redline | 306411b9b4973f40f454ee04df756769aa75bcd4ebef736221cbf299b57967e6

Analysis

max time kernel
135s
max time network
148s
platform
windows10-1703_x64
resource
win10-20230915-en
resource tags

arch:x64arch:x86image:win10-20230915-enlocale:en-usos:windows10-1703-x64system
submitted
02/10/2023, 05:38

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

306411b9b4973f40f454ee04df756769aa75bcd4ebef736221cbf299b57967e6.exe
Size

1.1MB
MD5

7678399fd110a5cad1ec55f04d38e4e1
SHA1

3321b9577ec831ddb56b8e6c9e66de09514ea9f3
SHA256

306411b9b4973f40f454ee04df756769aa75bcd4ebef736221cbf299b57967e6
SHA512

4be9dbcb7984cdde8da08b85838b383c0039bbff5eac7fbf0c97ae268aabf7a9629e4412832678db8555791b3ee27d74932a9b648be53d5d6c8fecbd52bf56e5
SSDEEP

24576:mykqCZXsqedJ3qVUgfqqVd8+ihpfBNawOvibb:1DCuqyJaXfqqVxi/rH6i

Score

10^/10

redline genda infostealer persistence

Malware Config

Extracted

Family

redline

Botnet

genda

77.91.124.55:19071

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 1 IoCs

resource	yara_rule
behavioral1/memory/2640-35-0x0000000000400000-0x000000000043E000-memory.dmp	family_redline

Executes dropped EXE 5 IoCs

pid	Process
3604	ez8Ha3xb.exe
3320	LU8rI5jl.exe
1748	CQ1kJ9ni.exe
2656	Cx7Ez2uE.exe
2144	fW888XZ.exe

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	306411b9b4973f40f454ee04df756769aa75bcd4ebef736221cbf299b57967e6.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	ez8Ha3xb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	LU8rI5jl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	CQ1kJ9ni.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\""	Cx7Ez2uE.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2144 set thread context of 2640	2144	fW888XZ.exe	77

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4268	2144	WerFault.exe	74

Suspicious use of WriteProcessMemory 26 IoCs

description	pid	Process	procid_target
PID 4676 wrote to memory of 3604	4676	306411b9b4973f40f454ee04df756769aa75bcd4ebef736221cbf299b57967e6.exe	70
PID 4676 wrote to memory of 3604	4676	306411b9b4973f40f454ee04df756769aa75bcd4ebef736221cbf299b57967e6.exe	70
PID 4676 wrote to memory of 3604	4676	306411b9b4973f40f454ee04df756769aa75bcd4ebef736221cbf299b57967e6.exe	70
PID 3604 wrote to memory of 3320	3604	ez8Ha3xb.exe	71
PID 3604 wrote to memory of 3320	3604	ez8Ha3xb.exe	71
PID 3604 wrote to memory of 3320	3604	ez8Ha3xb.exe	71
PID 3320 wrote to memory of 1748	3320	LU8rI5jl.exe	72
PID 3320 wrote to memory of 1748	3320	LU8rI5jl.exe	72
PID 3320 wrote to memory of 1748	3320	LU8rI5jl.exe	72
PID 1748 wrote to memory of 2656	1748	CQ1kJ9ni.exe	73
PID 1748 wrote to memory of 2656	1748	CQ1kJ9ni.exe	73
PID 1748 wrote to memory of 2656	1748	CQ1kJ9ni.exe	73
PID 2656 wrote to memory of 2144	2656	Cx7Ez2uE.exe	74
PID 2656 wrote to memory of 2144	2656	Cx7Ez2uE.exe	74
PID 2656 wrote to memory of 2144	2656	Cx7Ez2uE.exe	74
PID 2144 wrote to memory of 4312	2144	fW888XZ.exe	76
PID 2144 wrote to memory of 4312	2144	fW888XZ.exe	76
PID 2144 wrote to memory of 4312	2144	fW888XZ.exe	76
PID 2144 wrote to memory of 2640	2144	fW888XZ.exe	77
PID 2144 wrote to memory of 2640	2144	fW888XZ.exe	77
PID 2144 wrote to memory of 2640	2144	fW888XZ.exe	77
PID 2144 wrote to memory of 2640	2144	fW888XZ.exe	77
PID 2144 wrote to memory of 2640	2144	fW888XZ.exe	77
PID 2144 wrote to memory of 2640	2144	fW888XZ.exe	77
PID 2144 wrote to memory of 2640	2144	fW888XZ.exe	77
PID 2144 wrote to memory of 2640	2144	fW888XZ.exe	77

C:\Users\Admin\AppData\Local\Temp\306411b9b4973f40f454ee04df756769aa75bcd4ebef736221cbf299b57967e6.exe
"C:\Users\Admin\AppData\Local\Temp\306411b9b4973f40f454ee04df756769aa75bcd4ebef736221cbf299b57967e6.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4676
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ez8Ha3xb.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ez8Ha3xb.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:3604
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\LU8rI5jl.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\LU8rI5jl.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:3320
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\CQ1kJ9ni.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\CQ1kJ9ni.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:1748
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\Cx7Ez2uE.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\Cx7Ez2uE.exe
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of WriteProcessMemory
        
        PID:2656
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\fW888XZ.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\fW888XZ.exe
        6⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:2144
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        7⤵
        
        PID:4312
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        7⤵
        
        PID:2640
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2144 -s 612
        7⤵
        Program crash
        
        PID:4268

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ez8Ha3xb.exe

Filesize
994KB

MD5
dea51b7d3e07a9af255806454f7a550f

SHA1
09051ad2416c0232eb6dedf266cf9396f0145713

SHA256
f44163c2370011956a58c7059c98e3493791bba7384cf687481b8f33c78701ab

SHA512
e99f68aba0118ca27e29f6a4a27e814bf790264086864634b964b5f73c183cb72c758b1a66cf52cceaea694f1e0eb8edd2a2dceff246aef6494e326b80a6a364

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ez8Ha3xb.exe

Filesize
994KB

MD5
dea51b7d3e07a9af255806454f7a550f

SHA1
09051ad2416c0232eb6dedf266cf9396f0145713

SHA256
f44163c2370011956a58c7059c98e3493791bba7384cf687481b8f33c78701ab

SHA512
e99f68aba0118ca27e29f6a4a27e814bf790264086864634b964b5f73c183cb72c758b1a66cf52cceaea694f1e0eb8edd2a2dceff246aef6494e326b80a6a364

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\LU8rI5jl.exe

Filesize
735KB

MD5
fddd3a9ecca3e9ed7d9328e0bd7da017

SHA1
cf71eaf930ce49a251d7015289c66d90b5df3dfd

SHA256
ad37d8a835b298f88b8f8989a3bc46c0ccf2f0120e07311155ce9607d7f86c1f

SHA512
95cb452b000c204f843e178cbca59fa2e68ae5f991b4c7837b44821fc61987b6f1c32423283c584bc1e8b38269d53d888f3b8c78de73f59b493e825961f65d35

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\LU8rI5jl.exe

Filesize
735KB

MD5
fddd3a9ecca3e9ed7d9328e0bd7da017

SHA1
cf71eaf930ce49a251d7015289c66d90b5df3dfd

SHA256
ad37d8a835b298f88b8f8989a3bc46c0ccf2f0120e07311155ce9607d7f86c1f

SHA512
95cb452b000c204f843e178cbca59fa2e68ae5f991b4c7837b44821fc61987b6f1c32423283c584bc1e8b38269d53d888f3b8c78de73f59b493e825961f65d35

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\CQ1kJ9ni.exe

Filesize
553KB

MD5
c721afc2e5beb03b09931b3b47953413

SHA1
52fab84b89cf09739e2fe4b2e4abe8f2c31f0f8e

SHA256
d7619499257268623243b58668ccfe0c9217f5ccf2fb2394e055609fbab2730a

SHA512
9942310d3582861561e4ea8dc925898b805c1b24228b2097c0d058a4e261f48cad376d6e8d603d540f31d58986692659e696a51fc33aebb2463d20c82f84c9ff

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\CQ1kJ9ni.exe

Filesize
553KB

MD5
c721afc2e5beb03b09931b3b47953413

SHA1
52fab84b89cf09739e2fe4b2e4abe8f2c31f0f8e

SHA256
d7619499257268623243b58668ccfe0c9217f5ccf2fb2394e055609fbab2730a

SHA512
9942310d3582861561e4ea8dc925898b805c1b24228b2097c0d058a4e261f48cad376d6e8d603d540f31d58986692659e696a51fc33aebb2463d20c82f84c9ff

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\Cx7Ez2uE.exe

Filesize
387KB

MD5
ed0cb60b9f63cce977c2e1571ae48f0b

SHA1
643ac43db27cb9d4224d2e2b447da4942d1b956e

SHA256
465081900b9ca6912dffffdf0875a760db2804b19822995c243344640fee69c8

SHA512
3471fcbe36e65838b3abf6eb0f37346023af4e032dd530cd963d59113f118690fcb299de90c8e216849dbc0da3af159e8c9cbe38ca332ce320abf9ac0f8f8edf

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\Cx7Ez2uE.exe

Filesize
387KB

MD5
ed0cb60b9f63cce977c2e1571ae48f0b

SHA1
643ac43db27cb9d4224d2e2b447da4942d1b956e

SHA256
465081900b9ca6912dffffdf0875a760db2804b19822995c243344640fee69c8

SHA512
3471fcbe36e65838b3abf6eb0f37346023af4e032dd530cd963d59113f118690fcb299de90c8e216849dbc0da3af159e8c9cbe38ca332ce320abf9ac0f8f8edf

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\fW888XZ.exe

Filesize
386KB

MD5
33f780e42049a09f7a34f8f87385c928

SHA1
675e0dbe820e47ae89837b525aecfccd0f61db45

SHA256
5370c70dd4ae0a8960058dbbeb0e58e5b5c36b34fc1eb536da4e2c441fbd8be6

SHA512
2d6bc6396b5affb85f7d1a4f9614359c2f14c78eddc81d3d073895a6859e10591e9b19e37af8d988b806a5e15eb8c4001a6ea51b7fef7e3a6d297ef1e0e7c964

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\fW888XZ.exe

Filesize
386KB

MD5
33f780e42049a09f7a34f8f87385c928

SHA1
675e0dbe820e47ae89837b525aecfccd0f61db45

SHA256
5370c70dd4ae0a8960058dbbeb0e58e5b5c36b34fc1eb536da4e2c441fbd8be6

SHA512
2d6bc6396b5affb85f7d1a4f9614359c2f14c78eddc81d3d073895a6859e10591e9b19e37af8d988b806a5e15eb8c4001a6ea51b7fef7e3a6d297ef1e0e7c964

Download Submit
memory/2640-35-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2640-39-0x0000000072860000-0x0000000072F4E000-memory.dmp

Filesize
6.9MB

Download
memory/2640-40-0x000000000BD00000-0x000000000C1FE000-memory.dmp

Filesize
5.0MB

Download
memory/2640-41-0x000000000B8A0000-0x000000000B932000-memory.dmp

Filesize
584KB

Download
memory/2640-42-0x000000000B830000-0x000000000B83A000-memory.dmp

Filesize
40KB

Download
memory/2640-43-0x000000000C810000-0x000000000CE16000-memory.dmp

Filesize
6.0MB

Download
memory/2640-44-0x000000000BB80000-0x000000000BC8A000-memory.dmp

Filesize
1.0MB

Download
memory/2640-45-0x000000000BA90000-0x000000000BAA2000-memory.dmp

Filesize
72KB

Download
memory/2640-46-0x000000000BAF0000-0x000000000BB2E000-memory.dmp

Filesize
248KB

Download
memory/2640-47-0x000000000BB30000-0x000000000BB7B000-memory.dmp

Filesize
300KB

Download
memory/2640-52-0x0000000072860000-0x0000000072F4E000-memory.dmp

Filesize
6.9MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads