redline | d493d5cb2fafa19d36786dc635b066eaaee07ccb1b7e4adb79829c4847083ec7

Analysis

max time kernel
136s
max time network
152s
platform
windows10-1703_x64
resource
win10-20231020-en
resource tags

arch:x64arch:x86image:win10-20231020-enlocale:en-usos:windows10-1703-x64system
submitted
24/10/2023, 00:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d493d5cb2fafa19d36786dc635b066eaaee07ccb1b7e4adb79829c4847083ec7.exe
Size

1.7MB
MD5

32fe76193366a182ca105bad5152de90
SHA1

86449e1a8e39b1f03bc40130ae7b4ff68805aac6
SHA256

d493d5cb2fafa19d36786dc635b066eaaee07ccb1b7e4adb79829c4847083ec7
SHA512

6aacf3427873e013177a3d75edd8ee011b4237cfa117d2f578c44ae95a26ef9d7c67510bb4c1455f5b1e04dcaca80cd30b3909a22dab3eab1c46e6e799d53ba8
SSDEEP

24576:lybEmrzG0x2SJhoP8CeBeDjtn/YTubZB0NTJ1hOWKh0+dbWAVj3iodW0IszCpIwv:A/ra4KPBd1/YqtyV7hhKxtWYjvW0NCp

Score

10^/10

redline kinza infostealer persistence

Malware Config

Extracted

Family

redline

Botnet

kinza

77.91.124.86:19084

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 3 IoCs

resource	yara_rule
behavioral1/files/0x000600000001abab-40.dat	family_redline
behavioral1/files/0x000600000001abab-42.dat	family_redline
behavioral1/memory/2276-45-0x0000000000930000-0x000000000096E000-memory.dmp	family_redline

Executes dropped EXE 6 IoCs

pid	Process
2872	EW9QS1Id.exe
3292	sB8GM5Wy.exe
4544	Ay4eq4Gv.exe
4360	IW6Ye1gs.exe
2300	1zR33Ag8.exe
2276	2Vo528kH.exe

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\""	IW6Ye1gs.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	d493d5cb2fafa19d36786dc635b066eaaee07ccb1b7e4adb79829c4847083ec7.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	EW9QS1Id.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	sB8GM5Wy.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	Ay4eq4Gv.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2300 set thread context of 4164	2300	1zR33Ag8.exe	76

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1240	4164	WerFault.exe	76

Suspicious use of WriteProcessMemory 28 IoCs

description	pid	Process	procid_target
PID 3480 wrote to memory of 2872	3480	d493d5cb2fafa19d36786dc635b066eaaee07ccb1b7e4adb79829c4847083ec7.exe	71
PID 3480 wrote to memory of 2872	3480	d493d5cb2fafa19d36786dc635b066eaaee07ccb1b7e4adb79829c4847083ec7.exe	71
PID 3480 wrote to memory of 2872	3480	d493d5cb2fafa19d36786dc635b066eaaee07ccb1b7e4adb79829c4847083ec7.exe	71
PID 2872 wrote to memory of 3292	2872	EW9QS1Id.exe	72
PID 2872 wrote to memory of 3292	2872	EW9QS1Id.exe	72
PID 2872 wrote to memory of 3292	2872	EW9QS1Id.exe	72
PID 3292 wrote to memory of 4544	3292	sB8GM5Wy.exe	73
PID 3292 wrote to memory of 4544	3292	sB8GM5Wy.exe	73
PID 3292 wrote to memory of 4544	3292	sB8GM5Wy.exe	73
PID 4544 wrote to memory of 4360	4544	Ay4eq4Gv.exe	74
PID 4544 wrote to memory of 4360	4544	Ay4eq4Gv.exe	74
PID 4544 wrote to memory of 4360	4544	Ay4eq4Gv.exe	74
PID 4360 wrote to memory of 2300	4360	IW6Ye1gs.exe	75
PID 4360 wrote to memory of 2300	4360	IW6Ye1gs.exe	75
PID 4360 wrote to memory of 2300	4360	IW6Ye1gs.exe	75
PID 2300 wrote to memory of 4164	2300	1zR33Ag8.exe	76
PID 2300 wrote to memory of 4164	2300	1zR33Ag8.exe	76
PID 2300 wrote to memory of 4164	2300	1zR33Ag8.exe	76
PID 2300 wrote to memory of 4164	2300	1zR33Ag8.exe	76
PID 2300 wrote to memory of 4164	2300	1zR33Ag8.exe	76
PID 2300 wrote to memory of 4164	2300	1zR33Ag8.exe	76
PID 2300 wrote to memory of 4164	2300	1zR33Ag8.exe	76
PID 2300 wrote to memory of 4164	2300	1zR33Ag8.exe	76
PID 2300 wrote to memory of 4164	2300	1zR33Ag8.exe	76
PID 2300 wrote to memory of 4164	2300	1zR33Ag8.exe	76
PID 4360 wrote to memory of 2276	4360	IW6Ye1gs.exe	77
PID 4360 wrote to memory of 2276	4360	IW6Ye1gs.exe	77
PID 4360 wrote to memory of 2276	4360	IW6Ye1gs.exe	77

C:\Users\Admin\AppData\Local\Temp\d493d5cb2fafa19d36786dc635b066eaaee07ccb1b7e4adb79829c4847083ec7.exe
"C:\Users\Admin\AppData\Local\Temp\d493d5cb2fafa19d36786dc635b066eaaee07ccb1b7e4adb79829c4847083ec7.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3480
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\EW9QS1Id.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\EW9QS1Id.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:2872
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sB8GM5Wy.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sB8GM5Wy.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:3292
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Ay4eq4Gv.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Ay4eq4Gv.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:4544
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\IW6Ye1gs.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\IW6Ye1gs.exe
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of WriteProcessMemory
        
        PID:4360
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1zR33Ag8.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1zR33Ag8.exe
        6⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:2300
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        7⤵
        
        PID:4164
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4164 -s 568
        8⤵
        Program crash
        
        PID:1240
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2Vo528kH.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2Vo528kH.exe
        6⤵
        Executes dropped EXE
        
        PID:2276

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\EW9QS1Id.exe

Filesize
1.5MB

MD5
03914454812c908c2686188e9edc4a22

SHA1
b06f8b0f0a156b9e500a35bd9e4ec2fa0fa2c757

SHA256
1c46a4861044e258005927a03104d8566bafe9691247a3c5456cc05f28f21841

SHA512
2bc81baac176d2bba3ce7f8fd2be041f7a2f784fd8fa63d98671932e6549f54618323b4558ca3e953dcbb1b690facf95abbb2ecd380e37c0842bfd529a67d5a1

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\EW9QS1Id.exe

Filesize
1.5MB

MD5
03914454812c908c2686188e9edc4a22

SHA1
b06f8b0f0a156b9e500a35bd9e4ec2fa0fa2c757

SHA256
1c46a4861044e258005927a03104d8566bafe9691247a3c5456cc05f28f21841

SHA512
2bc81baac176d2bba3ce7f8fd2be041f7a2f784fd8fa63d98671932e6549f54618323b4558ca3e953dcbb1b690facf95abbb2ecd380e37c0842bfd529a67d5a1

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sB8GM5Wy.exe

Filesize
1.4MB

MD5
3fb25d24cab2f5c79f951e7455cf49f3

SHA1
552ef08125159b0fe86ee177c6e97042036535d2

SHA256
422ec7aacc08ddd60c806eb8ee60fc1f159c34822a3ea1a29d100ad3963daa7c

SHA512
8d628281bfae632719f7624a96701745120db85c2b9f73f8d4a4310b27cc13fc7bafe1a74bf8e67e705a5b4c1fc2f37fcd22c4dd003712d9068098088217b828

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sB8GM5Wy.exe

Filesize
1.4MB

MD5
3fb25d24cab2f5c79f951e7455cf49f3

SHA1
552ef08125159b0fe86ee177c6e97042036535d2

SHA256
422ec7aacc08ddd60c806eb8ee60fc1f159c34822a3ea1a29d100ad3963daa7c

SHA512
8d628281bfae632719f7624a96701745120db85c2b9f73f8d4a4310b27cc13fc7bafe1a74bf8e67e705a5b4c1fc2f37fcd22c4dd003712d9068098088217b828

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Ay4eq4Gv.exe

Filesize
871KB

MD5
0a2e0af7c48a92fc235829a7d263168f

SHA1
838b4c5e76840d4c196c04ec5458ad692dc407ca

SHA256
f42b24af070bf2628022f071cf2a89401a46ab9c99496895a88edacedc206ee8

SHA512
191003b7358b66b13db16012b5ebdfc6ad1fe98e3558576dd7d604a4155c83308414e526133d97de3de757e2b3b23cc97dd7ccb926f51d4be1b7edbb18833bb9

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Ay4eq4Gv.exe

Filesize
871KB

MD5
0a2e0af7c48a92fc235829a7d263168f

SHA1
838b4c5e76840d4c196c04ec5458ad692dc407ca

SHA256
f42b24af070bf2628022f071cf2a89401a46ab9c99496895a88edacedc206ee8

SHA512
191003b7358b66b13db16012b5ebdfc6ad1fe98e3558576dd7d604a4155c83308414e526133d97de3de757e2b3b23cc97dd7ccb926f51d4be1b7edbb18833bb9

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\IW6Ye1gs.exe

Filesize
675KB

MD5
b84fbba9542b2c6d5b3f16caf672479c

SHA1
113c68825bd1d0d0e7c71e4b166d32581ec97c3c

SHA256
e321f89bd2e44aca762fe0b76677ca7977a420ca9763c0e2a61d62bf16a8a5ab

SHA512
6b9e2dd1f7b6cbed2bcfc75cc6febd542661365d36428948b84f49fe2914dbe382d305184cb427c55d31fd68db0ba66527b94abb024cea34febbf93903223d85

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\IW6Ye1gs.exe

Filesize
675KB

MD5
b84fbba9542b2c6d5b3f16caf672479c

SHA1
113c68825bd1d0d0e7c71e4b166d32581ec97c3c

SHA256
e321f89bd2e44aca762fe0b76677ca7977a420ca9763c0e2a61d62bf16a8a5ab

SHA512
6b9e2dd1f7b6cbed2bcfc75cc6febd542661365d36428948b84f49fe2914dbe382d305184cb427c55d31fd68db0ba66527b94abb024cea34febbf93903223d85

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1zR33Ag8.exe

Filesize
1.8MB

MD5
aa07a26ee8cf1b8c6b903f4e86ada9de

SHA1
8d8c88dfe86ef0be389d9ee8f396da2e3e66e377

SHA256
e050c8605722d7bc96e2f9f92eb85556a0135bffbe162d1e1b0a9a4b8bec74b6

SHA512
ac82d205f4377dc2e5cd7b32cdd02292ff6270c1e5672094442f2dd6fb4eceaadf68487bb40984f4f993b08efcac14e0508d50e10a7590490efd260362504776

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1zR33Ag8.exe

Filesize
1.8MB

MD5
aa07a26ee8cf1b8c6b903f4e86ada9de

SHA1
8d8c88dfe86ef0be389d9ee8f396da2e3e66e377

SHA256
e050c8605722d7bc96e2f9f92eb85556a0135bffbe162d1e1b0a9a4b8bec74b6

SHA512
ac82d205f4377dc2e5cd7b32cdd02292ff6270c1e5672094442f2dd6fb4eceaadf68487bb40984f4f993b08efcac14e0508d50e10a7590490efd260362504776

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2Vo528kH.exe

Filesize
221KB

MD5
d46305392bdc7421b84ce76cffcc065e

SHA1
23b125db8da6723e573d5336742700400cf6c43c

SHA256
81b83020d63ce388f4fdf75827fb76fce28352d36ba00970b8a2caa7937b77c9

SHA512
762b538816546f0ed58ddf8dc8565f2e1521f44c33939f99107727283c43a554488a407abf6b6bfe72b84a579f57d3792204d5f2755208d885af1b971466d599

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2Vo528kH.exe

Filesize
221KB

MD5
d46305392bdc7421b84ce76cffcc065e

SHA1
23b125db8da6723e573d5336742700400cf6c43c

SHA256
81b83020d63ce388f4fdf75827fb76fce28352d36ba00970b8a2caa7937b77c9

SHA512
762b538816546f0ed58ddf8dc8565f2e1521f44c33939f99107727283c43a554488a407abf6b6bfe72b84a579f57d3792204d5f2755208d885af1b971466d599

Download Submit
memory/2276-47-0x0000000007B00000-0x0000000007FFE000-memory.dmp

Filesize
5.0MB

Download
memory/2276-48-0x00000000076A0000-0x0000000007732000-memory.dmp

Filesize
584KB

Download
memory/2276-55-0x00000000737A0000-0x0000000073E8E000-memory.dmp

Filesize
6.9MB

Download
memory/2276-54-0x0000000008000000-0x000000000804B000-memory.dmp

Filesize
300KB

Download
memory/2276-45-0x0000000000930000-0x000000000096E000-memory.dmp

Filesize
248KB

Download
memory/2276-46-0x00000000737A0000-0x0000000073E8E000-memory.dmp

Filesize
6.9MB

Download
memory/2276-53-0x0000000007960000-0x000000000799E000-memory.dmp

Filesize
248KB

Download
memory/2276-52-0x0000000007900000-0x0000000007912000-memory.dmp

Filesize
72KB

Download
memory/2276-49-0x0000000007750000-0x000000000775A000-memory.dmp

Filesize
40KB

Download
memory/2276-50-0x0000000008610000-0x0000000008C16000-memory.dmp

Filesize
6.0MB

Download
memory/2276-51-0x00000000079D0000-0x0000000007ADA000-memory.dmp

Filesize
1.0MB

Download
memory/4164-41-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/4164-35-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/4164-44-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/4164-38-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads