redline | 9d86a437f43b3ae20e9326b94fe32d33778a868d3d185a7c5bad3e2a2307adf1

Analysis

max time kernel
140s
max time network
160s
platform
windows10-2004_x64
resource
win10v2004-20231020-en
resource tags

arch:x64arch:x86image:win10v2004-20231020-enlocale:en-usos:windows10-2004-x64system
submitted
23/10/2023, 21:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9d86a437f43b3ae20e9326b94fe32d33778a868d3d185a7c5bad3e2a2307adf1.exe
Size

1.7MB
MD5

9b0bb250194dec0ec5ba12d3324b4aa5
SHA1

aef49e8f255cb3884bbd36bd86300e1cb2d870ac
SHA256

9d86a437f43b3ae20e9326b94fe32d33778a868d3d185a7c5bad3e2a2307adf1
SHA512

767e53cbc406a4e4c7c26a9d192a6541b1ad55a75de5c30b2c518bf223fcce548aff3600c48dd79c6eccfb6594ae2fff0410815a6e72acbebfec2dcba2dddad5
SSDEEP

49152:xjSlacchxKkZiXDrbkOpt4FA8f/FJeIqKnwj:UkT1ZiTrbkOoFA+kZ

Score

10^/10

redline kinza infostealer persistence

Malware Config

Extracted

Family

redline

Botnet

kinza

77.91.124.86:19084

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 3 IoCs

resource	yara_rule
behavioral1/files/0x0007000000022df4-41.dat	family_redline
behavioral1/files/0x0007000000022df4-42.dat	family_redline
behavioral1/memory/4500-43-0x0000000000420000-0x000000000045E000-memory.dmp	family_redline

Executes dropped EXE 6 IoCs

pid	Process
2824	Su8zl3Vh.exe
4428	TF9pU7ua.exe
4460	tc1Uf4NN.exe
2772	WR8Uf0PI.exe
436	1Kl28sk9.exe
4500	2zs052Bc.exe

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	9d86a437f43b3ae20e9326b94fe32d33778a868d3d185a7c5bad3e2a2307adf1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	Su8zl3Vh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	TF9pU7ua.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	tc1Uf4NN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\""	WR8Uf0PI.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 436 set thread context of 3416	436	1Kl28sk9.exe	92

Program crash 1 IoCs

pid	pid_target	Process	procid_target
3884	3416	WerFault.exe	92

Suspicious use of WriteProcessMemory 28 IoCs

description	pid	Process	procid_target
PID 5092 wrote to memory of 2824	5092	9d86a437f43b3ae20e9326b94fe32d33778a868d3d185a7c5bad3e2a2307adf1.exe	87
PID 5092 wrote to memory of 2824	5092	9d86a437f43b3ae20e9326b94fe32d33778a868d3d185a7c5bad3e2a2307adf1.exe	87
PID 5092 wrote to memory of 2824	5092	9d86a437f43b3ae20e9326b94fe32d33778a868d3d185a7c5bad3e2a2307adf1.exe	87
PID 2824 wrote to memory of 4428	2824	Su8zl3Vh.exe	88
PID 2824 wrote to memory of 4428	2824	Su8zl3Vh.exe	88
PID 2824 wrote to memory of 4428	2824	Su8zl3Vh.exe	88
PID 4428 wrote to memory of 4460	4428	TF9pU7ua.exe	89
PID 4428 wrote to memory of 4460	4428	TF9pU7ua.exe	89
PID 4428 wrote to memory of 4460	4428	TF9pU7ua.exe	89
PID 4460 wrote to memory of 2772	4460	tc1Uf4NN.exe	90
PID 4460 wrote to memory of 2772	4460	tc1Uf4NN.exe	90
PID 4460 wrote to memory of 2772	4460	tc1Uf4NN.exe	90
PID 2772 wrote to memory of 436	2772	WR8Uf0PI.exe	91
PID 2772 wrote to memory of 436	2772	WR8Uf0PI.exe	91
PID 2772 wrote to memory of 436	2772	WR8Uf0PI.exe	91
PID 436 wrote to memory of 3416	436	1Kl28sk9.exe	92
PID 436 wrote to memory of 3416	436	1Kl28sk9.exe	92
PID 436 wrote to memory of 3416	436	1Kl28sk9.exe	92
PID 436 wrote to memory of 3416	436	1Kl28sk9.exe	92
PID 436 wrote to memory of 3416	436	1Kl28sk9.exe	92
PID 436 wrote to memory of 3416	436	1Kl28sk9.exe	92
PID 436 wrote to memory of 3416	436	1Kl28sk9.exe	92
PID 436 wrote to memory of 3416	436	1Kl28sk9.exe	92
PID 436 wrote to memory of 3416	436	1Kl28sk9.exe	92
PID 436 wrote to memory of 3416	436	1Kl28sk9.exe	92
PID 2772 wrote to memory of 4500	2772	WR8Uf0PI.exe	93
PID 2772 wrote to memory of 4500	2772	WR8Uf0PI.exe	93
PID 2772 wrote to memory of 4500	2772	WR8Uf0PI.exe	93

C:\Users\Admin\AppData\Local\Temp\9d86a437f43b3ae20e9326b94fe32d33778a868d3d185a7c5bad3e2a2307adf1.exe
"C:\Users\Admin\AppData\Local\Temp\9d86a437f43b3ae20e9326b94fe32d33778a868d3d185a7c5bad3e2a2307adf1.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:5092
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Su8zl3Vh.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Su8zl3Vh.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:2824
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\TF9pU7ua.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\TF9pU7ua.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:4428
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\tc1Uf4NN.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\tc1Uf4NN.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:4460
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\WR8Uf0PI.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\WR8Uf0PI.exe
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of WriteProcessMemory
        
        PID:2772
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1Kl28sk9.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1Kl28sk9.exe
        6⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:436
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        7⤵
        
        PID:3416
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3416 -s 540
        8⤵
        Program crash
        
        PID:3884
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2zs052Bc.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2zs052Bc.exe
        6⤵
        Executes dropped EXE
        
        PID:4500

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3416 -ip 3416
1⤵
PID:1744

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Su8zl3Vh.exe

Filesize
1.5MB

MD5
138d801221ba1f1b4337a0f05fb56b73

SHA1
458eabcfb85693aceef2bf065990cfad0616cf4a

SHA256
8ab751e6ea7923fbc41b23abf7df730f3afb1cddf55dd08d9987a7a457d4bf5d

SHA512
b393148a566e02ac1e6e283e0de19344d7667d0ece945c0598641284374af0b592e429ff0e60c87f7bf345e1c4772b2eb2c0cba7d4e2006404522cbba62a6e35

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Su8zl3Vh.exe

Filesize
1.5MB

MD5
138d801221ba1f1b4337a0f05fb56b73

SHA1
458eabcfb85693aceef2bf065990cfad0616cf4a

SHA256
8ab751e6ea7923fbc41b23abf7df730f3afb1cddf55dd08d9987a7a457d4bf5d

SHA512
b393148a566e02ac1e6e283e0de19344d7667d0ece945c0598641284374af0b592e429ff0e60c87f7bf345e1c4772b2eb2c0cba7d4e2006404522cbba62a6e35

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\TF9pU7ua.exe

Filesize
1.4MB

MD5
354af320c6b39c339c52b2502e5421e0

SHA1
fdf860592899403ecc3acf1fa9131a934c4f5c91

SHA256
05996bfb9444a4a81aa9ef42a8daad815f97a8cedc0f26ff12a77e56c1963788

SHA512
68758261492c90b931941a1eb9198b34d73cf60325c4e7e604366d8d039ede740d7cbbcb1a81c3f1585b45cbaf4b45021292cdbf11477eef3e92729f3c4141e6

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\TF9pU7ua.exe

Filesize
1.4MB

MD5
354af320c6b39c339c52b2502e5421e0

SHA1
fdf860592899403ecc3acf1fa9131a934c4f5c91

SHA256
05996bfb9444a4a81aa9ef42a8daad815f97a8cedc0f26ff12a77e56c1963788

SHA512
68758261492c90b931941a1eb9198b34d73cf60325c4e7e604366d8d039ede740d7cbbcb1a81c3f1585b45cbaf4b45021292cdbf11477eef3e92729f3c4141e6

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\tc1Uf4NN.exe

Filesize
871KB

MD5
f8ce2c1c21fd8c61f4c82af9dfc4f24f

SHA1
8ccd62a53089e328ae4844b86f66a4a985b62ee1

SHA256
6ef9acd937bbf67d2a7e175cde125cbbc72ed51e2f11a193bde1d84f60fcbf1a

SHA512
dd55dfe70f9df40d1266f9eb82ebc8541a0d39a974e45bae51b9227dc8d9e801cdcb1b6ca735e3cda05aa8a0815b9c93d77035e42f015db4011ef88953ee3539

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\tc1Uf4NN.exe

Filesize
871KB

MD5
f8ce2c1c21fd8c61f4c82af9dfc4f24f

SHA1
8ccd62a53089e328ae4844b86f66a4a985b62ee1

SHA256
6ef9acd937bbf67d2a7e175cde125cbbc72ed51e2f11a193bde1d84f60fcbf1a

SHA512
dd55dfe70f9df40d1266f9eb82ebc8541a0d39a974e45bae51b9227dc8d9e801cdcb1b6ca735e3cda05aa8a0815b9c93d77035e42f015db4011ef88953ee3539

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\WR8Uf0PI.exe

Filesize
676KB

MD5
6b1f36df8939cdcc474373dbc01029b9

SHA1
818e8bdd153fea69c4a80be7446cd46063cf91c3

SHA256
bfbbe7321f5d63c912ecdd3c579965a625d88258b9ad49a847ff61d71cd99622

SHA512
4026925fe1243478cc62276b547815020f02fb0c22fe6ba14cda783bd3af6ba6a58ea281ae0f392d778e8b4305e02c28292fc7cc84e198fef00240fae229cc2a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\WR8Uf0PI.exe

Filesize
676KB

MD5
6b1f36df8939cdcc474373dbc01029b9

SHA1
818e8bdd153fea69c4a80be7446cd46063cf91c3

SHA256
bfbbe7321f5d63c912ecdd3c579965a625d88258b9ad49a847ff61d71cd99622

SHA512
4026925fe1243478cc62276b547815020f02fb0c22fe6ba14cda783bd3af6ba6a58ea281ae0f392d778e8b4305e02c28292fc7cc84e198fef00240fae229cc2a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1Kl28sk9.exe

Filesize
1.8MB

MD5
b54c82705c3563a6a1206b922f57345e

SHA1
63fb005fe57007aa17f63dd4140ec2341e19a568

SHA256
0c353e74965adbe697fbbb40b1180e1de6698db24bd31d3b0ae72f83c58212b1

SHA512
44c7b65748711a489c5c8869eaf2f33fbe54a1a44afa9dcaabdf0386667641c90c57147cbcf00bc68e777c369533b87583f7b01614983d0d8c64991a4c8fd52f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1Kl28sk9.exe

Filesize
1.8MB

MD5
b54c82705c3563a6a1206b922f57345e

SHA1
63fb005fe57007aa17f63dd4140ec2341e19a568

SHA256
0c353e74965adbe697fbbb40b1180e1de6698db24bd31d3b0ae72f83c58212b1

SHA512
44c7b65748711a489c5c8869eaf2f33fbe54a1a44afa9dcaabdf0386667641c90c57147cbcf00bc68e777c369533b87583f7b01614983d0d8c64991a4c8fd52f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2zs052Bc.exe

Filesize
221KB

MD5
a1f8995441a7b6824c0de17dfc04e7fc

SHA1
8d916a83cb2674c945ec4aa43eb1d07261b5467a

SHA256
d8d92e03db5a59cccaf138f162fc1da06ac0ff2cd17aa426ab7eafa09c5351c6

SHA512
b5c90d6c861f966e1c45b66f7392338475ec2cb367ac64400a260cc5b2dba843c51b8281c29c327c804092ddab1bf2af7fd069f3018c28fbce1d38e9084c20f6

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2zs052Bc.exe

Filesize
221KB

MD5
a1f8995441a7b6824c0de17dfc04e7fc

SHA1
8d916a83cb2674c945ec4aa43eb1d07261b5467a

SHA256
d8d92e03db5a59cccaf138f162fc1da06ac0ff2cd17aa426ab7eafa09c5351c6

SHA512
b5c90d6c861f966e1c45b66f7392338475ec2cb367ac64400a260cc5b2dba843c51b8281c29c327c804092ddab1bf2af7fd069f3018c28fbce1d38e9084c20f6

Download Submit
memory/3416-37-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/3416-36-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/3416-35-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/3416-40-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/4500-47-0x0000000007530000-0x0000000007540000-memory.dmp

Filesize
64KB

Download
memory/4500-44-0x00000000746F0000-0x0000000074EA0000-memory.dmp

Filesize
7.7MB

Download
memory/4500-45-0x0000000007860000-0x0000000007E04000-memory.dmp

Filesize
5.6MB

Download
memory/4500-46-0x0000000007350000-0x00000000073E2000-memory.dmp

Filesize
584KB

Download
memory/4500-43-0x0000000000420000-0x000000000045E000-memory.dmp

Filesize
248KB

Download
memory/4500-48-0x0000000007340000-0x000000000734A000-memory.dmp

Filesize
40KB

Download
memory/4500-49-0x0000000008430000-0x0000000008A48000-memory.dmp

Filesize
6.1MB

Download
memory/4500-50-0x0000000007740000-0x000000000784A000-memory.dmp

Filesize
1.0MB

Download
memory/4500-51-0x00000000075B0000-0x00000000075C2000-memory.dmp

Filesize
72KB

Download
memory/4500-52-0x0000000007610000-0x000000000764C000-memory.dmp

Filesize
240KB

Download
memory/4500-53-0x0000000007650000-0x000000000769C000-memory.dmp

Filesize
304KB

Download
memory/4500-54-0x00000000746F0000-0x0000000074EA0000-memory.dmp

Filesize
7.7MB

Download
memory/4500-55-0x0000000007530000-0x0000000007540000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads