redline | 52bd35e92b25fa394ef3811f27f4d1bc260d51b515d9fea78fed85efc885fb7e

Analysis

max time kernel
139s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20231023-en
resource tags

arch:x64arch:x86image:win10v2004-20231023-enlocale:en-usos:windows10-2004-x64system
submitted
24-10-2023 07:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0a2c8bc6c80293890c5f759276ff6a11.exe
Size

1.7MB
MD5

0a2c8bc6c80293890c5f759276ff6a11
SHA1

d488442bce8e1c2ac2247e98c14ca2db4385800f
SHA256

52bd35e92b25fa394ef3811f27f4d1bc260d51b515d9fea78fed85efc885fb7e
SHA512

b21322d0ed09db70dc83697cc1cb9198ca8b39aeead50826677b73a11fe287cd00c05ca946b7d4fb9758c4de41300a451cfa23c711789a021de3b5cb95377143
SSDEEP

49152:rt4e/b1mFUqWFs90qo1G2yXziO9buIlLk:aeTAFp+1WXzb5k

Score

10^/10

redline kinza infostealer persistence

Malware Config

Extracted

Family

redline

Botnet

kinza

77.91.124.86:19084

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 3 IoCs

resource	yara_rule
behavioral2/files/0x0006000000022d97-37.dat	family_redline
behavioral2/files/0x0006000000022d97-40.dat	family_redline
behavioral2/memory/3696-43-0x0000000000650000-0x000000000068E000-memory.dmp	family_redline

Executes dropped EXE 6 IoCs

pid	Process
2244	WN8hE6Sw.exe
1100	mN0VX7sr.exe
880	EA9Cy3Rt.exe
2796	Dw7mK7LP.exe
1348	1MP94vJ0.exe
3696	2Qi221mQ.exe

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	EA9Cy3Rt.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\""	Dw7mK7LP.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	0a2c8bc6c80293890c5f759276ff6a11.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	WN8hE6Sw.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	mN0VX7sr.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1348 set thread context of 1268	1348	1MP94vJ0.exe	85

Program crash 1 IoCs

pid	pid_target	Process	procid_target
3728	1268	WerFault.exe	85

Suspicious use of WriteProcessMemory 28 IoCs

description	pid	Process	procid_target
PID 3392 wrote to memory of 2244	3392	0a2c8bc6c80293890c5f759276ff6a11.exe	80
PID 3392 wrote to memory of 2244	3392	0a2c8bc6c80293890c5f759276ff6a11.exe	80
PID 3392 wrote to memory of 2244	3392	0a2c8bc6c80293890c5f759276ff6a11.exe	80
PID 2244 wrote to memory of 1100	2244	WN8hE6Sw.exe	81
PID 2244 wrote to memory of 1100	2244	WN8hE6Sw.exe	81
PID 2244 wrote to memory of 1100	2244	WN8hE6Sw.exe	81
PID 1100 wrote to memory of 880	1100	mN0VX7sr.exe	82
PID 1100 wrote to memory of 880	1100	mN0VX7sr.exe	82
PID 1100 wrote to memory of 880	1100	mN0VX7sr.exe	82
PID 880 wrote to memory of 2796	880	EA9Cy3Rt.exe	83
PID 880 wrote to memory of 2796	880	EA9Cy3Rt.exe	83
PID 880 wrote to memory of 2796	880	EA9Cy3Rt.exe	83
PID 2796 wrote to memory of 1348	2796	Dw7mK7LP.exe	84
PID 2796 wrote to memory of 1348	2796	Dw7mK7LP.exe	84
PID 2796 wrote to memory of 1348	2796	Dw7mK7LP.exe	84
PID 1348 wrote to memory of 1268	1348	1MP94vJ0.exe	85
PID 1348 wrote to memory of 1268	1348	1MP94vJ0.exe	85
PID 1348 wrote to memory of 1268	1348	1MP94vJ0.exe	85
PID 1348 wrote to memory of 1268	1348	1MP94vJ0.exe	85
PID 1348 wrote to memory of 1268	1348	1MP94vJ0.exe	85
PID 1348 wrote to memory of 1268	1348	1MP94vJ0.exe	85
PID 1348 wrote to memory of 1268	1348	1MP94vJ0.exe	85
PID 1348 wrote to memory of 1268	1348	1MP94vJ0.exe	85
PID 1348 wrote to memory of 1268	1348	1MP94vJ0.exe	85
PID 1348 wrote to memory of 1268	1348	1MP94vJ0.exe	85
PID 2796 wrote to memory of 3696	2796	Dw7mK7LP.exe	86
PID 2796 wrote to memory of 3696	2796	Dw7mK7LP.exe	86
PID 2796 wrote to memory of 3696	2796	Dw7mK7LP.exe	86

C:\Users\Admin\AppData\Local\Temp\0a2c8bc6c80293890c5f759276ff6a11.exe
"C:\Users\Admin\AppData\Local\Temp\0a2c8bc6c80293890c5f759276ff6a11.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3392
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\WN8hE6Sw.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\WN8hE6Sw.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:2244
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\mN0VX7sr.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\mN0VX7sr.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:1100
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\EA9Cy3Rt.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\EA9Cy3Rt.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:880
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\Dw7mK7LP.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\Dw7mK7LP.exe
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of WriteProcessMemory
        
        PID:2796
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1MP94vJ0.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1MP94vJ0.exe
        6⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:1348
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        7⤵
        
        PID:1268
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1268 -s 204
        8⤵
        Program crash
        
        PID:3728
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2Qi221mQ.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2Qi221mQ.exe
        6⤵
        Executes dropped EXE
        
        PID:3696

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1268 -ip 1268
1⤵
PID:4428

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\WN8hE6Sw.exe

Filesize
1.5MB

MD5
9c116e409e7a246990846e9aa0c36d6e

SHA1
bdda2918baa83129c3fefef1f4af6626cc24acb6

SHA256
232cd58d2ff091a237e5b4bb84a149aad77afa71ed68c72de9875e9c64a801d7

SHA512
be6e3b2cec48a23ce8849c06a396c2ae677edaa6ecfd3fc85d3e72ab3d00cec3776f263281764bc318df2e390cedb29fe15bc3d1568403eda241aac9f7864a22

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\WN8hE6Sw.exe

Filesize
1.5MB

MD5
9c116e409e7a246990846e9aa0c36d6e

SHA1
bdda2918baa83129c3fefef1f4af6626cc24acb6

SHA256
232cd58d2ff091a237e5b4bb84a149aad77afa71ed68c72de9875e9c64a801d7

SHA512
be6e3b2cec48a23ce8849c06a396c2ae677edaa6ecfd3fc85d3e72ab3d00cec3776f263281764bc318df2e390cedb29fe15bc3d1568403eda241aac9f7864a22

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\mN0VX7sr.exe

Filesize
1.4MB

MD5
ae0906d5611ef0facdf22812a3ad80f8

SHA1
41b5f82cf7eed0db889916a386201e7a1079a876

SHA256
a75741442d308c552abb9143ecd683fa8b0d8c707a811fde2beeef217e38ae7d

SHA512
9163592782867b883db5826ad7bfa1d53e7f56c32e080f3680470e62b1a522e1945a3e06b3f995a49b6b49959b3ea09b520de590db8ce852fe1bcebbe1ce2202

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\mN0VX7sr.exe

Filesize
1.4MB

MD5
ae0906d5611ef0facdf22812a3ad80f8

SHA1
41b5f82cf7eed0db889916a386201e7a1079a876

SHA256
a75741442d308c552abb9143ecd683fa8b0d8c707a811fde2beeef217e38ae7d

SHA512
9163592782867b883db5826ad7bfa1d53e7f56c32e080f3680470e62b1a522e1945a3e06b3f995a49b6b49959b3ea09b520de590db8ce852fe1bcebbe1ce2202

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\EA9Cy3Rt.exe

Filesize
871KB

MD5
bbab50c2243efb788ff759154983f52e

SHA1
be71fe59597516e857d426085c1a540d79f0c2bf

SHA256
6dcba2f79884ed867904c6fbc789e84ec48e039ab70e9fcedf84051154dcedf9

SHA512
aadb847ec959ea5ec8ea01eb6d39e499e3e975ddc6419bc3611b68afe1f31a6349a3f247582d298e8e98785991a7c338ee79f1f59fe60b9bce0a0814efa2c0be

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\EA9Cy3Rt.exe

Filesize
871KB

MD5
bbab50c2243efb788ff759154983f52e

SHA1
be71fe59597516e857d426085c1a540d79f0c2bf

SHA256
6dcba2f79884ed867904c6fbc789e84ec48e039ab70e9fcedf84051154dcedf9

SHA512
aadb847ec959ea5ec8ea01eb6d39e499e3e975ddc6419bc3611b68afe1f31a6349a3f247582d298e8e98785991a7c338ee79f1f59fe60b9bce0a0814efa2c0be

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\Dw7mK7LP.exe

Filesize
675KB

MD5
835e4bc3352406e5993f009ab920c4bc

SHA1
cffc4da68691f51b1e8b477da565822b924b665d

SHA256
2bd907a8ea391e6aaf4b8593a2efb8046a2887239b79099e22d62f66105a93db

SHA512
2140b3feb27dda7df1b35c4d11ed7332215566e87fa7ebfdd3e560c761ffc571b7a2dba170ccf78d5962c2b5c47ce27a323c6ca58e349f0a20f839f0813feb51

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\Dw7mK7LP.exe

Filesize
675KB

MD5
835e4bc3352406e5993f009ab920c4bc

SHA1
cffc4da68691f51b1e8b477da565822b924b665d

SHA256
2bd907a8ea391e6aaf4b8593a2efb8046a2887239b79099e22d62f66105a93db

SHA512
2140b3feb27dda7df1b35c4d11ed7332215566e87fa7ebfdd3e560c761ffc571b7a2dba170ccf78d5962c2b5c47ce27a323c6ca58e349f0a20f839f0813feb51

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1MP94vJ0.exe

Filesize
1.8MB

MD5
55d3507f18e2f4b729e2d39b42ed30f7

SHA1
1e0e1f566dc8332c78ab12e7bd3228530e3f9a7d

SHA256
7a64de4e9ba61ab53f06e9ca11804a1855928bf2062ce7002f7942075fc9feae

SHA512
a546e95c790e6f0c7945b6f063107ce796bffd7bb1e3151820e9e1d50aeb5818ac56af8696dbae0c4042c96795f5ac178a6bf97517b10a94e6f945606c885afa

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1MP94vJ0.exe

Filesize
1.8MB

MD5
55d3507f18e2f4b729e2d39b42ed30f7

SHA1
1e0e1f566dc8332c78ab12e7bd3228530e3f9a7d

SHA256
7a64de4e9ba61ab53f06e9ca11804a1855928bf2062ce7002f7942075fc9feae

SHA512
a546e95c790e6f0c7945b6f063107ce796bffd7bb1e3151820e9e1d50aeb5818ac56af8696dbae0c4042c96795f5ac178a6bf97517b10a94e6f945606c885afa

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2Qi221mQ.exe

Filesize
221KB

MD5
0407bd8c7a22b786c704b4c995f21490

SHA1
5ed4e5f9cb17931ec8d3141a49d5348753f92829

SHA256
4a8608385375f2e5ddf06cdf63e3fde936ad94ee7d0d4e01ba5361c9e68daf4f

SHA512
b749a1682482e08c900b7f750604df54cee425553b742a1d86bcd4040de22e56514953c80547820fc00c171e775249aeb0b3f94a6497cda4ecfc1da4a7ac8891

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2Qi221mQ.exe

Filesize
221KB

MD5
0407bd8c7a22b786c704b4c995f21490

SHA1
5ed4e5f9cb17931ec8d3141a49d5348753f92829

SHA256
4a8608385375f2e5ddf06cdf63e3fde936ad94ee7d0d4e01ba5361c9e68daf4f

SHA512
b749a1682482e08c900b7f750604df54cee425553b742a1d86bcd4040de22e56514953c80547820fc00c171e775249aeb0b3f94a6497cda4ecfc1da4a7ac8891

Download Submit
memory/1268-38-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/1268-39-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/1268-35-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/1268-42-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/3696-47-0x0000000007540000-0x0000000007550000-memory.dmp

Filesize
64KB

Download
memory/3696-44-0x0000000074AA0000-0x0000000075250000-memory.dmp

Filesize
7.7MB

Download
memory/3696-45-0x0000000007AA0000-0x0000000008044000-memory.dmp

Filesize
5.6MB

Download
memory/3696-46-0x0000000007590000-0x0000000007622000-memory.dmp

Filesize
584KB

Download
memory/3696-43-0x0000000000650000-0x000000000068E000-memory.dmp

Filesize
248KB

Download
memory/3696-48-0x0000000007580000-0x000000000758A000-memory.dmp

Filesize
40KB

Download
memory/3696-49-0x0000000008670000-0x0000000008C88000-memory.dmp

Filesize
6.1MB

Download
memory/3696-50-0x00000000078D0000-0x00000000079DA000-memory.dmp

Filesize
1.0MB

Download
memory/3696-51-0x00000000077F0000-0x0000000007802000-memory.dmp

Filesize
72KB

Download
memory/3696-52-0x0000000007850000-0x000000000788C000-memory.dmp

Filesize
240KB

Download
memory/3696-53-0x00000000079E0000-0x0000000007A2C000-memory.dmp

Filesize
304KB

Download
memory/3696-54-0x0000000074AA0000-0x0000000075250000-memory.dmp

Filesize
7.7MB

Download
memory/3696-55-0x0000000007540000-0x0000000007550000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads