redline | cef2505e5c844d4bad39d894e5b4e1d5ea54f31bb1425f522eb4b67889005490

Analysis

max time kernel
139s
max time network
155s
platform
windows10-1703_x64
resource
win10-20231020-en
resource tags

arch:x64arch:x86image:win10-20231020-enlocale:en-usos:windows10-1703-x64system
submitted
24/10/2023, 01:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

cef2505e5c844d4bad39d894e5b4e1d5ea54f31bb1425f522eb4b67889005490.exe
Size

1.7MB
MD5

c1a168e8d7773da790a4f6551a4fb7d0
SHA1

95bdfece92beab46e20d4e12141f02589708f264
SHA256

cef2505e5c844d4bad39d894e5b4e1d5ea54f31bb1425f522eb4b67889005490
SHA512

b787e861dbcf196dd19512cdded0eaf1058f9856ff4b17c997ab9ccb7c997bae4680aebbca86978119cd144d1d8cde1274859122f56ce351e5bf312c0a83eb2c
SSDEEP

49152:WQm3hsddHp8GXfQr5EgG2VUN4EfNrjCMJs:tm3he8GXfU5EgGzDVjCOs

Score

10^/10

redline kinza infostealer persistence

Malware Config

Extracted

Family

redline

Botnet

kinza

77.91.124.86:19084

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 3 IoCs

resource	yara_rule
behavioral1/files/0x000600000001abf5-42.dat	family_redline
behavioral1/files/0x000600000001abf5-40.dat	family_redline
behavioral1/memory/3708-45-0x0000000000320000-0x000000000035E000-memory.dmp	family_redline

Executes dropped EXE 6 IoCs

pid	Process
2856	DH7tC4qi.exe
1452	Ie6ai7uk.exe
372	HC5IY2ae.exe
4380	op1ux0tf.exe
348	1DO28Nu1.exe
3708	2aF308BW.exe

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	cef2505e5c844d4bad39d894e5b4e1d5ea54f31bb1425f522eb4b67889005490.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	DH7tC4qi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	Ie6ai7uk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	HC5IY2ae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\""	op1ux0tf.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 348 set thread context of 4980	348	1DO28Nu1.exe	76

Program crash 1 IoCs

pid	pid_target	Process	procid_target
3904	4980	WerFault.exe	76

Suspicious use of WriteProcessMemory 28 IoCs

description	pid	Process	procid_target
PID 4156 wrote to memory of 2856	4156	cef2505e5c844d4bad39d894e5b4e1d5ea54f31bb1425f522eb4b67889005490.exe	71
PID 4156 wrote to memory of 2856	4156	cef2505e5c844d4bad39d894e5b4e1d5ea54f31bb1425f522eb4b67889005490.exe	71
PID 4156 wrote to memory of 2856	4156	cef2505e5c844d4bad39d894e5b4e1d5ea54f31bb1425f522eb4b67889005490.exe	71
PID 2856 wrote to memory of 1452	2856	DH7tC4qi.exe	72
PID 2856 wrote to memory of 1452	2856	DH7tC4qi.exe	72
PID 2856 wrote to memory of 1452	2856	DH7tC4qi.exe	72
PID 1452 wrote to memory of 372	1452	Ie6ai7uk.exe	73
PID 1452 wrote to memory of 372	1452	Ie6ai7uk.exe	73
PID 1452 wrote to memory of 372	1452	Ie6ai7uk.exe	73
PID 372 wrote to memory of 4380	372	HC5IY2ae.exe	74
PID 372 wrote to memory of 4380	372	HC5IY2ae.exe	74
PID 372 wrote to memory of 4380	372	HC5IY2ae.exe	74
PID 4380 wrote to memory of 348	4380	op1ux0tf.exe	75
PID 4380 wrote to memory of 348	4380	op1ux0tf.exe	75
PID 4380 wrote to memory of 348	4380	op1ux0tf.exe	75
PID 348 wrote to memory of 4980	348	1DO28Nu1.exe	76
PID 348 wrote to memory of 4980	348	1DO28Nu1.exe	76
PID 348 wrote to memory of 4980	348	1DO28Nu1.exe	76
PID 348 wrote to memory of 4980	348	1DO28Nu1.exe	76
PID 348 wrote to memory of 4980	348	1DO28Nu1.exe	76
PID 348 wrote to memory of 4980	348	1DO28Nu1.exe	76
PID 348 wrote to memory of 4980	348	1DO28Nu1.exe	76
PID 348 wrote to memory of 4980	348	1DO28Nu1.exe	76
PID 348 wrote to memory of 4980	348	1DO28Nu1.exe	76
PID 348 wrote to memory of 4980	348	1DO28Nu1.exe	76
PID 4380 wrote to memory of 3708	4380	op1ux0tf.exe	77
PID 4380 wrote to memory of 3708	4380	op1ux0tf.exe	77
PID 4380 wrote to memory of 3708	4380	op1ux0tf.exe	77

C:\Users\Admin\AppData\Local\Temp\cef2505e5c844d4bad39d894e5b4e1d5ea54f31bb1425f522eb4b67889005490.exe
"C:\Users\Admin\AppData\Local\Temp\cef2505e5c844d4bad39d894e5b4e1d5ea54f31bb1425f522eb4b67889005490.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4156
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\DH7tC4qi.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\DH7tC4qi.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:2856
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Ie6ai7uk.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Ie6ai7uk.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:1452
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\HC5IY2ae.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\HC5IY2ae.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:372
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\op1ux0tf.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\op1ux0tf.exe
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of WriteProcessMemory
        
        PID:4380
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1DO28Nu1.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1DO28Nu1.exe
        6⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:348
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        7⤵
        
        PID:4980
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4980 -s 568
        8⤵
        Program crash
        
        PID:3904
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2aF308BW.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2aF308BW.exe
        6⤵
        Executes dropped EXE
        
        PID:3708

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\DH7tC4qi.exe

Filesize
1.5MB

MD5
5d69befb0444dd295fd359efd6ecc9a1

SHA1
199d71a5e4004493ff4e60f2bd027418c6ffe100

SHA256
343652d15cbc1749f0454db1ed98cf1c57f7767a68b2eddd922a0e35561735d2

SHA512
3a3418337df44126396bd3c79c02a9cbb82db8c4859b4be781e56bd5b121d4400032444002da4ae69ee17578b5a6e37cd1dea6ea64d95701901d4159f94652c0

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\DH7tC4qi.exe

Filesize
1.5MB

MD5
5d69befb0444dd295fd359efd6ecc9a1

SHA1
199d71a5e4004493ff4e60f2bd027418c6ffe100

SHA256
343652d15cbc1749f0454db1ed98cf1c57f7767a68b2eddd922a0e35561735d2

SHA512
3a3418337df44126396bd3c79c02a9cbb82db8c4859b4be781e56bd5b121d4400032444002da4ae69ee17578b5a6e37cd1dea6ea64d95701901d4159f94652c0

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Ie6ai7uk.exe

Filesize
1.4MB

MD5
6e385ff86612cf12869408468d1b91c5

SHA1
558efec194ce61d21c3bef14deb841efcc346b8b

SHA256
25ce802a822fa72b563660d8c640f2e2d1b34cf7b4cf6bf9390f44062f4283b2

SHA512
df907d0806d3d74e17d847cdc449f1eae59594ed3cf233bcc308102e07fa19fa63ce877309e7c0b2cc9ae3615ee9d7f901590599ef7d4768684cbe657354df9d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Ie6ai7uk.exe

Filesize
1.4MB

MD5
6e385ff86612cf12869408468d1b91c5

SHA1
558efec194ce61d21c3bef14deb841efcc346b8b

SHA256
25ce802a822fa72b563660d8c640f2e2d1b34cf7b4cf6bf9390f44062f4283b2

SHA512
df907d0806d3d74e17d847cdc449f1eae59594ed3cf233bcc308102e07fa19fa63ce877309e7c0b2cc9ae3615ee9d7f901590599ef7d4768684cbe657354df9d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\HC5IY2ae.exe

Filesize
873KB

MD5
bfdf8a09be9ce3f1126cec2e664d1149

SHA1
52f617732121b9007fc99ebe782c9c7900d6bed0

SHA256
efe6b79cb6b809c475d637c8fffddfaa4a461821ca1d12cc958748608d21e3c4

SHA512
3203c7edb427ab137e93a77b1c86810371b422433b25b4b162c2ad5f05aee96eaef7eeb82e8a5f45c7e9a0ede24d3483ba0082474af82fad9d2b6338ba587b6c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\HC5IY2ae.exe

Filesize
873KB

MD5
bfdf8a09be9ce3f1126cec2e664d1149

SHA1
52f617732121b9007fc99ebe782c9c7900d6bed0

SHA256
efe6b79cb6b809c475d637c8fffddfaa4a461821ca1d12cc958748608d21e3c4

SHA512
3203c7edb427ab137e93a77b1c86810371b422433b25b4b162c2ad5f05aee96eaef7eeb82e8a5f45c7e9a0ede24d3483ba0082474af82fad9d2b6338ba587b6c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\op1ux0tf.exe

Filesize
678KB

MD5
17c9093a9e5a9af119e559d5f45ec5fd

SHA1
9d858bdf6b36ef2602def7313a74143fa777127e

SHA256
90733104eb13dc375ee1122500ae208ccd58c0eaef163912ad62aefda1aad8eb

SHA512
86eaa00efdaa0018697bcb57b549b4947310e8fe4025ff2a6a09588008f20e6ec3023fd4d30023c2e2f44690ea8acf6049d8c260ea08b287ce3ab7519b4e27c2

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\op1ux0tf.exe

Filesize
678KB

MD5
17c9093a9e5a9af119e559d5f45ec5fd

SHA1
9d858bdf6b36ef2602def7313a74143fa777127e

SHA256
90733104eb13dc375ee1122500ae208ccd58c0eaef163912ad62aefda1aad8eb

SHA512
86eaa00efdaa0018697bcb57b549b4947310e8fe4025ff2a6a09588008f20e6ec3023fd4d30023c2e2f44690ea8acf6049d8c260ea08b287ce3ab7519b4e27c2

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1DO28Nu1.exe

Filesize
1.8MB

MD5
d855c906fd7f72726405487e4e8187b9

SHA1
ae9c5e60351cd513ecb8d6366842370245baa22c

SHA256
d42230a2a77373486c3f4335b34aa0f921510e00b48313e21e7cc8a932582923

SHA512
54a9bfb21946846608a49052f5843cb0f1c950bca13828db4ad4d0fba994388c55315e0b6657cd515792deb135a877003be071f85ad17b9bace79562167b86a3

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1DO28Nu1.exe

Filesize
1.8MB

MD5
d855c906fd7f72726405487e4e8187b9

SHA1
ae9c5e60351cd513ecb8d6366842370245baa22c

SHA256
d42230a2a77373486c3f4335b34aa0f921510e00b48313e21e7cc8a932582923

SHA512
54a9bfb21946846608a49052f5843cb0f1c950bca13828db4ad4d0fba994388c55315e0b6657cd515792deb135a877003be071f85ad17b9bace79562167b86a3

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2aF308BW.exe

Filesize
221KB

MD5
dc779d5da5c807ae4429ac64a4ee9074

SHA1
8e9e5bf0d4aeba3540e89c82fa0e5ee726d4eafd

SHA256
bf23980039b0e0f55468484b71b5daa1ad360485b21467a548bafbee0a862b12

SHA512
eaab80e5c445fee233d65d80b07c29086e6e109af1dd5317cb107956e35c67a11827a421ad33e8883ecc8a65e2b9fe6fc0b019f06024cafdcb592f1a7836102c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2aF308BW.exe

Filesize
221KB

MD5
dc779d5da5c807ae4429ac64a4ee9074

SHA1
8e9e5bf0d4aeba3540e89c82fa0e5ee726d4eafd

SHA256
bf23980039b0e0f55468484b71b5daa1ad360485b21467a548bafbee0a862b12

SHA512
eaab80e5c445fee233d65d80b07c29086e6e109af1dd5317cb107956e35c67a11827a421ad33e8883ecc8a65e2b9fe6fc0b019f06024cafdcb592f1a7836102c

Download Submit
memory/3708-50-0x0000000008040000-0x0000000008646000-memory.dmp

Filesize
6.0MB

Download
memory/3708-51-0x0000000007B40000-0x0000000007C4A000-memory.dmp

Filesize
1.0MB

Download
memory/3708-55-0x0000000073460000-0x0000000073B4E000-memory.dmp

Filesize
6.9MB

Download
memory/3708-54-0x00000000074E0000-0x000000000752B000-memory.dmp

Filesize
300KB

Download
memory/3708-45-0x0000000000320000-0x000000000035E000-memory.dmp

Filesize
248KB

Download
memory/3708-46-0x0000000073460000-0x0000000073B4E000-memory.dmp

Filesize
6.9MB

Download
memory/3708-53-0x0000000007480000-0x00000000074BE000-memory.dmp

Filesize
248KB

Download
memory/3708-49-0x0000000007090000-0x000000000709A000-memory.dmp

Filesize
40KB

Download
memory/3708-47-0x0000000007530000-0x0000000007A2E000-memory.dmp

Filesize
5.0MB

Download
memory/3708-52-0x0000000007420000-0x0000000007432000-memory.dmp

Filesize
72KB

Download
memory/3708-48-0x00000000070D0000-0x0000000007162000-memory.dmp

Filesize
584KB

Download
memory/4980-38-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/4980-44-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/4980-35-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/4980-41-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads