redline | fb6a3cbde48f761e1594867e1d6d4f18cc25b00335c3d1182317e138d79aafdb

General

Target

hw7Yo5ND.exe
Size

759KB
MD5

bab1ff48ecae0b1a281bd0ba789d6ee7
SHA1

ca7429dd43749032040b8726e4fa26b97f04604e
SHA256

fb6a3cbde48f761e1594867e1d6d4f18cc25b00335c3d1182317e138d79aafdb
SHA512

af313f7085df2f8bfc3a2773ab9c67d8da4c9dbcbf19260ee9b81f5ec363c528bd70decd9ef8dabe4295f9c5b9c68e63109a65f9d69df10bb14c1a8ca0fe979b
SSDEEP

12288:xMr/y90q7MAHfIK0fESp4gFh1u39pdBMlsANg2hkRutRhNejsYj:yyDDBeXu39VKHHhYL

Score

10^/10

redline kinza infostealer persistence

Malware Config

Extracted

Family

redline

Botnet

kinza

C2

77.91.124.86:19084

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 3 IoCs

resource	yara_rule
behavioral2/files/0x000600000001abc1-18.dat	family_redline
behavioral2/files/0x000600000001abc1-19.dat	family_redline
behavioral2/memory/4876-24-0x00000000009A0000-0x00000000009DE000-memory.dmp	family_redline

Executes dropped EXE 3 IoCs

pid	Process
316	wU8dh8Mi.exe
2956	1nk27tB2.exe
4876	2eG018oW.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	hw7Yo5ND.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	wU8dh8Mi.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2956 set thread context of 1292	2956	1nk27tB2.exe	73

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4072	1292	WerFault.exe	73

Suspicious use of WriteProcessMemory 19 IoCs

description	pid	Process	procid_target
PID 2096 wrote to memory of 316	2096	hw7Yo5ND.exe	71
PID 2096 wrote to memory of 316	2096	hw7Yo5ND.exe	71
PID 2096 wrote to memory of 316	2096	hw7Yo5ND.exe	71
PID 316 wrote to memory of 2956	316	wU8dh8Mi.exe	72
PID 316 wrote to memory of 2956	316	wU8dh8Mi.exe	72
PID 316 wrote to memory of 2956	316	wU8dh8Mi.exe	72
PID 2956 wrote to memory of 1292	2956	1nk27tB2.exe	73
PID 2956 wrote to memory of 1292	2956	1nk27tB2.exe	73
PID 2956 wrote to memory of 1292	2956	1nk27tB2.exe	73
PID 2956 wrote to memory of 1292	2956	1nk27tB2.exe	73
PID 2956 wrote to memory of 1292	2956	1nk27tB2.exe	73
PID 2956 wrote to memory of 1292	2956	1nk27tB2.exe	73
PID 2956 wrote to memory of 1292	2956	1nk27tB2.exe	73
PID 2956 wrote to memory of 1292	2956	1nk27tB2.exe	73
PID 2956 wrote to memory of 1292	2956	1nk27tB2.exe	73
PID 2956 wrote to memory of 1292	2956	1nk27tB2.exe	73
PID 316 wrote to memory of 4876	316	wU8dh8Mi.exe	74
PID 316 wrote to memory of 4876	316	wU8dh8Mi.exe	74
PID 316 wrote to memory of 4876	316	wU8dh8Mi.exe	74

C:\Users\Admin\AppData\Local\Temp\hw7Yo5ND.exe
"C:\Users\Admin\AppData\Local\Temp\hw7Yo5ND.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2096
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\wU8dh8Mi.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\wU8dh8Mi.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:316
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1nk27tB2.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1nk27tB2.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:2956
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
      4⤵
      PID:1292
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1292 -s 568
        5⤵
        Program crash
        
        PID:4072
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2eG018oW.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2eG018oW.exe
    3⤵
    - Executes dropped EXE
    PID:4876

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\wU8dh8Mi.exe

Filesize
562KB

MD5
a780efeac40cad16d03ccf30f2ffd0c6

SHA1
5ee15d66cb6178458b1a25e293fd5e5077e1b3d9

SHA256
0be9659e6e09699e082c11596f8ee470aa0102b0e5ed305084b66e882c429943

SHA512
619c42c8a563f5cd312e59c4e3d0e283036aea79c1a82bd2d85e2de0b161f6f160b2e6917f0342209a437cae73d7947295bc7dd9fcf533cb463d0900e9264237

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\wU8dh8Mi.exe

Filesize
562KB

MD5
a780efeac40cad16d03ccf30f2ffd0c6

SHA1
5ee15d66cb6178458b1a25e293fd5e5077e1b3d9

SHA256
0be9659e6e09699e082c11596f8ee470aa0102b0e5ed305084b66e882c429943

SHA512
619c42c8a563f5cd312e59c4e3d0e283036aea79c1a82bd2d85e2de0b161f6f160b2e6917f0342209a437cae73d7947295bc7dd9fcf533cb463d0900e9264237

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1nk27tB2.exe

Filesize
1.1MB

MD5
b14d236952119c720e5dd5981abcf5ac

SHA1
5fe5e42551f0339ee787f0e14c4b0d347031cbcc

SHA256
587a9ec0924567e8ae88d08796671f0f6a39fb31cd7e53fe268fc7b83f3af1f6

SHA512
dc2c37208b00c4188b05285d70735497407a3217ed4218fed6a7ff716994e59004ae6f824538a01b2dc82e540f91bf53aa5e51905fc7f59c414b997870fcbda8

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1nk27tB2.exe

Filesize
1.1MB

MD5
b14d236952119c720e5dd5981abcf5ac

SHA1
5fe5e42551f0339ee787f0e14c4b0d347031cbcc

SHA256
587a9ec0924567e8ae88d08796671f0f6a39fb31cd7e53fe268fc7b83f3af1f6

SHA512
dc2c37208b00c4188b05285d70735497407a3217ed4218fed6a7ff716994e59004ae6f824538a01b2dc82e540f91bf53aa5e51905fc7f59c414b997870fcbda8

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2eG018oW.exe

Filesize
222KB

MD5
e1d43903e5396bc3b1d143cfadaf7693

SHA1
7b67e4585f63f4baaf4683b0e39e165d4a4e4e93

SHA256
a009fc393810bbad02dace622918c88c1991eb21b3a1a81f54ae535f76b72af9

SHA512
12dd9dea9823bcd4a5914a878ffca5c6e8a985686dc9723489a96aff8456abb17face1162ba98ff1d853468446f36cca08271000711950689847cf51590aa01a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2eG018oW.exe

Filesize
222KB

MD5
e1d43903e5396bc3b1d143cfadaf7693

SHA1
7b67e4585f63f4baaf4683b0e39e165d4a4e4e93

SHA256
a009fc393810bbad02dace622918c88c1991eb21b3a1a81f54ae535f76b72af9

SHA512
12dd9dea9823bcd4a5914a878ffca5c6e8a985686dc9723489a96aff8456abb17face1162ba98ff1d853468446f36cca08271000711950689847cf51590aa01a

Download Submit
memory/1292-14-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1292-20-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1292-21-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1292-23-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4876-24-0x00000000009A0000-0x00000000009DE000-memory.dmp

Filesize
248KB

Download
memory/4876-25-0x0000000073820000-0x0000000073F0E000-memory.dmp

Filesize
6.9MB

Download
memory/4876-26-0x0000000007B90000-0x000000000808E000-memory.dmp

Filesize
5.0MB

Download
memory/4876-27-0x0000000007730000-0x00000000077C2000-memory.dmp

Filesize
584KB

Download
memory/4876-28-0x0000000007710000-0x000000000771A000-memory.dmp

Filesize
40KB

Download
memory/4876-29-0x00000000086A0000-0x0000000008CA6000-memory.dmp

Filesize
6.0MB

Download
memory/4876-30-0x00000000081A0000-0x00000000082AA000-memory.dmp

Filesize
1.0MB

Download
memory/4876-31-0x0000000007AA0000-0x0000000007AB2000-memory.dmp

Filesize
72KB

Download
memory/4876-32-0x0000000007B10000-0x0000000007B4E000-memory.dmp

Filesize
248KB

Download
memory/4876-33-0x0000000008090000-0x00000000080DB000-memory.dmp

Filesize
300KB

Download
memory/4876-34-0x0000000073820000-0x0000000073F0E000-memory.dmp

Filesize
6.9MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads