redline | 1de12a587c6d4f57d5364f17691d31c3830e8a875db9a2d53dccaa45a4406336

Analysis

max time kernel
147s
max time network
160s
platform
windows10-2004_x64
resource
win10v2004-20231020-en
resource tags

arch:x64arch:x86image:win10v2004-20231020-enlocale:en-usos:windows10-2004-x64system
submitted
22/10/2023, 15:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1de12a587c6d4f57d5364f17691d31c3830e8a875db9a2d53dccaa45a4406336.exe
Size

1.5MB
MD5

4054fba7471c2b12bdc7734496b35b8c
SHA1

a892583c5167284284decc47a18f0d978be1d2e7
SHA256

1de12a587c6d4f57d5364f17691d31c3830e8a875db9a2d53dccaa45a4406336
SHA512

953ed9161c16bfe1f59e03f0f5e474aaf33f4985b35e0af1017dad8688f5b0c884de58beb08515bcf6ed1f7727d46876c1e8825daa9ac3e6f90a36a43ba5dbaa
SSDEEP

24576:OyITqiftF4wBvuikVcdwo/nEvFerlRLaG5sofeNMjoCLDNG9I5Z+jQgpO45SF9Y/:dITqiff4wBvFkz7QrfaG5sRNMNpmH84z

Score

10^/10

redline kinder infostealer persistence

Malware Config

Extracted

Family

redline

Botnet

kinder

109.107.182.133:19084

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 3 IoCs

resource	yara_rule
behavioral1/files/0x0006000000022e27-37.dat	family_redline
behavioral1/files/0x0006000000022e27-39.dat	family_redline
behavioral1/memory/3964-43-0x0000000000A90000-0x0000000000ACE000-memory.dmp	family_redline

Executes dropped EXE 6 IoCs

pid	Process
2800	NK0EM8an.exe
4152	Ch6Rg8MT.exe
1452	mQ5lo6st.exe
4540	HV6Jf0qy.exe
4900	1mW81wX0.exe
3964	2cB779vv.exe

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	1de12a587c6d4f57d5364f17691d31c3830e8a875db9a2d53dccaa45a4406336.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	NK0EM8an.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	Ch6Rg8MT.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	mQ5lo6st.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\""	HV6Jf0qy.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4900 set thread context of 3544	4900	1mW81wX0.exe	95

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1368	3544	WerFault.exe	95

Suspicious use of WriteProcessMemory 28 IoCs

description	pid	Process	procid_target
PID 2052 wrote to memory of 2800	2052	1de12a587c6d4f57d5364f17691d31c3830e8a875db9a2d53dccaa45a4406336.exe	86
PID 2052 wrote to memory of 2800	2052	1de12a587c6d4f57d5364f17691d31c3830e8a875db9a2d53dccaa45a4406336.exe	86
PID 2052 wrote to memory of 2800	2052	1de12a587c6d4f57d5364f17691d31c3830e8a875db9a2d53dccaa45a4406336.exe	86
PID 2800 wrote to memory of 4152	2800	NK0EM8an.exe	88
PID 2800 wrote to memory of 4152	2800	NK0EM8an.exe	88
PID 2800 wrote to memory of 4152	2800	NK0EM8an.exe	88
PID 4152 wrote to memory of 1452	4152	Ch6Rg8MT.exe	90
PID 4152 wrote to memory of 1452	4152	Ch6Rg8MT.exe	90
PID 4152 wrote to memory of 1452	4152	Ch6Rg8MT.exe	90
PID 1452 wrote to memory of 4540	1452	mQ5lo6st.exe	91
PID 1452 wrote to memory of 4540	1452	mQ5lo6st.exe	91
PID 1452 wrote to memory of 4540	1452	mQ5lo6st.exe	91
PID 4540 wrote to memory of 4900	4540	HV6Jf0qy.exe	92
PID 4540 wrote to memory of 4900	4540	HV6Jf0qy.exe	92
PID 4540 wrote to memory of 4900	4540	HV6Jf0qy.exe	92
PID 4900 wrote to memory of 3544	4900	1mW81wX0.exe	95
PID 4900 wrote to memory of 3544	4900	1mW81wX0.exe	95
PID 4900 wrote to memory of 3544	4900	1mW81wX0.exe	95
PID 4900 wrote to memory of 3544	4900	1mW81wX0.exe	95
PID 4900 wrote to memory of 3544	4900	1mW81wX0.exe	95
PID 4900 wrote to memory of 3544	4900	1mW81wX0.exe	95
PID 4900 wrote to memory of 3544	4900	1mW81wX0.exe	95
PID 4900 wrote to memory of 3544	4900	1mW81wX0.exe	95
PID 4900 wrote to memory of 3544	4900	1mW81wX0.exe	95
PID 4900 wrote to memory of 3544	4900	1mW81wX0.exe	95
PID 4540 wrote to memory of 3964	4540	HV6Jf0qy.exe	96
PID 4540 wrote to memory of 3964	4540	HV6Jf0qy.exe	96
PID 4540 wrote to memory of 3964	4540	HV6Jf0qy.exe	96

C:\Users\Admin\AppData\Local\Temp\1de12a587c6d4f57d5364f17691d31c3830e8a875db9a2d53dccaa45a4406336.exe
"C:\Users\Admin\AppData\Local\Temp\1de12a587c6d4f57d5364f17691d31c3830e8a875db9a2d53dccaa45a4406336.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2052
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\NK0EM8an.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\NK0EM8an.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:2800
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Ch6Rg8MT.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Ch6Rg8MT.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:4152
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\mQ5lo6st.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\mQ5lo6st.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:1452
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\HV6Jf0qy.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\HV6Jf0qy.exe
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of WriteProcessMemory
        
        PID:4540
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1mW81wX0.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1mW81wX0.exe
        6⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:4900
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        7⤵
        
        PID:3544
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3544 -s 540
        8⤵
        Program crash
        
        PID:1368
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2cB779vv.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2cB779vv.exe
        6⤵
        Executes dropped EXE
        
        PID:3964

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 204 -p 3544 -ip 3544
1⤵
PID:3960

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\NK0EM8an.exe

Filesize
1.3MB

MD5
e6c43c0f5bbee7e83300fbfd33900202

SHA1
77121f6bb0cebc745d27162843f240979f129b98

SHA256
14f55dda16e1adec84dcddf5f03dbf3d0b8d32042b6972d2ce6607df66c67e1e

SHA512
ac1bd99af630c993c41215d6db4f3eb5143167db5b83f3e4d4bb931043db753b9e4174db66c9e680e65254dd26a8faea00816c1d3f60ddff494c86f7e018df16

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\NK0EM8an.exe

Filesize
1.3MB

MD5
e6c43c0f5bbee7e83300fbfd33900202

SHA1
77121f6bb0cebc745d27162843f240979f129b98

SHA256
14f55dda16e1adec84dcddf5f03dbf3d0b8d32042b6972d2ce6607df66c67e1e

SHA512
ac1bd99af630c993c41215d6db4f3eb5143167db5b83f3e4d4bb931043db753b9e4174db66c9e680e65254dd26a8faea00816c1d3f60ddff494c86f7e018df16

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Ch6Rg8MT.exe

Filesize
1.1MB

MD5
1411ea486b8335237fdc82cd3c22a477

SHA1
e34615b4f18f979d0c6a4cb55a0da83971ee6418

SHA256
e1e0e8bd51a317aed6223d1fd3bbe3e261823be6fc29f017c4dc89686648c387

SHA512
4248a4becbe89b0c2fc5afd44610a076f9227462cdc8d2da230d629f1dd0dcfe53a0c492398341e72ab3c349281ca4e0bb0fdf6742c041c3c140b910b88368ee

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Ch6Rg8MT.exe

Filesize
1.1MB

MD5
1411ea486b8335237fdc82cd3c22a477

SHA1
e34615b4f18f979d0c6a4cb55a0da83971ee6418

SHA256
e1e0e8bd51a317aed6223d1fd3bbe3e261823be6fc29f017c4dc89686648c387

SHA512
4248a4becbe89b0c2fc5afd44610a076f9227462cdc8d2da230d629f1dd0dcfe53a0c492398341e72ab3c349281ca4e0bb0fdf6742c041c3c140b910b88368ee

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\mQ5lo6st.exe

Filesize
758KB

MD5
cb7e794da1df4fb51c0ba239c8bd9b45

SHA1
f4677954b31e0c444371ec9fa2caf99ed66c6a67

SHA256
96be4001d00e167055c89c130714cc9834cb44163f1c2924d80e84f42d92cd85

SHA512
f1b56d53d7ae6c71c6c75055f63c071b6f39d2bc7ac8ed1c3ab42c483b16cb57cc61b9d6ce19b8f96d0288ffc5c41ae7632f970b7df33f5d7bc58209232ba917

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\mQ5lo6st.exe

Filesize
758KB

MD5
cb7e794da1df4fb51c0ba239c8bd9b45

SHA1
f4677954b31e0c444371ec9fa2caf99ed66c6a67

SHA256
96be4001d00e167055c89c130714cc9834cb44163f1c2924d80e84f42d92cd85

SHA512
f1b56d53d7ae6c71c6c75055f63c071b6f39d2bc7ac8ed1c3ab42c483b16cb57cc61b9d6ce19b8f96d0288ffc5c41ae7632f970b7df33f5d7bc58209232ba917

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\HV6Jf0qy.exe

Filesize
562KB

MD5
dc88807dd07cd3e3d18c6fc911f2cd84

SHA1
73359d160b1ef41246721a9f1045c81a60d3d744

SHA256
89bae7cc4ba7f77950aa6851e6a49cdf1bfe3323098c6613ece2117296dcb226

SHA512
d1cf79301224ba269f7fd21a7adac572a85345e90be2798989fadd55d394fc1e3fa70db5930e563ff6290b85c621193c70e6bfd7177e8b40a3880636e67d5af4

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\HV6Jf0qy.exe

Filesize
562KB

MD5
dc88807dd07cd3e3d18c6fc911f2cd84

SHA1
73359d160b1ef41246721a9f1045c81a60d3d744

SHA256
89bae7cc4ba7f77950aa6851e6a49cdf1bfe3323098c6613ece2117296dcb226

SHA512
d1cf79301224ba269f7fd21a7adac572a85345e90be2798989fadd55d394fc1e3fa70db5930e563ff6290b85c621193c70e6bfd7177e8b40a3880636e67d5af4

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1mW81wX0.exe

Filesize
1.1MB

MD5
5e238a459afa9b502cdf564b5e18fb2c

SHA1
d75177af6afbb9a8f14c2270393a7a45650f1c1f

SHA256
deae75ed164307c178c2ad0cb8a25e6c4eb458fcd3d0fe858d0e719138b0f6c5

SHA512
6555659b08c79565f4aeb77fb0980599d53999a4d255aacd2fa1970ef2a40000b8450648383131a498decd9a3f0bf65ef0a39fe609b7d20aa69c7b1ab3e70397

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1mW81wX0.exe

Filesize
1.1MB

MD5
5e238a459afa9b502cdf564b5e18fb2c

SHA1
d75177af6afbb9a8f14c2270393a7a45650f1c1f

SHA256
deae75ed164307c178c2ad0cb8a25e6c4eb458fcd3d0fe858d0e719138b0f6c5

SHA512
6555659b08c79565f4aeb77fb0980599d53999a4d255aacd2fa1970ef2a40000b8450648383131a498decd9a3f0bf65ef0a39fe609b7d20aa69c7b1ab3e70397

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2cB779vv.exe

Filesize
222KB

MD5
8df8270d192c2dd4a2a8065ed267b375

SHA1
7ead4687b628318d0382d24a0600e63c0c16a40e

SHA256
6b195702d967ecf10ffdb6d19e3214261be031fddfa2ef24a2f1b5abbe49407a

SHA512
43f2a8a00949d6975c43d6e149326401b2c7d08d39ff230540ccfecacbdab2a9b82e3138b332338d38919039445be0840b450c259603f22875ef3850301536ff

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2cB779vv.exe

Filesize
222KB

MD5
8df8270d192c2dd4a2a8065ed267b375

SHA1
7ead4687b628318d0382d24a0600e63c0c16a40e

SHA256
6b195702d967ecf10ffdb6d19e3214261be031fddfa2ef24a2f1b5abbe49407a

SHA512
43f2a8a00949d6975c43d6e149326401b2c7d08d39ff230540ccfecacbdab2a9b82e3138b332338d38919039445be0840b450c259603f22875ef3850301536ff

Download Submit
memory/3544-38-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/3544-40-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/3544-35-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/3544-42-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/3964-47-0x00000000052E0000-0x00000000052F0000-memory.dmp

Filesize
64KB

Download
memory/3964-44-0x0000000074600000-0x0000000074DB0000-memory.dmp

Filesize
7.7MB

Download
memory/3964-45-0x0000000007D30000-0x00000000082D4000-memory.dmp

Filesize
5.6MB

Download
memory/3964-46-0x0000000007860000-0x00000000078F2000-memory.dmp

Filesize
584KB

Download
memory/3964-43-0x0000000000A90000-0x0000000000ACE000-memory.dmp

Filesize
248KB

Download
memory/3964-48-0x0000000007920000-0x000000000792A000-memory.dmp

Filesize
40KB

Download
memory/3964-49-0x0000000008900000-0x0000000008F18000-memory.dmp

Filesize
6.1MB

Download
memory/3964-50-0x0000000007BC0000-0x0000000007CCA000-memory.dmp

Filesize
1.0MB

Download
memory/3964-51-0x0000000007AF0000-0x0000000007B02000-memory.dmp

Filesize
72KB

Download
memory/3964-52-0x0000000007B50000-0x0000000007B8C000-memory.dmp

Filesize
240KB

Download
memory/3964-53-0x0000000007CD0000-0x0000000007D1C000-memory.dmp

Filesize
304KB

Download
memory/3964-54-0x0000000074600000-0x0000000074DB0000-memory.dmp

Filesize
7.7MB

Download
memory/3964-55-0x00000000052E0000-0x00000000052F0000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads