redline | 532b241bb55c86388db422bab4327f29381c267e485905769b105ba6b1bf05b0

Analysis

max time kernel
141s
max time network
156s
platform
windows10-2004_x64
resource
win10v2004-20231020-en
resource tags

arch:x64arch:x86image:win10v2004-20231020-enlocale:en-usos:windows10-2004-x64system
submitted
23-10-2023 03:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

532b241bb55c86388db422bab4327f29381c267e485905769b105ba6b1bf05b0.exe
Size

1.5MB
MD5

9dcaf48802c4c3ad52af5f557c8c1fc6
SHA1

91c19ee7cb86f90c096af379af0fee2f50d8eb39
SHA256

532b241bb55c86388db422bab4327f29381c267e485905769b105ba6b1bf05b0
SHA512

c7ffd90615bd9a4eb0a6e50be127c2f2a84b404cb4f9c262b509f98d598e57314cbd4809dfaa61b117e19aec2273302195fcc6ddff05909986563dd9b31f9323
SSDEEP

24576:vyov2UtfpkzCOVBJ7BPF8YcfVqdv94SWj31msg7y/ngjq30j7bQk0b3CgFxZCH8z:6ov2XCO95FXd94PjRIiMfQk0jCgkH8S

Score

10^/10

redline kinder infostealer persistence

Malware Config

Extracted

Family

redline

Botnet

kinder

109.107.182.133:19084

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 3 IoCs

resource	yara_rule
behavioral1/files/0x0006000000022e0c-38.dat	family_redline
behavioral1/files/0x0006000000022e0c-41.dat	family_redline
behavioral1/memory/2468-43-0x00000000006A0000-0x00000000006DE000-memory.dmp	family_redline

Executes dropped EXE 6 IoCs

pid	Process
2852	tm1fq8XE.exe
3668	ai8hV7iV.exe
992	fO5Ei5Jf.exe
1688	ge1PD6gc.exe
1816	1FD07so6.exe
2468	2wY946gV.exe

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	tm1fq8XE.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	ai8hV7iV.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	fO5Ei5Jf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\""	ge1PD6gc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	532b241bb55c86388db422bab4327f29381c267e485905769b105ba6b1bf05b0.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1816 set thread context of 632	1816	1FD07so6.exe	98

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1712	632	WerFault.exe	98

Suspicious use of WriteProcessMemory 31 IoCs

description	pid	Process	procid_target
PID 844 wrote to memory of 2852	844	532b241bb55c86388db422bab4327f29381c267e485905769b105ba6b1bf05b0.exe	88
PID 844 wrote to memory of 2852	844	532b241bb55c86388db422bab4327f29381c267e485905769b105ba6b1bf05b0.exe	88
PID 844 wrote to memory of 2852	844	532b241bb55c86388db422bab4327f29381c267e485905769b105ba6b1bf05b0.exe	88
PID 2852 wrote to memory of 3668	2852	tm1fq8XE.exe	90
PID 2852 wrote to memory of 3668	2852	tm1fq8XE.exe	90
PID 2852 wrote to memory of 3668	2852	tm1fq8XE.exe	90
PID 3668 wrote to memory of 992	3668	ai8hV7iV.exe	91
PID 3668 wrote to memory of 992	3668	ai8hV7iV.exe	91
PID 3668 wrote to memory of 992	3668	ai8hV7iV.exe	91
PID 992 wrote to memory of 1688	992	fO5Ei5Jf.exe	93
PID 992 wrote to memory of 1688	992	fO5Ei5Jf.exe	93
PID 992 wrote to memory of 1688	992	fO5Ei5Jf.exe	93
PID 1688 wrote to memory of 1816	1688	ge1PD6gc.exe	94
PID 1688 wrote to memory of 1816	1688	ge1PD6gc.exe	94
PID 1688 wrote to memory of 1816	1688	ge1PD6gc.exe	94
PID 1816 wrote to memory of 1828	1816	1FD07so6.exe	97
PID 1816 wrote to memory of 1828	1816	1FD07so6.exe	97
PID 1816 wrote to memory of 1828	1816	1FD07so6.exe	97
PID 1816 wrote to memory of 632	1816	1FD07so6.exe	98
PID 1816 wrote to memory of 632	1816	1FD07so6.exe	98
PID 1816 wrote to memory of 632	1816	1FD07so6.exe	98
PID 1816 wrote to memory of 632	1816	1FD07so6.exe	98
PID 1816 wrote to memory of 632	1816	1FD07so6.exe	98
PID 1816 wrote to memory of 632	1816	1FD07so6.exe	98
PID 1816 wrote to memory of 632	1816	1FD07so6.exe	98
PID 1816 wrote to memory of 632	1816	1FD07so6.exe	98
PID 1816 wrote to memory of 632	1816	1FD07so6.exe	98
PID 1816 wrote to memory of 632	1816	1FD07so6.exe	98
PID 1688 wrote to memory of 2468	1688	ge1PD6gc.exe	99
PID 1688 wrote to memory of 2468	1688	ge1PD6gc.exe	99
PID 1688 wrote to memory of 2468	1688	ge1PD6gc.exe	99

C:\Users\Admin\AppData\Local\Temp\532b241bb55c86388db422bab4327f29381c267e485905769b105ba6b1bf05b0.exe
"C:\Users\Admin\AppData\Local\Temp\532b241bb55c86388db422bab4327f29381c267e485905769b105ba6b1bf05b0.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:844
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\tm1fq8XE.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\tm1fq8XE.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:2852
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ai8hV7iV.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ai8hV7iV.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:3668
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\fO5Ei5Jf.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\fO5Ei5Jf.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:992
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ge1PD6gc.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ge1PD6gc.exe
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of WriteProcessMemory
        
        PID:1688
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1FD07so6.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1FD07so6.exe
        6⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:1816
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        7⤵
        
        PID:1828
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        7⤵
        
        PID:632
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 632 -s 540
        8⤵
        Program crash
        
        PID:1712
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2wY946gV.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2wY946gV.exe
        6⤵
        Executes dropped EXE
        
        PID:2468

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 632 -ip 632
1⤵
PID:1852

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\tm1fq8XE.exe

Filesize
1.3MB

MD5
e87f4c7cdbce30963e619ad4dc3bbc16

SHA1
2be8ccb8e0ab5abc88677e0518438adcfa714193

SHA256
57001c9d4bc8ee803b9346a4942e3992378690714088c21f27c1ca7ff5184436

SHA512
75312097ac9b84f1dab5881e19a6b6bb031969278a5b7853ee4c32f015b63f58333efaade59898c122ad70ee472a3762ff65b04a7f3cb01000946ed649b7d2c9

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\tm1fq8XE.exe

Filesize
1.3MB

MD5
e87f4c7cdbce30963e619ad4dc3bbc16

SHA1
2be8ccb8e0ab5abc88677e0518438adcfa714193

SHA256
57001c9d4bc8ee803b9346a4942e3992378690714088c21f27c1ca7ff5184436

SHA512
75312097ac9b84f1dab5881e19a6b6bb031969278a5b7853ee4c32f015b63f58333efaade59898c122ad70ee472a3762ff65b04a7f3cb01000946ed649b7d2c9

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ai8hV7iV.exe

Filesize
1.1MB

MD5
366ce4244ceaa083a467b9b1af12632c

SHA1
76b78622d38c8323bbca5bc94122acd7c86cadc2

SHA256
adeec718aa6b69539b91ee3ea737b91f437208dc14412092150fbd3a746c0514

SHA512
a34561d4fa8f3ba6811a3379adf60a28b3b11774b1ca2453273e7f06a2260a3d8793b42b7d947b70e2a3cbe14b409366c53aedc74f7c67d2ac4926d08305aeaf

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ai8hV7iV.exe

Filesize
1.1MB

MD5
366ce4244ceaa083a467b9b1af12632c

SHA1
76b78622d38c8323bbca5bc94122acd7c86cadc2

SHA256
adeec718aa6b69539b91ee3ea737b91f437208dc14412092150fbd3a746c0514

SHA512
a34561d4fa8f3ba6811a3379adf60a28b3b11774b1ca2453273e7f06a2260a3d8793b42b7d947b70e2a3cbe14b409366c53aedc74f7c67d2ac4926d08305aeaf

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\fO5Ei5Jf.exe

Filesize
754KB

MD5
cb1c3a87817260be205d01921acbc20f

SHA1
054887cea1c4b0c4d84a2c71c68deb4116b4e36f

SHA256
96fbc003fe79fe42759355acc09c323ac85cdccb62ea4c10c68a2cb33932313b

SHA512
1f8dbfca3ebfb371a2a226b7fb4c114c015ba46ef4e6e7a8618b049d2f5bbc45990360d3c79edc4c154fcdecbb59cd6e387f121cda4577f2f9075230ff4dedbb

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\fO5Ei5Jf.exe

Filesize
754KB

MD5
cb1c3a87817260be205d01921acbc20f

SHA1
054887cea1c4b0c4d84a2c71c68deb4116b4e36f

SHA256
96fbc003fe79fe42759355acc09c323ac85cdccb62ea4c10c68a2cb33932313b

SHA512
1f8dbfca3ebfb371a2a226b7fb4c114c015ba46ef4e6e7a8618b049d2f5bbc45990360d3c79edc4c154fcdecbb59cd6e387f121cda4577f2f9075230ff4dedbb

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ge1PD6gc.exe

Filesize
559KB

MD5
11f8bea23929d92e95fe7c39fd424c53

SHA1
341bae0e9ceb30d4819a1c34e99bf8ab63ae4176

SHA256
54712239c12dd5ea135b29059a81cf7836fa3be73c4767cd6930c0ec36be5ddf

SHA512
e1558f3d7acb1904d3b723ffd3b689ffddf8248973c04005f8f06d562fd7cbdd04ed24211724a2c4f24436106303f3ad602af7b37f1e0e435a1f5960adfb65e7

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ge1PD6gc.exe

Filesize
559KB

MD5
11f8bea23929d92e95fe7c39fd424c53

SHA1
341bae0e9ceb30d4819a1c34e99bf8ab63ae4176

SHA256
54712239c12dd5ea135b29059a81cf7836fa3be73c4767cd6930c0ec36be5ddf

SHA512
e1558f3d7acb1904d3b723ffd3b689ffddf8248973c04005f8f06d562fd7cbdd04ed24211724a2c4f24436106303f3ad602af7b37f1e0e435a1f5960adfb65e7

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1FD07so6.exe

Filesize
1.1MB

MD5
99187f5197d70ceccc4e0fde10fc7f30

SHA1
d66a56107782186c4b0025c9e1bc697aa213ea07

SHA256
daf028d78fbf206e389d5fb372480cb9a734a47f9ce55e5340199cbd79d5c644

SHA512
67070e8e3b60878ebfb160756128c1f542ad31dcc590606afec6e005ff36cd74f8c45b624bb69056f93edb71c3aad5c60d3ecd6835e61600f1c26416908a2317

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1FD07so6.exe

Filesize
1.1MB

MD5
99187f5197d70ceccc4e0fde10fc7f30

SHA1
d66a56107782186c4b0025c9e1bc697aa213ea07

SHA256
daf028d78fbf206e389d5fb372480cb9a734a47f9ce55e5340199cbd79d5c644

SHA512
67070e8e3b60878ebfb160756128c1f542ad31dcc590606afec6e005ff36cd74f8c45b624bb69056f93edb71c3aad5c60d3ecd6835e61600f1c26416908a2317

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2wY946gV.exe

Filesize
222KB

MD5
f071c4d8fbd58741ab3165c18144f827

SHA1
6333f02029800e28570453a0c9798017b5133e0c

SHA256
2b545056074ba87b004904e186573b7bc854a149a6b9ee96696cacee27e10dd4

SHA512
d778b7ab0daef639c0433b5f9a0b8895de6b1bcc4b1cb03ce575c70112193c807f2d6534d5c9e46c26df200884f2ab468a2afec1b0ef99f52fab909328980e45

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2wY946gV.exe

Filesize
222KB

MD5
f071c4d8fbd58741ab3165c18144f827

SHA1
6333f02029800e28570453a0c9798017b5133e0c

SHA256
2b545056074ba87b004904e186573b7bc854a149a6b9ee96696cacee27e10dd4

SHA512
d778b7ab0daef639c0433b5f9a0b8895de6b1bcc4b1cb03ce575c70112193c807f2d6534d5c9e46c26df200884f2ab468a2afec1b0ef99f52fab909328980e45

Download Submit
memory/632-42-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/632-39-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/632-36-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/632-35-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/2468-48-0x0000000007660000-0x000000000766A000-memory.dmp

Filesize
40KB

Download
memory/2468-43-0x00000000006A0000-0x00000000006DE000-memory.dmp

Filesize
248KB

Download
memory/2468-45-0x0000000007910000-0x0000000007EB4000-memory.dmp

Filesize
5.6MB

Download
memory/2468-46-0x0000000007460000-0x00000000074F2000-memory.dmp

Filesize
584KB

Download
memory/2468-47-0x00000000076C0000-0x00000000076D0000-memory.dmp

Filesize
64KB

Download
memory/2468-44-0x0000000074960000-0x0000000075110000-memory.dmp

Filesize
7.7MB

Download
memory/2468-49-0x00000000084E0000-0x0000000008AF8000-memory.dmp

Filesize
6.1MB

Download
memory/2468-50-0x0000000007FD0000-0x00000000080DA000-memory.dmp

Filesize
1.0MB

Download
memory/2468-51-0x0000000007830000-0x0000000007842000-memory.dmp

Filesize
72KB

Download
memory/2468-52-0x00000000078D0000-0x000000000790C000-memory.dmp

Filesize
240KB

Download
memory/2468-53-0x0000000007EC0000-0x0000000007F0C000-memory.dmp

Filesize
304KB

Download
memory/2468-54-0x0000000074960000-0x0000000075110000-memory.dmp

Filesize
7.7MB

Download
memory/2468-55-0x00000000076C0000-0x00000000076D0000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads