redline | c61aa1c838bca940faf8342cc1b32b3f5013ec1f804ef716f262db82675adc66

Analysis

max time kernel
144s
max time network
170s
platform
windows10-1703_x64
resource
win10-20231020-en
resource tags

arch:x64arch:x86image:win10-20231020-enlocale:en-usos:windows10-1703-x64system
submitted
23/10/2023, 10:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c61aa1c838bca940faf8342cc1b32b3f5013ec1f804ef716f262db82675adc66.exe
Size

1.5MB
MD5

af87b5060f372eadbc25c704fb775878
SHA1

e5bb4938db13c29f769a4e0209087eacf22266d3
SHA256

c61aa1c838bca940faf8342cc1b32b3f5013ec1f804ef716f262db82675adc66
SHA512

ca4a3eb15b13f69553bd6a3d5e70a2d70c5d02de3ffeb7842b91ee59f84329f0b3dfc39efcae65278b3dfbcb84d1b140d7527d7577cd4ea8b84a0590d1e8124b
SSDEEP

24576:iyYh/7orZPsvVXxd0V9pJbXBpej6xpPWBZqp4F7Sx6AkZ7Wk69:JK7or9sFX0VzJbXBpej6Iaab6

Score

10^/10

redline kinder infostealer persistence

Malware Config

Extracted

Family

redline

Botnet

kinder

109.107.182.133:19084

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 3 IoCs

resource	yara_rule
behavioral1/files/0x000600000001ab9a-39.dat	family_redline
behavioral1/files/0x000600000001ab9a-40.dat	family_redline
behavioral1/memory/3748-45-0x0000000000500000-0x000000000053E000-memory.dmp	family_redline

Executes dropped EXE 6 IoCs

pid	Process
3084	Oo9IG3ne.exe
2464	tA1Oe9lF.exe
4952	IZ8Sl4MQ.exe
4924	gU3hu1Zl.exe
4920	1wn33KI7.exe
3748	2qo227Un.exe

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	c61aa1c838bca940faf8342cc1b32b3f5013ec1f804ef716f262db82675adc66.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	Oo9IG3ne.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	tA1Oe9lF.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	IZ8Sl4MQ.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\""	gU3hu1Zl.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4920 set thread context of 4608	4920	1wn33KI7.exe	75

Program crash 1 IoCs

pid	pid_target	Process	procid_target
380	4608	WerFault.exe	75

Suspicious use of WriteProcessMemory 28 IoCs

description	pid	Process	procid_target
PID 4372 wrote to memory of 3084	4372	c61aa1c838bca940faf8342cc1b32b3f5013ec1f804ef716f262db82675adc66.exe	70
PID 4372 wrote to memory of 3084	4372	c61aa1c838bca940faf8342cc1b32b3f5013ec1f804ef716f262db82675adc66.exe	70
PID 4372 wrote to memory of 3084	4372	c61aa1c838bca940faf8342cc1b32b3f5013ec1f804ef716f262db82675adc66.exe	70
PID 3084 wrote to memory of 2464	3084	Oo9IG3ne.exe	71
PID 3084 wrote to memory of 2464	3084	Oo9IG3ne.exe	71
PID 3084 wrote to memory of 2464	3084	Oo9IG3ne.exe	71
PID 2464 wrote to memory of 4952	2464	tA1Oe9lF.exe	72
PID 2464 wrote to memory of 4952	2464	tA1Oe9lF.exe	72
PID 2464 wrote to memory of 4952	2464	tA1Oe9lF.exe	72
PID 4952 wrote to memory of 4924	4952	IZ8Sl4MQ.exe	73
PID 4952 wrote to memory of 4924	4952	IZ8Sl4MQ.exe	73
PID 4952 wrote to memory of 4924	4952	IZ8Sl4MQ.exe	73
PID 4924 wrote to memory of 4920	4924	gU3hu1Zl.exe	74
PID 4924 wrote to memory of 4920	4924	gU3hu1Zl.exe	74
PID 4924 wrote to memory of 4920	4924	gU3hu1Zl.exe	74
PID 4920 wrote to memory of 4608	4920	1wn33KI7.exe	75
PID 4920 wrote to memory of 4608	4920	1wn33KI7.exe	75
PID 4920 wrote to memory of 4608	4920	1wn33KI7.exe	75
PID 4920 wrote to memory of 4608	4920	1wn33KI7.exe	75
PID 4920 wrote to memory of 4608	4920	1wn33KI7.exe	75
PID 4920 wrote to memory of 4608	4920	1wn33KI7.exe	75
PID 4920 wrote to memory of 4608	4920	1wn33KI7.exe	75
PID 4920 wrote to memory of 4608	4920	1wn33KI7.exe	75
PID 4920 wrote to memory of 4608	4920	1wn33KI7.exe	75
PID 4920 wrote to memory of 4608	4920	1wn33KI7.exe	75
PID 4924 wrote to memory of 3748	4924	gU3hu1Zl.exe	76
PID 4924 wrote to memory of 3748	4924	gU3hu1Zl.exe	76
PID 4924 wrote to memory of 3748	4924	gU3hu1Zl.exe	76

C:\Users\Admin\AppData\Local\Temp\c61aa1c838bca940faf8342cc1b32b3f5013ec1f804ef716f262db82675adc66.exe
"C:\Users\Admin\AppData\Local\Temp\c61aa1c838bca940faf8342cc1b32b3f5013ec1f804ef716f262db82675adc66.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4372
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Oo9IG3ne.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Oo9IG3ne.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:3084
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\tA1Oe9lF.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\tA1Oe9lF.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:2464
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\IZ8Sl4MQ.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\IZ8Sl4MQ.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:4952
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\gU3hu1Zl.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\gU3hu1Zl.exe
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of WriteProcessMemory
        
        PID:4924
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1wn33KI7.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1wn33KI7.exe
        6⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:4920
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        7⤵
        
        PID:4608
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4608 -s 588
        8⤵
        Program crash
        
        PID:380
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2qo227Un.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2qo227Un.exe
        6⤵
        Executes dropped EXE
        
        PID:3748

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Oo9IG3ne.exe

Filesize
1.3MB

MD5
6b36055763074be47f3471d294fa19d4

SHA1
7e91996e8f8bb0f4170d14d763ea393741c9b908

SHA256
b0b66334c8a8579bd19b9ced17d7c45345dc21f1f183833f7db339546a9cf7a0

SHA512
dc06d3f77f8cacc504e0b0cc3872ba7e713882eb896eb264455f1a408713ae2b339fd2698d13c89d14ec564172cfd0e4fc5c2b7ac7dce691eb6ee62fe07ec4db

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Oo9IG3ne.exe

Filesize
1.3MB

MD5
6b36055763074be47f3471d294fa19d4

SHA1
7e91996e8f8bb0f4170d14d763ea393741c9b908

SHA256
b0b66334c8a8579bd19b9ced17d7c45345dc21f1f183833f7db339546a9cf7a0

SHA512
dc06d3f77f8cacc504e0b0cc3872ba7e713882eb896eb264455f1a408713ae2b339fd2698d13c89d14ec564172cfd0e4fc5c2b7ac7dce691eb6ee62fe07ec4db

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\tA1Oe9lF.exe

Filesize
1.1MB

MD5
93b129dc79b6cb888cda1456a578134c

SHA1
3342ac08a79eef39aa11bdb9da9fe05b520bf538

SHA256
e6ae98ed78a614916941cbabac2424964f2a459187eaaa67c06df64cf83dcf28

SHA512
f0881e013935f7420c8f0f050c41129b19f0d62f42c2700e0c574c09b9e894205df9a87d7171cf2eb79c8d098fa8915df6b1a3b86b7eff374fb284ea46c3ccb6

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\tA1Oe9lF.exe

Filesize
1.1MB

MD5
93b129dc79b6cb888cda1456a578134c

SHA1
3342ac08a79eef39aa11bdb9da9fe05b520bf538

SHA256
e6ae98ed78a614916941cbabac2424964f2a459187eaaa67c06df64cf83dcf28

SHA512
f0881e013935f7420c8f0f050c41129b19f0d62f42c2700e0c574c09b9e894205df9a87d7171cf2eb79c8d098fa8915df6b1a3b86b7eff374fb284ea46c3ccb6

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\IZ8Sl4MQ.exe

Filesize
754KB

MD5
c418cf5d41272709fe9e26952253eb5f

SHA1
0524ccdb1ad63cee9f5d907a654b35dfb6bed164

SHA256
33458ca179eeb24f3f73b76d398e4ec233456589ae24d553ce6d36341a61e76e

SHA512
6bab174b676678448bb3a88f47196e63911a071436790d43c1feeeac790d89a016ff820a167a9e6fd3cea2193ec770e20c13eb87e46c7abb3f5bcb6197cd188a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\IZ8Sl4MQ.exe

Filesize
754KB

MD5
c418cf5d41272709fe9e26952253eb5f

SHA1
0524ccdb1ad63cee9f5d907a654b35dfb6bed164

SHA256
33458ca179eeb24f3f73b76d398e4ec233456589ae24d553ce6d36341a61e76e

SHA512
6bab174b676678448bb3a88f47196e63911a071436790d43c1feeeac790d89a016ff820a167a9e6fd3cea2193ec770e20c13eb87e46c7abb3f5bcb6197cd188a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\gU3hu1Zl.exe

Filesize
559KB

MD5
523a37234d7102f48fc1fb5a59522c28

SHA1
a0ff24d9eeef109d53c9617e06e82ab40e83c50b

SHA256
5643f923de149a4cf6f869bed701bd0d3325fb042f61eacb0df07ed81706de5c

SHA512
aafee96d83c0f67e1012581c4e0ce8db71431e69ecd7c9d1e6e647b2ad517d673ac6511b33b70109c94fe4ff96717a29b95c16dda1db778e79d4adf64fb04cfc

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\gU3hu1Zl.exe

Filesize
559KB

MD5
523a37234d7102f48fc1fb5a59522c28

SHA1
a0ff24d9eeef109d53c9617e06e82ab40e83c50b

SHA256
5643f923de149a4cf6f869bed701bd0d3325fb042f61eacb0df07ed81706de5c

SHA512
aafee96d83c0f67e1012581c4e0ce8db71431e69ecd7c9d1e6e647b2ad517d673ac6511b33b70109c94fe4ff96717a29b95c16dda1db778e79d4adf64fb04cfc

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1wn33KI7.exe

Filesize
1.1MB

MD5
99187f5197d70ceccc4e0fde10fc7f30

SHA1
d66a56107782186c4b0025c9e1bc697aa213ea07

SHA256
daf028d78fbf206e389d5fb372480cb9a734a47f9ce55e5340199cbd79d5c644

SHA512
67070e8e3b60878ebfb160756128c1f542ad31dcc590606afec6e005ff36cd74f8c45b624bb69056f93edb71c3aad5c60d3ecd6835e61600f1c26416908a2317

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1wn33KI7.exe

Filesize
1.1MB

MD5
99187f5197d70ceccc4e0fde10fc7f30

SHA1
d66a56107782186c4b0025c9e1bc697aa213ea07

SHA256
daf028d78fbf206e389d5fb372480cb9a734a47f9ce55e5340199cbd79d5c644

SHA512
67070e8e3b60878ebfb160756128c1f542ad31dcc590606afec6e005ff36cd74f8c45b624bb69056f93edb71c3aad5c60d3ecd6835e61600f1c26416908a2317

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2qo227Un.exe

Filesize
222KB

MD5
6ea57f3fb74440b52429daab9f5fc540

SHA1
da07ee2d2450d582e72ffc8ada2d882f5e585ae9

SHA256
3033d6d07978b0a500a3160b68d13b5238bd8c2a7e04d78050201b5b4a3f5779

SHA512
235549a6c22c24a208888b8479370e02bc91e4803afe544c5b9021e4f5f8ed47cb92d693f52aa267638aedcf50fbc08f6f7d9fa1006ad3687f0436dd383a48d9

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2qo227Un.exe

Filesize
222KB

MD5
6ea57f3fb74440b52429daab9f5fc540

SHA1
da07ee2d2450d582e72ffc8ada2d882f5e585ae9

SHA256
3033d6d07978b0a500a3160b68d13b5238bd8c2a7e04d78050201b5b4a3f5779

SHA512
235549a6c22c24a208888b8479370e02bc91e4803afe544c5b9021e4f5f8ed47cb92d693f52aa267638aedcf50fbc08f6f7d9fa1006ad3687f0436dd383a48d9

Download Submit
memory/3748-50-0x00000000081D0000-0x00000000087D6000-memory.dmp

Filesize
6.0MB

Download
memory/3748-51-0x0000000007BC0000-0x0000000007CCA000-memory.dmp

Filesize
1.0MB

Download
memory/3748-55-0x0000000073930000-0x000000007401E000-memory.dmp

Filesize
6.9MB

Download
memory/3748-54-0x0000000007570000-0x00000000075BB000-memory.dmp

Filesize
300KB

Download
memory/3748-46-0x0000000073930000-0x000000007401E000-memory.dmp

Filesize
6.9MB

Download
memory/3748-45-0x0000000000500000-0x000000000053E000-memory.dmp

Filesize
248KB

Download
memory/3748-53-0x0000000007530000-0x000000000756E000-memory.dmp

Filesize
248KB

Download
memory/3748-49-0x0000000007270000-0x000000000727A000-memory.dmp

Filesize
40KB

Download
memory/3748-47-0x00000000076C0000-0x0000000007BBE000-memory.dmp

Filesize
5.0MB

Download
memory/3748-52-0x00000000074D0000-0x00000000074E2000-memory.dmp

Filesize
72KB

Download
memory/3748-48-0x00000000072A0000-0x0000000007332000-memory.dmp

Filesize
584KB

Download
memory/4608-35-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/4608-41-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/4608-44-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/4608-42-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads