redline | b0a7af9a6cf6cc9da2260140a8012fa9630cff7afb85cb152022bbc852dd2eef

Analysis

max time kernel
147s
max time network
158s
platform
windows10-2004_x64
resource
win10v2004-20231020-en
resource tags

arch:x64arch:x86image:win10v2004-20231020-enlocale:en-usos:windows10-2004-x64system
submitted
22/10/2023, 16:56

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

b0a7af9a6cf6cc9da2260140a8012fa9630cff7afb85cb152022bbc852dd2eef.exe
Size

1.5MB
MD5

779f5fad41cce60fb654526697978cbc
SHA1

7fb203d75f0d0c354a3b2be1735a33a9b0858f3a
SHA256

b0a7af9a6cf6cc9da2260140a8012fa9630cff7afb85cb152022bbc852dd2eef
SHA512

16689167a6a74efb13b7a9bb789e1afffc6d35999fc23b9d22175786565b5ea861c9e847139c51dc49bcac5e8dc474333ec0bb74515c4173903fd1d50870e2c4
SSDEEP

24576:yyhYBJzoQr+bJYQO0mEbKxUjfgQLtYWy1BlPYq6Zsl6USt13McQCkozcs2:ZuvqY6mEWEfVp3y1Bi9ZMrSt13D/zQ

Score

10^/10

redline kinder infostealer persistence

Malware Config

Extracted

Family

redline

Botnet

kinder

109.107.182.133:19084

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 3 IoCs

resource	yara_rule
behavioral1/files/0x0006000000022eae-37.dat	family_redline
behavioral1/files/0x0006000000022eae-40.dat	family_redline
behavioral1/memory/2136-43-0x0000000000640000-0x000000000067E000-memory.dmp	family_redline

Executes dropped EXE 6 IoCs

pid	Process
4556	dH8rH4rz.exe
1424	Hg8rD3If.exe
1616	iN7Ih3qW.exe
4192	uf2CI3Vu.exe
4544	1zq17py8.exe
2136	2Fk737yR.exe

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	b0a7af9a6cf6cc9da2260140a8012fa9630cff7afb85cb152022bbc852dd2eef.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	dH8rH4rz.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	Hg8rD3If.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	iN7Ih3qW.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\""	uf2CI3Vu.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4544 set thread context of 3652	4544	1zq17py8.exe	91

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1860	3652	WerFault.exe	91

Suspicious use of WriteProcessMemory 28 IoCs

description	pid	Process	procid_target
PID 1060 wrote to memory of 4556	1060	b0a7af9a6cf6cc9da2260140a8012fa9630cff7afb85cb152022bbc852dd2eef.exe	85
PID 1060 wrote to memory of 4556	1060	b0a7af9a6cf6cc9da2260140a8012fa9630cff7afb85cb152022bbc852dd2eef.exe	85
PID 1060 wrote to memory of 4556	1060	b0a7af9a6cf6cc9da2260140a8012fa9630cff7afb85cb152022bbc852dd2eef.exe	85
PID 4556 wrote to memory of 1424	4556	dH8rH4rz.exe	87
PID 4556 wrote to memory of 1424	4556	dH8rH4rz.exe	87
PID 4556 wrote to memory of 1424	4556	dH8rH4rz.exe	87
PID 1424 wrote to memory of 1616	1424	Hg8rD3If.exe	88
PID 1424 wrote to memory of 1616	1424	Hg8rD3If.exe	88
PID 1424 wrote to memory of 1616	1424	Hg8rD3If.exe	88
PID 1616 wrote to memory of 4192	1616	iN7Ih3qW.exe	89
PID 1616 wrote to memory of 4192	1616	iN7Ih3qW.exe	89
PID 1616 wrote to memory of 4192	1616	iN7Ih3qW.exe	89
PID 4192 wrote to memory of 4544	4192	uf2CI3Vu.exe	90
PID 4192 wrote to memory of 4544	4192	uf2CI3Vu.exe	90
PID 4192 wrote to memory of 4544	4192	uf2CI3Vu.exe	90
PID 4544 wrote to memory of 3652	4544	1zq17py8.exe	91
PID 4544 wrote to memory of 3652	4544	1zq17py8.exe	91
PID 4544 wrote to memory of 3652	4544	1zq17py8.exe	91
PID 4544 wrote to memory of 3652	4544	1zq17py8.exe	91
PID 4544 wrote to memory of 3652	4544	1zq17py8.exe	91
PID 4544 wrote to memory of 3652	4544	1zq17py8.exe	91
PID 4544 wrote to memory of 3652	4544	1zq17py8.exe	91
PID 4544 wrote to memory of 3652	4544	1zq17py8.exe	91
PID 4544 wrote to memory of 3652	4544	1zq17py8.exe	91
PID 4544 wrote to memory of 3652	4544	1zq17py8.exe	91
PID 4192 wrote to memory of 2136	4192	uf2CI3Vu.exe	92
PID 4192 wrote to memory of 2136	4192	uf2CI3Vu.exe	92
PID 4192 wrote to memory of 2136	4192	uf2CI3Vu.exe	92

C:\Users\Admin\AppData\Local\Temp\b0a7af9a6cf6cc9da2260140a8012fa9630cff7afb85cb152022bbc852dd2eef.exe
"C:\Users\Admin\AppData\Local\Temp\b0a7af9a6cf6cc9da2260140a8012fa9630cff7afb85cb152022bbc852dd2eef.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1060
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\dH8rH4rz.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\dH8rH4rz.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:4556
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Hg8rD3If.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Hg8rD3If.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:1424
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\iN7Ih3qW.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\iN7Ih3qW.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:1616
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\uf2CI3Vu.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\uf2CI3Vu.exe
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of WriteProcessMemory
        
        PID:4192
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1zq17py8.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1zq17py8.exe
        6⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:4544
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        7⤵
        
        PID:3652
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3652 -s 540
        8⤵
        Program crash
        
        PID:1860
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2Fk737yR.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2Fk737yR.exe
        6⤵
        Executes dropped EXE
        
        PID:2136

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 3652 -ip 3652
1⤵
PID:1092

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\dH8rH4rz.exe

Filesize
1.3MB

MD5
c89340e26828b2bd5443ba5c19ae9008

SHA1
227b8ed2bd7515cd6598f74dea2bc111548982be

SHA256
4380b18fba175acecca097e711418c1db1875e878549b14d0de5e178c44871dd

SHA512
943ba5ad6e3e31ece5683f4b9b0e74a45be50ee1ff52fc1d77166ee4bc0ab7190e0160a975dc69d99da815cb089c63a4a558c1c87b3787eb8ddc249db4e0a127

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\dH8rH4rz.exe

Filesize
1.3MB

MD5
c89340e26828b2bd5443ba5c19ae9008

SHA1
227b8ed2bd7515cd6598f74dea2bc111548982be

SHA256
4380b18fba175acecca097e711418c1db1875e878549b14d0de5e178c44871dd

SHA512
943ba5ad6e3e31ece5683f4b9b0e74a45be50ee1ff52fc1d77166ee4bc0ab7190e0160a975dc69d99da815cb089c63a4a558c1c87b3787eb8ddc249db4e0a127

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Hg8rD3If.exe

Filesize
1.1MB

MD5
f06edcae0836bda86b13f296205f8677

SHA1
884ce56ac3d00fa956f954c4ca00836208e22427

SHA256
c830c2502225a16083c484aeaf6970d8dfe531b0033582e4d3d9f5613f6c47a5

SHA512
a7397640a1ab8e93662f8b19cb5e02395acc1ddaa4738286ac5cf76d1b2b7a8066a4addb9add0f15c17ffe27ffb4e84841b0979ae712b1f5798011ffd27e2082

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Hg8rD3If.exe

Filesize
1.1MB

MD5
f06edcae0836bda86b13f296205f8677

SHA1
884ce56ac3d00fa956f954c4ca00836208e22427

SHA256
c830c2502225a16083c484aeaf6970d8dfe531b0033582e4d3d9f5613f6c47a5

SHA512
a7397640a1ab8e93662f8b19cb5e02395acc1ddaa4738286ac5cf76d1b2b7a8066a4addb9add0f15c17ffe27ffb4e84841b0979ae712b1f5798011ffd27e2082

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\iN7Ih3qW.exe

Filesize
759KB

MD5
3817a5f2225c0f90dd0cf87d0ae18447

SHA1
45aa0895790e7b3df3f1f61285c96096ea06024c

SHA256
329e0c891fe8f6cf7f7f1c933e2f4a37d951316d8abb7ead578949805615646f

SHA512
eadef3f309e3d2ca2896a7e156969cb44fcb65c96ef60b4fde4460aca6c2c74bf347e6a3bbcff5e6f5bdd2975cdef757dacde5de74300cb711a60ec8913e8572

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\iN7Ih3qW.exe

Filesize
759KB

MD5
3817a5f2225c0f90dd0cf87d0ae18447

SHA1
45aa0895790e7b3df3f1f61285c96096ea06024c

SHA256
329e0c891fe8f6cf7f7f1c933e2f4a37d951316d8abb7ead578949805615646f

SHA512
eadef3f309e3d2ca2896a7e156969cb44fcb65c96ef60b4fde4460aca6c2c74bf347e6a3bbcff5e6f5bdd2975cdef757dacde5de74300cb711a60ec8913e8572

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\uf2CI3Vu.exe

Filesize
563KB

MD5
bec7af1072f969016ad0ba32f032078d

SHA1
264c058970b742642a9701425840e3c7e7bcd1b8

SHA256
5bbebb69f517af7572d9ab3691feaf10b2e3616cd4c5134849eae01f004ccc0a

SHA512
f5761101af7247e702ae6c85d9182222065986cb1937d9672001c04cd749733609771bfe880cdef6a949d496c63b5d3e7cf7b9ca90c7e6d38e25c74ca0548bbf

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\uf2CI3Vu.exe

Filesize
563KB

MD5
bec7af1072f969016ad0ba32f032078d

SHA1
264c058970b742642a9701425840e3c7e7bcd1b8

SHA256
5bbebb69f517af7572d9ab3691feaf10b2e3616cd4c5134849eae01f004ccc0a

SHA512
f5761101af7247e702ae6c85d9182222065986cb1937d9672001c04cd749733609771bfe880cdef6a949d496c63b5d3e7cf7b9ca90c7e6d38e25c74ca0548bbf

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1zq17py8.exe

Filesize
1.1MB

MD5
049ef5157dc773f29b299d8bbe0ddbdf

SHA1
6b82a47e27e879cefab69571eb51a3de0ceea77b

SHA256
169b219a0b3163150f7a0ea4866c4c32fa8d89bb5e96c2a267d3febd1e7f821b

SHA512
9f5af8224fba71407571f95ccd8799be079ff778d174a0261909d3e750cb1f37452d15f2fbc620f32086619adce96032f2d7f571501ea668067216ac675de49e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1zq17py8.exe

Filesize
1.1MB

MD5
049ef5157dc773f29b299d8bbe0ddbdf

SHA1
6b82a47e27e879cefab69571eb51a3de0ceea77b

SHA256
169b219a0b3163150f7a0ea4866c4c32fa8d89bb5e96c2a267d3febd1e7f821b

SHA512
9f5af8224fba71407571f95ccd8799be079ff778d174a0261909d3e750cb1f37452d15f2fbc620f32086619adce96032f2d7f571501ea668067216ac675de49e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2Fk737yR.exe

Filesize
222KB

MD5
60ba200adfbd0137823d5071cd826052

SHA1
9a57b3e8f39c9740ef907f2f24e8feed98ed97d4

SHA256
f31497e1a4943d3498e82b81ea808b4a86e6ee5794127205f9848ce21302596a

SHA512
a365d97a02d3226d870d67ab88ff4c8f7d454df3a80709a6cf511ed52b6b1327263daed7b7e443e724e5f26f453c5cd55119b7a86a3fb64f624ed6cb99a1cb05

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2Fk737yR.exe

Filesize
222KB

MD5
60ba200adfbd0137823d5071cd826052

SHA1
9a57b3e8f39c9740ef907f2f24e8feed98ed97d4

SHA256
f31497e1a4943d3498e82b81ea808b4a86e6ee5794127205f9848ce21302596a

SHA512
a365d97a02d3226d870d67ab88ff4c8f7d454df3a80709a6cf511ed52b6b1327263daed7b7e443e724e5f26f453c5cd55119b7a86a3fb64f624ed6cb99a1cb05

Download Submit
memory/2136-48-0x00000000075C0000-0x00000000075CA000-memory.dmp

Filesize
40KB

Download
memory/2136-52-0x0000000007700000-0x000000000773C000-memory.dmp

Filesize
240KB

Download
memory/2136-55-0x00000000073C0000-0x00000000073D0000-memory.dmp

Filesize
64KB

Download
memory/2136-54-0x0000000074B30000-0x00000000752E0000-memory.dmp

Filesize
7.7MB

Download
memory/2136-43-0x0000000000640000-0x000000000067E000-memory.dmp

Filesize
248KB

Download
memory/2136-44-0x0000000074B30000-0x00000000752E0000-memory.dmp

Filesize
7.7MB

Download
memory/2136-45-0x0000000007900000-0x0000000007EA4000-memory.dmp

Filesize
5.6MB

Download
memory/2136-46-0x00000000073F0000-0x0000000007482000-memory.dmp

Filesize
584KB

Download
memory/2136-47-0x00000000073C0000-0x00000000073D0000-memory.dmp

Filesize
64KB

Download
memory/2136-53-0x0000000007890000-0x00000000078DC000-memory.dmp

Filesize
304KB

Download
memory/2136-49-0x00000000084D0000-0x0000000008AE8000-memory.dmp

Filesize
6.1MB

Download
memory/2136-50-0x0000000007780000-0x000000000788A000-memory.dmp

Filesize
1.0MB

Download
memory/2136-51-0x00000000076A0000-0x00000000076B2000-memory.dmp

Filesize
72KB

Download
memory/3652-39-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/3652-38-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/3652-35-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/3652-42-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads