redline | 1fbdb25205f7869f90738640f3afbacfe796532d8738bb0522aeae3963aaf0f7

Analysis

max time kernel
141s
max time network
159s
platform
windows10-1703_x64
resource
win10-20231020-en
resource tags

arch:x64arch:x86image:win10-20231020-enlocale:en-usos:windows10-1703-x64system
submitted
22-10-2023 23:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1fbdb25205f7869f90738640f3afbacfe796532d8738bb0522aeae3963aaf0f7.exe
Size

1.5MB
MD5

44e515bbbd2c68ca226c0c78b074bb3e
SHA1

af39abea28203ee43f0e559bb58edfe137afb75e
SHA256

1fbdb25205f7869f90738640f3afbacfe796532d8738bb0522aeae3963aaf0f7
SHA512

cee6bf9cd4b962aae960e8e27ef13c269d5566234d1f5b972512f4b5c4bfe304bff8396fd20db2ee512befebd59d0bbafe8a1e9260638d28f467f262bb4048e8
SSDEEP

24576:MyEZqtScxGfrXDnqLGFDOsTKtC71uKftOSgve7WIj1u+iveR4:7ltVIzDnqL8OTtMwm3WAT

Score

10^/10

redline kinder infostealer persistence

Malware Config

Extracted

Family

redline

Botnet

kinder

109.107.182.133:19084

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 3 IoCs

resource	yara_rule
behavioral1/files/0x000600000001abd2-39.dat	family_redline
behavioral1/files/0x000600000001abd2-40.dat	family_redline
behavioral1/memory/4872-45-0x0000000000BA0000-0x0000000000BDE000-memory.dmp	family_redline

Executes dropped EXE 6 IoCs

pid	Process
4044	Rd0Dj0Ap.exe
4104	EI9az9NK.exe
3564	ad9Qn3Ar.exe
4428	uK5VK6eV.exe
2140	1CY77xz0.exe
4872	2gg725Ox.exe

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	ad9Qn3Ar.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\""	uK5VK6eV.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	1fbdb25205f7869f90738640f3afbacfe796532d8738bb0522aeae3963aaf0f7.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	Rd0Dj0Ap.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	EI9az9NK.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2140 set thread context of 4852	2140	1CY77xz0.exe	77

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4384	4852	WerFault.exe	77

Suspicious use of WriteProcessMemory 31 IoCs

description	pid	Process	procid_target
PID 4068 wrote to memory of 4044	4068	1fbdb25205f7869f90738640f3afbacfe796532d8738bb0522aeae3963aaf0f7.exe	71
PID 4068 wrote to memory of 4044	4068	1fbdb25205f7869f90738640f3afbacfe796532d8738bb0522aeae3963aaf0f7.exe	71
PID 4068 wrote to memory of 4044	4068	1fbdb25205f7869f90738640f3afbacfe796532d8738bb0522aeae3963aaf0f7.exe	71
PID 4044 wrote to memory of 4104	4044	Rd0Dj0Ap.exe	72
PID 4044 wrote to memory of 4104	4044	Rd0Dj0Ap.exe	72
PID 4044 wrote to memory of 4104	4044	Rd0Dj0Ap.exe	72
PID 4104 wrote to memory of 3564	4104	EI9az9NK.exe	73
PID 4104 wrote to memory of 3564	4104	EI9az9NK.exe	73
PID 4104 wrote to memory of 3564	4104	EI9az9NK.exe	73
PID 3564 wrote to memory of 4428	3564	ad9Qn3Ar.exe	74
PID 3564 wrote to memory of 4428	3564	ad9Qn3Ar.exe	74
PID 3564 wrote to memory of 4428	3564	ad9Qn3Ar.exe	74
PID 4428 wrote to memory of 2140	4428	uK5VK6eV.exe	75
PID 4428 wrote to memory of 2140	4428	uK5VK6eV.exe	75
PID 4428 wrote to memory of 2140	4428	uK5VK6eV.exe	75
PID 2140 wrote to memory of 820	2140	1CY77xz0.exe	76
PID 2140 wrote to memory of 820	2140	1CY77xz0.exe	76
PID 2140 wrote to memory of 820	2140	1CY77xz0.exe	76
PID 2140 wrote to memory of 4852	2140	1CY77xz0.exe	77
PID 2140 wrote to memory of 4852	2140	1CY77xz0.exe	77
PID 2140 wrote to memory of 4852	2140	1CY77xz0.exe	77
PID 2140 wrote to memory of 4852	2140	1CY77xz0.exe	77
PID 2140 wrote to memory of 4852	2140	1CY77xz0.exe	77
PID 2140 wrote to memory of 4852	2140	1CY77xz0.exe	77
PID 2140 wrote to memory of 4852	2140	1CY77xz0.exe	77
PID 2140 wrote to memory of 4852	2140	1CY77xz0.exe	77
PID 2140 wrote to memory of 4852	2140	1CY77xz0.exe	77
PID 2140 wrote to memory of 4852	2140	1CY77xz0.exe	77
PID 4428 wrote to memory of 4872	4428	uK5VK6eV.exe	78
PID 4428 wrote to memory of 4872	4428	uK5VK6eV.exe	78
PID 4428 wrote to memory of 4872	4428	uK5VK6eV.exe	78

C:\Users\Admin\AppData\Local\Temp\1fbdb25205f7869f90738640f3afbacfe796532d8738bb0522aeae3963aaf0f7.exe
"C:\Users\Admin\AppData\Local\Temp\1fbdb25205f7869f90738640f3afbacfe796532d8738bb0522aeae3963aaf0f7.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4068
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Rd0Dj0Ap.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Rd0Dj0Ap.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:4044
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\EI9az9NK.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\EI9az9NK.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:4104
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\ad9Qn3Ar.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\ad9Qn3Ar.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:3564
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\uK5VK6eV.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\uK5VK6eV.exe
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of WriteProcessMemory
        
        PID:4428
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1CY77xz0.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1CY77xz0.exe
        6⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:2140
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        7⤵
        
        PID:820
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        7⤵
        
        PID:4852
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4852 -s 184
        8⤵
        Program crash
        
        PID:4384
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2gg725Ox.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2gg725Ox.exe
        6⤵
        Executes dropped EXE
        
        PID:4872

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Rd0Dj0Ap.exe

Filesize
1.3MB

MD5
d8bbf03ae90df71c919a2d75c5a4f87d

SHA1
221a8fa4ae9b418ad8ea5cbf241111d2ec45e947

SHA256
a948c970339979b1a6a5a052adef8631268dd86723d195431dadcc85bd5b9610

SHA512
7f6f49c29fcd1cf3e6396f6d59e64a5937f56c8a5b47d9bac7cfd9c5f7f29a61f2351426c974914b3bd27e1c8b5d0f33bfb22a5ab5cbd8a4d38a7bd05ae310c3

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Rd0Dj0Ap.exe

Filesize
1.3MB

MD5
d8bbf03ae90df71c919a2d75c5a4f87d

SHA1
221a8fa4ae9b418ad8ea5cbf241111d2ec45e947

SHA256
a948c970339979b1a6a5a052adef8631268dd86723d195431dadcc85bd5b9610

SHA512
7f6f49c29fcd1cf3e6396f6d59e64a5937f56c8a5b47d9bac7cfd9c5f7f29a61f2351426c974914b3bd27e1c8b5d0f33bfb22a5ab5cbd8a4d38a7bd05ae310c3

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\EI9az9NK.exe

Filesize
1.1MB

MD5
0057675e40924fd6ed3aaad9d377b822

SHA1
99e9550f2b8d212828d4717b98765bf3c3551770

SHA256
9c2e91fc7ed282b4503c19db9c00c62c45ada7cf229686d7cc89a9de1d6eb72e

SHA512
37331670f78176c2e35399b613a55dea9b6fa3f33ce50c02a7f012c6dc07e2efa54cc2208a17cc6b5480bf307fb4548f11b2e03c8356960d05fb3d74b67a0d80

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\EI9az9NK.exe

Filesize
1.1MB

MD5
0057675e40924fd6ed3aaad9d377b822

SHA1
99e9550f2b8d212828d4717b98765bf3c3551770

SHA256
9c2e91fc7ed282b4503c19db9c00c62c45ada7cf229686d7cc89a9de1d6eb72e

SHA512
37331670f78176c2e35399b613a55dea9b6fa3f33ce50c02a7f012c6dc07e2efa54cc2208a17cc6b5480bf307fb4548f11b2e03c8356960d05fb3d74b67a0d80

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\ad9Qn3Ar.exe

Filesize
754KB

MD5
8ac396a4126da1d39e5f5c89f1dd3b65

SHA1
ab64651d8d455e134cdb2403bf6200adb18d17ff

SHA256
e79818db71514b374a055b3457438d43e8e8d220190a25e5382b5d54a1005bac

SHA512
04eb6fee27ea73caa02cb3309f08986d6b26ea95bee7067427f9255f2a82fad7f72cf97d017603b27c163348cf81d710005cc2e860b37f43d73d2e16fd61e486

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\ad9Qn3Ar.exe

Filesize
754KB

MD5
8ac396a4126da1d39e5f5c89f1dd3b65

SHA1
ab64651d8d455e134cdb2403bf6200adb18d17ff

SHA256
e79818db71514b374a055b3457438d43e8e8d220190a25e5382b5d54a1005bac

SHA512
04eb6fee27ea73caa02cb3309f08986d6b26ea95bee7067427f9255f2a82fad7f72cf97d017603b27c163348cf81d710005cc2e860b37f43d73d2e16fd61e486

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\uK5VK6eV.exe

Filesize
559KB

MD5
36d0de2498ffb1ee2743e042f378e79b

SHA1
7b46b74a97af66c39c20e5abb7ab094260db98eb

SHA256
c40c49124ca0a3cb52521bc7bf62f1c03cb35beb1addf1f72b4f8d7309ea422d

SHA512
88c3d0b54c05be3935f2d38b990efdfdb34a1cdf30ca8c6e6dbd7dca2839cb01e9ffed78a243479e08c0b82c813b2fbfc9e81453cf8e85538b236362f5479293

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\uK5VK6eV.exe

Filesize
559KB

MD5
36d0de2498ffb1ee2743e042f378e79b

SHA1
7b46b74a97af66c39c20e5abb7ab094260db98eb

SHA256
c40c49124ca0a3cb52521bc7bf62f1c03cb35beb1addf1f72b4f8d7309ea422d

SHA512
88c3d0b54c05be3935f2d38b990efdfdb34a1cdf30ca8c6e6dbd7dca2839cb01e9ffed78a243479e08c0b82c813b2fbfc9e81453cf8e85538b236362f5479293

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1CY77xz0.exe

Filesize
1.1MB

MD5
bd8381243da56c968978eb37717d7f9f

SHA1
06d3dc14b07301f017925abcb887650348e788f7

SHA256
25537fd3ed6c563fe987aa3d2935881d8e0b1bb2abb90d55c7a8f43bbe1c6ad7

SHA512
9fd94ca79a8c7b131b5d4853754bd85fc748ddd262cc73e3e9fc014848ce24cb20337e157ba66bfcbeea582feef30591745ff1093c42814e47c079baee990108

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1CY77xz0.exe

Filesize
1.1MB

MD5
bd8381243da56c968978eb37717d7f9f

SHA1
06d3dc14b07301f017925abcb887650348e788f7

SHA256
25537fd3ed6c563fe987aa3d2935881d8e0b1bb2abb90d55c7a8f43bbe1c6ad7

SHA512
9fd94ca79a8c7b131b5d4853754bd85fc748ddd262cc73e3e9fc014848ce24cb20337e157ba66bfcbeea582feef30591745ff1093c42814e47c079baee990108

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2gg725Ox.exe

Filesize
222KB

MD5
091fb8dcf1375f16ac11fc6eef56c06e

SHA1
3c4f18c05db428a98207803b362a3caafe88ad50

SHA256
bd04f6cd626669ef32f0267e7866f087488f00925b84391f503775b1b253eeeb

SHA512
ffbf739decf1152340459ae45e7dbc8bfe122187ed9ce6b4a2438d9bc9d13055b8382164ad5f637125dc12211fbd65a1e311c5d44cb814a2fb5e8e7c2b8506f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2gg725Ox.exe

Filesize
222KB

MD5
091fb8dcf1375f16ac11fc6eef56c06e

SHA1
3c4f18c05db428a98207803b362a3caafe88ad50

SHA256
bd04f6cd626669ef32f0267e7866f087488f00925b84391f503775b1b253eeeb

SHA512
ffbf739decf1152340459ae45e7dbc8bfe122187ed9ce6b4a2438d9bc9d13055b8382164ad5f637125dc12211fbd65a1e311c5d44cb814a2fb5e8e7c2b8506f1

Download Submit
memory/4852-35-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/4852-41-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/4852-42-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/4852-44-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/4872-47-0x0000000007DB0000-0x00000000082AE000-memory.dmp

Filesize
5.0MB

Download
memory/4872-46-0x0000000073700000-0x0000000073DEE000-memory.dmp

Filesize
6.9MB

Download
memory/4872-45-0x0000000000BA0000-0x0000000000BDE000-memory.dmp

Filesize
248KB

Download
memory/4872-48-0x0000000007950000-0x00000000079E2000-memory.dmp

Filesize
584KB

Download
memory/4872-49-0x0000000007920000-0x000000000792A000-memory.dmp

Filesize
40KB

Download
memory/4872-50-0x00000000088C0000-0x0000000008EC6000-memory.dmp

Filesize
6.0MB

Download
memory/4872-51-0x0000000007C80000-0x0000000007D8A000-memory.dmp

Filesize
1.0MB

Download
memory/4872-52-0x0000000007B70000-0x0000000007B82000-memory.dmp

Filesize
72KB

Download
memory/4872-53-0x0000000007BD0000-0x0000000007C0E000-memory.dmp

Filesize
248KB

Download
memory/4872-54-0x0000000007C10000-0x0000000007C5B000-memory.dmp

Filesize
300KB

Download
memory/4872-55-0x0000000073700000-0x0000000073DEE000-memory.dmp

Filesize
6.9MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads