redline | abe75a1220aab2d6ccf117f72f21159cc37b36a3112819e026a8193a6cc99a2b

Analysis

max time kernel
139s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20231023-en
resource tags

arch:x64arch:x86image:win10v2004-20231023-enlocale:en-usos:windows10-2004-x64system
submitted
31/10/2023, 21:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

566423477686c57b22294736bf72fff582d7b0b96459926f7eca3ec710173319.exe
Size

1.5MB
MD5

10f1fd1abdb61d0d9b6c6825a1b0f4f5
SHA1

53bbb16bda921f2136de280de9034ae6e80fab81
SHA256

566423477686c57b22294736bf72fff582d7b0b96459926f7eca3ec710173319
SHA512

033d08d69ce2073c993600b0ab1fbc84ebabf0e7b733e95f1e1ba475ff679c0d768a84c5ef32a763ef360bd71882252bd33a9b5ec633b864fbd3ac2caf759f8f
SSDEEP

24576:1yO8rCrutFCFzjyYMS3ko4WrLa3LB26TP6+LwSq5GTjULga:QtrGfFzjyYMTo4MWbB26ToSq5G

Score

10^/10

redline kinza infostealer persistence

Malware Config

Extracted

Family

redline

Botnet

kinza

77.91.124.86:19084

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 3 IoCs

resource	yara_rule
behavioral1/files/0x0006000000022d87-41.dat	family_redline
behavioral1/files/0x0006000000022d87-42.dat	family_redline
behavioral1/memory/4696-43-0x0000000000C30000-0x0000000000C6E000-memory.dmp	family_redline

Executes dropped EXE 6 IoCs

pid	Process
3408	Uq7gT2KV.exe
860	WE3eY0UU.exe
1720	gW2MD8EO.exe
1648	py1Wp9IN.exe
2332	1MK91Oi8.exe
4696	2gw713HB.exe

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	566423477686c57b22294736bf72fff582d7b0b96459926f7eca3ec710173319.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	Uq7gT2KV.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	WE3eY0UU.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	gW2MD8EO.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\""	py1Wp9IN.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2332 set thread context of 4452	2332	1MK91Oi8.exe	92

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4060	4452	WerFault.exe	92

Suspicious use of WriteProcessMemory 28 IoCs

description	pid	Process	procid_target
PID 2224 wrote to memory of 3408	2224	566423477686c57b22294736bf72fff582d7b0b96459926f7eca3ec710173319.exe	85
PID 2224 wrote to memory of 3408	2224	566423477686c57b22294736bf72fff582d7b0b96459926f7eca3ec710173319.exe	85
PID 2224 wrote to memory of 3408	2224	566423477686c57b22294736bf72fff582d7b0b96459926f7eca3ec710173319.exe	85
PID 3408 wrote to memory of 860	3408	Uq7gT2KV.exe	87
PID 3408 wrote to memory of 860	3408	Uq7gT2KV.exe	87
PID 3408 wrote to memory of 860	3408	Uq7gT2KV.exe	87
PID 860 wrote to memory of 1720	860	WE3eY0UU.exe	88
PID 860 wrote to memory of 1720	860	WE3eY0UU.exe	88
PID 860 wrote to memory of 1720	860	WE3eY0UU.exe	88
PID 1720 wrote to memory of 1648	1720	gW2MD8EO.exe	89
PID 1720 wrote to memory of 1648	1720	gW2MD8EO.exe	89
PID 1720 wrote to memory of 1648	1720	gW2MD8EO.exe	89
PID 1648 wrote to memory of 2332	1648	py1Wp9IN.exe	90
PID 1648 wrote to memory of 2332	1648	py1Wp9IN.exe	90
PID 1648 wrote to memory of 2332	1648	py1Wp9IN.exe	90
PID 2332 wrote to memory of 4452	2332	1MK91Oi8.exe	92
PID 2332 wrote to memory of 4452	2332	1MK91Oi8.exe	92
PID 2332 wrote to memory of 4452	2332	1MK91Oi8.exe	92
PID 2332 wrote to memory of 4452	2332	1MK91Oi8.exe	92
PID 2332 wrote to memory of 4452	2332	1MK91Oi8.exe	92
PID 2332 wrote to memory of 4452	2332	1MK91Oi8.exe	92
PID 2332 wrote to memory of 4452	2332	1MK91Oi8.exe	92
PID 2332 wrote to memory of 4452	2332	1MK91Oi8.exe	92
PID 2332 wrote to memory of 4452	2332	1MK91Oi8.exe	92
PID 2332 wrote to memory of 4452	2332	1MK91Oi8.exe	92
PID 1648 wrote to memory of 4696	1648	py1Wp9IN.exe	94
PID 1648 wrote to memory of 4696	1648	py1Wp9IN.exe	94
PID 1648 wrote to memory of 4696	1648	py1Wp9IN.exe	94

C:\Users\Admin\AppData\Local\Temp\566423477686c57b22294736bf72fff582d7b0b96459926f7eca3ec710173319.exe
"C:\Users\Admin\AppData\Local\Temp\566423477686c57b22294736bf72fff582d7b0b96459926f7eca3ec710173319.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2224
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Uq7gT2KV.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Uq7gT2KV.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:3408
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\WE3eY0UU.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\WE3eY0UU.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:860
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\gW2MD8EO.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\gW2MD8EO.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:1720
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\py1Wp9IN.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\py1Wp9IN.exe
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of WriteProcessMemory
        
        PID:1648
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1MK91Oi8.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1MK91Oi8.exe
        6⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:2332
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        7⤵
        
        PID:4452
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4452 -s 540
        8⤵
        Program crash
        
        PID:4060
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2gw713HB.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2gw713HB.exe
        6⤵
        Executes dropped EXE
        
        PID:4696

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4452 -ip 4452
1⤵
PID:116

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Uq7gT2KV.exe

Filesize
1.3MB

MD5
afd291f1b2477f3bf1f8887030ecaa29

SHA1
a860ea59f409e903102dc5350fb7cacfd6ea2a74

SHA256
edfaf7e3fdccf5c3c9d2c20d1702491f18773ddccf922d930ab7ecea8148c33a

SHA512
16611c2fdf0ca416a756900deb66bbc44271015013ef87eaa247ef1219b6dcda83b34a0fa0c8bd651adc0fde36ce18d305d5029a71f48646f49d9483838c6889

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Uq7gT2KV.exe

Filesize
1.3MB

MD5
afd291f1b2477f3bf1f8887030ecaa29

SHA1
a860ea59f409e903102dc5350fb7cacfd6ea2a74

SHA256
edfaf7e3fdccf5c3c9d2c20d1702491f18773ddccf922d930ab7ecea8148c33a

SHA512
16611c2fdf0ca416a756900deb66bbc44271015013ef87eaa247ef1219b6dcda83b34a0fa0c8bd651adc0fde36ce18d305d5029a71f48646f49d9483838c6889

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\WE3eY0UU.exe

Filesize
1.1MB

MD5
d478bf66b8273788327f25bb530188f7

SHA1
c9b4d72d5ee1d26514d445791aa462dac964f0e3

SHA256
dc5051b4b41524df3209f27bac3e0ede6ad73f00236cb26cb94f36df4855d146

SHA512
64c3031e1837ffb19f9b9cdc09090fadd72df220c73cd557e23893ddeb6e8b8bcbeda6bc5ca1845a81de438c9b0006f85c222d4343257b28cbc74079c7717b8f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\WE3eY0UU.exe

Filesize
1.1MB

MD5
d478bf66b8273788327f25bb530188f7

SHA1
c9b4d72d5ee1d26514d445791aa462dac964f0e3

SHA256
dc5051b4b41524df3209f27bac3e0ede6ad73f00236cb26cb94f36df4855d146

SHA512
64c3031e1837ffb19f9b9cdc09090fadd72df220c73cd557e23893ddeb6e8b8bcbeda6bc5ca1845a81de438c9b0006f85c222d4343257b28cbc74079c7717b8f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\gW2MD8EO.exe

Filesize
757KB

MD5
49428c358be538c00c239599d2de7730

SHA1
94ca8abb58a1eb00d7667f782dafc6daebb81e95

SHA256
b0ae63df425667fdd3c50eeec93186ac2e6513821e8421542cfb095f0886d912

SHA512
762644c853dfaac2909a25db23b653748c5dd601dabcf684315a2bbc01b01139b864f1bdaea022554a925c2e52455c0c687f360a37dbf177130edb627a7939cf

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\gW2MD8EO.exe

Filesize
757KB

MD5
49428c358be538c00c239599d2de7730

SHA1
94ca8abb58a1eb00d7667f782dafc6daebb81e95

SHA256
b0ae63df425667fdd3c50eeec93186ac2e6513821e8421542cfb095f0886d912

SHA512
762644c853dfaac2909a25db23b653748c5dd601dabcf684315a2bbc01b01139b864f1bdaea022554a925c2e52455c0c687f360a37dbf177130edb627a7939cf

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\py1Wp9IN.exe

Filesize
561KB

MD5
f05d61cbf45c124c053ac37787ccab6b

SHA1
bb4fd64170dbadbe6da0325839cf7e33af3c2057

SHA256
c86ac99309cc18091652f4e483a8a63717eee36d0251bca4fd8ca55e938f26a8

SHA512
9cb1d1ca1d4c4b2f0d83799c4591e337062903e1744e2f2761a34d80015c0d9c692dd024a9da9de85d22fd01b6b909fd5b634e8605320349b07bf6bf07bdaf49

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\py1Wp9IN.exe

Filesize
561KB

MD5
f05d61cbf45c124c053ac37787ccab6b

SHA1
bb4fd64170dbadbe6da0325839cf7e33af3c2057

SHA256
c86ac99309cc18091652f4e483a8a63717eee36d0251bca4fd8ca55e938f26a8

SHA512
9cb1d1ca1d4c4b2f0d83799c4591e337062903e1744e2f2761a34d80015c0d9c692dd024a9da9de85d22fd01b6b909fd5b634e8605320349b07bf6bf07bdaf49

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1MK91Oi8.exe

Filesize
1.1MB

MD5
dcd9c4bdfee2c160389b768e64cdf661

SHA1
f693629bdb5c0f66ad72c0ef8ecc00e9cba40be9

SHA256
ec973dd8bf6f8341e1b983f472ef944d6e4b27a4f16de8b9256fb5c8e44cb066

SHA512
8a1e4f0f117d78eb6b1a259986786495bc1599541eaa0731ceaf567341d41ea10475775856d2ad7fea23ca14ce826c5231fed4fab69d0ecdfe9092c7c0a09889

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1MK91Oi8.exe

Filesize
1.1MB

MD5
dcd9c4bdfee2c160389b768e64cdf661

SHA1
f693629bdb5c0f66ad72c0ef8ecc00e9cba40be9

SHA256
ec973dd8bf6f8341e1b983f472ef944d6e4b27a4f16de8b9256fb5c8e44cb066

SHA512
8a1e4f0f117d78eb6b1a259986786495bc1599541eaa0731ceaf567341d41ea10475775856d2ad7fea23ca14ce826c5231fed4fab69d0ecdfe9092c7c0a09889

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2gw713HB.exe

Filesize
222KB

MD5
807c5729873254932e6ef3b6d7c77473

SHA1
b34b07dac010941dae6bc47bafd06b86a7069a79

SHA256
b108605792d6fef15342289b272955300a68ed5e05cdc4430ed9e568baedb3a6

SHA512
6c8e0d0447b2aeed43fc7d88ec08d44b1208a974464dd561771244063f77488b72589420c509c1feb3ba9853dbee13cf772d0f9e79b419ccea2fc8a2299fbb2f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2gw713HB.exe

Filesize
222KB

MD5
807c5729873254932e6ef3b6d7c77473

SHA1
b34b07dac010941dae6bc47bafd06b86a7069a79

SHA256
b108605792d6fef15342289b272955300a68ed5e05cdc4430ed9e568baedb3a6

SHA512
6c8e0d0447b2aeed43fc7d88ec08d44b1208a974464dd561771244063f77488b72589420c509c1feb3ba9853dbee13cf772d0f9e79b419ccea2fc8a2299fbb2f

Download Submit
memory/4452-37-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4452-39-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4452-35-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4452-36-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4696-48-0x0000000007A20000-0x0000000007A2A000-memory.dmp

Filesize
40KB

Download
memory/4696-44-0x0000000074AF0000-0x00000000752A0000-memory.dmp

Filesize
7.7MB

Download
memory/4696-45-0x0000000007FD0000-0x0000000008574000-memory.dmp

Filesize
5.6MB

Download
memory/4696-46-0x0000000007AC0000-0x0000000007B52000-memory.dmp

Filesize
584KB

Download
memory/4696-47-0x0000000005540000-0x0000000005550000-memory.dmp

Filesize
64KB

Download
memory/4696-43-0x0000000000C30000-0x0000000000C6E000-memory.dmp

Filesize
248KB

Download
memory/4696-49-0x0000000008BA0000-0x00000000091B8000-memory.dmp

Filesize
6.1MB

Download
memory/4696-50-0x0000000008580000-0x000000000868A000-memory.dmp

Filesize
1.0MB

Download
memory/4696-51-0x0000000007CC0000-0x0000000007CD2000-memory.dmp

Filesize
72KB

Download
memory/4696-52-0x0000000007E30000-0x0000000007E6C000-memory.dmp

Filesize
240KB

Download
memory/4696-53-0x0000000007E70000-0x0000000007EBC000-memory.dmp

Filesize
304KB

Download
memory/4696-54-0x0000000074AF0000-0x00000000752A0000-memory.dmp

Filesize
7.7MB

Download
memory/4696-55-0x0000000005540000-0x0000000005550000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads