redline | ce9f75c073171b1315c869b550348e6d8c48a986b262a068b33f0833b7a24716

General

Target

2c52c514ed30a21dbfc181f9a56e756d.exe
Size

864KB
MD5

2c52c514ed30a21dbfc181f9a56e756d
SHA1

251cf6719d43e1fd2c52df211e76b8644c3cd2b0
SHA256

ce9f75c073171b1315c869b550348e6d8c48a986b262a068b33f0833b7a24716
SHA512

e59f6f72001fbfb87dfbdf3ac73832f17ba334a5877f395f3c3173d18ba41c3a962714d6f91ce92d484ffe5368bf3ff90b388be4175032dc20a2bee0005c000b
SSDEEP

24576:5yQ6k1XlUuV6gbsDRA/vTXLp3qiwikDLDJtgYBNSu+KpEFMe:sQ6knTs2XTXLpFusYKu+yQ

Score

10^/10

redline kira infostealer persistence

Malware Config

Extracted

Family

redline

Botnet

kira

C2

77.91.68.48:19071

Attributes

auth_value
1677a40fd8997eb89377e1681911e9c6

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Executes dropped EXE 3 IoCs

pid	Process
1884	y6497315.exe
1772	k0077088.exe
3108	l7490768.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	2c52c514ed30a21dbfc181f9a56e756d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	2c52c514ed30a21dbfc181f9a56e756d.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	y6497315.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	y6497315.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1400	1772	WerFault.exe	85

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 2156 wrote to memory of 1884	2156	2c52c514ed30a21dbfc181f9a56e756d.exe	84
PID 2156 wrote to memory of 1884	2156	2c52c514ed30a21dbfc181f9a56e756d.exe	84
PID 2156 wrote to memory of 1884	2156	2c52c514ed30a21dbfc181f9a56e756d.exe	84
PID 1884 wrote to memory of 1772	1884	y6497315.exe	85
PID 1884 wrote to memory of 1772	1884	y6497315.exe	85
PID 1884 wrote to memory of 1772	1884	y6497315.exe	85
PID 1884 wrote to memory of 3108	1884	y6497315.exe	91
PID 1884 wrote to memory of 3108	1884	y6497315.exe	91
PID 1884 wrote to memory of 3108	1884	y6497315.exe	91

C:\Users\Admin\AppData\Local\Temp\2c52c514ed30a21dbfc181f9a56e756d.exe
"C:\Users\Admin\AppData\Local\Temp\2c52c514ed30a21dbfc181f9a56e756d.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2156
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y6497315.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y6497315.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:1884
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k0077088.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k0077088.exe
    3⤵
    - Executes dropped EXE
    PID:1772
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1772 -s 140
      4⤵
      Program crash
      PID:1400
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\l7490768.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\l7490768.exe
    3⤵
    - Executes dropped EXE
    PID:3108

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 1772 -ip 1772
1⤵
PID:2316

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y6497315.exe

Filesize
681KB

MD5
347fa3300c887f6ed7b1a13377bb28bd

SHA1
f7290c370763737aa41f0bc92d66b2423647815c

SHA256
8ecc876c0ce1dc9774cb4ee93fbcd638c9182cd5c33e4a7aee74bbc39bd75cc4

SHA512
e17a78db324fd6bd80872c92fd6c03f0308b20c256d9a42cec304f21f13df2f0c6069ba95998d525e39b6e99040d07baaabf60015ab4ff88344e5d222c0cc341

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y6497315.exe

Filesize
681KB

MD5
347fa3300c887f6ed7b1a13377bb28bd

SHA1
f7290c370763737aa41f0bc92d66b2423647815c

SHA256
8ecc876c0ce1dc9774cb4ee93fbcd638c9182cd5c33e4a7aee74bbc39bd75cc4

SHA512
e17a78db324fd6bd80872c92fd6c03f0308b20c256d9a42cec304f21f13df2f0c6069ba95998d525e39b6e99040d07baaabf60015ab4ff88344e5d222c0cc341

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k0077088.exe

Filesize
530KB

MD5
3afbc821636e1e7951821231f0cdc4bc

SHA1
d962f7454a83bdeb81b16476055773c65090c068

SHA256
b05287fda0d66708df3d5a927caeb62a87e8809fb992871a5615a3c62ce1eeff

SHA512
4b74ca6740b4a8cf7d6bf4a54e64cbf564f42443d4b23d824feb661a8945a7a1a08fb6428afb8a8af7646607b5edc1af9d4c7aea8aac341965dbbf220db86eba

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k0077088.exe

Filesize
530KB

MD5
3afbc821636e1e7951821231f0cdc4bc

SHA1
d962f7454a83bdeb81b16476055773c65090c068

SHA256
b05287fda0d66708df3d5a927caeb62a87e8809fb992871a5615a3c62ce1eeff

SHA512
4b74ca6740b4a8cf7d6bf4a54e64cbf564f42443d4b23d824feb661a8945a7a1a08fb6428afb8a8af7646607b5edc1af9d4c7aea8aac341965dbbf220db86eba

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\l7490768.exe

Filesize
692KB

MD5
ed78531c3da44f95b5e5f7aa280bf586

SHA1
a9e403fcbf3a8020cb51d8f3a406c74775936c2d

SHA256
d996d9ed8e0931fe6f414b91b0d4f52fc6b80a8493829f63fdd44cbf9afea60e

SHA512
7649d4ceb7cf0771ed8905dbff16e74b117b0ced16f94026d457a6534a10f39c91da18bd986fd66ded33d9c2c4ef501e7c895760418b39361089f196bbdb6970

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\l7490768.exe

Filesize
692KB

MD5
ed78531c3da44f95b5e5f7aa280bf586

SHA1
a9e403fcbf3a8020cb51d8f3a406c74775936c2d

SHA256
d996d9ed8e0931fe6f414b91b0d4f52fc6b80a8493829f63fdd44cbf9afea60e

SHA512
7649d4ceb7cf0771ed8905dbff16e74b117b0ced16f94026d457a6534a10f39c91da18bd986fd66ded33d9c2c4ef501e7c895760418b39361089f196bbdb6970

Download Submit
memory/3108-150-0x0000000000440000-0x0000000000470000-memory.dmp

Filesize
192KB

Download
memory/3108-154-0x0000000004A90000-0x00000000050A8000-memory.dmp

Filesize
6.1MB

Download
memory/3108-155-0x00000000050B0000-0x00000000051BA000-memory.dmp

Filesize
1.0MB

Download
memory/3108-156-0x00000000051F0000-0x0000000005202000-memory.dmp

Filesize
72KB

Download
memory/3108-157-0x0000000005210000-0x000000000524C000-memory.dmp

Filesize
240KB

Download
memory/3108-158-0x0000000004A80000-0x0000000004A90000-memory.dmp

Filesize
64KB

Download
memory/3108-159-0x0000000004A80000-0x0000000004A90000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing