redline | 8c3a23bed5d8bf6fb410bc0b05f579f18d2e71fe4984d9714e7e127c9fad2905

Analysis

max time kernel
141s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20231020-en
resource tags

arch:x64arch:x86image:win10v2004-20231020-enlocale:en-usos:windows10-2004-x64system
submitted
23/10/2023, 03:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8c3a23bed5d8bf6fb410bc0b05f579f18d2e71fe4984d9714e7e127c9fad2905.exe
Size

1.5MB
MD5

106e0f86e7e00d14c65765967b17879f
SHA1

77e6608cd1ed7ae3305f34f5f5ba19e652bf5a75
SHA256

8c3a23bed5d8bf6fb410bc0b05f579f18d2e71fe4984d9714e7e127c9fad2905
SHA512

63d90fcafdc6ec194fa03944ef6aeefccb4fc4c695c44df93e03da55562bce0bb933425c2a774978dca97206c1129313856ea60b0dc11addabf10b9d24e6c337
SSDEEP

24576:PyrGhdyHEBxy0p4TKUfZtEq1WOhXEU9jXMDM02I5T/yxMMaLm3Da:arSyHE4HF1WDU9j87p+xS

Score

10^/10

redline kinder infostealer persistence

Malware Config

Extracted

Family

redline

Botnet

kinder

109.107.182.133:19084

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 3 IoCs

resource	yara_rule
behavioral1/files/0x0006000000022e61-41.dat	family_redline
behavioral1/files/0x0006000000022e61-42.dat	family_redline
behavioral1/memory/4440-43-0x0000000000390000-0x00000000003CE000-memory.dmp	family_redline

Executes dropped EXE 6 IoCs

pid	Process
4808	aE2jk2gn.exe
1940	uL6dg0NM.exe
3864	Oy2Dm4kn.exe
3856	vH5UK1xk.exe
2088	1fJ76XT4.exe
4440	2Ma629yG.exe

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	Oy2Dm4kn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\""	vH5UK1xk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	8c3a23bed5d8bf6fb410bc0b05f579f18d2e71fe4984d9714e7e127c9fad2905.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	aE2jk2gn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	uL6dg0NM.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2088 set thread context of 2684	2088	1fJ76XT4.exe	95

Program crash 1 IoCs

pid	pid_target	Process	procid_target
32	2684	WerFault.exe	95

Suspicious use of WriteProcessMemory 28 IoCs

description	pid	Process	procid_target
PID 4716 wrote to memory of 4808	4716	8c3a23bed5d8bf6fb410bc0b05f579f18d2e71fe4984d9714e7e127c9fad2905.exe	87
PID 4716 wrote to memory of 4808	4716	8c3a23bed5d8bf6fb410bc0b05f579f18d2e71fe4984d9714e7e127c9fad2905.exe	87
PID 4716 wrote to memory of 4808	4716	8c3a23bed5d8bf6fb410bc0b05f579f18d2e71fe4984d9714e7e127c9fad2905.exe	87
PID 4808 wrote to memory of 1940	4808	aE2jk2gn.exe	89
PID 4808 wrote to memory of 1940	4808	aE2jk2gn.exe	89
PID 4808 wrote to memory of 1940	4808	aE2jk2gn.exe	89
PID 1940 wrote to memory of 3864	1940	uL6dg0NM.exe	90
PID 1940 wrote to memory of 3864	1940	uL6dg0NM.exe	90
PID 1940 wrote to memory of 3864	1940	uL6dg0NM.exe	90
PID 3864 wrote to memory of 3856	3864	Oy2Dm4kn.exe	91
PID 3864 wrote to memory of 3856	3864	Oy2Dm4kn.exe	91
PID 3864 wrote to memory of 3856	3864	Oy2Dm4kn.exe	91
PID 3856 wrote to memory of 2088	3856	vH5UK1xk.exe	92
PID 3856 wrote to memory of 2088	3856	vH5UK1xk.exe	92
PID 3856 wrote to memory of 2088	3856	vH5UK1xk.exe	92
PID 2088 wrote to memory of 2684	2088	1fJ76XT4.exe	95
PID 2088 wrote to memory of 2684	2088	1fJ76XT4.exe	95
PID 2088 wrote to memory of 2684	2088	1fJ76XT4.exe	95
PID 2088 wrote to memory of 2684	2088	1fJ76XT4.exe	95
PID 2088 wrote to memory of 2684	2088	1fJ76XT4.exe	95
PID 2088 wrote to memory of 2684	2088	1fJ76XT4.exe	95
PID 2088 wrote to memory of 2684	2088	1fJ76XT4.exe	95
PID 2088 wrote to memory of 2684	2088	1fJ76XT4.exe	95
PID 2088 wrote to memory of 2684	2088	1fJ76XT4.exe	95
PID 2088 wrote to memory of 2684	2088	1fJ76XT4.exe	95
PID 3856 wrote to memory of 4440	3856	vH5UK1xk.exe	96
PID 3856 wrote to memory of 4440	3856	vH5UK1xk.exe	96
PID 3856 wrote to memory of 4440	3856	vH5UK1xk.exe	96

C:\Users\Admin\AppData\Local\Temp\8c3a23bed5d8bf6fb410bc0b05f579f18d2e71fe4984d9714e7e127c9fad2905.exe
"C:\Users\Admin\AppData\Local\Temp\8c3a23bed5d8bf6fb410bc0b05f579f18d2e71fe4984d9714e7e127c9fad2905.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4716
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\aE2jk2gn.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\aE2jk2gn.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:4808
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\uL6dg0NM.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\uL6dg0NM.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:1940
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Oy2Dm4kn.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Oy2Dm4kn.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:3864
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\vH5UK1xk.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\vH5UK1xk.exe
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of WriteProcessMemory
        
        PID:3856
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1fJ76XT4.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1fJ76XT4.exe
        6⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:2088
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        7⤵
        
        PID:2684
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2684 -s 540
        8⤵
        Program crash
        
        PID:32
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2Ma629yG.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2Ma629yG.exe
        6⤵
        Executes dropped EXE
        
        PID:4440

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 2684 -ip 2684
1⤵
PID:2388

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\aE2jk2gn.exe

Filesize
1.3MB

MD5
000751c7dd5bca6ea3437891e2cfb1cc

SHA1
c156d1aca1dc28700d2683069e83c2f626198766

SHA256
24cba26406edfe7b647af7cd8c6405ec224ee50888b9384cf268e8f5d6e95aec

SHA512
ee101a47fa27cc588a38e1a3543cf86e5d3d2351be164e19cd0afc89d9a72c308b37452ff1f4f33e079700cf789c72bb51785d43dc9215ee592edf0b16721344

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\aE2jk2gn.exe

Filesize
1.3MB

MD5
000751c7dd5bca6ea3437891e2cfb1cc

SHA1
c156d1aca1dc28700d2683069e83c2f626198766

SHA256
24cba26406edfe7b647af7cd8c6405ec224ee50888b9384cf268e8f5d6e95aec

SHA512
ee101a47fa27cc588a38e1a3543cf86e5d3d2351be164e19cd0afc89d9a72c308b37452ff1f4f33e079700cf789c72bb51785d43dc9215ee592edf0b16721344

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\uL6dg0NM.exe

Filesize
1.1MB

MD5
f6e086d6439208958ab284dd4c7d086d

SHA1
572ac328b0f73c47ae5804f06d7cbcff9ce422cb

SHA256
91105e1a4ed3ccaf7ac2beaabb42f7d368db770e28224c9f4866de68e502f590

SHA512
12bb8764f3d5aec5cd2868b1ecf224f1045c6e19a2b41938de7335f2385f7b4b9a9221c5741a0b2c1f3307c7e47bfa1ba39c7fbf0ec8c6307ba00885762b5913

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\uL6dg0NM.exe

Filesize
1.1MB

MD5
f6e086d6439208958ab284dd4c7d086d

SHA1
572ac328b0f73c47ae5804f06d7cbcff9ce422cb

SHA256
91105e1a4ed3ccaf7ac2beaabb42f7d368db770e28224c9f4866de68e502f590

SHA512
12bb8764f3d5aec5cd2868b1ecf224f1045c6e19a2b41938de7335f2385f7b4b9a9221c5741a0b2c1f3307c7e47bfa1ba39c7fbf0ec8c6307ba00885762b5913

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Oy2Dm4kn.exe

Filesize
754KB

MD5
580c3e4c58b87845b7b8bf9012799b56

SHA1
931618f42340daf210ac33e072090b61f3f4e6f9

SHA256
5abfa665148b3d587e96b3b892c5c7cb8b26cc062f5bee088ce9304ffffb9aa1

SHA512
5fdfe1c0610777179d7debcedc4a0111d1b5c632aea5b7e5b497ae7cc1a9aace2320f3e8d0768112a8695f6310bacedca1137557f9a46338b37a0c6aa3659c43

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Oy2Dm4kn.exe

Filesize
754KB

MD5
580c3e4c58b87845b7b8bf9012799b56

SHA1
931618f42340daf210ac33e072090b61f3f4e6f9

SHA256
5abfa665148b3d587e96b3b892c5c7cb8b26cc062f5bee088ce9304ffffb9aa1

SHA512
5fdfe1c0610777179d7debcedc4a0111d1b5c632aea5b7e5b497ae7cc1a9aace2320f3e8d0768112a8695f6310bacedca1137557f9a46338b37a0c6aa3659c43

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\vH5UK1xk.exe

Filesize
559KB

MD5
1c56ae24fee48a9e49bcd114ef9b2979

SHA1
28e69d4d36ecbd0b1b069fab20354abd69a571e0

SHA256
244a4fb5307fd4f57cfd78177e928e8f1e06332085a01e1ffdb8d38c4db6daf8

SHA512
b03f41afc758e37ca429bde3b951364c3bc475efccc4c304680c536898eacc9b0543b153808212f8229f88a64c12e03b9eff7614e8eeeb06042090fe6a9f7461

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\vH5UK1xk.exe

Filesize
559KB

MD5
1c56ae24fee48a9e49bcd114ef9b2979

SHA1
28e69d4d36ecbd0b1b069fab20354abd69a571e0

SHA256
244a4fb5307fd4f57cfd78177e928e8f1e06332085a01e1ffdb8d38c4db6daf8

SHA512
b03f41afc758e37ca429bde3b951364c3bc475efccc4c304680c536898eacc9b0543b153808212f8229f88a64c12e03b9eff7614e8eeeb06042090fe6a9f7461

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1fJ76XT4.exe

Filesize
1.1MB

MD5
99187f5197d70ceccc4e0fde10fc7f30

SHA1
d66a56107782186c4b0025c9e1bc697aa213ea07

SHA256
daf028d78fbf206e389d5fb372480cb9a734a47f9ce55e5340199cbd79d5c644

SHA512
67070e8e3b60878ebfb160756128c1f542ad31dcc590606afec6e005ff36cd74f8c45b624bb69056f93edb71c3aad5c60d3ecd6835e61600f1c26416908a2317

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1fJ76XT4.exe

Filesize
1.1MB

MD5
99187f5197d70ceccc4e0fde10fc7f30

SHA1
d66a56107782186c4b0025c9e1bc697aa213ea07

SHA256
daf028d78fbf206e389d5fb372480cb9a734a47f9ce55e5340199cbd79d5c644

SHA512
67070e8e3b60878ebfb160756128c1f542ad31dcc590606afec6e005ff36cd74f8c45b624bb69056f93edb71c3aad5c60d3ecd6835e61600f1c26416908a2317

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2Ma629yG.exe

Filesize
222KB

MD5
6b030a3ad0a687c3ad204ce802dcd3a2

SHA1
9a3f17514ea3bf5786d5f397841e0f1c627a9157

SHA256
4935e7b9a19621ff02df6f65d975409d01d47ff33f37e4310338f1b6d0397940

SHA512
ad17ebd26f2405f96f1374d6f46662e419c85b43cab07d6f422e4bf76000606d56bfc220c05361b80bab2bc89c009688908dcd493e6138bfa00d306b0aab6cdd

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2Ma629yG.exe

Filesize
222KB

MD5
6b030a3ad0a687c3ad204ce802dcd3a2

SHA1
9a3f17514ea3bf5786d5f397841e0f1c627a9157

SHA256
4935e7b9a19621ff02df6f65d975409d01d47ff33f37e4310338f1b6d0397940

SHA512
ad17ebd26f2405f96f1374d6f46662e419c85b43cab07d6f422e4bf76000606d56bfc220c05361b80bab2bc89c009688908dcd493e6138bfa00d306b0aab6cdd

Download Submit
memory/2684-36-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/2684-37-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/2684-39-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/2684-35-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/4440-46-0x0000000007300000-0x0000000007392000-memory.dmp

Filesize
584KB

Download
memory/4440-44-0x0000000073A80000-0x0000000074230000-memory.dmp

Filesize
7.7MB

Download
memory/4440-45-0x0000000007810000-0x0000000007DB4000-memory.dmp

Filesize
5.6MB

Download
memory/4440-43-0x0000000000390000-0x00000000003CE000-memory.dmp

Filesize
248KB

Download
memory/4440-47-0x00000000074A0000-0x00000000074B0000-memory.dmp

Filesize
64KB

Download
memory/4440-48-0x00000000072B0000-0x00000000072BA000-memory.dmp

Filesize
40KB

Download
memory/4440-49-0x00000000083E0000-0x00000000089F8000-memory.dmp

Filesize
6.1MB

Download
memory/4440-50-0x00000000076B0000-0x00000000077BA000-memory.dmp

Filesize
1.0MB

Download
memory/4440-51-0x0000000007420000-0x0000000007432000-memory.dmp

Filesize
72KB

Download
memory/4440-52-0x00000000075A0000-0x00000000075DC000-memory.dmp

Filesize
240KB

Download
memory/4440-53-0x00000000075E0000-0x000000000762C000-memory.dmp

Filesize
304KB

Download
memory/4440-54-0x0000000073A80000-0x0000000074230000-memory.dmp

Filesize
7.7MB

Download
memory/4440-55-0x00000000074A0000-0x00000000074B0000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads