redline | 3210ceac280157198acb7c5ccc7c662dc10bdcd03ad5e236a3cb478742d62ee6

Analysis

max time kernel
142s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20231020-en
resource tags

arch:x64arch:x86image:win10v2004-20231020-enlocale:en-usos:windows10-2004-x64system
submitted
23/10/2023, 01:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3210ceac280157198acb7c5ccc7c662dc10bdcd03ad5e236a3cb478742d62ee6.exe
Size

1.5MB
MD5

1a06a2142f4f3f33290bf18e16530dd8
SHA1

031ab05e5cf071bb72e8bf99362b878af632dfc8
SHA256

3210ceac280157198acb7c5ccc7c662dc10bdcd03ad5e236a3cb478742d62ee6
SHA512

f6f2ba1fda04ef11ffadc46f6c0a927e6538cafa1c8cab65825cd86eff98d0d1ad244d613c131f809402d39c6437be1229a31fafd43cb755dea894064242922b
SSDEEP

24576:8y2kyDFIjMAaKNf9L5olCdfc1W9plr9jntnWyHg6O:rEF0zbClCtZrBtrHg

Score

10^/10

redline kinder infostealer persistence

Malware Config

Extracted

Family

redline

Botnet

kinder

109.107.182.133:19084

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 3 IoCs

resource	yara_rule
behavioral1/files/0x0007000000022e15-37.dat	family_redline
behavioral1/files/0x0007000000022e15-39.dat	family_redline
behavioral1/memory/876-43-0x00000000009B0000-0x00000000009EE000-memory.dmp	family_redline

Executes dropped EXE 6 IoCs

pid	Process
648	Wu6QQ2VW.exe
2420	fS7MZ3wF.exe
4516	pR5Xd5Vf.exe
1360	MD5kd1Bt.exe
4920	1on34sS4.exe
876	2bO203gC.exe

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	3210ceac280157198acb7c5ccc7c662dc10bdcd03ad5e236a3cb478742d62ee6.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	Wu6QQ2VW.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	fS7MZ3wF.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	pR5Xd5Vf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\""	MD5kd1Bt.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4920 set thread context of 4536	4920	1on34sS4.exe	95

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4828	4536	WerFault.exe	95

Suspicious use of WriteProcessMemory 28 IoCs

description	pid	Process	procid_target
PID 3932 wrote to memory of 648	3932	3210ceac280157198acb7c5ccc7c662dc10bdcd03ad5e236a3cb478742d62ee6.exe	86
PID 3932 wrote to memory of 648	3932	3210ceac280157198acb7c5ccc7c662dc10bdcd03ad5e236a3cb478742d62ee6.exe	86
PID 3932 wrote to memory of 648	3932	3210ceac280157198acb7c5ccc7c662dc10bdcd03ad5e236a3cb478742d62ee6.exe	86
PID 648 wrote to memory of 2420	648	Wu6QQ2VW.exe	88
PID 648 wrote to memory of 2420	648	Wu6QQ2VW.exe	88
PID 648 wrote to memory of 2420	648	Wu6QQ2VW.exe	88
PID 2420 wrote to memory of 4516	2420	fS7MZ3wF.exe	89
PID 2420 wrote to memory of 4516	2420	fS7MZ3wF.exe	89
PID 2420 wrote to memory of 4516	2420	fS7MZ3wF.exe	89
PID 4516 wrote to memory of 1360	4516	pR5Xd5Vf.exe	91
PID 4516 wrote to memory of 1360	4516	pR5Xd5Vf.exe	91
PID 4516 wrote to memory of 1360	4516	pR5Xd5Vf.exe	91
PID 1360 wrote to memory of 4920	1360	MD5kd1Bt.exe	92
PID 1360 wrote to memory of 4920	1360	MD5kd1Bt.exe	92
PID 1360 wrote to memory of 4920	1360	MD5kd1Bt.exe	92
PID 4920 wrote to memory of 4536	4920	1on34sS4.exe	95
PID 4920 wrote to memory of 4536	4920	1on34sS4.exe	95
PID 4920 wrote to memory of 4536	4920	1on34sS4.exe	95
PID 4920 wrote to memory of 4536	4920	1on34sS4.exe	95
PID 4920 wrote to memory of 4536	4920	1on34sS4.exe	95
PID 4920 wrote to memory of 4536	4920	1on34sS4.exe	95
PID 4920 wrote to memory of 4536	4920	1on34sS4.exe	95
PID 4920 wrote to memory of 4536	4920	1on34sS4.exe	95
PID 4920 wrote to memory of 4536	4920	1on34sS4.exe	95
PID 4920 wrote to memory of 4536	4920	1on34sS4.exe	95
PID 1360 wrote to memory of 876	1360	MD5kd1Bt.exe	96
PID 1360 wrote to memory of 876	1360	MD5kd1Bt.exe	96
PID 1360 wrote to memory of 876	1360	MD5kd1Bt.exe	96

C:\Users\Admin\AppData\Local\Temp\3210ceac280157198acb7c5ccc7c662dc10bdcd03ad5e236a3cb478742d62ee6.exe
"C:\Users\Admin\AppData\Local\Temp\3210ceac280157198acb7c5ccc7c662dc10bdcd03ad5e236a3cb478742d62ee6.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3932
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Wu6QQ2VW.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Wu6QQ2VW.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:648
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\fS7MZ3wF.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\fS7MZ3wF.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:2420
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pR5Xd5Vf.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pR5Xd5Vf.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:4516
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\MD5kd1Bt.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\MD5kd1Bt.exe
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of WriteProcessMemory
        
        PID:1360
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1on34sS4.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1on34sS4.exe
        6⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:4920
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        7⤵
        
        PID:4536
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4536 -s 540
        8⤵
        Program crash
        
        PID:4828
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2bO203gC.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2bO203gC.exe
        6⤵
        Executes dropped EXE
        
        PID:876

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 4536 -ip 4536
1⤵
PID:4700

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Wu6QQ2VW.exe

Filesize
1.3MB

MD5
c63898a8aecf5d32639531cf39e179a3

SHA1
b6541680fe4198c25aee9248420378f9c3b0a4c9

SHA256
36a88c12e7d81b829aa332af39c1015caab8f58b7c631ff628d3632f411f4470

SHA512
80653cd09f0306f46b12e299091d2ae07bffb3e62e6f46f4450cb43934991ebc4d40236603ab607ff4f22a1df681819b08bd3d1f29efd4f1eaaa92c03a88201e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Wu6QQ2VW.exe

Filesize
1.3MB

MD5
c63898a8aecf5d32639531cf39e179a3

SHA1
b6541680fe4198c25aee9248420378f9c3b0a4c9

SHA256
36a88c12e7d81b829aa332af39c1015caab8f58b7c631ff628d3632f411f4470

SHA512
80653cd09f0306f46b12e299091d2ae07bffb3e62e6f46f4450cb43934991ebc4d40236603ab607ff4f22a1df681819b08bd3d1f29efd4f1eaaa92c03a88201e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\fS7MZ3wF.exe

Filesize
1.1MB

MD5
4d0911feef67c0711cbae16a32e897a7

SHA1
5d4f4a90361efc72159fcaeb25bc39175795524d

SHA256
7305d31158824687a4dabe735b5fb2c45bfdc7eb3eaa344a2185712f3c72dfad

SHA512
51605bb4198ef2a2a346e338455b5de565049f488a309a1ddc93daeab8af26fea9021215a0397f30d0cf62c3af4709e07be0a980e7f5a70a9fc65962d809e92c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\fS7MZ3wF.exe

Filesize
1.1MB

MD5
4d0911feef67c0711cbae16a32e897a7

SHA1
5d4f4a90361efc72159fcaeb25bc39175795524d

SHA256
7305d31158824687a4dabe735b5fb2c45bfdc7eb3eaa344a2185712f3c72dfad

SHA512
51605bb4198ef2a2a346e338455b5de565049f488a309a1ddc93daeab8af26fea9021215a0397f30d0cf62c3af4709e07be0a980e7f5a70a9fc65962d809e92c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pR5Xd5Vf.exe

Filesize
754KB

MD5
673f01a61e53c09011a872106a9ff32d

SHA1
9966bd72e46a765890422b48b3a5684e14a408c6

SHA256
2b110f192819f0dc82dac2af1162d5530fcae07dbb3a1603de793f3997557595

SHA512
42836051f35a2e4fe67d7d303be7ab8132ca2297f8045e9951bbd448b76b82e21c50ff7fe964728156bd668c96afd53fac4fdb6fed8ac5add3f3f4762728d0ca

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pR5Xd5Vf.exe

Filesize
754KB

MD5
673f01a61e53c09011a872106a9ff32d

SHA1
9966bd72e46a765890422b48b3a5684e14a408c6

SHA256
2b110f192819f0dc82dac2af1162d5530fcae07dbb3a1603de793f3997557595

SHA512
42836051f35a2e4fe67d7d303be7ab8132ca2297f8045e9951bbd448b76b82e21c50ff7fe964728156bd668c96afd53fac4fdb6fed8ac5add3f3f4762728d0ca

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\MD5kd1Bt.exe

Filesize
559KB

MD5
8437f7e3399e602aee40e7bf5080ab87

SHA1
962293eab06b1b63044b73925bfa495072bc171f

SHA256
c3a04a884dc94ffb3ad437cceb3def47f76a45e350d4b2a356d70f48a6a1b333

SHA512
b8ab1ef6d6d92fe7388af7eba070ef2da0d54473114474eb27b8953c54f2ea3e13b1aca872221202dc2d305e68482606851efe90138b36647197cad203f0d6e6

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\MD5kd1Bt.exe

Filesize
559KB

MD5
8437f7e3399e602aee40e7bf5080ab87

SHA1
962293eab06b1b63044b73925bfa495072bc171f

SHA256
c3a04a884dc94ffb3ad437cceb3def47f76a45e350d4b2a356d70f48a6a1b333

SHA512
b8ab1ef6d6d92fe7388af7eba070ef2da0d54473114474eb27b8953c54f2ea3e13b1aca872221202dc2d305e68482606851efe90138b36647197cad203f0d6e6

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1on34sS4.exe

Filesize
1.1MB

MD5
99187f5197d70ceccc4e0fde10fc7f30

SHA1
d66a56107782186c4b0025c9e1bc697aa213ea07

SHA256
daf028d78fbf206e389d5fb372480cb9a734a47f9ce55e5340199cbd79d5c644

SHA512
67070e8e3b60878ebfb160756128c1f542ad31dcc590606afec6e005ff36cd74f8c45b624bb69056f93edb71c3aad5c60d3ecd6835e61600f1c26416908a2317

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1on34sS4.exe

Filesize
1.1MB

MD5
99187f5197d70ceccc4e0fde10fc7f30

SHA1
d66a56107782186c4b0025c9e1bc697aa213ea07

SHA256
daf028d78fbf206e389d5fb372480cb9a734a47f9ce55e5340199cbd79d5c644

SHA512
67070e8e3b60878ebfb160756128c1f542ad31dcc590606afec6e005ff36cd74f8c45b624bb69056f93edb71c3aad5c60d3ecd6835e61600f1c26416908a2317

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2bO203gC.exe

Filesize
222KB

MD5
827e76b1c573bb2283f5d5fae3e40674

SHA1
fbc49fe9fae2aec1745bbe7b8d9a63bd096204c5

SHA256
d1042c33eff8eae0b59d0c9bc876a8095b731e5f9f9eaffa51ad1262d2a07a9f

SHA512
6c29792a4ed19fb8646bd85c8288c558420b8b944c0ec8dcfd43b2bdccbc07ca8605e6f5b40b6a25c9a2c05e5bb4f777c5c69e7668ad6834297b090fe0bdb2af

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2bO203gC.exe

Filesize
222KB

MD5
827e76b1c573bb2283f5d5fae3e40674

SHA1
fbc49fe9fae2aec1745bbe7b8d9a63bd096204c5

SHA256
d1042c33eff8eae0b59d0c9bc876a8095b731e5f9f9eaffa51ad1262d2a07a9f

SHA512
6c29792a4ed19fb8646bd85c8288c558420b8b944c0ec8dcfd43b2bdccbc07ca8605e6f5b40b6a25c9a2c05e5bb4f777c5c69e7668ad6834297b090fe0bdb2af

Download Submit
memory/876-48-0x00000000077A0000-0x00000000077AA000-memory.dmp

Filesize
40KB

Download
memory/876-52-0x0000000007BB0000-0x0000000007BEC000-memory.dmp

Filesize
240KB

Download
memory/876-55-0x0000000007900000-0x0000000007910000-memory.dmp

Filesize
64KB

Download
memory/876-54-0x0000000074340000-0x0000000074AF0000-memory.dmp

Filesize
7.7MB

Download
memory/876-44-0x0000000074340000-0x0000000074AF0000-memory.dmp

Filesize
7.7MB

Download
memory/876-43-0x00000000009B0000-0x00000000009EE000-memory.dmp

Filesize
248KB

Download
memory/876-45-0x0000000007C80000-0x0000000008224000-memory.dmp

Filesize
5.6MB

Download
memory/876-46-0x00000000077B0000-0x0000000007842000-memory.dmp

Filesize
584KB

Download
memory/876-47-0x0000000007900000-0x0000000007910000-memory.dmp

Filesize
64KB

Download
memory/876-53-0x0000000007BF0000-0x0000000007C3C000-memory.dmp

Filesize
304KB

Download
memory/876-49-0x0000000008850000-0x0000000008E68000-memory.dmp

Filesize
6.1MB

Download
memory/876-50-0x0000000008230000-0x000000000833A000-memory.dmp

Filesize
1.0MB

Download
memory/876-51-0x0000000007B50000-0x0000000007B62000-memory.dmp

Filesize
72KB

Download
memory/4536-38-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/4536-35-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/4536-42-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/4536-40-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads