redline | fb6a3cbde48f761e1594867e1d6d4f18cc25b00335c3d1182317e138d79aafdb

Analysis

max time kernel
291s
max time network
300s
platform
windows7_x64
resource
win7-20231023-en
resource tags

arch:x64arch:x86image:win7-20231023-enlocale:en-usos:windows7-x64system
submitted
30/10/2023, 05:02

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

hw7Yo5ND.exe
Size

759KB
MD5

bab1ff48ecae0b1a281bd0ba789d6ee7
SHA1

ca7429dd43749032040b8726e4fa26b97f04604e
SHA256

fb6a3cbde48f761e1594867e1d6d4f18cc25b00335c3d1182317e138d79aafdb
SHA512

af313f7085df2f8bfc3a2773ab9c67d8da4c9dbcbf19260ee9b81f5ec363c528bd70decd9ef8dabe4295f9c5b9c68e63109a65f9d69df10bb14c1a8ca0fe979b
SSDEEP

12288:xMr/y90q7MAHfIK0fESp4gFh1u39pdBMlsANg2hkRutRhNejsYj:yyDDBeXu39VKHHhYL

Score

10^/10

redline kinza infostealer persistence

Malware Config

Extracted

Family

redline

Botnet

kinza

77.91.124.86:19084

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 5 IoCs

resource	yara_rule
behavioral1/files/0x0007000000015e3c-41.dat	family_redline
behavioral1/files/0x0007000000015e3c-36.dat	family_redline
behavioral1/files/0x0007000000015e3c-44.dat	family_redline
behavioral1/files/0x0007000000015e3c-43.dat	family_redline
behavioral1/memory/2796-45-0x0000000001240000-0x000000000127E000-memory.dmp	family_redline

Executes dropped EXE 3 IoCs

pid	Process
2572	wU8dh8Mi.exe
3064	1nk27tB2.exe
2796	2eG018oW.exe

Loads dropped DLL 7 IoCs

pid	Process
1984	hw7Yo5ND.exe
2572	wU8dh8Mi.exe
2572	wU8dh8Mi.exe
2572	wU8dh8Mi.exe
3064	1nk27tB2.exe
2572	wU8dh8Mi.exe
2796	2eG018oW.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	wU8dh8Mi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	hw7Yo5ND.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 3064 set thread context of 2776	3064	1nk27tB2.exe	30

Suspicious use of WriteProcessMemory 35 IoCs

description	pid	Process	procid_target
PID 1984 wrote to memory of 2572	1984	hw7Yo5ND.exe	28
PID 1984 wrote to memory of 2572	1984	hw7Yo5ND.exe	28
PID 1984 wrote to memory of 2572	1984	hw7Yo5ND.exe	28
PID 1984 wrote to memory of 2572	1984	hw7Yo5ND.exe	28
PID 1984 wrote to memory of 2572	1984	hw7Yo5ND.exe	28
PID 1984 wrote to memory of 2572	1984	hw7Yo5ND.exe	28
PID 1984 wrote to memory of 2572	1984	hw7Yo5ND.exe	28
PID 2572 wrote to memory of 3064	2572	wU8dh8Mi.exe	29
PID 2572 wrote to memory of 3064	2572	wU8dh8Mi.exe	29
PID 2572 wrote to memory of 3064	2572	wU8dh8Mi.exe	29
PID 2572 wrote to memory of 3064	2572	wU8dh8Mi.exe	29
PID 2572 wrote to memory of 3064	2572	wU8dh8Mi.exe	29
PID 2572 wrote to memory of 3064	2572	wU8dh8Mi.exe	29
PID 2572 wrote to memory of 3064	2572	wU8dh8Mi.exe	29
PID 3064 wrote to memory of 2776	3064	1nk27tB2.exe	30
PID 3064 wrote to memory of 2776	3064	1nk27tB2.exe	30
PID 3064 wrote to memory of 2776	3064	1nk27tB2.exe	30
PID 3064 wrote to memory of 2776	3064	1nk27tB2.exe	30
PID 3064 wrote to memory of 2776	3064	1nk27tB2.exe	30
PID 3064 wrote to memory of 2776	3064	1nk27tB2.exe	30
PID 3064 wrote to memory of 2776	3064	1nk27tB2.exe	30
PID 3064 wrote to memory of 2776	3064	1nk27tB2.exe	30
PID 3064 wrote to memory of 2776	3064	1nk27tB2.exe	30
PID 3064 wrote to memory of 2776	3064	1nk27tB2.exe	30
PID 3064 wrote to memory of 2776	3064	1nk27tB2.exe	30
PID 3064 wrote to memory of 2776	3064	1nk27tB2.exe	30
PID 3064 wrote to memory of 2776	3064	1nk27tB2.exe	30
PID 3064 wrote to memory of 2776	3064	1nk27tB2.exe	30
PID 2572 wrote to memory of 2796	2572	wU8dh8Mi.exe	31
PID 2572 wrote to memory of 2796	2572	wU8dh8Mi.exe	31
PID 2572 wrote to memory of 2796	2572	wU8dh8Mi.exe	31
PID 2572 wrote to memory of 2796	2572	wU8dh8Mi.exe	31
PID 2572 wrote to memory of 2796	2572	wU8dh8Mi.exe	31
PID 2572 wrote to memory of 2796	2572	wU8dh8Mi.exe	31
PID 2572 wrote to memory of 2796	2572	wU8dh8Mi.exe	31

C:\Users\Admin\AppData\Local\Temp\hw7Yo5ND.exe
"C:\Users\Admin\AppData\Local\Temp\hw7Yo5ND.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1984
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\wU8dh8Mi.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\wU8dh8Mi.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:2572
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1nk27tB2.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1nk27tB2.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:3064
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
      4⤵
      PID:2776
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2eG018oW.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2eG018oW.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:2796

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\wU8dh8Mi.exe

Filesize
562KB

MD5
a780efeac40cad16d03ccf30f2ffd0c6

SHA1
5ee15d66cb6178458b1a25e293fd5e5077e1b3d9

SHA256
0be9659e6e09699e082c11596f8ee470aa0102b0e5ed305084b66e882c429943

SHA512
619c42c8a563f5cd312e59c4e3d0e283036aea79c1a82bd2d85e2de0b161f6f160b2e6917f0342209a437cae73d7947295bc7dd9fcf533cb463d0900e9264237

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\wU8dh8Mi.exe

Filesize
562KB

MD5
a780efeac40cad16d03ccf30f2ffd0c6

SHA1
5ee15d66cb6178458b1a25e293fd5e5077e1b3d9

SHA256
0be9659e6e09699e082c11596f8ee470aa0102b0e5ed305084b66e882c429943

SHA512
619c42c8a563f5cd312e59c4e3d0e283036aea79c1a82bd2d85e2de0b161f6f160b2e6917f0342209a437cae73d7947295bc7dd9fcf533cb463d0900e9264237

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1nk27tB2.exe

Filesize
1.1MB

MD5
b14d236952119c720e5dd5981abcf5ac

SHA1
5fe5e42551f0339ee787f0e14c4b0d347031cbcc

SHA256
587a9ec0924567e8ae88d08796671f0f6a39fb31cd7e53fe268fc7b83f3af1f6

SHA512
dc2c37208b00c4188b05285d70735497407a3217ed4218fed6a7ff716994e59004ae6f824538a01b2dc82e540f91bf53aa5e51905fc7f59c414b997870fcbda8

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1nk27tB2.exe

Filesize
1.1MB

MD5
b14d236952119c720e5dd5981abcf5ac

SHA1
5fe5e42551f0339ee787f0e14c4b0d347031cbcc

SHA256
587a9ec0924567e8ae88d08796671f0f6a39fb31cd7e53fe268fc7b83f3af1f6

SHA512
dc2c37208b00c4188b05285d70735497407a3217ed4218fed6a7ff716994e59004ae6f824538a01b2dc82e540f91bf53aa5e51905fc7f59c414b997870fcbda8

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1nk27tB2.exe

Filesize
1.1MB

MD5
b14d236952119c720e5dd5981abcf5ac

SHA1
5fe5e42551f0339ee787f0e14c4b0d347031cbcc

SHA256
587a9ec0924567e8ae88d08796671f0f6a39fb31cd7e53fe268fc7b83f3af1f6

SHA512
dc2c37208b00c4188b05285d70735497407a3217ed4218fed6a7ff716994e59004ae6f824538a01b2dc82e540f91bf53aa5e51905fc7f59c414b997870fcbda8

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2eG018oW.exe

Filesize
222KB

MD5
e1d43903e5396bc3b1d143cfadaf7693

SHA1
7b67e4585f63f4baaf4683b0e39e165d4a4e4e93

SHA256
a009fc393810bbad02dace622918c88c1991eb21b3a1a81f54ae535f76b72af9

SHA512
12dd9dea9823bcd4a5914a878ffca5c6e8a985686dc9723489a96aff8456abb17face1162ba98ff1d853468446f36cca08271000711950689847cf51590aa01a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2eG018oW.exe

Filesize
222KB

MD5
e1d43903e5396bc3b1d143cfadaf7693

SHA1
7b67e4585f63f4baaf4683b0e39e165d4a4e4e93

SHA256
a009fc393810bbad02dace622918c88c1991eb21b3a1a81f54ae535f76b72af9

SHA512
12dd9dea9823bcd4a5914a878ffca5c6e8a985686dc9723489a96aff8456abb17face1162ba98ff1d853468446f36cca08271000711950689847cf51590aa01a

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\wU8dh8Mi.exe

Filesize
562KB

MD5
a780efeac40cad16d03ccf30f2ffd0c6

SHA1
5ee15d66cb6178458b1a25e293fd5e5077e1b3d9

SHA256
0be9659e6e09699e082c11596f8ee470aa0102b0e5ed305084b66e882c429943

SHA512
619c42c8a563f5cd312e59c4e3d0e283036aea79c1a82bd2d85e2de0b161f6f160b2e6917f0342209a437cae73d7947295bc7dd9fcf533cb463d0900e9264237

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\wU8dh8Mi.exe

Filesize
562KB

MD5
a780efeac40cad16d03ccf30f2ffd0c6

SHA1
5ee15d66cb6178458b1a25e293fd5e5077e1b3d9

SHA256
0be9659e6e09699e082c11596f8ee470aa0102b0e5ed305084b66e882c429943

SHA512
619c42c8a563f5cd312e59c4e3d0e283036aea79c1a82bd2d85e2de0b161f6f160b2e6917f0342209a437cae73d7947295bc7dd9fcf533cb463d0900e9264237

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\1nk27tB2.exe

Filesize
1.1MB

MD5
b14d236952119c720e5dd5981abcf5ac

SHA1
5fe5e42551f0339ee787f0e14c4b0d347031cbcc

SHA256
587a9ec0924567e8ae88d08796671f0f6a39fb31cd7e53fe268fc7b83f3af1f6

SHA512
dc2c37208b00c4188b05285d70735497407a3217ed4218fed6a7ff716994e59004ae6f824538a01b2dc82e540f91bf53aa5e51905fc7f59c414b997870fcbda8

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\1nk27tB2.exe

Filesize
1.1MB

MD5
b14d236952119c720e5dd5981abcf5ac

SHA1
5fe5e42551f0339ee787f0e14c4b0d347031cbcc

SHA256
587a9ec0924567e8ae88d08796671f0f6a39fb31cd7e53fe268fc7b83f3af1f6

SHA512
dc2c37208b00c4188b05285d70735497407a3217ed4218fed6a7ff716994e59004ae6f824538a01b2dc82e540f91bf53aa5e51905fc7f59c414b997870fcbda8

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\1nk27tB2.exe

Filesize
1.1MB

MD5
b14d236952119c720e5dd5981abcf5ac

SHA1
5fe5e42551f0339ee787f0e14c4b0d347031cbcc

SHA256
587a9ec0924567e8ae88d08796671f0f6a39fb31cd7e53fe268fc7b83f3af1f6

SHA512
dc2c37208b00c4188b05285d70735497407a3217ed4218fed6a7ff716994e59004ae6f824538a01b2dc82e540f91bf53aa5e51905fc7f59c414b997870fcbda8

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\2eG018oW.exe

Filesize
222KB

MD5
e1d43903e5396bc3b1d143cfadaf7693

SHA1
7b67e4585f63f4baaf4683b0e39e165d4a4e4e93

SHA256
a009fc393810bbad02dace622918c88c1991eb21b3a1a81f54ae535f76b72af9

SHA512
12dd9dea9823bcd4a5914a878ffca5c6e8a985686dc9723489a96aff8456abb17face1162ba98ff1d853468446f36cca08271000711950689847cf51590aa01a

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\2eG018oW.exe

Filesize
222KB

MD5
e1d43903e5396bc3b1d143cfadaf7693

SHA1
7b67e4585f63f4baaf4683b0e39e165d4a4e4e93

SHA256
a009fc393810bbad02dace622918c88c1991eb21b3a1a81f54ae535f76b72af9

SHA512
12dd9dea9823bcd4a5914a878ffca5c6e8a985686dc9723489a96aff8456abb17face1162ba98ff1d853468446f36cca08271000711950689847cf51590aa01a

Download Submit
memory/2776-27-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2776-31-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2776-32-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

Filesize
4KB

Download
memory/2776-33-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2776-35-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2776-38-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2776-30-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2776-29-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2776-25-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2776-23-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2776-42-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2776-46-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2796-45-0x0000000001240000-0x000000000127E000-memory.dmp

Filesize
248KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads