB

MD5
856865c98a2ddde13f659acee7af30d1

SHA1
ce8051c3a18fb406a031d90b8ee928ab8ae2138c

SHA256
c84b2274165a6855bb1b41cd83fda770edf34c5d155fa0980d3d732b57844780

SHA512
19cd98a2faa79e558e447310d7a2e1f48dfd2d0c7cdd369db502522d91ce6cf2b6e64804e4f91a897252e489e959c37007e881b4c36a7fea413e45475ec3f666

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\f9539978.exe

Filesize
266KB

MD5
856865c98a2ddde13f659acee7af30d1

SHA1
ce8051c3a18fb406a031d90b8ee928ab8ae2138c

SHA256
c84b2274165a6855bb1b41cd83fda770edf34c5d155fa0980d3d732b57844780

SHA512
19cd98a2faa79e558e447310d7a2e1f48dfd2d0c7cdd369db502522d91ce6cf2b6e64804e4f91a897252e489e959c37007e881b4c36a7fea413e45475ec3f666

Download Submit
memory/2116-83-0x00000000002A0000-0x00000000002D0000-memory.dmp

Filesize
192KB

Download
memory/2116-87-0x0000000001E70000-0x0000000001E76000-memory.dmp

Filesize
24KB

Download
memory/2116-88-0x0000000002180000-0x00000000021C0000-memory.dmp

Filesize
256KB

Download
memory/3032-54-0x0000000000220000-0x000000000028E000-memory.dmp

Filesize
440KB

Download