redline | b06e1d01b82b1d8f2b73652b7bf5f40fd4a49c7e74ac98b77d5f481715bb6aa9

Analysis

max time kernel
142s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20231020-en
resource tags

arch:x64arch:x86image:win10v2004-20231020-enlocale:en-usos:windows10-2004-x64system
submitted
23/10/2023, 04:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b06e1d01b82b1d8f2b73652b7bf5f40fd4a49c7e74ac98b77d5f481715bb6aa9.exe
Size

1.5MB
MD5

8d575166139d6f2a40773a977912b67c
SHA1

d085227fb49c3c316f6df6069118d989a1da6c6a
SHA256

b06e1d01b82b1d8f2b73652b7bf5f40fd4a49c7e74ac98b77d5f481715bb6aa9
SHA512

eb0a72645431b939fbd5f2a4a88562f3d12afc12131f98e42ecf95b6bc926d327242aa18e262d7174f5535c257b2c90b68b5a56a828eee765d7af3033bd82d6c
SSDEEP

24576:DyAnmnaW4NSnbcgRtE5XAqxWnd+HMXhiir11WXQfUcx08bg533q:WAmnaXYcgzmoosXhitQfUc9

Score

10^/10

redline kinder infostealer persistence

Malware Config

Extracted

Family

redline

Botnet

kinder

109.107.182.133:19084

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 3 IoCs

resource	yara_rule
behavioral1/files/0x0006000000022e66-41.dat	family_redline
behavioral1/files/0x0006000000022e66-42.dat	family_redline
behavioral1/memory/1136-43-0x0000000000870000-0x00000000008AE000-memory.dmp	family_redline

Executes dropped EXE 6 IoCs

pid	Process
4760	rM5nY8ZZ.exe
2976	sE7tn2rF.exe
2292	EK7ah2gz.exe
1820	nf6kx6aJ.exe
1436	1ey84rJ9.exe
1136	2EP725ve.exe

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\""	nf6kx6aJ.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	b06e1d01b82b1d8f2b73652b7bf5f40fd4a49c7e74ac98b77d5f481715bb6aa9.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	rM5nY8ZZ.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	sE7tn2rF.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	EK7ah2gz.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1436 set thread context of 1664	1436	1ey84rJ9.exe	95

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4840	1664	WerFault.exe	95

Suspicious use of WriteProcessMemory 28 IoCs

description	pid	Process	procid_target
PID 2368 wrote to memory of 4760	2368	b06e1d01b82b1d8f2b73652b7bf5f40fd4a49c7e74ac98b77d5f481715bb6aa9.exe	85
PID 2368 wrote to memory of 4760	2368	b06e1d01b82b1d8f2b73652b7bf5f40fd4a49c7e74ac98b77d5f481715bb6aa9.exe	85
PID 2368 wrote to memory of 4760	2368	b06e1d01b82b1d8f2b73652b7bf5f40fd4a49c7e74ac98b77d5f481715bb6aa9.exe	85
PID 4760 wrote to memory of 2976	4760	rM5nY8ZZ.exe	86
PID 4760 wrote to memory of 2976	4760	rM5nY8ZZ.exe	86
PID 4760 wrote to memory of 2976	4760	rM5nY8ZZ.exe	86
PID 2976 wrote to memory of 2292	2976	sE7tn2rF.exe	88
PID 2976 wrote to memory of 2292	2976	sE7tn2rF.exe	88
PID 2976 wrote to memory of 2292	2976	sE7tn2rF.exe	88
PID 2292 wrote to memory of 1820	2292	EK7ah2gz.exe	90
PID 2292 wrote to memory of 1820	2292	EK7ah2gz.exe	90
PID 2292 wrote to memory of 1820	2292	EK7ah2gz.exe	90
PID 1820 wrote to memory of 1436	1820	nf6kx6aJ.exe	92
PID 1820 wrote to memory of 1436	1820	nf6kx6aJ.exe	92
PID 1820 wrote to memory of 1436	1820	nf6kx6aJ.exe	92
PID 1436 wrote to memory of 1664	1436	1ey84rJ9.exe	95
PID 1436 wrote to memory of 1664	1436	1ey84rJ9.exe	95
PID 1436 wrote to memory of 1664	1436	1ey84rJ9.exe	95
PID 1436 wrote to memory of 1664	1436	1ey84rJ9.exe	95
PID 1436 wrote to memory of 1664	1436	1ey84rJ9.exe	95
PID 1436 wrote to memory of 1664	1436	1ey84rJ9.exe	95
PID 1436 wrote to memory of 1664	1436	1ey84rJ9.exe	95
PID 1436 wrote to memory of 1664	1436	1ey84rJ9.exe	95
PID 1436 wrote to memory of 1664	1436	1ey84rJ9.exe	95
PID 1436 wrote to memory of 1664	1436	1ey84rJ9.exe	95
PID 1820 wrote to memory of 1136	1820	nf6kx6aJ.exe	96
PID 1820 wrote to memory of 1136	1820	nf6kx6aJ.exe	96
PID 1820 wrote to memory of 1136	1820	nf6kx6aJ.exe	96

C:\Users\Admin\AppData\Local\Temp\b06e1d01b82b1d8f2b73652b7bf5f40fd4a49c7e74ac98b77d5f481715bb6aa9.exe
"C:\Users\Admin\AppData\Local\Temp\b06e1d01b82b1d8f2b73652b7bf5f40fd4a49c7e74ac98b77d5f481715bb6aa9.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2368
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\rM5nY8ZZ.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\rM5nY8ZZ.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:4760
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sE7tn2rF.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sE7tn2rF.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:2976
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\EK7ah2gz.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\EK7ah2gz.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:2292
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\nf6kx6aJ.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\nf6kx6aJ.exe
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of WriteProcessMemory
        
        PID:1820
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1ey84rJ9.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1ey84rJ9.exe
        6⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:1436
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        7⤵
        
        PID:1664
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1664 -s 540
        8⤵
        Program crash
        
        PID:4840
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2EP725ve.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2EP725ve.exe
        6⤵
        Executes dropped EXE
        
        PID:1136

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 1664 -ip 1664
1⤵
PID:3920

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\rM5nY8ZZ.exe

Filesize
1.3MB

MD5
d4af962c964716ff9430e5c6adec0867

SHA1
8dfec58f37360751fe0bfd97b005267e1c65e8c1

SHA256
dddc24b04a97bf1c148ae6d9ba2ebcdefe9d82894e4bae87c4d0f4225d710b9c

SHA512
5e7824afb6b01c97e66bed37b7c769bb174b6e200182583b496452edbf29cd47917ab1a9d9a9dc1824cdeb3bb6279e986ad5936fc67c42ea470b7014b6b24bc4

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\rM5nY8ZZ.exe

Filesize
1.3MB

MD5
d4af962c964716ff9430e5c6adec0867

SHA1
8dfec58f37360751fe0bfd97b005267e1c65e8c1

SHA256
dddc24b04a97bf1c148ae6d9ba2ebcdefe9d82894e4bae87c4d0f4225d710b9c

SHA512
5e7824afb6b01c97e66bed37b7c769bb174b6e200182583b496452edbf29cd47917ab1a9d9a9dc1824cdeb3bb6279e986ad5936fc67c42ea470b7014b6b24bc4

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sE7tn2rF.exe

Filesize
1.1MB

MD5
686143be39ac2a9d13cd6ae6467a2655

SHA1
509df50f2be65e2ec963fac8c8485a20a3ed8233

SHA256
3d2640b5fb543494d0682208e9260e3f8679fd67b1b1955798b234c271e182b2

SHA512
b228a0f6fe52dea096408e9c6379ad1b7d310c767e5215e1440dba6e540a7d62d68504233490707daec37fea3023dbf9a46ece42751842d8606118d5e70a652a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sE7tn2rF.exe

Filesize
1.1MB

MD5
686143be39ac2a9d13cd6ae6467a2655

SHA1
509df50f2be65e2ec963fac8c8485a20a3ed8233

SHA256
3d2640b5fb543494d0682208e9260e3f8679fd67b1b1955798b234c271e182b2

SHA512
b228a0f6fe52dea096408e9c6379ad1b7d310c767e5215e1440dba6e540a7d62d68504233490707daec37fea3023dbf9a46ece42751842d8606118d5e70a652a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\EK7ah2gz.exe

Filesize
754KB

MD5
5bfa2d4db559d73fb479439b75c4b2d7

SHA1
2b2d5ad68ae9db68fe35739850167ebb486d55ff

SHA256
bcc3bea046b7e889f0ad28419ee14f570dffcd62fb16f120b88333f2e3987245

SHA512
3e8df45c28274094ea4157983e02c14376f376ae8a5c8b75f77aa8d6c89c44bd75529869963770943df474192117bd23f3a46ff92325c4edfb91e0582477491b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\EK7ah2gz.exe

Filesize
754KB

MD5
5bfa2d4db559d73fb479439b75c4b2d7

SHA1
2b2d5ad68ae9db68fe35739850167ebb486d55ff

SHA256
bcc3bea046b7e889f0ad28419ee14f570dffcd62fb16f120b88333f2e3987245

SHA512
3e8df45c28274094ea4157983e02c14376f376ae8a5c8b75f77aa8d6c89c44bd75529869963770943df474192117bd23f3a46ff92325c4edfb91e0582477491b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\nf6kx6aJ.exe

Filesize
559KB

MD5
c366cc104b2fdfb0faa095e314497859

SHA1
720fb97bfbee17b9ec256d8666e4955218f6443a

SHA256
a228b197d1067b2be5f11d52b3b05f4c0361acb16a80e61fb60d925a4fb23c20

SHA512
9d858f5f4cae98c05ab76ac7a489baf2479d54813aead0b168867005f6ebb449863df55bb68ba5193da336a4d421c48cbcca7b3007c8866425b38e78ded80cea

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\nf6kx6aJ.exe

Filesize
559KB

MD5
c366cc104b2fdfb0faa095e314497859

SHA1
720fb97bfbee17b9ec256d8666e4955218f6443a

SHA256
a228b197d1067b2be5f11d52b3b05f4c0361acb16a80e61fb60d925a4fb23c20

SHA512
9d858f5f4cae98c05ab76ac7a489baf2479d54813aead0b168867005f6ebb449863df55bb68ba5193da336a4d421c48cbcca7b3007c8866425b38e78ded80cea

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1ey84rJ9.exe

Filesize
1.1MB

MD5
99187f5197d70ceccc4e0fde10fc7f30

SHA1
d66a56107782186c4b0025c9e1bc697aa213ea07

SHA256
daf028d78fbf206e389d5fb372480cb9a734a47f9ce55e5340199cbd79d5c644

SHA512
67070e8e3b60878ebfb160756128c1f542ad31dcc590606afec6e005ff36cd74f8c45b624bb69056f93edb71c3aad5c60d3ecd6835e61600f1c26416908a2317

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1ey84rJ9.exe

Filesize
1.1MB

MD5
99187f5197d70ceccc4e0fde10fc7f30

SHA1
d66a56107782186c4b0025c9e1bc697aa213ea07

SHA256
daf028d78fbf206e389d5fb372480cb9a734a47f9ce55e5340199cbd79d5c644

SHA512
67070e8e3b60878ebfb160756128c1f542ad31dcc590606afec6e005ff36cd74f8c45b624bb69056f93edb71c3aad5c60d3ecd6835e61600f1c26416908a2317

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2EP725ve.exe

Filesize
222KB

MD5
5754d33153688416c50afd15cd9733ad

SHA1
22731aeb79e01c2072759bf7120b328abb31f4a7

SHA256
47160ec8c7bbb565b2ce1e235987d1199ce83c7ec22f4254963f3e9625c0dc15

SHA512
7f33f05bd0c46d73a1a412cfd6ebfe0ce47c44c145b8ce207ba40afd378800332588564a49aae929e69a775c5176eff2d5551f73054cd8a0cd703a10a6844f3e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2EP725ve.exe

Filesize
222KB

MD5
5754d33153688416c50afd15cd9733ad

SHA1
22731aeb79e01c2072759bf7120b328abb31f4a7

SHA256
47160ec8c7bbb565b2ce1e235987d1199ce83c7ec22f4254963f3e9625c0dc15

SHA512
7f33f05bd0c46d73a1a412cfd6ebfe0ce47c44c145b8ce207ba40afd378800332588564a49aae929e69a775c5176eff2d5551f73054cd8a0cd703a10a6844f3e

Download Submit
memory/1136-48-0x0000000007790000-0x000000000779A000-memory.dmp

Filesize
40KB

Download
memory/1136-52-0x0000000007A70000-0x0000000007AAC000-memory.dmp

Filesize
240KB

Download
memory/1136-55-0x00000000077C0000-0x00000000077D0000-memory.dmp

Filesize
64KB

Download
memory/1136-54-0x0000000073B50000-0x0000000074300000-memory.dmp

Filesize
7.7MB

Download
memory/1136-43-0x0000000000870000-0x00000000008AE000-memory.dmp

Filesize
248KB

Download
memory/1136-44-0x0000000073B50000-0x0000000074300000-memory.dmp

Filesize
7.7MB

Download
memory/1136-45-0x0000000007CF0000-0x0000000008294000-memory.dmp

Filesize
5.6MB

Download
memory/1136-46-0x00000000077E0000-0x0000000007872000-memory.dmp

Filesize
584KB

Download
memory/1136-47-0x00000000077C0000-0x00000000077D0000-memory.dmp

Filesize
64KB

Download
memory/1136-53-0x0000000007BF0000-0x0000000007C3C000-memory.dmp

Filesize
304KB

Download
memory/1136-49-0x00000000088C0000-0x0000000008ED8000-memory.dmp

Filesize
6.1MB

Download
memory/1136-50-0x0000000007AE0000-0x0000000007BEA000-memory.dmp

Filesize
1.0MB

Download
memory/1136-51-0x0000000007A10000-0x0000000007A22000-memory.dmp

Filesize
72KB

Download
memory/1664-36-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/1664-35-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/1664-37-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/1664-40-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads