redline | 0da921990e3adf5f4e1e222e4de086733839772aabd9caa954600baa797968c4

Analysis

max time kernel
148s
max time network
157s
platform
windows10-2004_x64
resource
win10v2004-20231023-en
resource tags

arch:x64arch:x86image:win10v2004-20231023-enlocale:en-usos:windows10-2004-x64system
submitted
24/10/2023, 10:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9ed1352e066e59833c47b37735d002d6.exe
Size

1.5MB
MD5

9ed1352e066e59833c47b37735d002d6
SHA1

8c7519a69a08394040074542a69ffa9998744502
SHA256

0da921990e3adf5f4e1e222e4de086733839772aabd9caa954600baa797968c4
SHA512

2f74102b6a0187fe275894cb783918edbd23535b30a84e93b7571340bd9d0ee5c12b9ed07298e0e14745de2f145c5e2d88a5057dcd4ca20dbb6b3a70e3875e2b
SSDEEP

24576:oybbfe9uSpo+3YAggyr6AhgwyGMDckTdIxLkwiRjwEEcd/9c9Ln3aePBpV9yG:v3rSbgr60eVIxvi2tcd1CL1Bpy

Score

10^/10

redline kinza infostealer persistence

Malware Config

Extracted

Family

redline

Botnet

kinza

77.91.124.86:19084

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 3 IoCs

resource	yara_rule
behavioral2/files/0x0006000000022cd8-41.dat	family_redline
behavioral2/files/0x0006000000022cd8-42.dat	family_redline
behavioral2/memory/2948-44-0x0000000000E80000-0x0000000000EBE000-memory.dmp	family_redline

Executes dropped EXE 6 IoCs

pid	Process
3828	zK1nm7Wt.exe
2756	tz5UX6xo.exe
4872	yl1HZ0vW.exe
5116	BF8iD5KM.exe
2748	1BZ62fQ0.exe
2948	2AX567YB.exe

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	9ed1352e066e59833c47b37735d002d6.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	zK1nm7Wt.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	tz5UX6xo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	yl1HZ0vW.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\""	BF8iD5KM.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2748 set thread context of 2332	2748	1BZ62fQ0.exe	92

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1636	2332	WerFault.exe	92

Suspicious use of WriteProcessMemory 34 IoCs

description	pid	Process	procid_target
PID 3584 wrote to memory of 3828	3584	9ed1352e066e59833c47b37735d002d6.exe	85
PID 3584 wrote to memory of 3828	3584	9ed1352e066e59833c47b37735d002d6.exe	85
PID 3584 wrote to memory of 3828	3584	9ed1352e066e59833c47b37735d002d6.exe	85
PID 3828 wrote to memory of 2756	3828	zK1nm7Wt.exe	86
PID 3828 wrote to memory of 2756	3828	zK1nm7Wt.exe	86
PID 3828 wrote to memory of 2756	3828	zK1nm7Wt.exe	86
PID 2756 wrote to memory of 4872	2756	tz5UX6xo.exe	87
PID 2756 wrote to memory of 4872	2756	tz5UX6xo.exe	87
PID 2756 wrote to memory of 4872	2756	tz5UX6xo.exe	87
PID 4872 wrote to memory of 5116	4872	yl1HZ0vW.exe	88
PID 4872 wrote to memory of 5116	4872	yl1HZ0vW.exe	88
PID 4872 wrote to memory of 5116	4872	yl1HZ0vW.exe	88
PID 5116 wrote to memory of 2748	5116	BF8iD5KM.exe	89
PID 5116 wrote to memory of 2748	5116	BF8iD5KM.exe	89
PID 5116 wrote to memory of 2748	5116	BF8iD5KM.exe	89
PID 2748 wrote to memory of 4444	2748	1BZ62fQ0.exe	90
PID 2748 wrote to memory of 4444	2748	1BZ62fQ0.exe	90
PID 2748 wrote to memory of 4444	2748	1BZ62fQ0.exe	90
PID 2748 wrote to memory of 3444	2748	1BZ62fQ0.exe	91
PID 2748 wrote to memory of 3444	2748	1BZ62fQ0.exe	91
PID 2748 wrote to memory of 3444	2748	1BZ62fQ0.exe	91
PID 2748 wrote to memory of 2332	2748	1BZ62fQ0.exe	92
PID 2748 wrote to memory of 2332	2748	1BZ62fQ0.exe	92
PID 2748 wrote to memory of 2332	2748	1BZ62fQ0.exe	92
PID 2748 wrote to memory of 2332	2748	1BZ62fQ0.exe	92
PID 2748 wrote to memory of 2332	2748	1BZ62fQ0.exe	92
PID 2748 wrote to memory of 2332	2748	1BZ62fQ0.exe	92
PID 2748 wrote to memory of 2332	2748	1BZ62fQ0.exe	92
PID 2748 wrote to memory of 2332	2748	1BZ62fQ0.exe	92
PID 2748 wrote to memory of 2332	2748	1BZ62fQ0.exe	92
PID 2748 wrote to memory of 2332	2748	1BZ62fQ0.exe	92
PID 5116 wrote to memory of 2948	5116	BF8iD5KM.exe	94
PID 5116 wrote to memory of 2948	5116	BF8iD5KM.exe	94
PID 5116 wrote to memory of 2948	5116	BF8iD5KM.exe	94

C:\Users\Admin\AppData\Local\Temp\9ed1352e066e59833c47b37735d002d6.exe
"C:\Users\Admin\AppData\Local\Temp\9ed1352e066e59833c47b37735d002d6.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3584
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zK1nm7Wt.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zK1nm7Wt.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:3828
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\tz5UX6xo.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\tz5UX6xo.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:2756
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\yl1HZ0vW.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\yl1HZ0vW.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:4872
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\BF8iD5KM.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\BF8iD5KM.exe
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of WriteProcessMemory
        
        PID:5116
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1BZ62fQ0.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1BZ62fQ0.exe
        6⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:2748
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        7⤵
        
        PID:4444
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        7⤵
        
        PID:3444
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        7⤵
        
        PID:2332
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2332 -s 564
        8⤵
        Program crash
        
        PID:1636
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2AX567YB.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2AX567YB.exe
        6⤵
        Executes dropped EXE
        
        PID:2948

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 2332 -ip 2332
1⤵
PID:4928

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zK1nm7Wt.exe

Filesize
1.3MB

MD5
a9233ce544385cb93f288f712b75a042

SHA1
79b0986014a5a75a63dccc9b8b5b5f0302fc36c4

SHA256
a4eea979428e2c6a1624bfd6fab115c3bd8d8bf839e6798118a705745672f0be

SHA512
a6b13eed90f6035ed05210ba9d3cbe2556867715907cb25784a8b801e2aed7c514d2168ecbaf26fd62600a4ebfadecae77e80148115b3b9f3fef823b3a17a4b8

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zK1nm7Wt.exe

Filesize
1.3MB

MD5
a9233ce544385cb93f288f712b75a042

SHA1
79b0986014a5a75a63dccc9b8b5b5f0302fc36c4

SHA256
a4eea979428e2c6a1624bfd6fab115c3bd8d8bf839e6798118a705745672f0be

SHA512
a6b13eed90f6035ed05210ba9d3cbe2556867715907cb25784a8b801e2aed7c514d2168ecbaf26fd62600a4ebfadecae77e80148115b3b9f3fef823b3a17a4b8

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\tz5UX6xo.exe

Filesize
1.1MB

MD5
8d417aad2c497943934efbca4d7ecf8c

SHA1
2885e6b01f2616b76fc1b245733e0057dfcfc99e

SHA256
32d38fee6243118017e47e5306a787a5b2e492879141d8b33fd65f3e30b96b4d

SHA512
db78a10ae5ce0794e58f04d85521eff9bb882f958414088cd5716426dfb90a08095043ab5cb605656cada9585b86e0829ec5097b529fedb15ee6171f0a09874f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\tz5UX6xo.exe

Filesize
1.1MB

MD5
8d417aad2c497943934efbca4d7ecf8c

SHA1
2885e6b01f2616b76fc1b245733e0057dfcfc99e

SHA256
32d38fee6243118017e47e5306a787a5b2e492879141d8b33fd65f3e30b96b4d

SHA512
db78a10ae5ce0794e58f04d85521eff9bb882f958414088cd5716426dfb90a08095043ab5cb605656cada9585b86e0829ec5097b529fedb15ee6171f0a09874f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\yl1HZ0vW.exe

Filesize
758KB

MD5
eb3bd0dc49b96b3bb658dc452737bca0

SHA1
53ed9a22541cc4a3dce3f7b657f539884300f894

SHA256
90ed5fa68260a37bd28d0bc8b0f147745753b99b4ea34324ed3f367a88ef73c8

SHA512
014fe8a04f94993c3d6727fa3b7f9dd1b15f291b52bbc02c09041e22dc65a8cb52fe9dcb96e65c16b73bfd6fa8d85cb781fa16c7e3e8fec0d75e696952ac0d18

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\yl1HZ0vW.exe

Filesize
758KB

MD5
eb3bd0dc49b96b3bb658dc452737bca0

SHA1
53ed9a22541cc4a3dce3f7b657f539884300f894

SHA256
90ed5fa68260a37bd28d0bc8b0f147745753b99b4ea34324ed3f367a88ef73c8

SHA512
014fe8a04f94993c3d6727fa3b7f9dd1b15f291b52bbc02c09041e22dc65a8cb52fe9dcb96e65c16b73bfd6fa8d85cb781fa16c7e3e8fec0d75e696952ac0d18

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\BF8iD5KM.exe

Filesize
562KB

MD5
73b97a47de21fe07156e443272b507af

SHA1
b9164482b770bb6f2d65c51e26ca548640ff71d2

SHA256
b8bf194933e362141b133265790aa8cc6ea763f732d12e8dc667621d99989d38

SHA512
41c5cfcb955709b78e4927bab5a8fd58ac51328da3f1832b8f6426b70b4c2efc15f678cfc3ace9412afb820b7926a65508177be657f6f887e1fd5f50a380b75d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\BF8iD5KM.exe

Filesize
562KB

MD5
73b97a47de21fe07156e443272b507af

SHA1
b9164482b770bb6f2d65c51e26ca548640ff71d2

SHA256
b8bf194933e362141b133265790aa8cc6ea763f732d12e8dc667621d99989d38

SHA512
41c5cfcb955709b78e4927bab5a8fd58ac51328da3f1832b8f6426b70b4c2efc15f678cfc3ace9412afb820b7926a65508177be657f6f887e1fd5f50a380b75d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1BZ62fQ0.exe

Filesize
1.1MB

MD5
d3c743ab4ae5a52f729ce2a4b462edec

SHA1
0c0cad866dd08cbfe2d6202030604e48ce52525b

SHA256
51093b776620e241a233d0f739a1f1cb210e7cb19670208db74d3a3f1b2a1a48

SHA512
b810c5905a317565eddb93d8efc5f4b2f5f4bb2a8ace33f54ed5242c873d76a47fdc3cae2d7f614970ea8abef83576da6ee616e147b664bad50cd0c8f358e09f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1BZ62fQ0.exe

Filesize
1.1MB

MD5
d3c743ab4ae5a52f729ce2a4b462edec

SHA1
0c0cad866dd08cbfe2d6202030604e48ce52525b

SHA256
51093b776620e241a233d0f739a1f1cb210e7cb19670208db74d3a3f1b2a1a48

SHA512
b810c5905a317565eddb93d8efc5f4b2f5f4bb2a8ace33f54ed5242c873d76a47fdc3cae2d7f614970ea8abef83576da6ee616e147b664bad50cd0c8f358e09f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2AX567YB.exe

Filesize
221KB

MD5
0e9e0978119a278326ac3ea3cc123e81

SHA1
c9fab3f5551336d3da4868b508bb7e7b7547c6bf

SHA256
24f859dc8a8fa4a79ad413c3ef73d7c3cbd1aaac4e32cdfad1ad7b07f228bf9b

SHA512
fa82ea4688a97db3d9b8f09a40f444b6d1ada2cf28b6051138580ba98739a044726ab2fb30c6f1b59a98b0a329d7d6e86c94709475239ed3d1972d69b1a39bd9

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2AX567YB.exe

Filesize
221KB

MD5
0e9e0978119a278326ac3ea3cc123e81

SHA1
c9fab3f5551336d3da4868b508bb7e7b7547c6bf

SHA256
24f859dc8a8fa4a79ad413c3ef73d7c3cbd1aaac4e32cdfad1ad7b07f228bf9b

SHA512
fa82ea4688a97db3d9b8f09a40f444b6d1ada2cf28b6051138580ba98739a044726ab2fb30c6f1b59a98b0a329d7d6e86c94709475239ed3d1972d69b1a39bd9

Download Submit
memory/2332-36-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/2332-37-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/2332-39-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/2332-35-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/2948-46-0x0000000007C80000-0x0000000007D12000-memory.dmp

Filesize
584KB

Download
memory/2948-44-0x0000000000E80000-0x0000000000EBE000-memory.dmp

Filesize
248KB

Download
memory/2948-45-0x0000000008190000-0x0000000008734000-memory.dmp

Filesize
5.6MB

Download
memory/2948-43-0x00000000742F0000-0x0000000074AA0000-memory.dmp

Filesize
7.7MB

Download
memory/2948-47-0x0000000005740000-0x0000000005750000-memory.dmp

Filesize
64KB

Download
memory/2948-48-0x0000000007E10000-0x0000000007E1A000-memory.dmp

Filesize
40KB

Download
memory/2948-49-0x0000000008D60000-0x0000000009378000-memory.dmp

Filesize
6.1MB

Download
memory/2948-50-0x0000000007FB0000-0x00000000080BA000-memory.dmp

Filesize
1.0MB

Download
memory/2948-51-0x0000000007EE0000-0x0000000007EF2000-memory.dmp

Filesize
72KB

Download
memory/2948-52-0x0000000007F40000-0x0000000007F7C000-memory.dmp

Filesize
240KB

Download
memory/2948-53-0x00000000080C0000-0x000000000810C000-memory.dmp

Filesize
304KB

Download
memory/2948-54-0x00000000742F0000-0x0000000074AA0000-memory.dmp

Filesize
7.7MB

Download
memory/2948-55-0x0000000005740000-0x0000000005750000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads