redline | bc81424dcbac9a64bbb4df9b49fab85de3c39d6be863e66615cabd21256c4e1e

Analysis

max time kernel
136s
max time network
169s
platform
windows10-2004_x64
resource
win10v2004-20231020-en
resource tags

arch:x64arch:x86image:win10v2004-20231020-enlocale:en-usos:windows10-2004-x64system
submitted
01-11-2023 13:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NEAS.0bac0420be35b276e08b820be46a1bf0.exe
Size

1.5MB
MD5

0bac0420be35b276e08b820be46a1bf0
SHA1

d37e8829fed1300c7186c97119ad2e174a2cbcba
SHA256

bc81424dcbac9a64bbb4df9b49fab85de3c39d6be863e66615cabd21256c4e1e
SHA512

2f266dfab7e23efcbdacaaefcebeb8c861bb91b6f1969cfda84b376771411b352b3a2e3ee126116388e92dafc656884896465488a700fa13b00c6983e544ab47
SSDEEP

24576:ty1SZWlXEhM2qVYCsSIs7DEt7RcR8T5ZK6wRcLKZjzOMDimn3s+3OLHP5T/aoU1S:IBlXOM1GCsPs7DEt7RxZK6wRxz7t8Q0q

Score

10^/10

redline kinza infostealer persistence

Malware Config

Extracted

Family

redline

Botnet

kinza

77.91.124.86:19084

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 3 IoCs

resource	yara_rule
behavioral1/files/0x0006000000022e59-41.dat	family_redline
behavioral1/files/0x0006000000022e59-42.dat	family_redline
behavioral1/memory/1840-44-0x0000000000EB0000-0x0000000000EEE000-memory.dmp	family_redline

Executes dropped EXE 6 IoCs

pid	Process
1340	DA7sq0qQ.exe
32	bF1wP6nr.exe
4360	Vt4tQ7VY.exe
4688	dO7tf7Ms.exe
1948	1YS15qe5.exe
1840	2GR811UV.exe

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	bF1wP6nr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	Vt4tQ7VY.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\""	dO7tf7Ms.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	NEAS.0bac0420be35b276e08b820be46a1bf0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	DA7sq0qQ.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1948 set thread context of 3344	1948	1YS15qe5.exe	95

Program crash 2 IoCs

pid	pid_target	Process	procid_target
2892	3344	WerFault.exe	95
2152	1948	WerFault.exe	93

Suspicious use of WriteProcessMemory 28 IoCs

description	pid	Process	procid_target
PID 4244 wrote to memory of 1340	4244	NEAS.0bac0420be35b276e08b820be46a1bf0.exe	89
PID 4244 wrote to memory of 1340	4244	NEAS.0bac0420be35b276e08b820be46a1bf0.exe	89
PID 4244 wrote to memory of 1340	4244	NEAS.0bac0420be35b276e08b820be46a1bf0.exe	89
PID 1340 wrote to memory of 32	1340	DA7sq0qQ.exe	90
PID 1340 wrote to memory of 32	1340	DA7sq0qQ.exe	90
PID 1340 wrote to memory of 32	1340	DA7sq0qQ.exe	90
PID 32 wrote to memory of 4360	32	bF1wP6nr.exe	91
PID 32 wrote to memory of 4360	32	bF1wP6nr.exe	91
PID 32 wrote to memory of 4360	32	bF1wP6nr.exe	91
PID 4360 wrote to memory of 4688	4360	Vt4tQ7VY.exe	92
PID 4360 wrote to memory of 4688	4360	Vt4tQ7VY.exe	92
PID 4360 wrote to memory of 4688	4360	Vt4tQ7VY.exe	92
PID 4688 wrote to memory of 1948	4688	dO7tf7Ms.exe	93
PID 4688 wrote to memory of 1948	4688	dO7tf7Ms.exe	93
PID 4688 wrote to memory of 1948	4688	dO7tf7Ms.exe	93
PID 1948 wrote to memory of 3344	1948	1YS15qe5.exe	95
PID 1948 wrote to memory of 3344	1948	1YS15qe5.exe	95
PID 1948 wrote to memory of 3344	1948	1YS15qe5.exe	95
PID 1948 wrote to memory of 3344	1948	1YS15qe5.exe	95
PID 1948 wrote to memory of 3344	1948	1YS15qe5.exe	95
PID 1948 wrote to memory of 3344	1948	1YS15qe5.exe	95
PID 1948 wrote to memory of 3344	1948	1YS15qe5.exe	95
PID 1948 wrote to memory of 3344	1948	1YS15qe5.exe	95
PID 1948 wrote to memory of 3344	1948	1YS15qe5.exe	95
PID 1948 wrote to memory of 3344	1948	1YS15qe5.exe	95
PID 4688 wrote to memory of 1840	4688	dO7tf7Ms.exe	106
PID 4688 wrote to memory of 1840	4688	dO7tf7Ms.exe	106
PID 4688 wrote to memory of 1840	4688	dO7tf7Ms.exe	106

C:\Users\Admin\AppData\Local\Temp\NEAS.0bac0420be35b276e08b820be46a1bf0.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.0bac0420be35b276e08b820be46a1bf0.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4244
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\DA7sq0qQ.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\DA7sq0qQ.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:1340
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\bF1wP6nr.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\bF1wP6nr.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:32
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Vt4tQ7VY.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Vt4tQ7VY.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:4360
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\dO7tf7Ms.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\dO7tf7Ms.exe
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of WriteProcessMemory
        
        PID:4688
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1YS15qe5.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1YS15qe5.exe
        6⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:1948
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        7⤵
        
        PID:3344
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3344 -s 540
        8⤵
        Program crash
        
        PID:2892
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1948 -s 584
        7⤵
        Program crash
        
        PID:2152
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2GR811UV.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2GR811UV.exe
        6⤵
        Executes dropped EXE
        
        PID:1840

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 3344 -ip 3344
1⤵
PID:2808

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 1948 -ip 1948
1⤵
PID:2668

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\DA7sq0qQ.exe

Filesize
1.3MB

MD5
21d1bd88af4d12bc2312ee23b6d8a0f2

SHA1
0ca49782b547c8680b5281e4a1307349d2ea098f

SHA256
bf4b1ce2d46671feacbf171f4f1fccf858045151ae6c6f34d63331ff00381d16

SHA512
31bc02bf483565a7a19f31e803ca1f6faeed13c0d9d49e0fec19e50ba4f7ef8beeac589840bff779f400fa3a22adb2c1ba87a849b4168fe8060694db075d17df

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\DA7sq0qQ.exe

Filesize
1.3MB

MD5
21d1bd88af4d12bc2312ee23b6d8a0f2

SHA1
0ca49782b547c8680b5281e4a1307349d2ea098f

SHA256
bf4b1ce2d46671feacbf171f4f1fccf858045151ae6c6f34d63331ff00381d16

SHA512
31bc02bf483565a7a19f31e803ca1f6faeed13c0d9d49e0fec19e50ba4f7ef8beeac589840bff779f400fa3a22adb2c1ba87a849b4168fe8060694db075d17df

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\bF1wP6nr.exe

Filesize
1.2MB

MD5
9387a34f990ca5f25d1bc7fe58455eee

SHA1
28bcb1492e6452aed673b4ce03eb0fa420b74ccb

SHA256
28c9a7523dc489ef5a41d0d9181ce423dfb32cd61ff48226f7f33cc26f7efbff

SHA512
328c3068c062f492e8fba83ad5eb9d6ef967517068b3b895d4b9334c2fb70ac58d994ca74a12f09f76bc98fcabf25ec9613c20790adf06b4b0aeabbdc5616947

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\bF1wP6nr.exe

Filesize
1.2MB

MD5
9387a34f990ca5f25d1bc7fe58455eee

SHA1
28bcb1492e6452aed673b4ce03eb0fa420b74ccb

SHA256
28c9a7523dc489ef5a41d0d9181ce423dfb32cd61ff48226f7f33cc26f7efbff

SHA512
328c3068c062f492e8fba83ad5eb9d6ef967517068b3b895d4b9334c2fb70ac58d994ca74a12f09f76bc98fcabf25ec9613c20790adf06b4b0aeabbdc5616947

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Vt4tQ7VY.exe

Filesize
763KB

MD5
9009410a27680fedefa05c0518d9836f

SHA1
6f5714ad0953aea1e08e150e9848f69d5996b6d7

SHA256
11eb219eb0e3b1ec5c80157e1f393a991c0f481c9f633b0587a456d19089ff93

SHA512
87012bc5d3d31f5a0a4677c9624907e499286371499678259859c2f6bdb8661bc6a3ec3cdf9e74d81f0e0327aacd8b011fe60e02e2704d626260347fee5905e4

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Vt4tQ7VY.exe

Filesize
763KB

MD5
9009410a27680fedefa05c0518d9836f

SHA1
6f5714ad0953aea1e08e150e9848f69d5996b6d7

SHA256
11eb219eb0e3b1ec5c80157e1f393a991c0f481c9f633b0587a456d19089ff93

SHA512
87012bc5d3d31f5a0a4677c9624907e499286371499678259859c2f6bdb8661bc6a3ec3cdf9e74d81f0e0327aacd8b011fe60e02e2704d626260347fee5905e4

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\dO7tf7Ms.exe

Filesize
566KB

MD5
e872da3ccc6675ee413c805238a30239

SHA1
ca5f637ef70b5c2aa5ae2cf5d1258b25335124cc

SHA256
a93ccedebadcfde2703a8b76fa037613e0ba3f606d53a62a28a7a09cf0d6b3da

SHA512
fad92d6eab08d0922390df79bddbe8af3ca7b977ead107a32a2befb74bd0d853d9353d6cdd1de357c485db36034af7ac76ff09e56ea817dd7661eb5386691bbf

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\dO7tf7Ms.exe

Filesize
566KB

MD5
e872da3ccc6675ee413c805238a30239

SHA1
ca5f637ef70b5c2aa5ae2cf5d1258b25335124cc

SHA256
a93ccedebadcfde2703a8b76fa037613e0ba3f606d53a62a28a7a09cf0d6b3da

SHA512
fad92d6eab08d0922390df79bddbe8af3ca7b977ead107a32a2befb74bd0d853d9353d6cdd1de357c485db36034af7ac76ff09e56ea817dd7661eb5386691bbf

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1YS15qe5.exe

Filesize
1.1MB

MD5
8a4f92e7bae66ff53f4af5d0b94d7f0b

SHA1
4a3e2802afd48fddcad3b3badc28261aac260ea7

SHA256
791eedb3d2a4b678426283d48a53a6b1d9a1e059d5ca71c942b4b854ea4f2cc5

SHA512
1d2140f8792e3ab56e1fbd956f4b2cc7a31efa698284644a858c43e373b2053840d76870a45eeac43cae5eca9bd6b9c2b1f5704e26b0b2c0732f0bec0fe96027

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1YS15qe5.exe

Filesize
1.1MB

MD5
8a4f92e7bae66ff53f4af5d0b94d7f0b

SHA1
4a3e2802afd48fddcad3b3badc28261aac260ea7

SHA256
791eedb3d2a4b678426283d48a53a6b1d9a1e059d5ca71c942b4b854ea4f2cc5

SHA512
1d2140f8792e3ab56e1fbd956f4b2cc7a31efa698284644a858c43e373b2053840d76870a45eeac43cae5eca9bd6b9c2b1f5704e26b0b2c0732f0bec0fe96027

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2GR811UV.exe

Filesize
222KB

MD5
411863ee0ef9444f896042afb2f5a4b6

SHA1
9098fcb484daaa4d152f8b9d6b9b3d41a6faf4ca

SHA256
c29e92f644ea0c987681a157b1f7cca8a0036e320c23f3900b55853e541ff181

SHA512
a5ca8471aad65398e2efcef3221f67dfbbaaa8fd3c706429c4ca48ed7b418ebee9f9f5b2d10006fbfe973e6c5ae926ef117a7d6143b061f08c019a77df438e19

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2GR811UV.exe

Filesize
222KB

MD5
411863ee0ef9444f896042afb2f5a4b6

SHA1
9098fcb484daaa4d152f8b9d6b9b3d41a6faf4ca

SHA256
c29e92f644ea0c987681a157b1f7cca8a0036e320c23f3900b55853e541ff181

SHA512
a5ca8471aad65398e2efcef3221f67dfbbaaa8fd3c706429c4ca48ed7b418ebee9f9f5b2d10006fbfe973e6c5ae926ef117a7d6143b061f08c019a77df438e19

Download Submit
memory/1840-46-0x0000000007D70000-0x0000000007E02000-memory.dmp

Filesize
584KB

Download
memory/1840-43-0x0000000073DA0000-0x0000000074550000-memory.dmp

Filesize
7.7MB

Download
memory/1840-47-0x0000000007EF0000-0x0000000007F00000-memory.dmp

Filesize
64KB

Download
memory/1840-55-0x0000000007EF0000-0x0000000007F00000-memory.dmp

Filesize
64KB

Download
memory/1840-48-0x0000000007E70000-0x0000000007E7A000-memory.dmp

Filesize
40KB

Download
memory/1840-44-0x0000000000EB0000-0x0000000000EEE000-memory.dmp

Filesize
248KB

Download
memory/1840-45-0x0000000008280000-0x0000000008824000-memory.dmp

Filesize
5.6MB

Download
memory/1840-49-0x0000000008E50000-0x0000000009468000-memory.dmp

Filesize
6.1MB

Download
memory/1840-54-0x0000000073DA0000-0x0000000074550000-memory.dmp

Filesize
7.7MB

Download
memory/1840-53-0x0000000008230000-0x000000000827C000-memory.dmp

Filesize
304KB

Download
memory/1840-52-0x00000000080B0000-0x00000000080EC000-memory.dmp

Filesize
240KB

Download
memory/1840-50-0x0000000008120000-0x000000000822A000-memory.dmp

Filesize
1.0MB

Download
memory/1840-51-0x0000000008050000-0x0000000008062000-memory.dmp

Filesize
72KB

Download
memory/3344-36-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3344-39-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3344-35-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3344-37-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads