redline | 601e143c91ecf3888c08e88952f8a33a5072be80dd9f683f286ff216e4949f70

Analysis

max time kernel
146s
max time network
159s
platform
windows10-2004_x64
resource
win10v2004-20231020-en
resource tags

arch:x64arch:x86image:win10v2004-20231020-enlocale:en-usos:windows10-2004-x64system
submitted
31/10/2023, 17:52

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

4a1283a4a265030f72e946f7852501945b8ea0c4788d369d4c3354eedebc8b6f.exe
Size

1.5MB
MD5

c629ba55eb36aca092419edad8dd05d3
SHA1

a40b4083f9f4679badecac2665aad149acda5993
SHA256

4a1283a4a265030f72e946f7852501945b8ea0c4788d369d4c3354eedebc8b6f
SHA512

7fd500dff0559756d654a76f8c3fed39e26a10d3dacc348c4be7b526957afa0f7b0426a09a9f0e1b17837c1875f537aeb26db824985145ccbceafcf35178838a
SSDEEP

24576:PytL59nfjzlCsX8HC2NzvUFeCiANRlOI5CBvp6AGXUGTSHIUD51E:atL59foG8HCSvUFeRANRYwCT4XLiIUD

Score

10^/10

redline kinza infostealer persistence

Malware Config

Extracted

Family

redline

Botnet

kinza

77.91.124.86:19084

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 3 IoCs

resource	yara_rule
behavioral1/files/0x0006000000022e15-41.dat	family_redline
behavioral1/files/0x0006000000022e15-42.dat	family_redline
behavioral1/memory/5008-43-0x00000000000F0000-0x000000000012E000-memory.dmp	family_redline

Executes dropped EXE 6 IoCs

pid	Process
3984	cl9Ih1FG.exe
4952	Bq2sT0ba.exe
1744	Xk7SZ9EB.exe
2928	ud8Kx3BO.exe
4624	1uE56vq4.exe
5008	2TF736Be.exe

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	4a1283a4a265030f72e946f7852501945b8ea0c4788d369d4c3354eedebc8b6f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	cl9Ih1FG.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	Bq2sT0ba.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	Xk7SZ9EB.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\""	ud8Kx3BO.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4624 set thread context of 1812	4624	1uE56vq4.exe	94

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4644	1812	WerFault.exe	94

Suspicious use of WriteProcessMemory 28 IoCs

description	pid	Process	procid_target
PID 3460 wrote to memory of 3984	3460	4a1283a4a265030f72e946f7852501945b8ea0c4788d369d4c3354eedebc8b6f.exe	87
PID 3460 wrote to memory of 3984	3460	4a1283a4a265030f72e946f7852501945b8ea0c4788d369d4c3354eedebc8b6f.exe	87
PID 3460 wrote to memory of 3984	3460	4a1283a4a265030f72e946f7852501945b8ea0c4788d369d4c3354eedebc8b6f.exe	87
PID 3984 wrote to memory of 4952	3984	cl9Ih1FG.exe	89
PID 3984 wrote to memory of 4952	3984	cl9Ih1FG.exe	89
PID 3984 wrote to memory of 4952	3984	cl9Ih1FG.exe	89
PID 4952 wrote to memory of 1744	4952	Bq2sT0ba.exe	90
PID 4952 wrote to memory of 1744	4952	Bq2sT0ba.exe	90
PID 4952 wrote to memory of 1744	4952	Bq2sT0ba.exe	90
PID 1744 wrote to memory of 2928	1744	Xk7SZ9EB.exe	92
PID 1744 wrote to memory of 2928	1744	Xk7SZ9EB.exe	92
PID 1744 wrote to memory of 2928	1744	Xk7SZ9EB.exe	92
PID 2928 wrote to memory of 4624	2928	ud8Kx3BO.exe	93
PID 2928 wrote to memory of 4624	2928	ud8Kx3BO.exe	93
PID 2928 wrote to memory of 4624	2928	ud8Kx3BO.exe	93
PID 4624 wrote to memory of 1812	4624	1uE56vq4.exe	94
PID 4624 wrote to memory of 1812	4624	1uE56vq4.exe	94
PID 4624 wrote to memory of 1812	4624	1uE56vq4.exe	94
PID 4624 wrote to memory of 1812	4624	1uE56vq4.exe	94
PID 4624 wrote to memory of 1812	4624	1uE56vq4.exe	94
PID 4624 wrote to memory of 1812	4624	1uE56vq4.exe	94
PID 4624 wrote to memory of 1812	4624	1uE56vq4.exe	94
PID 4624 wrote to memory of 1812	4624	1uE56vq4.exe	94
PID 4624 wrote to memory of 1812	4624	1uE56vq4.exe	94
PID 4624 wrote to memory of 1812	4624	1uE56vq4.exe	94
PID 2928 wrote to memory of 5008	2928	ud8Kx3BO.exe	95
PID 2928 wrote to memory of 5008	2928	ud8Kx3BO.exe	95
PID 2928 wrote to memory of 5008	2928	ud8Kx3BO.exe	95

C:\Users\Admin\AppData\Local\Temp\4a1283a4a265030f72e946f7852501945b8ea0c4788d369d4c3354eedebc8b6f.exe
"C:\Users\Admin\AppData\Local\Temp\4a1283a4a265030f72e946f7852501945b8ea0c4788d369d4c3354eedebc8b6f.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3460
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\cl9Ih1FG.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\cl9Ih1FG.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:3984
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Bq2sT0ba.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Bq2sT0ba.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:4952
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Xk7SZ9EB.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Xk7SZ9EB.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:1744
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ud8Kx3BO.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ud8Kx3BO.exe
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of WriteProcessMemory
        
        PID:2928
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1uE56vq4.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1uE56vq4.exe
        6⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:4624
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        7⤵
        
        PID:1812
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1812 -s 540
        8⤵
        Program crash
        
        PID:4644
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2TF736Be.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2TF736Be.exe
        6⤵
        Executes dropped EXE
        
        PID:5008

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 1812 -ip 1812
1⤵
PID:3004

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\cl9Ih1FG.exe

Filesize
1.3MB

MD5
5eb6197231feb2e0da03f857393ecaea

SHA1
0201041dbc7947c47145364c99ac3598b6483aa9

SHA256
673a084adf2b544e5fddd5a455ec1445838f5a0720e3cc792e463a445578a260

SHA512
d73dd379518ad2edf6cb0b075632e07005cfaf3aa6f5cdcef6242c8f5b4cbf664717088221adced2133c6c107b0d16dfe40ca9a7eef33f16082ea4e7921f95a6

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\cl9Ih1FG.exe

Filesize
1.3MB

MD5
5eb6197231feb2e0da03f857393ecaea

SHA1
0201041dbc7947c47145364c99ac3598b6483aa9

SHA256
673a084adf2b544e5fddd5a455ec1445838f5a0720e3cc792e463a445578a260

SHA512
d73dd379518ad2edf6cb0b075632e07005cfaf3aa6f5cdcef6242c8f5b4cbf664717088221adced2133c6c107b0d16dfe40ca9a7eef33f16082ea4e7921f95a6

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Bq2sT0ba.exe

Filesize
1.1MB

MD5
672bda2d09ec0166bd60475cbac623a9

SHA1
f567a24bf2c9b35453d2f947ecfffcfbd239cd89

SHA256
1d57d4b31077d44e3c1eb6b74c394b670e971512c6f9ae586d39a477ad7be907

SHA512
d5a1b5ac184e3625ae4c7db82140c76f23d8fa46a0ede38596170c9ca73b2828f9da0a66bbc6861ddef9a566683b01d29671315ff8a49a53657811535aa9de79

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Bq2sT0ba.exe

Filesize
1.1MB

MD5
672bda2d09ec0166bd60475cbac623a9

SHA1
f567a24bf2c9b35453d2f947ecfffcfbd239cd89

SHA256
1d57d4b31077d44e3c1eb6b74c394b670e971512c6f9ae586d39a477ad7be907

SHA512
d5a1b5ac184e3625ae4c7db82140c76f23d8fa46a0ede38596170c9ca73b2828f9da0a66bbc6861ddef9a566683b01d29671315ff8a49a53657811535aa9de79

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Xk7SZ9EB.exe

Filesize
758KB

MD5
19541531251393dca0fce506042c2a35

SHA1
25e431454fce3f54e6a2c30271c870d2cc7699e1

SHA256
b6b7b955b50cef610c03dd080cff39ce923e4e1deed568f21d810304f31a0ab0

SHA512
769666d7ece8914e806d85b13e50b8045b206f5d6bdc28054cdf570c300e99d9d8ee28c8668869b54fd539cce24d4c0a293918046fc57f973dbdbf930efca0d1

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Xk7SZ9EB.exe

Filesize
758KB

MD5
19541531251393dca0fce506042c2a35

SHA1
25e431454fce3f54e6a2c30271c870d2cc7699e1

SHA256
b6b7b955b50cef610c03dd080cff39ce923e4e1deed568f21d810304f31a0ab0

SHA512
769666d7ece8914e806d85b13e50b8045b206f5d6bdc28054cdf570c300e99d9d8ee28c8668869b54fd539cce24d4c0a293918046fc57f973dbdbf930efca0d1

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ud8Kx3BO.exe

Filesize
561KB

MD5
2b5b66ee827ff7add1a4bbc5c1f2d316

SHA1
2d14be2ff7a502807757010e395cc0d2180ce2d6

SHA256
9c119a636443844464c93432c4f7793b21aeef46f81990349b6e8075929a0922

SHA512
104d4b40321a6a7a7f9085b5e547baf62d701840cb755905288bd5d8a150c33b31333bff90abc8e7ab11bd2895103cd135abe0dbe209920a543daeafecf5ce9c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ud8Kx3BO.exe

Filesize
561KB

MD5
2b5b66ee827ff7add1a4bbc5c1f2d316

SHA1
2d14be2ff7a502807757010e395cc0d2180ce2d6

SHA256
9c119a636443844464c93432c4f7793b21aeef46f81990349b6e8075929a0922

SHA512
104d4b40321a6a7a7f9085b5e547baf62d701840cb755905288bd5d8a150c33b31333bff90abc8e7ab11bd2895103cd135abe0dbe209920a543daeafecf5ce9c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1uE56vq4.exe

Filesize
1.1MB

MD5
d841179e4770c6b1e94ac6f02ee3c3ec

SHA1
e98f8df8787f0c9a4055268092f1216f492bb179

SHA256
ec512024a8f06bc8b9b7e94f378d6b5fc635f0a4d97a2b57612aeb050e43cd63

SHA512
cf00f551e78d954f2f1d1a6da5e9b9a9e4cac99a29e937c5f6d1e0470dd5cbfc4994e4e1da41aa84d2257142e7460919cea447ddd8ce4e78d332c2d3c68b99e4

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1uE56vq4.exe

Filesize
1.1MB

MD5
d841179e4770c6b1e94ac6f02ee3c3ec

SHA1
e98f8df8787f0c9a4055268092f1216f492bb179

SHA256
ec512024a8f06bc8b9b7e94f378d6b5fc635f0a4d97a2b57612aeb050e43cd63

SHA512
cf00f551e78d954f2f1d1a6da5e9b9a9e4cac99a29e937c5f6d1e0470dd5cbfc4994e4e1da41aa84d2257142e7460919cea447ddd8ce4e78d332c2d3c68b99e4

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2TF736Be.exe

Filesize
222KB

MD5
842542d107021fb58ed9301655ef46a3

SHA1
a7dd59848e9548162e024d88e346ba6b6eb873f9

SHA256
fc47e3db5b186978e54c9eb9c30f1b153c99af8d3c84bc626e9918c756f2e921

SHA512
208afe16616c72f0fb62546de5914cee3c889ddefcc491845253abe2efc11847f80e31ba73c6ea9d620445845975db7f3ae10ba0690828e871ccd7e6449f423a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2TF736Be.exe

Filesize
222KB

MD5
842542d107021fb58ed9301655ef46a3

SHA1
a7dd59848e9548162e024d88e346ba6b6eb873f9

SHA256
fc47e3db5b186978e54c9eb9c30f1b153c99af8d3c84bc626e9918c756f2e921

SHA512
208afe16616c72f0fb62546de5914cee3c889ddefcc491845253abe2efc11847f80e31ba73c6ea9d620445845975db7f3ae10ba0690828e871ccd7e6449f423a

Download Submit
memory/1812-40-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1812-37-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1812-36-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1812-35-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5008-48-0x0000000006F80000-0x0000000006F8A000-memory.dmp

Filesize
40KB

Download
memory/5008-44-0x0000000073BF0000-0x00000000743A0000-memory.dmp

Filesize
7.7MB

Download
memory/5008-45-0x0000000007340000-0x00000000078E4000-memory.dmp

Filesize
5.6MB

Download
memory/5008-46-0x0000000006E70000-0x0000000006F02000-memory.dmp

Filesize
584KB

Download
memory/5008-47-0x0000000006FF0000-0x0000000007000000-memory.dmp

Filesize
64KB

Download
memory/5008-43-0x00000000000F0000-0x000000000012E000-memory.dmp

Filesize
248KB

Download
memory/5008-49-0x0000000007F10000-0x0000000008528000-memory.dmp

Filesize
6.1MB

Download
memory/5008-50-0x0000000007A00000-0x0000000007B0A000-memory.dmp

Filesize
1.0MB

Download
memory/5008-51-0x0000000007290000-0x00000000072A2000-memory.dmp

Filesize
72KB

Download
memory/5008-52-0x00000000072F0000-0x000000000732C000-memory.dmp

Filesize
240KB

Download
memory/5008-53-0x0000000007B10000-0x0000000007B5C000-memory.dmp

Filesize
304KB

Download
memory/5008-54-0x0000000073BF0000-0x00000000743A0000-memory.dmp

Filesize
7.7MB

Download
memory/5008-55-0x0000000006FF0000-0x0000000007000000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads