redline | 83d9e7c1c3b638aa1f8774ee5de4d03177b011f661dd5a626d2a3475cb0d3abf

Analysis

max time kernel
291s
max time network
299s
platform
windows10-1703_x64
resource
win10-20231020-en
resource tags

arch:x64arch:x86image:win10-20231020-enlocale:en-usos:windows10-1703-x64system
submitted
30/10/2023, 04:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

83d9e7c1c3b638aa1f8774ee5de4d03177b011f661dd5a626d2a3475cb0d3abf.exe
Size

1.5MB
MD5

04310ee5dff8c0090049f107335f2383
SHA1

7d91ccc94cb8410133326d77c7179d799c0a20a7
SHA256

83d9e7c1c3b638aa1f8774ee5de4d03177b011f661dd5a626d2a3475cb0d3abf
SHA512

b58a1161269ba8278844a000b9383b9b10b556b9871ad96056615c24f2941c0be05912909384ce23636772a7d03e344fd827f01be1d625f02599b2a96a8c055a
SSDEEP

24576:myjbD5ZJ0cE1ZqNRjw+XAtt+XFh6FAur4WP7Xgx0ds44vrgb3euMvqQDm4IZXd:1jb9P/qZqfw+r7IYGx4vWOunsm4IZX

Score

10^/10

redline kinza infostealer persistence

Malware Config

Extracted

Family

redline

Botnet

kinza

77.91.124.86:19084

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 3 IoCs

resource	yara_rule
behavioral2/files/0x000600000001abec-41.dat	family_redline
behavioral2/files/0x000600000001abec-44.dat	family_redline
behavioral2/memory/4144-45-0x00000000006F0000-0x000000000072E000-memory.dmp	family_redline

Executes dropped EXE 6 IoCs

pid	Process
2296	qY4Mn7uV.exe
368	ql4AI4lx.exe
1428	PC1cQ4eU.exe
4692	Hc5rb7Tq.exe
1160	1WH82Ow5.exe
4144	2za053eb.exe

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	qY4Mn7uV.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	ql4AI4lx.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	PC1cQ4eU.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\""	Hc5rb7Tq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	83d9e7c1c3b638aa1f8774ee5de4d03177b011f661dd5a626d2a3475cb0d3abf.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1160 set thread context of 4388	1160	1WH82Ow5.exe	77

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4172	4388	WerFault.exe	77

Suspicious use of WriteProcessMemory 28 IoCs

description	pid	Process	procid_target
PID 2716 wrote to memory of 2296	2716	83d9e7c1c3b638aa1f8774ee5de4d03177b011f661dd5a626d2a3475cb0d3abf.exe	72
PID 2716 wrote to memory of 2296	2716	83d9e7c1c3b638aa1f8774ee5de4d03177b011f661dd5a626d2a3475cb0d3abf.exe	72
PID 2716 wrote to memory of 2296	2716	83d9e7c1c3b638aa1f8774ee5de4d03177b011f661dd5a626d2a3475cb0d3abf.exe	72
PID 2296 wrote to memory of 368	2296	qY4Mn7uV.exe	73
PID 2296 wrote to memory of 368	2296	qY4Mn7uV.exe	73
PID 2296 wrote to memory of 368	2296	qY4Mn7uV.exe	73
PID 368 wrote to memory of 1428	368	ql4AI4lx.exe	74
PID 368 wrote to memory of 1428	368	ql4AI4lx.exe	74
PID 368 wrote to memory of 1428	368	ql4AI4lx.exe	74
PID 1428 wrote to memory of 4692	1428	PC1cQ4eU.exe	75
PID 1428 wrote to memory of 4692	1428	PC1cQ4eU.exe	75
PID 1428 wrote to memory of 4692	1428	PC1cQ4eU.exe	75
PID 4692 wrote to memory of 1160	4692	Hc5rb7Tq.exe	76
PID 4692 wrote to memory of 1160	4692	Hc5rb7Tq.exe	76
PID 4692 wrote to memory of 1160	4692	Hc5rb7Tq.exe	76
PID 1160 wrote to memory of 4388	1160	1WH82Ow5.exe	77
PID 1160 wrote to memory of 4388	1160	1WH82Ow5.exe	77
PID 1160 wrote to memory of 4388	1160	1WH82Ow5.exe	77
PID 1160 wrote to memory of 4388	1160	1WH82Ow5.exe	77
PID 1160 wrote to memory of 4388	1160	1WH82Ow5.exe	77
PID 1160 wrote to memory of 4388	1160	1WH82Ow5.exe	77
PID 1160 wrote to memory of 4388	1160	1WH82Ow5.exe	77
PID 1160 wrote to memory of 4388	1160	1WH82Ow5.exe	77
PID 1160 wrote to memory of 4388	1160	1WH82Ow5.exe	77
PID 1160 wrote to memory of 4388	1160	1WH82Ow5.exe	77
PID 4692 wrote to memory of 4144	4692	Hc5rb7Tq.exe	78
PID 4692 wrote to memory of 4144	4692	Hc5rb7Tq.exe	78
PID 4692 wrote to memory of 4144	4692	Hc5rb7Tq.exe	78

C:\Users\Admin\AppData\Local\Temp\83d9e7c1c3b638aa1f8774ee5de4d03177b011f661dd5a626d2a3475cb0d3abf.exe
"C:\Users\Admin\AppData\Local\Temp\83d9e7c1c3b638aa1f8774ee5de4d03177b011f661dd5a626d2a3475cb0d3abf.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2716
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\qY4Mn7uV.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\qY4Mn7uV.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:2296
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ql4AI4lx.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ql4AI4lx.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:368
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\PC1cQ4eU.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\PC1cQ4eU.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:1428
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\Hc5rb7Tq.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\Hc5rb7Tq.exe
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of WriteProcessMemory
        
        PID:4692
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1WH82Ow5.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1WH82Ow5.exe
        6⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:1160
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        7⤵
        
        PID:4388
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4388 -s 568
        8⤵
        Program crash
        
        PID:4172
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2za053eb.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2za053eb.exe
        6⤵
        Executes dropped EXE
        
        PID:4144

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\qY4Mn7uV.exe

Filesize
1.3MB

MD5
de7d8d1ea9ec74fca10fd63873b1fde4

SHA1
4c951da991a818ce7f8abe42f63ffb431a852a47

SHA256
c68d91a00fd95a921391069a12b7eba5c82ab3db1e6c4d5868561527424cf5d2

SHA512
e32819236f4147eae4ab734405e3a1807697cdfbd063587f42a5bb9914dd9f4bfc98f73a0b4e917da72bf0a2da8782a93fe0d151697a19db47d23d323e60f53f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\qY4Mn7uV.exe

Filesize
1.3MB

MD5
de7d8d1ea9ec74fca10fd63873b1fde4

SHA1
4c951da991a818ce7f8abe42f63ffb431a852a47

SHA256
c68d91a00fd95a921391069a12b7eba5c82ab3db1e6c4d5868561527424cf5d2

SHA512
e32819236f4147eae4ab734405e3a1807697cdfbd063587f42a5bb9914dd9f4bfc98f73a0b4e917da72bf0a2da8782a93fe0d151697a19db47d23d323e60f53f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ql4AI4lx.exe

Filesize
1.1MB

MD5
0fd35865f2ff38ef0b2a7557783a6796

SHA1
9260d128ca06bc9de01d04e639a0f18742d6e5e1

SHA256
53b1249e9d9afe8c9a6787f2d5c1a5eaebee6363f88c12becf24604881a2a8a0

SHA512
421cf57b5c8d8a5d5f65b1a06d70f03529197e1e8075c9054133b393aba0ff889e79329823ae2cca2e151b0ceb2e91c0d4009f41abf3634339324b23c6017b05

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ql4AI4lx.exe

Filesize
1.1MB

MD5
0fd35865f2ff38ef0b2a7557783a6796

SHA1
9260d128ca06bc9de01d04e639a0f18742d6e5e1

SHA256
53b1249e9d9afe8c9a6787f2d5c1a5eaebee6363f88c12becf24604881a2a8a0

SHA512
421cf57b5c8d8a5d5f65b1a06d70f03529197e1e8075c9054133b393aba0ff889e79329823ae2cca2e151b0ceb2e91c0d4009f41abf3634339324b23c6017b05

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\PC1cQ4eU.exe

Filesize
758KB

MD5
822fc73dceef68450e63c8ffe3c7227d

SHA1
a581ff6b0c412b981c40d8b159b0fe18c7c4c0a2

SHA256
fb7b90b5efe166cd2ed9d64da672c47868db1d58888d322ed7f60dcbca0f3e00

SHA512
4308a9434c6ef593e881f5e29c066095e42301c148546a325817b215bafd350cbc62f745ba94221a7bfa767c67055c38e22f235aa795c6ae7b75864ca3a821d9

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\PC1cQ4eU.exe

Filesize
758KB

MD5
822fc73dceef68450e63c8ffe3c7227d

SHA1
a581ff6b0c412b981c40d8b159b0fe18c7c4c0a2

SHA256
fb7b90b5efe166cd2ed9d64da672c47868db1d58888d322ed7f60dcbca0f3e00

SHA512
4308a9434c6ef593e881f5e29c066095e42301c148546a325817b215bafd350cbc62f745ba94221a7bfa767c67055c38e22f235aa795c6ae7b75864ca3a821d9

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\Hc5rb7Tq.exe

Filesize
561KB

MD5
fab733b539aa3c3ac0cddd441d7e8f37

SHA1
79cfc82ea52d2c4cc4cd64e1915c972649638ebc

SHA256
ef58253f199184ed57dde0b38b4cf772b5c81eaa8c9736b36f03f9fa06c7d745

SHA512
e85ea4acc23209df4ab0d2752e605417919779db685d4180ce474ab4ee71f0ec2f97f8f49c8c03cd144d3cccc723b4dc83405c52c8b7d64ec1aa211beb7896e9

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\Hc5rb7Tq.exe

Filesize
561KB

MD5
fab733b539aa3c3ac0cddd441d7e8f37

SHA1
79cfc82ea52d2c4cc4cd64e1915c972649638ebc

SHA256
ef58253f199184ed57dde0b38b4cf772b5c81eaa8c9736b36f03f9fa06c7d745

SHA512
e85ea4acc23209df4ab0d2752e605417919779db685d4180ce474ab4ee71f0ec2f97f8f49c8c03cd144d3cccc723b4dc83405c52c8b7d64ec1aa211beb7896e9

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1WH82Ow5.exe

Filesize
1.1MB

MD5
7e88670e893f284a13a2d88af7295317

SHA1
4bc0d76245e9d6ca8fe69daa23c46b2b8f770f1a

SHA256
d5e9e8612572f4586bc94b4475503558b7c4cd9329d3ade5b86f45018957deb9

SHA512
01541840ee2aa44de1f5f41bee31409560c481c10ed07d854239c0c9bdb648c86857a6a83a907e23f3b2865043b175689aa5f4f13fd0fd5f5444756b9ddfcdc2

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1WH82Ow5.exe

Filesize
1.1MB

MD5
7e88670e893f284a13a2d88af7295317

SHA1
4bc0d76245e9d6ca8fe69daa23c46b2b8f770f1a

SHA256
d5e9e8612572f4586bc94b4475503558b7c4cd9329d3ade5b86f45018957deb9

SHA512
01541840ee2aa44de1f5f41bee31409560c481c10ed07d854239c0c9bdb648c86857a6a83a907e23f3b2865043b175689aa5f4f13fd0fd5f5444756b9ddfcdc2

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2za053eb.exe

Filesize
222KB

MD5
d27718b2b8e3a68e34cdf5b8c5745c92

SHA1
3bcfe95420a8bb5f387ea2c4cd203f31880e9b82

SHA256
0fffc640bb6d1d8077798e39c9685d3acdd62278c9c9df306eab4982d9ddb894

SHA512
5ea1e77f86b2189895db6d33062ceb7adb7e39582281fe456ee806b8211a861364d3cbca641ebac3bc369d166ccded35ef6b8df6259bbd5366fcd5a6acd8b2ad

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2za053eb.exe

Filesize
222KB

MD5
d27718b2b8e3a68e34cdf5b8c5745c92

SHA1
3bcfe95420a8bb5f387ea2c4cd203f31880e9b82

SHA256
0fffc640bb6d1d8077798e39c9685d3acdd62278c9c9df306eab4982d9ddb894

SHA512
5ea1e77f86b2189895db6d33062ceb7adb7e39582281fe456ee806b8211a861364d3cbca641ebac3bc369d166ccded35ef6b8df6259bbd5366fcd5a6acd8b2ad

Download Submit
memory/4144-52-0x00000000076C0000-0x00000000076D2000-memory.dmp

Filesize
72KB

Download
memory/4144-51-0x0000000007790000-0x000000000789A000-memory.dmp

Filesize
1.0MB

Download
memory/4144-55-0x0000000072FF0000-0x00000000736DE000-memory.dmp

Filesize
6.9MB

Download
memory/4144-54-0x00000000078A0000-0x00000000078EB000-memory.dmp

Filesize
300KB

Download
memory/4144-45-0x00000000006F0000-0x000000000072E000-memory.dmp

Filesize
248KB

Download
memory/4144-46-0x0000000072FF0000-0x00000000736DE000-memory.dmp

Filesize
6.9MB

Download
memory/4144-53-0x0000000007720000-0x000000000775E000-memory.dmp

Filesize
248KB

Download
memory/4144-49-0x00000000075E0000-0x00000000075EA000-memory.dmp

Filesize
40KB

Download
memory/4144-47-0x0000000007980000-0x0000000007E7E000-memory.dmp

Filesize
5.0MB

Download
memory/4144-50-0x0000000008490000-0x0000000008A96000-memory.dmp

Filesize
6.0MB

Download
memory/4144-48-0x0000000007480000-0x0000000007512000-memory.dmp

Filesize
584KB

Download
memory/4388-38-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4388-40-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4388-43-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4388-35-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads