redline | 490a06c09c0e1c35c58f333721fa59eb039910a752c9c11bcec543d5ed9860f1

Analysis

max time kernel
143s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20231023-en
resource tags

arch:x64arch:x86image:win10v2004-20231023-enlocale:en-usos:windows10-2004-x64system
submitted
31/10/2023, 04:16

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

490a06c09c0e1c35c58f333721fa59eb039910a752c9c11bcec543d5ed9860f1.exe
Size

1.5MB
MD5

f15584fe8b4fb3624fed6bedab1f8214
SHA1

1945fc68d33ab24844fecac36a1c896470067a9a
SHA256

490a06c09c0e1c35c58f333721fa59eb039910a752c9c11bcec543d5ed9860f1
SHA512

d44829488777ce829f31fc4521028054ced709cd25206f95077318013456db5aaef73328faecc24cf868fb26994ced3258dde0cfcf2ac493c9fa3a7467fba3a2
SSDEEP

24576:dyKOBroH2OqUBgamcvdJ6S+3ljiWoUjjDjtJx3Eyc9Yu3rK:4KOBrJOp7mKdE7leWnRUf9Yu

Score

10^/10

redline kinza infostealer persistence

Malware Config

Extracted

Family

redline

Botnet

kinza

77.91.124.86:19084

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 3 IoCs

resource	yara_rule
behavioral1/files/0x0006000000022cf1-41.dat	family_redline
behavioral1/files/0x0006000000022cf1-42.dat	family_redline
behavioral1/memory/2340-44-0x0000000000BE0000-0x0000000000C1E000-memory.dmp	family_redline

Executes dropped EXE 6 IoCs

pid	Process
1772	bG6tx7AL.exe
572	cU5Gu9Lm.exe
2172	yg9Lj6Mu.exe
2684	pc0WK9Jl.exe
4600	1LM35qL0.exe
2340	2jg705Nl.exe

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\""	pc0WK9Jl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	490a06c09c0e1c35c58f333721fa59eb039910a752c9c11bcec543d5ed9860f1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	bG6tx7AL.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	cU5Gu9Lm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	yg9Lj6Mu.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4600 set thread context of 4544	4600	1LM35qL0.exe	96

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2772	4544	WerFault.exe	96

Suspicious use of WriteProcessMemory 28 IoCs

description	pid	Process	procid_target
PID 3596 wrote to memory of 1772	3596	490a06c09c0e1c35c58f333721fa59eb039910a752c9c11bcec543d5ed9860f1.exe	89
PID 3596 wrote to memory of 1772	3596	490a06c09c0e1c35c58f333721fa59eb039910a752c9c11bcec543d5ed9860f1.exe	89
PID 3596 wrote to memory of 1772	3596	490a06c09c0e1c35c58f333721fa59eb039910a752c9c11bcec543d5ed9860f1.exe	89
PID 1772 wrote to memory of 572	1772	bG6tx7AL.exe	91
PID 1772 wrote to memory of 572	1772	bG6tx7AL.exe	91
PID 1772 wrote to memory of 572	1772	bG6tx7AL.exe	91
PID 572 wrote to memory of 2172	572	cU5Gu9Lm.exe	93
PID 572 wrote to memory of 2172	572	cU5Gu9Lm.exe	93
PID 572 wrote to memory of 2172	572	cU5Gu9Lm.exe	93
PID 2172 wrote to memory of 2684	2172	yg9Lj6Mu.exe	94
PID 2172 wrote to memory of 2684	2172	yg9Lj6Mu.exe	94
PID 2172 wrote to memory of 2684	2172	yg9Lj6Mu.exe	94
PID 2684 wrote to memory of 4600	2684	pc0WK9Jl.exe	95
PID 2684 wrote to memory of 4600	2684	pc0WK9Jl.exe	95
PID 2684 wrote to memory of 4600	2684	pc0WK9Jl.exe	95
PID 4600 wrote to memory of 4544	4600	1LM35qL0.exe	96
PID 4600 wrote to memory of 4544	4600	1LM35qL0.exe	96
PID 4600 wrote to memory of 4544	4600	1LM35qL0.exe	96
PID 4600 wrote to memory of 4544	4600	1LM35qL0.exe	96
PID 4600 wrote to memory of 4544	4600	1LM35qL0.exe	96
PID 4600 wrote to memory of 4544	4600	1LM35qL0.exe	96
PID 4600 wrote to memory of 4544	4600	1LM35qL0.exe	96
PID 4600 wrote to memory of 4544	4600	1LM35qL0.exe	96
PID 4600 wrote to memory of 4544	4600	1LM35qL0.exe	96
PID 4600 wrote to memory of 4544	4600	1LM35qL0.exe	96
PID 2684 wrote to memory of 2340	2684	pc0WK9Jl.exe	98
PID 2684 wrote to memory of 2340	2684	pc0WK9Jl.exe	98
PID 2684 wrote to memory of 2340	2684	pc0WK9Jl.exe	98

C:\Users\Admin\AppData\Local\Temp\490a06c09c0e1c35c58f333721fa59eb039910a752c9c11bcec543d5ed9860f1.exe
"C:\Users\Admin\AppData\Local\Temp\490a06c09c0e1c35c58f333721fa59eb039910a752c9c11bcec543d5ed9860f1.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3596
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\bG6tx7AL.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\bG6tx7AL.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:1772
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\cU5Gu9Lm.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\cU5Gu9Lm.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:572
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\yg9Lj6Mu.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\yg9Lj6Mu.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:2172
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\pc0WK9Jl.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\pc0WK9Jl.exe
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of WriteProcessMemory
        
        PID:2684
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1LM35qL0.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1LM35qL0.exe
        6⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:4600
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        7⤵
        
        PID:4544
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4544 -s 540
        8⤵
        Program crash
        
        PID:2772
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2jg705Nl.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2jg705Nl.exe
        6⤵
        Executes dropped EXE
        
        PID:2340

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4544 -ip 4544
1⤵
PID:5012

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\bG6tx7AL.exe

Filesize
1.3MB

MD5
bb3a45ada3f44ba4f0169983065c9369

SHA1
136ede4cbc5860d7e655d8e6cebbd0d29d262b12

SHA256
fe9c3a73f4e7ad1fbd790b309cb00935e2100280aa561a33a9393bd9fb53f270

SHA512
46cc0ba18848cc778054c59277af783aacc51d0d8365cbb37e74061f64a79e11523e2fc404601a6591408afb724ab1ba05caa2ce9c770a2f5105b5a3a93d8348

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\bG6tx7AL.exe

Filesize
1.3MB

MD5
bb3a45ada3f44ba4f0169983065c9369

SHA1
136ede4cbc5860d7e655d8e6cebbd0d29d262b12

SHA256
fe9c3a73f4e7ad1fbd790b309cb00935e2100280aa561a33a9393bd9fb53f270

SHA512
46cc0ba18848cc778054c59277af783aacc51d0d8365cbb37e74061f64a79e11523e2fc404601a6591408afb724ab1ba05caa2ce9c770a2f5105b5a3a93d8348

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\cU5Gu9Lm.exe

Filesize
1.1MB

MD5
f76df84021e346537084ee5179357ae0

SHA1
62d332d14e66072fa3438d45866ec3e3dd95c94a

SHA256
577c860cab0fecbe4e4c82b6782aa3f8fa177882776530155a169959ca7ad88c

SHA512
bdf9cc7b5b6184469bdfbc23d4a5c48e2dce110866eafc1408c02cf28ecb656a64a4961fc7d230077eb43ebc3dcd1c3d6c92de7b80d2d444656e38564bd72778

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\cU5Gu9Lm.exe

Filesize
1.1MB

MD5
f76df84021e346537084ee5179357ae0

SHA1
62d332d14e66072fa3438d45866ec3e3dd95c94a

SHA256
577c860cab0fecbe4e4c82b6782aa3f8fa177882776530155a169959ca7ad88c

SHA512
bdf9cc7b5b6184469bdfbc23d4a5c48e2dce110866eafc1408c02cf28ecb656a64a4961fc7d230077eb43ebc3dcd1c3d6c92de7b80d2d444656e38564bd72778

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\yg9Lj6Mu.exe

Filesize
758KB

MD5
0a25ee5c1d7db8e346097bbafe367271

SHA1
294815f942400c088e09b791395b28c19d859b35

SHA256
a3aca0104b7b4c1adfb3ef6471c392766e24be5fec165e86a4ec6116580bf6db

SHA512
17f03ac0bb594b98d6bf6027d8774e1d6fb441900a91ceff397b69af8a7261c6ce4706802adb2559dd21f0fd5ca77d512e51628d2e3dad272fadf1d7799a3552

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\yg9Lj6Mu.exe

Filesize
758KB

MD5
0a25ee5c1d7db8e346097bbafe367271

SHA1
294815f942400c088e09b791395b28c19d859b35

SHA256
a3aca0104b7b4c1adfb3ef6471c392766e24be5fec165e86a4ec6116580bf6db

SHA512
17f03ac0bb594b98d6bf6027d8774e1d6fb441900a91ceff397b69af8a7261c6ce4706802adb2559dd21f0fd5ca77d512e51628d2e3dad272fadf1d7799a3552

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\pc0WK9Jl.exe

Filesize
562KB

MD5
68182c210e29f07a6362da482c143065

SHA1
e289736581f4934dabf45813329f8b8643d32199

SHA256
99046d6040466913e8bbf8b6770852eb8cef9098f3216a6f289a0e7d417194f5

SHA512
38826abb9c79279bcd8c429ce8fa4bfee10b2d4b25383d791aabfa58130f4292692fd600d06404d780e75eaa0eabec069512e702c12f8a59961ee598f764581a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\pc0WK9Jl.exe

Filesize
562KB

MD5
68182c210e29f07a6362da482c143065

SHA1
e289736581f4934dabf45813329f8b8643d32199

SHA256
99046d6040466913e8bbf8b6770852eb8cef9098f3216a6f289a0e7d417194f5

SHA512
38826abb9c79279bcd8c429ce8fa4bfee10b2d4b25383d791aabfa58130f4292692fd600d06404d780e75eaa0eabec069512e702c12f8a59961ee598f764581a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1LM35qL0.exe

Filesize
1.1MB

MD5
02ee4bf18297358b0eef9651c8614e35

SHA1
c861134316e7097a436715d0249b2a39d8c9f9eb

SHA256
bf838563053d005cc8a7752e269da202f0703b6fcc8d0f57227b1cc2d66aa055

SHA512
cfdacea5cda39d6843647b2eb34a03a477e855bddc8b677f7bf368a7a8507043fd932a65655f0f1d883ee60d824de7c79e507bc63e62fd027307bc5d46977975

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1LM35qL0.exe

Filesize
1.1MB

MD5
02ee4bf18297358b0eef9651c8614e35

SHA1
c861134316e7097a436715d0249b2a39d8c9f9eb

SHA256
bf838563053d005cc8a7752e269da202f0703b6fcc8d0f57227b1cc2d66aa055

SHA512
cfdacea5cda39d6843647b2eb34a03a477e855bddc8b677f7bf368a7a8507043fd932a65655f0f1d883ee60d824de7c79e507bc63e62fd027307bc5d46977975

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2jg705Nl.exe

Filesize
222KB

MD5
c7994312f860b8df0f291e248f8072fe

SHA1
40971a48e37d103af646089e70745d9ad7db522f

SHA256
dd599d630f4bb71e7c89753ce03eff39ad7d5a1a07509c0ef67db7c7a0f6a26f

SHA512
9fbdea153ba6560081709d7810263371676b04782f5bff1d1c0c05c6a9a8d9b57fec56c3e539b8711d0dbdecec9770b698e7e074cb3e7384c9ff1d8df957d211

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2jg705Nl.exe

Filesize
222KB

MD5
c7994312f860b8df0f291e248f8072fe

SHA1
40971a48e37d103af646089e70745d9ad7db522f

SHA256
dd599d630f4bb71e7c89753ce03eff39ad7d5a1a07509c0ef67db7c7a0f6a26f

SHA512
9fbdea153ba6560081709d7810263371676b04782f5bff1d1c0c05c6a9a8d9b57fec56c3e539b8711d0dbdecec9770b698e7e074cb3e7384c9ff1d8df957d211

Download Submit
memory/2340-46-0x0000000007990000-0x0000000007A22000-memory.dmp

Filesize
584KB

Download
memory/2340-48-0x0000000007A60000-0x0000000007A6A000-memory.dmp

Filesize
40KB

Download
memory/2340-55-0x0000000007B00000-0x0000000007B10000-memory.dmp

Filesize
64KB

Download
memory/2340-54-0x0000000074190000-0x0000000074940000-memory.dmp

Filesize
7.7MB

Download
memory/2340-43-0x0000000074190000-0x0000000074940000-memory.dmp

Filesize
7.7MB

Download
memory/2340-44-0x0000000000BE0000-0x0000000000C1E000-memory.dmp

Filesize
248KB

Download
memory/2340-45-0x0000000007F40000-0x00000000084E4000-memory.dmp

Filesize
5.6MB

Download
memory/2340-53-0x0000000007E20000-0x0000000007E6C000-memory.dmp

Filesize
304KB

Download
memory/2340-52-0x0000000007CA0000-0x0000000007CDC000-memory.dmp

Filesize
240KB

Download
memory/2340-49-0x0000000008B10000-0x0000000009128000-memory.dmp

Filesize
6.1MB

Download
memory/2340-47-0x0000000007B00000-0x0000000007B10000-memory.dmp

Filesize
64KB

Download
memory/2340-50-0x0000000007D10000-0x0000000007E1A000-memory.dmp

Filesize
1.0MB

Download
memory/2340-51-0x0000000007C40000-0x0000000007C52000-memory.dmp

Filesize
72KB

Download
memory/4544-39-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4544-36-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4544-37-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4544-35-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads