redline | 54b294bf57ec16d33d0da3840310fd8e04d0dc10fdca65fca4a4384d7705bc82

Analysis

max time kernel
138s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20231023-en
resource tags

arch:x64arch:x86image:win10v2004-20231023-enlocale:en-usos:windows10-2004-x64system
submitted
31/10/2023, 18:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1045b3d3154be072bcb121415f0c1096b16d1b0f0e142484a3258b2f44c44da7.exe
Size

1.5MB
MD5

fd977f19978a0e2996d2979c57727b5b
SHA1

a9ea4a97babcb6a36a4350d69712b83f67cbdbac
SHA256

1045b3d3154be072bcb121415f0c1096b16d1b0f0e142484a3258b2f44c44da7
SHA512

50dd2013cf51e5da488bb3fd351133da500b4d0640b9c29bc6d6d1922ed7f48cabb898e85416876fec92917bc1f9059433c519fadb88460ecdef33ea81c03622
SSDEEP

24576:nywtGwTZaMd5sT9O+Iu69vT6D0O/yQDsRicKF61doEsf5pzPuYi37ZYo6rg+1Lb0:yOGwFbd5coS69eYO/Psi6/oEIbP2j6re

Score

10^/10

redline kinza infostealer persistence

Malware Config

Extracted

Family

redline

Botnet

kinza

77.91.124.86:19084

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 3 IoCs

resource	yara_rule
behavioral1/files/0x0006000000022cf0-41.dat	family_redline
behavioral1/files/0x0006000000022cf0-42.dat	family_redline
behavioral1/memory/3992-44-0x0000000000590000-0x00000000005CE000-memory.dmp	family_redline

Executes dropped EXE 6 IoCs

pid	Process
2424	gW4Dr0aq.exe
3772	gE3IA9lj.exe
2924	mt8Iz3cW.exe
1016	Kq1ky0wH.exe
1600	1KJ60NI7.exe
3992	2rS094Bi.exe

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	gE3IA9lj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	mt8Iz3cW.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\""	Kq1ky0wH.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	1045b3d3154be072bcb121415f0c1096b16d1b0f0e142484a3258b2f44c44da7.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	gW4Dr0aq.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1600 set thread context of 4552	1600	1KJ60NI7.exe	97

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1064	4552	WerFault.exe	97

Suspicious use of WriteProcessMemory 31 IoCs

description	pid	Process	procid_target
PID 4440 wrote to memory of 2424	4440	1045b3d3154be072bcb121415f0c1096b16d1b0f0e142484a3258b2f44c44da7.exe	88
PID 4440 wrote to memory of 2424	4440	1045b3d3154be072bcb121415f0c1096b16d1b0f0e142484a3258b2f44c44da7.exe	88
PID 4440 wrote to memory of 2424	4440	1045b3d3154be072bcb121415f0c1096b16d1b0f0e142484a3258b2f44c44da7.exe	88
PID 2424 wrote to memory of 3772	2424	gW4Dr0aq.exe	91
PID 2424 wrote to memory of 3772	2424	gW4Dr0aq.exe	91
PID 2424 wrote to memory of 3772	2424	gW4Dr0aq.exe	91
PID 3772 wrote to memory of 2924	3772	gE3IA9lj.exe	92
PID 3772 wrote to memory of 2924	3772	gE3IA9lj.exe	92
PID 3772 wrote to memory of 2924	3772	gE3IA9lj.exe	92
PID 2924 wrote to memory of 1016	2924	mt8Iz3cW.exe	93
PID 2924 wrote to memory of 1016	2924	mt8Iz3cW.exe	93
PID 2924 wrote to memory of 1016	2924	mt8Iz3cW.exe	93
PID 1016 wrote to memory of 1600	1016	Kq1ky0wH.exe	95
PID 1016 wrote to memory of 1600	1016	Kq1ky0wH.exe	95
PID 1016 wrote to memory of 1600	1016	Kq1ky0wH.exe	95
PID 1600 wrote to memory of 4572	1600	1KJ60NI7.exe	96
PID 1600 wrote to memory of 4572	1600	1KJ60NI7.exe	96
PID 1600 wrote to memory of 4572	1600	1KJ60NI7.exe	96
PID 1600 wrote to memory of 4552	1600	1KJ60NI7.exe	97
PID 1600 wrote to memory of 4552	1600	1KJ60NI7.exe	97
PID 1600 wrote to memory of 4552	1600	1KJ60NI7.exe	97
PID 1600 wrote to memory of 4552	1600	1KJ60NI7.exe	97
PID 1600 wrote to memory of 4552	1600	1KJ60NI7.exe	97
PID 1600 wrote to memory of 4552	1600	1KJ60NI7.exe	97
PID 1600 wrote to memory of 4552	1600	1KJ60NI7.exe	97
PID 1600 wrote to memory of 4552	1600	1KJ60NI7.exe	97
PID 1600 wrote to memory of 4552	1600	1KJ60NI7.exe	97
PID 1600 wrote to memory of 4552	1600	1KJ60NI7.exe	97
PID 1016 wrote to memory of 3992	1016	Kq1ky0wH.exe	98
PID 1016 wrote to memory of 3992	1016	Kq1ky0wH.exe	98
PID 1016 wrote to memory of 3992	1016	Kq1ky0wH.exe	98

C:\Users\Admin\AppData\Local\Temp\1045b3d3154be072bcb121415f0c1096b16d1b0f0e142484a3258b2f44c44da7.exe
"C:\Users\Admin\AppData\Local\Temp\1045b3d3154be072bcb121415f0c1096b16d1b0f0e142484a3258b2f44c44da7.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4440
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\gW4Dr0aq.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\gW4Dr0aq.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:2424
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\gE3IA9lj.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\gE3IA9lj.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:3772
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\mt8Iz3cW.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\mt8Iz3cW.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:2924
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\Kq1ky0wH.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\Kq1ky0wH.exe
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of WriteProcessMemory
        
        PID:1016
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1KJ60NI7.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1KJ60NI7.exe
        6⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:1600
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        7⤵
        
        PID:4572
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        7⤵
        
        PID:4552
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4552 -s 540
        8⤵
        Program crash
        
        PID:1064
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2rS094Bi.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2rS094Bi.exe
        6⤵
        Executes dropped EXE
        
        PID:3992

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 4552 -ip 4552
1⤵
PID:936

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\gW4Dr0aq.exe

Filesize
1.3MB

MD5
0a6860734e7bed12b72ccb15670c9b14

SHA1
91ea5d5dad8d7da97ebfb41bba6d9f2cf94ef380

SHA256
5814e939d0ecce4cda9032d049afcf46ce67a2c97e271c4886019820e27658c8

SHA512
f589f39c7cd7e48b78be38c7d76912e9f37e29f5224b16aa0b1fa01a06281f4802de3c60b470809b80c6b83ca2ec2d1603d8f7862fdc0f5fa3dfcb2418bb8709

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\gW4Dr0aq.exe

Filesize
1.3MB

MD5
0a6860734e7bed12b72ccb15670c9b14

SHA1
91ea5d5dad8d7da97ebfb41bba6d9f2cf94ef380

SHA256
5814e939d0ecce4cda9032d049afcf46ce67a2c97e271c4886019820e27658c8

SHA512
f589f39c7cd7e48b78be38c7d76912e9f37e29f5224b16aa0b1fa01a06281f4802de3c60b470809b80c6b83ca2ec2d1603d8f7862fdc0f5fa3dfcb2418bb8709

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\gE3IA9lj.exe

Filesize
1.1MB

MD5
ef209c47c6c7d8877dd6b0539ea4ceb8

SHA1
91673ced0a7c6e03ddd23f36ff76b2dffa7a03a4

SHA256
48c7b1fe121730a7b4f123d569e75f797d00918e5440235dfb3cf432f0f89e6c

SHA512
ce7fecf9a75945443435e46cd87c1d977dd37db6b372019bf6d638e63a10691171f127410a747f86edea6b158bde27292f8954e5a2bd9b4e630fc88b7b10d166

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\gE3IA9lj.exe

Filesize
1.1MB

MD5
ef209c47c6c7d8877dd6b0539ea4ceb8

SHA1
91673ced0a7c6e03ddd23f36ff76b2dffa7a03a4

SHA256
48c7b1fe121730a7b4f123d569e75f797d00918e5440235dfb3cf432f0f89e6c

SHA512
ce7fecf9a75945443435e46cd87c1d977dd37db6b372019bf6d638e63a10691171f127410a747f86edea6b158bde27292f8954e5a2bd9b4e630fc88b7b10d166

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\mt8Iz3cW.exe

Filesize
757KB

MD5
5dd1ccd74452a77fb96533722282dead

SHA1
c04292cd418adff64adce54a8a9e9129d76a2973

SHA256
4d339acfb558fbe4e3add552631b352c7831dc766ef436ebb9b348e712b8c5ee

SHA512
e0a8cd62bed376863ac90cfdac6da71f5e661faeb5386e0e3bec729c5fdb3637bab64ce02065abba3ffd0d38a07b1fffe520ed20647ca5454b7bea0f89c65da3

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\mt8Iz3cW.exe

Filesize
757KB

MD5
5dd1ccd74452a77fb96533722282dead

SHA1
c04292cd418adff64adce54a8a9e9129d76a2973

SHA256
4d339acfb558fbe4e3add552631b352c7831dc766ef436ebb9b348e712b8c5ee

SHA512
e0a8cd62bed376863ac90cfdac6da71f5e661faeb5386e0e3bec729c5fdb3637bab64ce02065abba3ffd0d38a07b1fffe520ed20647ca5454b7bea0f89c65da3

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\Kq1ky0wH.exe

Filesize
561KB

MD5
58dff667fb884d9354bc615cb5e2415b

SHA1
9151c71fe9c35df748cf1441850b60b1e1c7bf0e

SHA256
64c498df36c8cd857dda0866d7fee08c37b01911ade42c1b616701ed47cb7fc9

SHA512
246401ede70d8216e469d8f7cd3181acfdeccd00f496f435cf754af4975eedfdb6f0a007eafdd2f51faa00e7727a44cef2d1cf5fc012a36a7c44bbb69f15d359

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\Kq1ky0wH.exe

Filesize
561KB

MD5
58dff667fb884d9354bc615cb5e2415b

SHA1
9151c71fe9c35df748cf1441850b60b1e1c7bf0e

SHA256
64c498df36c8cd857dda0866d7fee08c37b01911ade42c1b616701ed47cb7fc9

SHA512
246401ede70d8216e469d8f7cd3181acfdeccd00f496f435cf754af4975eedfdb6f0a007eafdd2f51faa00e7727a44cef2d1cf5fc012a36a7c44bbb69f15d359

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1KJ60NI7.exe

Filesize
1.1MB

MD5
11392bc0ad70b9b88465008d38ab2f8a

SHA1
8dba41dbae75e7efb5b41b760477b964e9656985

SHA256
fa822657d5d3a54e412868335d68d1acb9c00c1013dbbd9930b7138109a1946b

SHA512
bc842817ecc56d4898f4d2df230b840f5aec43d42fc8285680aeee2111df8f13c61bcafebb1054766bc21c7d94c686a8520b42c8b49214f094f498b002197091

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1KJ60NI7.exe

Filesize
1.1MB

MD5
11392bc0ad70b9b88465008d38ab2f8a

SHA1
8dba41dbae75e7efb5b41b760477b964e9656985

SHA256
fa822657d5d3a54e412868335d68d1acb9c00c1013dbbd9930b7138109a1946b

SHA512
bc842817ecc56d4898f4d2df230b840f5aec43d42fc8285680aeee2111df8f13c61bcafebb1054766bc21c7d94c686a8520b42c8b49214f094f498b002197091

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2rS094Bi.exe

Filesize
222KB

MD5
4df49bcaa9fb47350ea85063da52e6fe

SHA1
68480d8f1acb95a02271a3dd810d3d5891aeb222

SHA256
e1ac652dc3cf586f4af8f032d552e71b33a8acf86fc12138e163ea1540db9df1

SHA512
5ed93e3881d1f95fb50509c6455da1cf1e0c9f320b5baddab0cfd93774289fdfa4eef69cda60ab9f047c0cae1887e9ff81379ef52817d85fa7275eda2447477e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2rS094Bi.exe

Filesize
222KB

MD5
4df49bcaa9fb47350ea85063da52e6fe

SHA1
68480d8f1acb95a02271a3dd810d3d5891aeb222

SHA256
e1ac652dc3cf586f4af8f032d552e71b33a8acf86fc12138e163ea1540db9df1

SHA512
5ed93e3881d1f95fb50509c6455da1cf1e0c9f320b5baddab0cfd93774289fdfa4eef69cda60ab9f047c0cae1887e9ff81379ef52817d85fa7275eda2447477e

Download Submit
memory/3992-46-0x0000000007310000-0x00000000073A2000-memory.dmp

Filesize
584KB

Download
memory/3992-48-0x0000000007520000-0x000000000752A000-memory.dmp

Filesize
40KB

Download
memory/3992-55-0x0000000007300000-0x0000000007310000-memory.dmp

Filesize
64KB

Download
memory/3992-54-0x0000000073850000-0x0000000074000000-memory.dmp

Filesize
7.7MB

Download
memory/3992-43-0x0000000073850000-0x0000000074000000-memory.dmp

Filesize
7.7MB

Download
memory/3992-44-0x0000000000590000-0x00000000005CE000-memory.dmp

Filesize
248KB

Download
memory/3992-45-0x00000000077E0000-0x0000000007D84000-memory.dmp

Filesize
5.6MB

Download
memory/3992-53-0x0000000007D90000-0x0000000007DDC000-memory.dmp

Filesize
304KB

Download
memory/3992-52-0x0000000007650000-0x000000000768C000-memory.dmp

Filesize
240KB

Download
memory/3992-49-0x00000000083B0000-0x00000000089C8000-memory.dmp

Filesize
6.1MB

Download
memory/3992-47-0x0000000007300000-0x0000000007310000-memory.dmp

Filesize
64KB

Download
memory/3992-50-0x00000000076C0000-0x00000000077CA000-memory.dmp

Filesize
1.0MB

Download
memory/3992-51-0x00000000075F0000-0x0000000007602000-memory.dmp

Filesize
72KB

Download
memory/4552-39-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4552-36-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4552-37-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4552-35-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads