redline | 0bfe958b9380da04be2722f96abfa7bf0d7561401a528865e297a7b2edbb852c

Analysis

max time kernel
135s
max time network
151s
platform
windows10-1703_x64
resource
win10-20231020-en
resource tags

arch:x64arch:x86image:win10-20231020-enlocale:en-usos:windows10-1703-x64system
submitted
30/10/2023, 03:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0bfe958b9380da04be2722f96abfa7bf0d7561401a528865e297a7b2edbb852c.exe
Size

1.5MB
MD5

b3015fd8b27e2f47b38c8efdf41fc031
SHA1

bf7891af166728cac6aabc68b836a29f97ffc253
SHA256

0bfe958b9380da04be2722f96abfa7bf0d7561401a528865e297a7b2edbb852c
SHA512

f8ef1f0b5ffba1d162b7b2e8ea374c651ef85ed2b122775b570ea355d1f730a98f3bc251f5165fb13663f0c5522c7c7e646700c03be817f8c7234b440c427542
SSDEEP

24576:Syelj60Gze+aOFpoAtG/FyCiACpmEWXL4Z+Qg2E/mPdPt0TxlnRP/UyK258jSbUQ:5IjGFppYMxWMM/mP5ennRPvKjSY

Score

10^/10

redline kinza infostealer persistence

Malware Config

Extracted

Family

redline

Botnet

kinza

77.91.124.86:19084

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 3 IoCs

resource	yara_rule
behavioral1/files/0x000600000001abe0-43.dat	family_redline
behavioral1/files/0x000600000001abe0-44.dat	family_redline
behavioral1/memory/1864-45-0x0000000000220000-0x000000000025E000-memory.dmp	family_redline

Executes dropped EXE 6 IoCs

pid	Process
3352	IT8RR0UG.exe
4928	xh1KB0vj.exe
5004	VR8Cb0dG.exe
2780	aX3bu0rf.exe
4592	1MN31GO7.exe
1864	2IL363eR.exe

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	0bfe958b9380da04be2722f96abfa7bf0d7561401a528865e297a7b2edbb852c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	IT8RR0UG.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	xh1KB0vj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	VR8Cb0dG.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\""	aX3bu0rf.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4592 set thread context of 2356	4592	1MN31GO7.exe	76

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4120	2356	WerFault.exe	76

Suspicious use of WriteProcessMemory 28 IoCs

description	pid	Process	procid_target
PID 1016 wrote to memory of 3352	1016	0bfe958b9380da04be2722f96abfa7bf0d7561401a528865e297a7b2edbb852c.exe	71
PID 1016 wrote to memory of 3352	1016	0bfe958b9380da04be2722f96abfa7bf0d7561401a528865e297a7b2edbb852c.exe	71
PID 1016 wrote to memory of 3352	1016	0bfe958b9380da04be2722f96abfa7bf0d7561401a528865e297a7b2edbb852c.exe	71
PID 3352 wrote to memory of 4928	3352	IT8RR0UG.exe	72
PID 3352 wrote to memory of 4928	3352	IT8RR0UG.exe	72
PID 3352 wrote to memory of 4928	3352	IT8RR0UG.exe	72
PID 4928 wrote to memory of 5004	4928	xh1KB0vj.exe	73
PID 4928 wrote to memory of 5004	4928	xh1KB0vj.exe	73
PID 4928 wrote to memory of 5004	4928	xh1KB0vj.exe	73
PID 5004 wrote to memory of 2780	5004	VR8Cb0dG.exe	74
PID 5004 wrote to memory of 2780	5004	VR8Cb0dG.exe	74
PID 5004 wrote to memory of 2780	5004	VR8Cb0dG.exe	74
PID 2780 wrote to memory of 4592	2780	aX3bu0rf.exe	75
PID 2780 wrote to memory of 4592	2780	aX3bu0rf.exe	75
PID 2780 wrote to memory of 4592	2780	aX3bu0rf.exe	75
PID 4592 wrote to memory of 2356	4592	1MN31GO7.exe	76
PID 4592 wrote to memory of 2356	4592	1MN31GO7.exe	76
PID 4592 wrote to memory of 2356	4592	1MN31GO7.exe	76
PID 4592 wrote to memory of 2356	4592	1MN31GO7.exe	76
PID 4592 wrote to memory of 2356	4592	1MN31GO7.exe	76
PID 4592 wrote to memory of 2356	4592	1MN31GO7.exe	76
PID 4592 wrote to memory of 2356	4592	1MN31GO7.exe	76
PID 4592 wrote to memory of 2356	4592	1MN31GO7.exe	76
PID 4592 wrote to memory of 2356	4592	1MN31GO7.exe	76
PID 4592 wrote to memory of 2356	4592	1MN31GO7.exe	76
PID 2780 wrote to memory of 1864	2780	aX3bu0rf.exe	77
PID 2780 wrote to memory of 1864	2780	aX3bu0rf.exe	77
PID 2780 wrote to memory of 1864	2780	aX3bu0rf.exe	77

C:\Users\Admin\AppData\Local\Temp\0bfe958b9380da04be2722f96abfa7bf0d7561401a528865e297a7b2edbb852c.exe
"C:\Users\Admin\AppData\Local\Temp\0bfe958b9380da04be2722f96abfa7bf0d7561401a528865e297a7b2edbb852c.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1016
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\IT8RR0UG.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\IT8RR0UG.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:3352
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\xh1KB0vj.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\xh1KB0vj.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:4928
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\VR8Cb0dG.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\VR8Cb0dG.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:5004
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\aX3bu0rf.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\aX3bu0rf.exe
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of WriteProcessMemory
        
        PID:2780
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1MN31GO7.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1MN31GO7.exe
        6⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:4592
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        7⤵
        
        PID:2356
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2356 -s 568
        8⤵
        Program crash
        
        PID:4120
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2IL363eR.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2IL363eR.exe
        6⤵
        Executes dropped EXE
        
        PID:1864

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\IT8RR0UG.exe

Filesize
1.3MB

MD5
79ef7522137a3342f558f2098bbaf3da

SHA1
163ff742f3e2c0aae2eb09774e0d917fefd96747

SHA256
8868a50b827c5f4cc6c69b7cfc845a006dba360b45a0346ac022bbfdbbbbdba9

SHA512
6f9d5794c0d85a34a01ef670527c265489d5c566036dd88575248b83eb0706f37d0e8fac1109de3604f027c2e2f7ed75eaf152b1e36e8e2b28da82aa7d647f80

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\IT8RR0UG.exe

Filesize
1.3MB

MD5
79ef7522137a3342f558f2098bbaf3da

SHA1
163ff742f3e2c0aae2eb09774e0d917fefd96747

SHA256
8868a50b827c5f4cc6c69b7cfc845a006dba360b45a0346ac022bbfdbbbbdba9

SHA512
6f9d5794c0d85a34a01ef670527c265489d5c566036dd88575248b83eb0706f37d0e8fac1109de3604f027c2e2f7ed75eaf152b1e36e8e2b28da82aa7d647f80

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\xh1KB0vj.exe

Filesize
1.1MB

MD5
3be82ecb9bca306f351e7fa4a472124b

SHA1
f81169dd4b6a02517596375cad3306217f7401f2

SHA256
e75482258b36fced4866045335b14a0f18de62dec3e05ea2b35daf737030ce03

SHA512
d0c51566d4eb8eb51588d6350ec22ec0ec129000479a5d3722751e1b14e69ec0bf6c381175d7e8b055576deb0e35925f522c2b33b78418eee5d05c00271db0c3

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\xh1KB0vj.exe

Filesize
1.1MB

MD5
3be82ecb9bca306f351e7fa4a472124b

SHA1
f81169dd4b6a02517596375cad3306217f7401f2

SHA256
e75482258b36fced4866045335b14a0f18de62dec3e05ea2b35daf737030ce03

SHA512
d0c51566d4eb8eb51588d6350ec22ec0ec129000479a5d3722751e1b14e69ec0bf6c381175d7e8b055576deb0e35925f522c2b33b78418eee5d05c00271db0c3

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\VR8Cb0dG.exe

Filesize
758KB

MD5
104d6b49acfb7c2e6ab9626f36515294

SHA1
9ad2ee1da761b12dc2fd519a50a9c7010417444b

SHA256
6af9f6b18d6bcdc5cd152ecbe490ab836fc67415baaceddf3fe7d5aa0bf18d4a

SHA512
9d4851f0503e91c7b12fda0e790a47cfbeda966ac5fbc146dc4190b892684b3d8d4ecb3001c3d6e790c685b30edf7aa19d8245eab963829f8dc626eca8d7353e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\VR8Cb0dG.exe

Filesize
758KB

MD5
104d6b49acfb7c2e6ab9626f36515294

SHA1
9ad2ee1da761b12dc2fd519a50a9c7010417444b

SHA256
6af9f6b18d6bcdc5cd152ecbe490ab836fc67415baaceddf3fe7d5aa0bf18d4a

SHA512
9d4851f0503e91c7b12fda0e790a47cfbeda966ac5fbc146dc4190b892684b3d8d4ecb3001c3d6e790c685b30edf7aa19d8245eab963829f8dc626eca8d7353e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\aX3bu0rf.exe

Filesize
561KB

MD5
647abf2ff212a56da4cbb688f4ae9cf9

SHA1
f459a4beec8b39a10bc8bd27fd5bd8c774a28e2a

SHA256
fd44861ab6a352814d17fcd8c2812d7a8fcaeb62f015b4fa85a52e75f2bd925d

SHA512
4daadf35292bb780ac810ef5a41b4e4b6b87886dce43ee539614da003e8d8ae4687638d3b638137b1a52b26ce155a3e3048a75a3745f7f7a7ab7c7f48daea17d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\aX3bu0rf.exe

Filesize
561KB

MD5
647abf2ff212a56da4cbb688f4ae9cf9

SHA1
f459a4beec8b39a10bc8bd27fd5bd8c774a28e2a

SHA256
fd44861ab6a352814d17fcd8c2812d7a8fcaeb62f015b4fa85a52e75f2bd925d

SHA512
4daadf35292bb780ac810ef5a41b4e4b6b87886dce43ee539614da003e8d8ae4687638d3b638137b1a52b26ce155a3e3048a75a3745f7f7a7ab7c7f48daea17d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1MN31GO7.exe

Filesize
1.1MB

MD5
7e88670e893f284a13a2d88af7295317

SHA1
4bc0d76245e9d6ca8fe69daa23c46b2b8f770f1a

SHA256
d5e9e8612572f4586bc94b4475503558b7c4cd9329d3ade5b86f45018957deb9

SHA512
01541840ee2aa44de1f5f41bee31409560c481c10ed07d854239c0c9bdb648c86857a6a83a907e23f3b2865043b175689aa5f4f13fd0fd5f5444756b9ddfcdc2

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1MN31GO7.exe

Filesize
1.1MB

MD5
7e88670e893f284a13a2d88af7295317

SHA1
4bc0d76245e9d6ca8fe69daa23c46b2b8f770f1a

SHA256
d5e9e8612572f4586bc94b4475503558b7c4cd9329d3ade5b86f45018957deb9

SHA512
01541840ee2aa44de1f5f41bee31409560c481c10ed07d854239c0c9bdb648c86857a6a83a907e23f3b2865043b175689aa5f4f13fd0fd5f5444756b9ddfcdc2

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2IL363eR.exe

Filesize
222KB

MD5
9b0bcb68d150c632c19e57bc49e2a22d

SHA1
083d6f8aa38f986c67fe26499504dc7ba9de7b3b

SHA256
ab86e30231b34140c68fd3ee8590c9efed0b7bb443143a2dc8ef173f77611ae6

SHA512
bc9ed3aa727f9191a1380ba331d50d005fcef9561b63420f4281d7578cd00ec876d5bacb11ad89d279d7b84bcad4ac29d5cb0efb6042a38e3d8ee1a654096fcf

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2IL363eR.exe

Filesize
222KB

MD5
9b0bcb68d150c632c19e57bc49e2a22d

SHA1
083d6f8aa38f986c67fe26499504dc7ba9de7b3b

SHA256
ab86e30231b34140c68fd3ee8590c9efed0b7bb443143a2dc8ef173f77611ae6

SHA512
bc9ed3aa727f9191a1380ba331d50d005fcef9561b63420f4281d7578cd00ec876d5bacb11ad89d279d7b84bcad4ac29d5cb0efb6042a38e3d8ee1a654096fcf

Download Submit
memory/1864-47-0x0000000007480000-0x000000000797E000-memory.dmp

Filesize
5.0MB

Download
memory/1864-48-0x0000000007020000-0x00000000070B2000-memory.dmp

Filesize
584KB

Download
memory/1864-55-0x00000000730E0000-0x00000000737CE000-memory.dmp

Filesize
6.9MB

Download
memory/1864-54-0x00000000072C0000-0x000000000730B000-memory.dmp

Filesize
300KB

Download
memory/1864-45-0x0000000000220000-0x000000000025E000-memory.dmp

Filesize
248KB

Download
memory/1864-46-0x00000000730E0000-0x00000000737CE000-memory.dmp

Filesize
6.9MB

Download
memory/1864-53-0x0000000007230000-0x000000000726E000-memory.dmp

Filesize
248KB

Download
memory/1864-52-0x00000000071D0000-0x00000000071E2000-memory.dmp

Filesize
72KB

Download
memory/1864-49-0x0000000006F90000-0x0000000006F9A000-memory.dmp

Filesize
40KB

Download
memory/1864-50-0x0000000007F90000-0x0000000008596000-memory.dmp

Filesize
6.0MB

Download
memory/1864-51-0x0000000007980000-0x0000000007A8A000-memory.dmp

Filesize
1.0MB

Download
memory/2356-41-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2356-35-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2356-38-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2356-39-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads