redline | b32bc506abf63ad16276675fc3fd3fa5a6c6389f0691258cb5cbefd853dc72a6

Analysis

max time kernel
139s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20231023-en
resource tags

arch:x64arch:x86image:win10v2004-20231023-enlocale:en-usos:windows10-2004-x64system
submitted
30/10/2023, 23:48

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

b32bc506abf63ad16276675fc3fd3fa5a6c6389f0691258cb5cbefd853dc72a6.exe
Size

1.5MB
MD5

0ab3e7dfee01f59791d6634754dcd5a9
SHA1

c78c9f440153f890ebacaecf79983a9192817fbf
SHA256

b32bc506abf63ad16276675fc3fd3fa5a6c6389f0691258cb5cbefd853dc72a6
SHA512

ad182cf9bc1f03912cdcd14f4c7d0777f073aecd305bdf8f9a3f56dc9c3e7c9d98245ddb4804fb08cbffe56b32dc7d5246a5c143b356ef64a8cf9a31ddee7a8f
SSDEEP

24576:/y414X4HJZuz4EGrw3yNfBTuCEpaQVU1/dM2YCcfk42I5IMW0lFC9SwTizsxKXsW:KRX4HXuM/rBNfA1paIU1cCcM42Su0lEf

Score

10^/10

redline kinza infostealer persistence

Malware Config

Extracted

Family

redline

Botnet

kinza

77.91.124.86:19084

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 3 IoCs

resource	yara_rule
behavioral1/files/0x0006000000022da3-41.dat	family_redline
behavioral1/files/0x0006000000022da3-39.dat	family_redline
behavioral1/memory/2556-43-0x0000000000280000-0x00000000002BE000-memory.dmp	family_redline

Executes dropped EXE 6 IoCs

pid	Process
3560	mn3vW1sp.exe
1724	Sb8CS9qs.exe
1700	fH6tF8jM.exe
440	gA9vF6Dk.exe
4548	1Qo33Cp0.exe
2556	2Fk946SZ.exe

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	b32bc506abf63ad16276675fc3fd3fa5a6c6389f0691258cb5cbefd853dc72a6.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	mn3vW1sp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	Sb8CS9qs.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	fH6tF8jM.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\""	gA9vF6Dk.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4548 set thread context of 2056	4548	1Qo33Cp0.exe	90

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1452	2056	WerFault.exe	90

Suspicious use of WriteProcessMemory 28 IoCs

description	pid	Process	procid_target
PID 4160 wrote to memory of 3560	4160	b32bc506abf63ad16276675fc3fd3fa5a6c6389f0691258cb5cbefd853dc72a6.exe	84
PID 4160 wrote to memory of 3560	4160	b32bc506abf63ad16276675fc3fd3fa5a6c6389f0691258cb5cbefd853dc72a6.exe	84
PID 4160 wrote to memory of 3560	4160	b32bc506abf63ad16276675fc3fd3fa5a6c6389f0691258cb5cbefd853dc72a6.exe	84
PID 3560 wrote to memory of 1724	3560	mn3vW1sp.exe	85
PID 3560 wrote to memory of 1724	3560	mn3vW1sp.exe	85
PID 3560 wrote to memory of 1724	3560	mn3vW1sp.exe	85
PID 1724 wrote to memory of 1700	1724	Sb8CS9qs.exe	86
PID 1724 wrote to memory of 1700	1724	Sb8CS9qs.exe	86
PID 1724 wrote to memory of 1700	1724	Sb8CS9qs.exe	86
PID 1700 wrote to memory of 440	1700	fH6tF8jM.exe	87
PID 1700 wrote to memory of 440	1700	fH6tF8jM.exe	87
PID 1700 wrote to memory of 440	1700	fH6tF8jM.exe	87
PID 440 wrote to memory of 4548	440	gA9vF6Dk.exe	88
PID 440 wrote to memory of 4548	440	gA9vF6Dk.exe	88
PID 440 wrote to memory of 4548	440	gA9vF6Dk.exe	88
PID 4548 wrote to memory of 2056	4548	1Qo33Cp0.exe	90
PID 4548 wrote to memory of 2056	4548	1Qo33Cp0.exe	90
PID 4548 wrote to memory of 2056	4548	1Qo33Cp0.exe	90
PID 4548 wrote to memory of 2056	4548	1Qo33Cp0.exe	90
PID 4548 wrote to memory of 2056	4548	1Qo33Cp0.exe	90
PID 4548 wrote to memory of 2056	4548	1Qo33Cp0.exe	90
PID 4548 wrote to memory of 2056	4548	1Qo33Cp0.exe	90
PID 4548 wrote to memory of 2056	4548	1Qo33Cp0.exe	90
PID 4548 wrote to memory of 2056	4548	1Qo33Cp0.exe	90
PID 4548 wrote to memory of 2056	4548	1Qo33Cp0.exe	90
PID 440 wrote to memory of 2556	440	gA9vF6Dk.exe	92
PID 440 wrote to memory of 2556	440	gA9vF6Dk.exe	92
PID 440 wrote to memory of 2556	440	gA9vF6Dk.exe	92

C:\Users\Admin\AppData\Local\Temp\b32bc506abf63ad16276675fc3fd3fa5a6c6389f0691258cb5cbefd853dc72a6.exe
"C:\Users\Admin\AppData\Local\Temp\b32bc506abf63ad16276675fc3fd3fa5a6c6389f0691258cb5cbefd853dc72a6.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4160
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\mn3vW1sp.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\mn3vW1sp.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:3560
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Sb8CS9qs.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Sb8CS9qs.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:1724
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\fH6tF8jM.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\fH6tF8jM.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:1700
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\gA9vF6Dk.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\gA9vF6Dk.exe
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of WriteProcessMemory
        
        PID:440
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1Qo33Cp0.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1Qo33Cp0.exe
        6⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:4548
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        7⤵
        
        PID:2056
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2056 -s 540
        8⤵
        Program crash
        
        PID:1452
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2Fk946SZ.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2Fk946SZ.exe
        6⤵
        Executes dropped EXE
        
        PID:2556

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 2056 -ip 2056
1⤵
PID:4604

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\mn3vW1sp.exe

Filesize
1.3MB

MD5
f3366ea6afdb932dddccd12e83e95c76

SHA1
d805cf59271f5ff45685bcbf4c388a1d07213a44

SHA256
261347fdd49a1e528bd688d7549860b43c05b99674891f1f0c5201589ef103f0

SHA512
68840155eb127389cb832da565333808ce24c4fbd7cb779ca8654b63b10b363ab5891c8a45f4c2281ec3db45267de1c7dae8a378c4cc0eb887611d18ced32c2c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\mn3vW1sp.exe

Filesize
1.3MB

MD5
f3366ea6afdb932dddccd12e83e95c76

SHA1
d805cf59271f5ff45685bcbf4c388a1d07213a44

SHA256
261347fdd49a1e528bd688d7549860b43c05b99674891f1f0c5201589ef103f0

SHA512
68840155eb127389cb832da565333808ce24c4fbd7cb779ca8654b63b10b363ab5891c8a45f4c2281ec3db45267de1c7dae8a378c4cc0eb887611d18ced32c2c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Sb8CS9qs.exe

Filesize
1.1MB

MD5
5c68811fe8a40715931660a81791fe74

SHA1
08485fcbbc44c2d8ff02ee39e75fbb0637d90207

SHA256
efd4713c6da8b8e65e0f887275e4e833afecbf20d2999ee75362d7464639a5ac

SHA512
4c608afef8a6da4c3c9747f84bbab9d71a450ca6a90ba3683c8f1d3a90ba883d00bb9c44ba869aec2764e5d75222c66ff5c7f1439913f1e08eb4f17717bd7fbb

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Sb8CS9qs.exe

Filesize
1.1MB

MD5
5c68811fe8a40715931660a81791fe74

SHA1
08485fcbbc44c2d8ff02ee39e75fbb0637d90207

SHA256
efd4713c6da8b8e65e0f887275e4e833afecbf20d2999ee75362d7464639a5ac

SHA512
4c608afef8a6da4c3c9747f84bbab9d71a450ca6a90ba3683c8f1d3a90ba883d00bb9c44ba869aec2764e5d75222c66ff5c7f1439913f1e08eb4f17717bd7fbb

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\fH6tF8jM.exe

Filesize
757KB

MD5
0969e392f928e8b95f4d513c313642ad

SHA1
9d6bd194b84eb877ae2809486e7ccf06e7dd23e4

SHA256
87c87cde4210a8ffa748117691ca6157cf4c2c70f9ae2d1d4bff65f2783fcdbb

SHA512
40014da82162753e1bb1d5add5ea1b9daf987fa45214a67c9cd4dad820e2e40c0c36a1159f1771aa7a02864d07c7fd505390ad4fab6c7543020fa122a95f504f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\fH6tF8jM.exe

Filesize
757KB

MD5
0969e392f928e8b95f4d513c313642ad

SHA1
9d6bd194b84eb877ae2809486e7ccf06e7dd23e4

SHA256
87c87cde4210a8ffa748117691ca6157cf4c2c70f9ae2d1d4bff65f2783fcdbb

SHA512
40014da82162753e1bb1d5add5ea1b9daf987fa45214a67c9cd4dad820e2e40c0c36a1159f1771aa7a02864d07c7fd505390ad4fab6c7543020fa122a95f504f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\gA9vF6Dk.exe

Filesize
561KB

MD5
b3a86f7551900b73fcc2ab5c8423ce81

SHA1
c7578db15828fd659803bd531db991fdb8e34f95

SHA256
5f5c792e9ea853b7f579e53eefe7ca3b8ea6f8c0dc34a970f9bb440cb3befa8b

SHA512
c4700363458ef849a17553b8bd20d16332e7bf8a1398c1387abc93cf7d9daf1e95805d27177aeeb4ebc94df7506c477968377da5c7ff176b97dd1ba21d880a57

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\gA9vF6Dk.exe

Filesize
561KB

MD5
b3a86f7551900b73fcc2ab5c8423ce81

SHA1
c7578db15828fd659803bd531db991fdb8e34f95

SHA256
5f5c792e9ea853b7f579e53eefe7ca3b8ea6f8c0dc34a970f9bb440cb3befa8b

SHA512
c4700363458ef849a17553b8bd20d16332e7bf8a1398c1387abc93cf7d9daf1e95805d27177aeeb4ebc94df7506c477968377da5c7ff176b97dd1ba21d880a57

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1Qo33Cp0.exe

Filesize
1.1MB

MD5
99afe55003da679287684597797f6b33

SHA1
b52239004fbd2ee61a1cbf27469334d6456ef364

SHA256
99f1959451b0fbced998dde5cab7c8efc5684d749636dc6cb8e8708383454cb4

SHA512
6c5218e6585af78eb8fe33e2d91065fa7343f7ad048dac1d6f1a3c087c23a73004b47f3a612dec9f2f033341459c9238c3e9c9c4570699be69da084f0b39892c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1Qo33Cp0.exe

Filesize
1.1MB

MD5
99afe55003da679287684597797f6b33

SHA1
b52239004fbd2ee61a1cbf27469334d6456ef364

SHA256
99f1959451b0fbced998dde5cab7c8efc5684d749636dc6cb8e8708383454cb4

SHA512
6c5218e6585af78eb8fe33e2d91065fa7343f7ad048dac1d6f1a3c087c23a73004b47f3a612dec9f2f033341459c9238c3e9c9c4570699be69da084f0b39892c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2Fk946SZ.exe

Filesize
222KB

MD5
0a957ac614d7c82b6fc66804667d1a04

SHA1
b39169b3a13f55619613e2555b04a62f41279df1

SHA256
a508148c543536ea20b715f5637909ab9a4176c3fd3d86849a75a7da95b02fd7

SHA512
a214632fc17eec8d04cfa9d3ee821c5acb5b2c8570da2ce1d3b5d9883a42316692152b53ee063d7658fe8003af008b9117d11244083659b3256e6cfb1977c75a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2Fk946SZ.exe

Filesize
222KB

MD5
0a957ac614d7c82b6fc66804667d1a04

SHA1
b39169b3a13f55619613e2555b04a62f41279df1

SHA256
a508148c543536ea20b715f5637909ab9a4176c3fd3d86849a75a7da95b02fd7

SHA512
a214632fc17eec8d04cfa9d3ee821c5acb5b2c8570da2ce1d3b5d9883a42316692152b53ee063d7658fe8003af008b9117d11244083659b3256e6cfb1977c75a

Download Submit
memory/2056-42-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2056-38-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2056-36-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2056-35-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2556-48-0x00000000071F0000-0x00000000071FA000-memory.dmp

Filesize
40KB

Download
memory/2556-44-0x0000000073D80000-0x0000000074530000-memory.dmp

Filesize
7.7MB

Download
memory/2556-45-0x0000000007560000-0x0000000007B04000-memory.dmp

Filesize
5.6MB

Download
memory/2556-46-0x0000000007050000-0x00000000070E2000-memory.dmp

Filesize
584KB

Download
memory/2556-47-0x00000000072C0000-0x00000000072D0000-memory.dmp

Filesize
64KB

Download
memory/2556-43-0x0000000000280000-0x00000000002BE000-memory.dmp

Filesize
248KB

Download
memory/2556-49-0x0000000008130000-0x0000000008748000-memory.dmp

Filesize
6.1MB

Download
memory/2556-50-0x0000000007B10000-0x0000000007C1A000-memory.dmp

Filesize
1.0MB

Download
memory/2556-51-0x0000000007420000-0x0000000007432000-memory.dmp

Filesize
72KB

Download
memory/2556-52-0x0000000007480000-0x00000000074BC000-memory.dmp

Filesize
240KB

Download
memory/2556-53-0x00000000074C0000-0x000000000750C000-memory.dmp

Filesize
304KB

Download
memory/2556-54-0x0000000073D80000-0x0000000074530000-memory.dmp

Filesize
7.7MB

Download
memory/2556-55-0x00000000072C0000-0x00000000072D0000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads