redline | 4ea6d64ab4fcb5ffb06e1f8ef5db4290be3a535c0ca256bc922e9708ca6191a6

Analysis

max time kernel
142s
max time network
149s
platform
windows7_x64
resource
win7-20230703-en
resource tags

arch:x64arch:x86image:win7-20230703-enlocale:en-usos:windows7-x64system
submitted
10/07/2023, 12:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

00451fa6d543d1ecc4a863c1a.exe
Size

514KB
MD5

00451fa6d543d1ecc4a863c1a99c1e65
SHA1

b5401045d48b24cf0e9fcb1bc62c05ddce21af06
SHA256

4ea6d64ab4fcb5ffb06e1f8ef5db4290be3a535c0ca256bc922e9708ca6191a6
SHA512

959d1d65a4db7fdd44c9ad0070d371b33443107caccc71ddbf007b51f880007ec266140ffe1dca024b5e9605049f6164c6caa0c966b6bcb2c0c8d89025418f78
SSDEEP

6144:xmPD0GqyHBBDCWGYLUz247rT2+PsCd0ukjIormfdVKMNR8jl4D46JdrOE1LULXJj:xmYAbz47H2+RYtKfPKheECp1wLr

Score

10^/10

redline kira infostealer persistence

Malware Config

Extracted

Family

redline

Botnet

kira

77.91.68.48:19071

Attributes

auth_value
1677a40fd8997eb89377e1681911e9c6

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Executes dropped EXE 2 IoCs

pid	Process
1308	x2788619.exe
2132	f0988076.exe

Loads dropped DLL 5 IoCs

pid	Process
2336	00451fa6d543d1ecc4a863c1a.exe
1308	x2788619.exe
1308	x2788619.exe
1308	x2788619.exe
2132	f0988076.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	x2788619.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	00451fa6d543d1ecc4a863c1a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	00451fa6d543d1ecc4a863c1a.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	x2788619.exe

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 2336 wrote to memory of 1308	2336	00451fa6d543d1ecc4a863c1a.exe	30
PID 2336 wrote to memory of 1308	2336	00451fa6d543d1ecc4a863c1a.exe	30
PID 2336 wrote to memory of 1308	2336	00451fa6d543d1ecc4a863c1a.exe	30
PID 2336 wrote to memory of 1308	2336	00451fa6d543d1ecc4a863c1a.exe	30
PID 2336 wrote to memory of 1308	2336	00451fa6d543d1ecc4a863c1a.exe	30
PID 2336 wrote to memory of 1308	2336	00451fa6d543d1ecc4a863c1a.exe	30
PID 2336 wrote to memory of 1308	2336	00451fa6d543d1ecc4a863c1a.exe	30
PID 1308 wrote to memory of 2132	1308	x2788619.exe	31
PID 1308 wrote to memory of 2132	1308	x2788619.exe	31
PID 1308 wrote to memory of 2132	1308	x2788619.exe	31
PID 1308 wrote to memory of 2132	1308	x2788619.exe	31
PID 1308 wrote to memory of 2132	1308	x2788619.exe	31
PID 1308 wrote to memory of 2132	1308	x2788619.exe	31
PID 1308 wrote to memory of 2132	1308	x2788619.exe	31

C:\Users\Admin\AppData\Local\Temp\00451fa6d543d1ecc4a863c1a.exe
"C:\Users\Admin\AppData\Local\Temp\00451fa6d543d1ecc4a863c1a.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2336
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x2788619.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x2788619.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:1308
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\f0988076.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\f0988076.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:2132

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x2788619.exe

Filesize
319KB

MD5
4081f816f2d139888c67f0cd687063c6

SHA1
c2282f676a50552c587f970560aa3bc94e219b2e

SHA256
155cbd4270df2b8bc232238d87db2783a43bfbe9b7832072358cf1f7545937af

SHA512
e7d561a8955030cd3d6ca595ce1f7fb99be59cb461ea06237e7b714d82e19bc5c2b3f18b9ae38339bcce9edffa9a8929e9f5a58ccc5b23cf913c6fa4ae82987d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x2788619.exe

Filesize
319KB

MD5
4081f816f2d139888c67f0cd687063c6

SHA1
c2282f676a50552c587f970560aa3bc94e219b2e

SHA256
155cbd4270df2b8bc232238d87db2783a43bfbe9b7832072358cf1f7545937af

SHA512
e7d561a8955030cd3d6ca595ce1f7fb99be59cb461ea06237e7b714d82e19bc5c2b3f18b9ae38339bcce9edffa9a8929e9f5a58ccc5b23cf913c6fa4ae82987d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\f0988076.exe

Filesize
266KB

MD5
2622522f974971fff94433364ea9322d

SHA1
ef99e237d59fa66a5530b1833987767dc610e2d5

SHA256
23464a5b1d265503d39aa7a79742b7d207f97ddb6d28e8e269910d80ce9f9141

SHA512
adc0bb3635b400ccfc7ebe54bfa1ba752b8d2da06520293e228332075fa6023619cc6a890d71e03891fbb8ad30dd683b8f932271e86ec1376b601a80b70f3a74

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\f0988076.exe

Filesize
266KB

MD5
2622522f974971fff94433364ea9322d

SHA1
ef99e237d59fa66a5530b1833987767dc610e2d5

SHA256
23464a5b1d265503d39aa7a79742b7d207f97ddb6d28e8e269910d80ce9f9141

SHA512
adc0bb3635b400ccfc7ebe54bfa1ba752b8d2da06520293e228332075fa6023619cc6a890d71e03891fbb8ad30dd683b8f932271e86ec1376b601a80b70f3a74

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\f0988076.exe

Filesize
266KB

MD5
2622522f974971fff94433364ea9322d

SHA1
ef99e237d59fa66a5530b1833987767dc610e2d5

SHA256
23464a5b1d265503d39aa7a79742b7d207f97ddb6d28e8e269910d80ce9f9141

SHA512
adc0bb3635b400ccfc7ebe54bfa1ba752b8d2da06520293e228332075fa6023619cc6a890d71e03891fbb8ad30dd683b8f932271e86ec1376b601a80b70f3a74

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\x2788619.exe

Filesize
319KB

MD5
4081f816f2d139888c67f0cd687063c6

SHA1
c2282f676a50552c587f970560aa3bc94e219b2e

SHA256
155cbd4270df2b8bc232238d87db2783a43bfbe9b7832072358cf1f7545937af

SHA512
e7d561a8955030cd3d6ca595ce1f7fb99be59cb461ea06237e7b714d82e19bc5c2b3f18b9ae38339bcce9edffa9a8929e9f5a58ccc5b23cf913c6fa4ae82987d

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\x2788619.exe

Filesize
319KB

MD5
4081f816f2d139888c67f0cd687063c6

SHA1
c2282f676a50552c587f970560aa3bc94e219b2e

SHA256
155cbd4270df2b8bc232238d87db2783a43bfbe9b7832072358cf1f7545937af

SHA512
e7d561a8955030cd3d6ca595ce1f7fb99be59cb461ea06237e7b714d82e19bc5c2b3f18b9ae38339bcce9edffa9a8929e9f5a58ccc5b23cf913c6fa4ae82987d

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\f0988076.exe

Filesize
266KB

MD5
2622522f974971fff94433364ea9322d

SHA1
ef99e237d59fa66a5530b1833987767dc610e2d5

SHA256
23464a5b1d265503d39aa7a79742b7d207f97ddb6d28e8e269910d80ce9f9141

SHA512
adc0bb3635b400ccfc7ebe54bfa1ba752b8d2da06520293e228332075fa6023619cc6a890d71e03891fbb8ad30dd683b8f932271e86ec1376b601a80b70f3a74

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\f0988076.exe

Filesize
266KB

MD5
2622522f974971fff94433364ea9322d

SHA1
ef99e237d59fa66a5530b1833987767dc610e2d5

SHA256
23464a5b1d265503d39aa7a79742b7d207f97ddb6d28e8e269910d80ce9f9141

SHA512
adc0bb3635b400ccfc7ebe54bfa1ba752b8d2da06520293e228332075fa6023619cc6a890d71e03891fbb8ad30dd683b8f932271e86ec1376b601a80b70f3a74

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\f0988076.exe

Filesize
266KB

MD5
2622522f974971fff94433364ea9322d

SHA1
ef99e237d59fa66a5530b1833987767dc610e2d5

SHA256
23464a5b1d265503d39aa7a79742b7d207f97ddb6d28e8e269910d80ce9f9141

SHA512
adc0bb3635b400ccfc7ebe54bfa1ba752b8d2da06520293e228332075fa6023619cc6a890d71e03891fbb8ad30dd683b8f932271e86ec1376b601a80b70f3a74

Download Submit
memory/2132-83-0x0000000000250000-0x0000000000280000-memory.dmp

Filesize
192KB

Download
memory/2132-87-0x0000000000510000-0x0000000000516000-memory.dmp

Filesize
24KB

Download
memory/2132-88-0x0000000000BD0000-0x0000000000C10000-memory.dmp

Filesize
256KB

Download
memory/2336-54-0x0000000000220000-0x000000000028E000-memory.dmp

Filesize
440KB

Download