redline | 3d16e951638c72929671732070d8e8828b07c6062073319a6915de89c9229ccf

Analysis

max time kernel
139s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20231020-en
resource tags

arch:x64arch:x86image:win10v2004-20231020-enlocale:en-usos:windows10-2004-x64system
submitted
22/10/2023, 22:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3d16e951638c72929671732070d8e8828b07c6062073319a6915de89c9229ccf.exe
Size

1.5MB
MD5

8f9d48be29a591c7b38fbbf8b2ec03a8
SHA1

af69ea15b07eb2b3a66307df488dc0b33df34b03
SHA256

3d16e951638c72929671732070d8e8828b07c6062073319a6915de89c9229ccf
SHA512

8f663ead922b51e2abf70d0422ed5ce98e64c04ecfb7a67e61ad3027bf0044b0b3baf910d7e9d63da4e6064fdb8d133e1b46ba74117fa34f9502b8f621bd1ba9
SSDEEP

24576:OyHKCi/QEhcv3KMntBUND2foFDIKU/39Gp27xJ6/MoD8FYx1+Kv5holM1tTpQ:dLjSEUNqfKDaFGp4lvOxsKrJ

Score

10^/10

redline kinder infostealer persistence

Malware Config

Extracted

Family

redline

Botnet

kinder

109.107.182.133:19084

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 3 IoCs

resource	yara_rule
behavioral1/files/0x0007000000022e5a-41.dat	family_redline
behavioral1/files/0x0007000000022e5a-42.dat	family_redline
behavioral1/memory/1128-43-0x0000000000910000-0x000000000094E000-memory.dmp	family_redline

Executes dropped EXE 6 IoCs

pid	Process
4380	tX1Ti5Lf.exe
3876	lL8iJ4sn.exe
4396	zy9Jj3Gv.exe
1328	yJ3QR1qG.exe
3904	1Ws96LD5.exe
1128	2XT109db.exe

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	3d16e951638c72929671732070d8e8828b07c6062073319a6915de89c9229ccf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	tX1Ti5Lf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	lL8iJ4sn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	zy9Jj3Gv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\""	yJ3QR1qG.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 3904 set thread context of 484	3904	1Ws96LD5.exe	93

Program crash 2 IoCs

pid	pid_target	Process	procid_target
3520	484	WerFault.exe	93
4532	484	WerFault.exe	93

Suspicious use of WriteProcessMemory 31 IoCs

description	pid	Process	procid_target
PID 4660 wrote to memory of 4380	4660	3d16e951638c72929671732070d8e8828b07c6062073319a6915de89c9229ccf.exe	87
PID 4660 wrote to memory of 4380	4660	3d16e951638c72929671732070d8e8828b07c6062073319a6915de89c9229ccf.exe	87
PID 4660 wrote to memory of 4380	4660	3d16e951638c72929671732070d8e8828b07c6062073319a6915de89c9229ccf.exe	87
PID 4380 wrote to memory of 3876	4380	tX1Ti5Lf.exe	88
PID 4380 wrote to memory of 3876	4380	tX1Ti5Lf.exe	88
PID 4380 wrote to memory of 3876	4380	tX1Ti5Lf.exe	88
PID 3876 wrote to memory of 4396	3876	lL8iJ4sn.exe	89
PID 3876 wrote to memory of 4396	3876	lL8iJ4sn.exe	89
PID 3876 wrote to memory of 4396	3876	lL8iJ4sn.exe	89
PID 4396 wrote to memory of 1328	4396	zy9Jj3Gv.exe	90
PID 4396 wrote to memory of 1328	4396	zy9Jj3Gv.exe	90
PID 4396 wrote to memory of 1328	4396	zy9Jj3Gv.exe	90
PID 1328 wrote to memory of 3904	1328	yJ3QR1qG.exe	91
PID 1328 wrote to memory of 3904	1328	yJ3QR1qG.exe	91
PID 1328 wrote to memory of 3904	1328	yJ3QR1qG.exe	91
PID 3904 wrote to memory of 484	3904	1Ws96LD5.exe	93
PID 3904 wrote to memory of 484	3904	1Ws96LD5.exe	93
PID 3904 wrote to memory of 484	3904	1Ws96LD5.exe	93
PID 3904 wrote to memory of 484	3904	1Ws96LD5.exe	93
PID 3904 wrote to memory of 484	3904	1Ws96LD5.exe	93
PID 3904 wrote to memory of 484	3904	1Ws96LD5.exe	93
PID 3904 wrote to memory of 484	3904	1Ws96LD5.exe	93
PID 3904 wrote to memory of 484	3904	1Ws96LD5.exe	93
PID 3904 wrote to memory of 484	3904	1Ws96LD5.exe	93
PID 3904 wrote to memory of 484	3904	1Ws96LD5.exe	93
PID 1328 wrote to memory of 1128	1328	yJ3QR1qG.exe	94
PID 1328 wrote to memory of 1128	1328	yJ3QR1qG.exe	94
PID 1328 wrote to memory of 1128	1328	yJ3QR1qG.exe	94
PID 484 wrote to memory of 3520	484	AppLaunch.exe	97
PID 484 wrote to memory of 3520	484	AppLaunch.exe	97
PID 484 wrote to memory of 3520	484	AppLaunch.exe	97

C:\Users\Admin\AppData\Local\Temp\3d16e951638c72929671732070d8e8828b07c6062073319a6915de89c9229ccf.exe
"C:\Users\Admin\AppData\Local\Temp\3d16e951638c72929671732070d8e8828b07c6062073319a6915de89c9229ccf.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4660
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\tX1Ti5Lf.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\tX1Ti5Lf.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:4380
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\lL8iJ4sn.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\lL8iJ4sn.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:3876
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\zy9Jj3Gv.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\zy9Jj3Gv.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:4396
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\yJ3QR1qG.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\yJ3QR1qG.exe
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of WriteProcessMemory
        
        PID:1328
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1Ws96LD5.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1Ws96LD5.exe
        6⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:3904
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:484
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 484 -s 540
        8⤵
        Program crash
        
        PID:3520
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 484 -s 540
        8⤵
        Program crash
        
        PID:4532
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2XT109db.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2XT109db.exe
        6⤵
        Executes dropped EXE
        
        PID:1128

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 484 -ip 484
1⤵
PID:1484

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\tX1Ti5Lf.exe

Filesize
1.3MB

MD5
7f8f1f2ac21dfa9220bc964e33e1e146

SHA1
e4646447539f52dd2f06fcefa92cfdfd3e0e687f

SHA256
d232cf8f821641cd318a1a47353ec6f1348afec6b1130f57965b62505dd51407

SHA512
8d93a4f26b10ea540d8b8357fdf50797a9d8c423b0b28355f2b5c4f316844d68b52df766e71d81c858cb9c45877d2a8a1d8124b5007badf04382451ff68bc86a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\tX1Ti5Lf.exe

Filesize
1.3MB

MD5
7f8f1f2ac21dfa9220bc964e33e1e146

SHA1
e4646447539f52dd2f06fcefa92cfdfd3e0e687f

SHA256
d232cf8f821641cd318a1a47353ec6f1348afec6b1130f57965b62505dd51407

SHA512
8d93a4f26b10ea540d8b8357fdf50797a9d8c423b0b28355f2b5c4f316844d68b52df766e71d81c858cb9c45877d2a8a1d8124b5007badf04382451ff68bc86a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\lL8iJ4sn.exe

Filesize
1.1MB

MD5
c033fe5f51931facd9e38fbdda34bcdd

SHA1
814b6edb16e1a40031efe3e6935d15670f9133d7

SHA256
6daceb9e3ed81333fe77ab6ca87117b4d5b1882296c78c328131ad9d932a9d85

SHA512
cf9389814cfb949e37c2d7fcbabb2fceeb351d315300c694b50f200196809c3fce34581e25fed0806f6f3aecc8c79849626842c47c8f8f36c4a23bdfcc9b8744

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\lL8iJ4sn.exe

Filesize
1.1MB

MD5
c033fe5f51931facd9e38fbdda34bcdd

SHA1
814b6edb16e1a40031efe3e6935d15670f9133d7

SHA256
6daceb9e3ed81333fe77ab6ca87117b4d5b1882296c78c328131ad9d932a9d85

SHA512
cf9389814cfb949e37c2d7fcbabb2fceeb351d315300c694b50f200196809c3fce34581e25fed0806f6f3aecc8c79849626842c47c8f8f36c4a23bdfcc9b8744

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\zy9Jj3Gv.exe

Filesize
754KB

MD5
d924d65fca70fe5c0883731b66ee38e8

SHA1
de1a5739cc49d73b6e187d351561eacca8ae9cf6

SHA256
acddee884a1f372aaf9fb9cde02ecbdc6b2791aac8e9f192d3aa0ec1672f23f9

SHA512
38bd0ecccd33df17740bfcfca16d49176fc8ea99b4cf95ff207b9248fd05e5fd7b24c78cc72f43f3ecdfc87d61c28d3e32c67fc844e254468407e13197a4e8c3

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\zy9Jj3Gv.exe

Filesize
754KB

MD5
d924d65fca70fe5c0883731b66ee38e8

SHA1
de1a5739cc49d73b6e187d351561eacca8ae9cf6

SHA256
acddee884a1f372aaf9fb9cde02ecbdc6b2791aac8e9f192d3aa0ec1672f23f9

SHA512
38bd0ecccd33df17740bfcfca16d49176fc8ea99b4cf95ff207b9248fd05e5fd7b24c78cc72f43f3ecdfc87d61c28d3e32c67fc844e254468407e13197a4e8c3

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\yJ3QR1qG.exe

Filesize
559KB

MD5
ecd124b886b967b28ad0d80641be4af3

SHA1
81340b29b31a5bda453f6859573cf2c7ca947525

SHA256
43f587d63f5763725f3a0713f6efbd51e4a0173d17cc8a15d0a57bb8bc8632e5

SHA512
1eb31ea928e9d7d772d7944e143e88426a802dbfd4ebe117169b553b329b7461f0875b6cfb57f2eb260fbe291242620764f776789cc8fd8c92f7b732b6be731f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\yJ3QR1qG.exe

Filesize
559KB

MD5
ecd124b886b967b28ad0d80641be4af3

SHA1
81340b29b31a5bda453f6859573cf2c7ca947525

SHA256
43f587d63f5763725f3a0713f6efbd51e4a0173d17cc8a15d0a57bb8bc8632e5

SHA512
1eb31ea928e9d7d772d7944e143e88426a802dbfd4ebe117169b553b329b7461f0875b6cfb57f2eb260fbe291242620764f776789cc8fd8c92f7b732b6be731f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1Ws96LD5.exe

Filesize
1.1MB

MD5
497a7fe8c8e807c4189cf0c3d8a568b0

SHA1
122a209473fba0ebded8cfe4c31d16fb327a44d2

SHA256
cef5cba0f46eccd99b171430a8058ae407592578fc6aa317ac72038ea49dba74

SHA512
09fd7158922a1e4ff46e60fb259f04ff5b1f7cf5a06c965863770b151bd58036034a93f6d9a4a69624b382fa4e6978e67720f69bea2fd2af0cbab9c729d2dd17

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1Ws96LD5.exe

Filesize
1.1MB

MD5
497a7fe8c8e807c4189cf0c3d8a568b0

SHA1
122a209473fba0ebded8cfe4c31d16fb327a44d2

SHA256
cef5cba0f46eccd99b171430a8058ae407592578fc6aa317ac72038ea49dba74

SHA512
09fd7158922a1e4ff46e60fb259f04ff5b1f7cf5a06c965863770b151bd58036034a93f6d9a4a69624b382fa4e6978e67720f69bea2fd2af0cbab9c729d2dd17

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2XT109db.exe

Filesize
222KB

MD5
4e91f74e618a5861ea53eb3ab41c1de5

SHA1
f017d6bfb9fb0ecdeeeb17db1c13c69dfdfd53ec

SHA256
43cf61e8a320e099e13a7e11424e834847de3752a4423cac7935757ca75dbb12

SHA512
71449051f533b76d697441f6b06d3213c705db2336e73f7fd44efc8d985207527b67e7cabebf5e5faf4fe76328b233728856aec6d23c9a75daebd4306802c54a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2XT109db.exe

Filesize
222KB

MD5
4e91f74e618a5861ea53eb3ab41c1de5

SHA1
f017d6bfb9fb0ecdeeeb17db1c13c69dfdfd53ec

SHA256
43cf61e8a320e099e13a7e11424e834847de3752a4423cac7935757ca75dbb12

SHA512
71449051f533b76d697441f6b06d3213c705db2336e73f7fd44efc8d985207527b67e7cabebf5e5faf4fe76328b233728856aec6d23c9a75daebd4306802c54a

Download Submit
memory/484-36-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/484-37-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/484-39-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/484-35-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/1128-46-0x0000000007D60000-0x0000000008304000-memory.dmp

Filesize
5.6MB

Download
memory/1128-43-0x0000000000910000-0x000000000094E000-memory.dmp

Filesize
248KB

Download
memory/1128-45-0x00000000740E0000-0x0000000074890000-memory.dmp

Filesize
7.7MB

Download
memory/1128-44-0x00000000740E0000-0x0000000074890000-memory.dmp

Filesize
7.7MB

Download
memory/1128-47-0x0000000007A90000-0x0000000007B22000-memory.dmp

Filesize
584KB

Download
memory/1128-48-0x0000000007C20000-0x0000000007C30000-memory.dmp

Filesize
64KB

Download
memory/1128-49-0x0000000007C60000-0x0000000007C6A000-memory.dmp

Filesize
40KB

Download
memory/1128-50-0x0000000008930000-0x0000000008F48000-memory.dmp

Filesize
6.1MB

Download
memory/1128-51-0x0000000008420000-0x000000000852A000-memory.dmp

Filesize
1.0MB

Download
memory/1128-52-0x0000000007D30000-0x0000000007D42000-memory.dmp

Filesize
72KB

Download
memory/1128-53-0x0000000008350000-0x000000000838C000-memory.dmp

Filesize
240KB

Download
memory/1128-54-0x0000000008390000-0x00000000083DC000-memory.dmp

Filesize
304KB

Download
memory/1128-55-0x0000000007C20000-0x0000000007C30000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads