redline | 1fa7f56e25731d4db03f7597694360bf5042a580da6415f52fb47a1c36914487

Analysis

max time kernel
144s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20231023-en
resource tags

arch:x64arch:x86image:win10v2004-20231023-enlocale:en-usos:windows10-2004-x64system
submitted
24/10/2023, 00:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1fa7f56e25731d4db03f7597694360bf5042a580da6415f52fb47a1c36914487.exe
Size

1.7MB
MD5

9edd4cb606a9b702afc59c7c39b73576
SHA1

17666310def8602d9af24b0f0c043ff3b1a323c3
SHA256

1fa7f56e25731d4db03f7597694360bf5042a580da6415f52fb47a1c36914487
SHA512

027eee9e1b43b517a906654b709a0ed144c85a41ed6ef412dc779397750ab54fc12c962cd9a387d57b41c9edc6fc62a356dafebfa83812a960ed561b92eba0c6
SSDEEP

24576:4y1dVKwS0EWbk30W5Tpz2No9a1XaT1lVxIRskrT//MbiT38vlcOMr4hM1MMITFsF:/1TBe0ETpz2uk9UItElcOI4eS18F

Score

10^/10

redline kinza infostealer persistence

Malware Config

Extracted

Family

redline

Botnet

kinza

77.91.124.86:19084

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 3 IoCs

resource	yara_rule
behavioral1/files/0x0007000000022c99-41.dat	family_redline
behavioral1/files/0x0007000000022c99-42.dat	family_redline
behavioral1/memory/4676-44-0x0000000000010000-0x000000000004E000-memory.dmp	family_redline

Executes dropped EXE 6 IoCs

pid	Process
2464	QG6eD8wV.exe
2344	Cf0Gn3TL.exe
2672	ch6Np8Xg.exe
4076	gb4lZ3yS.exe
1760	1AB96UI2.exe
4676	2YZ687fg.exe

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	1fa7f56e25731d4db03f7597694360bf5042a580da6415f52fb47a1c36914487.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	QG6eD8wV.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	Cf0Gn3TL.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	ch6Np8Xg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\""	gb4lZ3yS.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1760 set thread context of 3708	1760	1AB96UI2.exe	89

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4148	3708	WerFault.exe	89

Suspicious use of WriteProcessMemory 28 IoCs

description	pid	Process	procid_target
PID 2648 wrote to memory of 2464	2648	1fa7f56e25731d4db03f7597694360bf5042a580da6415f52fb47a1c36914487.exe	84
PID 2648 wrote to memory of 2464	2648	1fa7f56e25731d4db03f7597694360bf5042a580da6415f52fb47a1c36914487.exe	84
PID 2648 wrote to memory of 2464	2648	1fa7f56e25731d4db03f7597694360bf5042a580da6415f52fb47a1c36914487.exe	84
PID 2464 wrote to memory of 2344	2464	QG6eD8wV.exe	85
PID 2464 wrote to memory of 2344	2464	QG6eD8wV.exe	85
PID 2464 wrote to memory of 2344	2464	QG6eD8wV.exe	85
PID 2344 wrote to memory of 2672	2344	Cf0Gn3TL.exe	86
PID 2344 wrote to memory of 2672	2344	Cf0Gn3TL.exe	86
PID 2344 wrote to memory of 2672	2344	Cf0Gn3TL.exe	86
PID 2672 wrote to memory of 4076	2672	ch6Np8Xg.exe	87
PID 2672 wrote to memory of 4076	2672	ch6Np8Xg.exe	87
PID 2672 wrote to memory of 4076	2672	ch6Np8Xg.exe	87
PID 4076 wrote to memory of 1760	4076	gb4lZ3yS.exe	88
PID 4076 wrote to memory of 1760	4076	gb4lZ3yS.exe	88
PID 4076 wrote to memory of 1760	4076	gb4lZ3yS.exe	88
PID 1760 wrote to memory of 3708	1760	1AB96UI2.exe	89
PID 1760 wrote to memory of 3708	1760	1AB96UI2.exe	89
PID 1760 wrote to memory of 3708	1760	1AB96UI2.exe	89
PID 1760 wrote to memory of 3708	1760	1AB96UI2.exe	89
PID 1760 wrote to memory of 3708	1760	1AB96UI2.exe	89
PID 1760 wrote to memory of 3708	1760	1AB96UI2.exe	89
PID 1760 wrote to memory of 3708	1760	1AB96UI2.exe	89
PID 1760 wrote to memory of 3708	1760	1AB96UI2.exe	89
PID 1760 wrote to memory of 3708	1760	1AB96UI2.exe	89
PID 1760 wrote to memory of 3708	1760	1AB96UI2.exe	89
PID 4076 wrote to memory of 4676	4076	gb4lZ3yS.exe	90
PID 4076 wrote to memory of 4676	4076	gb4lZ3yS.exe	90
PID 4076 wrote to memory of 4676	4076	gb4lZ3yS.exe	90

C:\Users\Admin\AppData\Local\Temp\1fa7f56e25731d4db03f7597694360bf5042a580da6415f52fb47a1c36914487.exe
"C:\Users\Admin\AppData\Local\Temp\1fa7f56e25731d4db03f7597694360bf5042a580da6415f52fb47a1c36914487.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2648
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\QG6eD8wV.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\QG6eD8wV.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:2464
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Cf0Gn3TL.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Cf0Gn3TL.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:2344
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\ch6Np8Xg.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\ch6Np8Xg.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:2672
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\gb4lZ3yS.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\gb4lZ3yS.exe
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of WriteProcessMemory
        
        PID:4076
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1AB96UI2.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1AB96UI2.exe
        6⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:1760
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        7⤵
        
        PID:3708
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3708 -s 540
        8⤵
        Program crash
        
        PID:4148
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2YZ687fg.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2YZ687fg.exe
        6⤵
        Executes dropped EXE
        
        PID:4676

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 3708 -ip 3708
1⤵
PID:2900

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\QG6eD8wV.exe

Filesize
1.5MB

MD5
d3191a8de110393465ad828a0edf7972

SHA1
6b5e103877a98fb0a73b9ab708b1702d44b8a009

SHA256
cba699031da0a27295ac39cffd9627a2e04bdecf08e655870a07b9d5481d690d

SHA512
0c0607485fb041fcd7931bcb5b766ec76f02ac83b1b351dec614710a25aa0748909c38a5747c2e032d06021ddd0dc2baa34b55ffd2b3b70dd0a9de026844be15

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\QG6eD8wV.exe

Filesize
1.5MB

MD5
d3191a8de110393465ad828a0edf7972

SHA1
6b5e103877a98fb0a73b9ab708b1702d44b8a009

SHA256
cba699031da0a27295ac39cffd9627a2e04bdecf08e655870a07b9d5481d690d

SHA512
0c0607485fb041fcd7931bcb5b766ec76f02ac83b1b351dec614710a25aa0748909c38a5747c2e032d06021ddd0dc2baa34b55ffd2b3b70dd0a9de026844be15

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Cf0Gn3TL.exe

Filesize
1.4MB

MD5
3ac940974972c65928d905a862a344d2

SHA1
67fe7be398372be133aaf1754b729383ddd9a152

SHA256
fe09535412ac285d9bc80c25fb5dd4818da24f6192b1b3b6d0f976c058d645fe

SHA512
a7f41781a2c32e4d816feec777f267ebc6fdc78251172d6a2849c861de5b2d2d72368ce7849165bc794a588f443dd55434bccdcc640f3528fc5f0ad4e8baa685

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Cf0Gn3TL.exe

Filesize
1.4MB

MD5
3ac940974972c65928d905a862a344d2

SHA1
67fe7be398372be133aaf1754b729383ddd9a152

SHA256
fe09535412ac285d9bc80c25fb5dd4818da24f6192b1b3b6d0f976c058d645fe

SHA512
a7f41781a2c32e4d816feec777f267ebc6fdc78251172d6a2849c861de5b2d2d72368ce7849165bc794a588f443dd55434bccdcc640f3528fc5f0ad4e8baa685

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\ch6Np8Xg.exe

Filesize
873KB

MD5
5aad0c36402bb3a24db2675f001c96a2

SHA1
de47dfb6528b0cf26609a3dabd26beb20955fd79

SHA256
f64dced3b4127fd73ab96a22dd4f2f48567553b483ba30eca774a5972966de6b

SHA512
29367d99ee241630c612f5f0667a4a87ed0619b7f2160110daadc4de763e4f3e6d1ecc4874a3c3071e94ba8ce6aaf11bece270607644c0d68409cf354ed5e570

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\ch6Np8Xg.exe

Filesize
873KB

MD5
5aad0c36402bb3a24db2675f001c96a2

SHA1
de47dfb6528b0cf26609a3dabd26beb20955fd79

SHA256
f64dced3b4127fd73ab96a22dd4f2f48567553b483ba30eca774a5972966de6b

SHA512
29367d99ee241630c612f5f0667a4a87ed0619b7f2160110daadc4de763e4f3e6d1ecc4874a3c3071e94ba8ce6aaf11bece270607644c0d68409cf354ed5e570

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\gb4lZ3yS.exe

Filesize
677KB

MD5
3f455e8e2e9ea419c95b2ff513b01233

SHA1
c76e8dfa2222cd26df1ed934ee7b463fa4743179

SHA256
b3155a41db26cf882cf9b163d7888868c606582ca214dc6b626c83fcafb6afa3

SHA512
761f55fa07c0e2e929d118c457a88b34610009c1d01f80eb1a4439f836762c15222b0b670700bd0d10ce74b5f51e59cb6450e8e2e18ac9062a8a38e3f7cad7fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\gb4lZ3yS.exe

Filesize
677KB

MD5
3f455e8e2e9ea419c95b2ff513b01233

SHA1
c76e8dfa2222cd26df1ed934ee7b463fa4743179

SHA256
b3155a41db26cf882cf9b163d7888868c606582ca214dc6b626c83fcafb6afa3

SHA512
761f55fa07c0e2e929d118c457a88b34610009c1d01f80eb1a4439f836762c15222b0b670700bd0d10ce74b5f51e59cb6450e8e2e18ac9062a8a38e3f7cad7fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1AB96UI2.exe

Filesize
1.8MB

MD5
2ead8ed2f065b8c2be167473822f7c91

SHA1
96cf47fe101108ac2d2c70a988cc27e48b91e40c

SHA256
123068b678230ebb2278b44c2c28af7fe87d5f727333476a829dbfc75ab48c2b

SHA512
012d8f70c6b7b732f16014420c22724cb3568f56c16131a6546d291de17d6c1c01ce0f8c908f38b3b0b0cab178ca1d76e25e814cdcc1102f3f2599e5a6a4b2fc

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1AB96UI2.exe

Filesize
1.8MB

MD5
2ead8ed2f065b8c2be167473822f7c91

SHA1
96cf47fe101108ac2d2c70a988cc27e48b91e40c

SHA256
123068b678230ebb2278b44c2c28af7fe87d5f727333476a829dbfc75ab48c2b

SHA512
012d8f70c6b7b732f16014420c22724cb3568f56c16131a6546d291de17d6c1c01ce0f8c908f38b3b0b0cab178ca1d76e25e814cdcc1102f3f2599e5a6a4b2fc

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2YZ687fg.exe

Filesize
221KB

MD5
2c0ea4dc2aff7b12ee1b20af24636bee

SHA1
366a580e61fde5f08acf20b4a288e0c303972241

SHA256
9eae6042e9a38b02530f6c24733622c4e7cf35eacc071f6a4609cba496e6514a

SHA512
80bbd465e596e83ace25d5da0252024b91127cb45554276389180f97786802a838ab89f367b5a6329fb501e3194c056dd56ef3b568118d408c8bfa8c32a956fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2YZ687fg.exe

Filesize
221KB

MD5
2c0ea4dc2aff7b12ee1b20af24636bee

SHA1
366a580e61fde5f08acf20b4a288e0c303972241

SHA256
9eae6042e9a38b02530f6c24733622c4e7cf35eacc071f6a4609cba496e6514a

SHA512
80bbd465e596e83ace25d5da0252024b91127cb45554276389180f97786802a838ab89f367b5a6329fb501e3194c056dd56ef3b568118d408c8bfa8c32a956fd

Download Submit
memory/3708-36-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/3708-37-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/3708-39-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/3708-35-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/4676-46-0x0000000006DF0000-0x0000000006E82000-memory.dmp

Filesize
584KB

Download
memory/4676-44-0x0000000000010000-0x000000000004E000-memory.dmp

Filesize
248KB

Download
memory/4676-45-0x0000000007300000-0x00000000078A4000-memory.dmp

Filesize
5.6MB

Download
memory/4676-43-0x0000000073E30000-0x00000000745E0000-memory.dmp

Filesize
7.7MB

Download
memory/4676-47-0x00000000049B0000-0x00000000049C0000-memory.dmp

Filesize
64KB

Download
memory/4676-48-0x0000000006EA0000-0x0000000006EAA000-memory.dmp

Filesize
40KB

Download
memory/4676-49-0x0000000007ED0000-0x00000000084E8000-memory.dmp

Filesize
6.1MB

Download
memory/4676-50-0x0000000007160000-0x000000000726A000-memory.dmp

Filesize
1.0MB

Download
memory/4676-51-0x0000000007070000-0x0000000007082000-memory.dmp

Filesize
72KB

Download
memory/4676-52-0x00000000070D0000-0x000000000710C000-memory.dmp

Filesize
240KB

Download
memory/4676-53-0x0000000007110000-0x000000000715C000-memory.dmp

Filesize
304KB

Download
memory/4676-54-0x0000000073E30000-0x00000000745E0000-memory.dmp

Filesize
7.7MB

Download
memory/4676-55-0x00000000049B0000-0x00000000049C0000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads