redline | 86e702a3bf11baf010d534dcf0b72e7580961f4319c0065638a37016d6f2d200

Analysis

max time kernel
137s
max time network
154s
platform
windows10-1703_x64
resource
win10-20231020-en
resource tags

arch:x64arch:x86image:win10-20231020-enlocale:en-usos:windows10-1703-x64system
submitted
24-10-2023 08:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

86e702a3bf11baf010d534dcf0b72e7580961f4319c0065638a37016d6f2d200.exe
Size

1.7MB
MD5

c4c2833e658da2e7a1fdf8b49900fd83
SHA1

515d96a946a367b0f2c0d9e5ffa135598050b037
SHA256

86e702a3bf11baf010d534dcf0b72e7580961f4319c0065638a37016d6f2d200
SHA512

37ea8078e74c9c9fcfe81eec51f5b4388005e5c87d42286ef74a55620a5c44bb16e994cf6113491ebcbb0778e524c1daea23458dde1258cfac5c0cbdbc731608
SSDEEP

49152:R08tb0VXXFbuYs8W8D2m+ph8P5ypmp6wY:NboXFbtoO2mcioAm

Score

10^/10

redline kinza infostealer persistence

Malware Config

Extracted

Family

redline

Botnet

kinza

77.91.124.86:19084

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 3 IoCs

resource	yara_rule
behavioral1/files/0x000600000001abab-43.dat	family_redline
behavioral1/files/0x000600000001abab-44.dat	family_redline
behavioral1/memory/3900-46-0x0000000000EE0000-0x0000000000F1E000-memory.dmp	family_redline

Executes dropped EXE 6 IoCs

pid	Process
2872	Pc0fo8jY.exe
2144	Pg6IS4Lh.exe
4544	BR7HH0ex.exe
4360	VX1TM3wp.exe
2300	1TM96Rc3.exe
3900	2kK500If.exe

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	86e702a3bf11baf010d534dcf0b72e7580961f4319c0065638a37016d6f2d200.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	Pc0fo8jY.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	Pg6IS4Lh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	BR7HH0ex.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\""	VX1TM3wp.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2300 set thread context of 4164	2300	1TM96Rc3.exe	76

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4156	4164	WerFault.exe	76

Suspicious use of WriteProcessMemory 28 IoCs

description	pid	Process	procid_target
PID 3480 wrote to memory of 2872	3480	86e702a3bf11baf010d534dcf0b72e7580961f4319c0065638a37016d6f2d200.exe	71
PID 3480 wrote to memory of 2872	3480	86e702a3bf11baf010d534dcf0b72e7580961f4319c0065638a37016d6f2d200.exe	71
PID 3480 wrote to memory of 2872	3480	86e702a3bf11baf010d534dcf0b72e7580961f4319c0065638a37016d6f2d200.exe	71
PID 2872 wrote to memory of 2144	2872	Pc0fo8jY.exe	72
PID 2872 wrote to memory of 2144	2872	Pc0fo8jY.exe	72
PID 2872 wrote to memory of 2144	2872	Pc0fo8jY.exe	72
PID 2144 wrote to memory of 4544	2144	Pg6IS4Lh.exe	73
PID 2144 wrote to memory of 4544	2144	Pg6IS4Lh.exe	73
PID 2144 wrote to memory of 4544	2144	Pg6IS4Lh.exe	73
PID 4544 wrote to memory of 4360	4544	BR7HH0ex.exe	74
PID 4544 wrote to memory of 4360	4544	BR7HH0ex.exe	74
PID 4544 wrote to memory of 4360	4544	BR7HH0ex.exe	74
PID 4360 wrote to memory of 2300	4360	VX1TM3wp.exe	75
PID 4360 wrote to memory of 2300	4360	VX1TM3wp.exe	75
PID 4360 wrote to memory of 2300	4360	VX1TM3wp.exe	75
PID 2300 wrote to memory of 4164	2300	1TM96Rc3.exe	76
PID 2300 wrote to memory of 4164	2300	1TM96Rc3.exe	76
PID 2300 wrote to memory of 4164	2300	1TM96Rc3.exe	76
PID 2300 wrote to memory of 4164	2300	1TM96Rc3.exe	76
PID 2300 wrote to memory of 4164	2300	1TM96Rc3.exe	76
PID 2300 wrote to memory of 4164	2300	1TM96Rc3.exe	76
PID 2300 wrote to memory of 4164	2300	1TM96Rc3.exe	76
PID 2300 wrote to memory of 4164	2300	1TM96Rc3.exe	76
PID 2300 wrote to memory of 4164	2300	1TM96Rc3.exe	76
PID 2300 wrote to memory of 4164	2300	1TM96Rc3.exe	76
PID 4360 wrote to memory of 3900	4360	VX1TM3wp.exe	77
PID 4360 wrote to memory of 3900	4360	VX1TM3wp.exe	77
PID 4360 wrote to memory of 3900	4360	VX1TM3wp.exe	77

C:\Users\Admin\AppData\Local\Temp\86e702a3bf11baf010d534dcf0b72e7580961f4319c0065638a37016d6f2d200.exe
"C:\Users\Admin\AppData\Local\Temp\86e702a3bf11baf010d534dcf0b72e7580961f4319c0065638a37016d6f2d200.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3480
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Pc0fo8jY.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Pc0fo8jY.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:2872
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Pg6IS4Lh.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Pg6IS4Lh.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:2144
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\BR7HH0ex.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\BR7HH0ex.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:4544
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\VX1TM3wp.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\VX1TM3wp.exe
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of WriteProcessMemory
        
        PID:4360
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1TM96Rc3.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1TM96Rc3.exe
        6⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:2300
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        7⤵
        
        PID:4164
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4164 -s 196
        8⤵
        Program crash
        
        PID:4156
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2kK500If.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2kK500If.exe
        6⤵
        Executes dropped EXE
        
        PID:3900

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Pc0fo8jY.exe

Filesize
1.5MB

MD5
b007640b9ae4953190a45c850a272c59

SHA1
08c008e8c5846bf2f8f23b65794d65db90d5d691

SHA256
8ad70e3ad676de781cf02301048893eb86a577e529279b84df1e7c1112c92324

SHA512
1dcfa3fb341eb81a00447f37e3549f3a1f39588878e207eef0aafac736de793cde9922c15a159f5b1da12bc484db7fbb34b4fa1cac841b4b1f624385d8c18289

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Pc0fo8jY.exe

Filesize
1.5MB

MD5
b007640b9ae4953190a45c850a272c59

SHA1
08c008e8c5846bf2f8f23b65794d65db90d5d691

SHA256
8ad70e3ad676de781cf02301048893eb86a577e529279b84df1e7c1112c92324

SHA512
1dcfa3fb341eb81a00447f37e3549f3a1f39588878e207eef0aafac736de793cde9922c15a159f5b1da12bc484db7fbb34b4fa1cac841b4b1f624385d8c18289

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Pg6IS4Lh.exe

Filesize
1.4MB

MD5
8ad0c3f7d68b77f7da2649c755e8deae

SHA1
8bf790a6877af17a85b6e6b274872d3cd96c5916

SHA256
8cae6e8bd33dcaccaca2be6dfd78902e86300cea647010cc0b2e6e7dcec9353c

SHA512
ce925dcf2b27ef8a04543e9e11791365f6695c19d80c85a378605f2a72b79b91ba097bcb9e82cc4ae6e02a6ebbbb456cdecf491b67c8224473846c551220f41e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Pg6IS4Lh.exe

Filesize
1.4MB

MD5
8ad0c3f7d68b77f7da2649c755e8deae

SHA1
8bf790a6877af17a85b6e6b274872d3cd96c5916

SHA256
8cae6e8bd33dcaccaca2be6dfd78902e86300cea647010cc0b2e6e7dcec9353c

SHA512
ce925dcf2b27ef8a04543e9e11791365f6695c19d80c85a378605f2a72b79b91ba097bcb9e82cc4ae6e02a6ebbbb456cdecf491b67c8224473846c551220f41e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\BR7HH0ex.exe

Filesize
871KB

MD5
12f48242e246967594a645bdcdfaefb4

SHA1
66a3b2254d162c50cb529a2163ea15e7f5f1ce3b

SHA256
0279d6f32554195db1c52b169ecb606824441d940f9d1b8e7b5ff45233aa29ff

SHA512
65f203bf10cdd0a2e034141ab3436407a949479cd05f795c72d28d59194cbe28db952c52faba76de5502463c0a91daa14b4b47bc8b6b1f7f28f4d5163ac75908

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\BR7HH0ex.exe

Filesize
871KB

MD5
12f48242e246967594a645bdcdfaefb4

SHA1
66a3b2254d162c50cb529a2163ea15e7f5f1ce3b

SHA256
0279d6f32554195db1c52b169ecb606824441d940f9d1b8e7b5ff45233aa29ff

SHA512
65f203bf10cdd0a2e034141ab3436407a949479cd05f795c72d28d59194cbe28db952c52faba76de5502463c0a91daa14b4b47bc8b6b1f7f28f4d5163ac75908

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\VX1TM3wp.exe

Filesize
675KB

MD5
6fcbcc98ebbbe636a0fe0e54638c2620

SHA1
2d721ffb4b9dad939cd44b1723cbcb0af29cb8f1

SHA256
8824938b516f326c8fb474e2d13f12a648cbe7fc793dd565bd44ecc9fcbcec96

SHA512
74618716926b7f59431bd861eba3e3623d297db902e284ba14442cbebd1738cbe453e3c77cb5e67ca8fad4e2a92d5ede9e33542d39dcbb5af498b26966258fb8

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\VX1TM3wp.exe

Filesize
675KB

MD5
6fcbcc98ebbbe636a0fe0e54638c2620

SHA1
2d721ffb4b9dad939cd44b1723cbcb0af29cb8f1

SHA256
8824938b516f326c8fb474e2d13f12a648cbe7fc793dd565bd44ecc9fcbcec96

SHA512
74618716926b7f59431bd861eba3e3623d297db902e284ba14442cbebd1738cbe453e3c77cb5e67ca8fad4e2a92d5ede9e33542d39dcbb5af498b26966258fb8

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1TM96Rc3.exe

Filesize
1.8MB

MD5
55d3507f18e2f4b729e2d39b42ed30f7

SHA1
1e0e1f566dc8332c78ab12e7bd3228530e3f9a7d

SHA256
7a64de4e9ba61ab53f06e9ca11804a1855928bf2062ce7002f7942075fc9feae

SHA512
a546e95c790e6f0c7945b6f063107ce796bffd7bb1e3151820e9e1d50aeb5818ac56af8696dbae0c4042c96795f5ac178a6bf97517b10a94e6f945606c885afa

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1TM96Rc3.exe

Filesize
1.8MB

MD5
55d3507f18e2f4b729e2d39b42ed30f7

SHA1
1e0e1f566dc8332c78ab12e7bd3228530e3f9a7d

SHA256
7a64de4e9ba61ab53f06e9ca11804a1855928bf2062ce7002f7942075fc9feae

SHA512
a546e95c790e6f0c7945b6f063107ce796bffd7bb1e3151820e9e1d50aeb5818ac56af8696dbae0c4042c96795f5ac178a6bf97517b10a94e6f945606c885afa

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2kK500If.exe

Filesize
221KB

MD5
57bc3f29015a6cfa95e2ed5317bc58af

SHA1
1c9a0fb04acda54d5284c76373dc3c2408edd716

SHA256
7713f1b52bf485bbf1b02581551c90ccf137873a59655866e98e6ab1c0839c18

SHA512
e5a44d92f4aef9eb437fcb7b9758d211e43f4db07db7c6ae6ba200a581f7722baaf8e47d2775c547276d23f1a46557d30c90794e4044c0930b674889fabdaf2e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2kK500If.exe

Filesize
221KB

MD5
57bc3f29015a6cfa95e2ed5317bc58af

SHA1
1c9a0fb04acda54d5284c76373dc3c2408edd716

SHA256
7713f1b52bf485bbf1b02581551c90ccf137873a59655866e98e6ab1c0839c18

SHA512
e5a44d92f4aef9eb437fcb7b9758d211e43f4db07db7c6ae6ba200a581f7722baaf8e47d2775c547276d23f1a46557d30c90794e4044c0930b674889fabdaf2e

Download Submit
memory/3900-47-0x0000000008080000-0x000000000857E000-memory.dmp

Filesize
5.0MB

Download
memory/3900-48-0x0000000007C60000-0x0000000007CF2000-memory.dmp

Filesize
584KB

Download
memory/3900-55-0x00000000737A0000-0x0000000073E8E000-memory.dmp

Filesize
6.9MB

Download
memory/3900-54-0x0000000008020000-0x000000000806B000-memory.dmp

Filesize
300KB

Download
memory/3900-45-0x00000000737A0000-0x0000000073E8E000-memory.dmp

Filesize
6.9MB

Download
memory/3900-46-0x0000000000EE0000-0x0000000000F1E000-memory.dmp

Filesize
248KB

Download
memory/3900-53-0x0000000008580000-0x00000000085BE000-memory.dmp

Filesize
248KB

Download
memory/3900-52-0x0000000007FF0000-0x0000000008002000-memory.dmp

Filesize
72KB

Download
memory/3900-49-0x0000000007C50000-0x0000000007C5A000-memory.dmp

Filesize
40KB

Download
memory/3900-50-0x0000000008B90000-0x0000000009196000-memory.dmp

Filesize
6.0MB

Download
memory/3900-51-0x0000000008690000-0x000000000879A000-memory.dmp

Filesize
1.0MB

Download
memory/4164-41-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/4164-35-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/4164-38-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/4164-39-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads