redline | 447d63fe920891bf82767873eccbacc020d5fb609a6138a888e980b0ca25d892

Analysis

max time kernel
141s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20231020-en
resource tags

arch:x64arch:x86image:win10v2004-20231020-enlocale:en-usos:windows10-2004-x64system
submitted
02/11/2023, 02:06

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

447d63fe920891bf82767873eccbacc020d5fb609a6138a888e980b0ca25d892.exe
Size

1.5MB
MD5

71bad59f83e0357a0d4439950ba53eb8
SHA1

65c0440133e3d5550f0e040dc42566e130b33407
SHA256

447d63fe920891bf82767873eccbacc020d5fb609a6138a888e980b0ca25d892
SHA512

cd1b283763bb4e729eb800225a0fb0acb4520aea67cbcbd932e7f130f2b381b2cc63566b0501e6f20e2b240e537630a872bb8b7f279d19e5068abc37b3ef47cd
SSDEEP

24576:fy+LLMI2X3x6zqkY41h3ogkiu9DtjhykF9YrTSpWlwVFNrmVSooYh0N:qkL2nxaE41ZogFIDBckIf63LBo3

Score

10^/10

redline kedru infostealer persistence

Malware Config

Extracted

Family

redline

Botnet

kedru

77.91.124.86:19084

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 3 IoCs

resource	yara_rule
behavioral1/files/0x0006000000022e6f-41.dat	family_redline
behavioral1/files/0x0006000000022e6f-42.dat	family_redline
behavioral1/memory/2820-43-0x0000000000F40000-0x0000000000F7C000-memory.dmp	family_redline

Executes dropped EXE 6 IoCs

pid	Process
2292	ij7jz7Aw.exe
1120	kW8ti9ID.exe
4060	Sf4jN8HA.exe
4364	GX0qu0wc.exe
800	1za81Kv7.exe
2820	2Gr734of.exe

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	447d63fe920891bf82767873eccbacc020d5fb609a6138a888e980b0ca25d892.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	ij7jz7Aw.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	kW8ti9ID.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	Sf4jN8HA.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\""	GX0qu0wc.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 800 set thread context of 392	800	1za81Kv7.exe	99

Program crash 2 IoCs

pid	pid_target	Process	procid_target
5076	800	WerFault.exe	93
1408	392	WerFault.exe	99

Suspicious use of WriteProcessMemory 28 IoCs

description	pid	Process	procid_target
PID 4272 wrote to memory of 2292	4272	447d63fe920891bf82767873eccbacc020d5fb609a6138a888e980b0ca25d892.exe	88
PID 4272 wrote to memory of 2292	4272	447d63fe920891bf82767873eccbacc020d5fb609a6138a888e980b0ca25d892.exe	88
PID 4272 wrote to memory of 2292	4272	447d63fe920891bf82767873eccbacc020d5fb609a6138a888e980b0ca25d892.exe	88
PID 2292 wrote to memory of 1120	2292	ij7jz7Aw.exe	90
PID 2292 wrote to memory of 1120	2292	ij7jz7Aw.exe	90
PID 2292 wrote to memory of 1120	2292	ij7jz7Aw.exe	90
PID 1120 wrote to memory of 4060	1120	kW8ti9ID.exe	91
PID 1120 wrote to memory of 4060	1120	kW8ti9ID.exe	91
PID 1120 wrote to memory of 4060	1120	kW8ti9ID.exe	91
PID 4060 wrote to memory of 4364	4060	Sf4jN8HA.exe	92
PID 4060 wrote to memory of 4364	4060	Sf4jN8HA.exe	92
PID 4060 wrote to memory of 4364	4060	Sf4jN8HA.exe	92
PID 4364 wrote to memory of 800	4364	GX0qu0wc.exe	93
PID 4364 wrote to memory of 800	4364	GX0qu0wc.exe	93
PID 4364 wrote to memory of 800	4364	GX0qu0wc.exe	93
PID 800 wrote to memory of 392	800	1za81Kv7.exe	99
PID 800 wrote to memory of 392	800	1za81Kv7.exe	99
PID 800 wrote to memory of 392	800	1za81Kv7.exe	99
PID 800 wrote to memory of 392	800	1za81Kv7.exe	99
PID 800 wrote to memory of 392	800	1za81Kv7.exe	99
PID 800 wrote to memory of 392	800	1za81Kv7.exe	99
PID 800 wrote to memory of 392	800	1za81Kv7.exe	99
PID 800 wrote to memory of 392	800	1za81Kv7.exe	99
PID 800 wrote to memory of 392	800	1za81Kv7.exe	99
PID 800 wrote to memory of 392	800	1za81Kv7.exe	99
PID 4364 wrote to memory of 2820	4364	GX0qu0wc.exe	105
PID 4364 wrote to memory of 2820	4364	GX0qu0wc.exe	105
PID 4364 wrote to memory of 2820	4364	GX0qu0wc.exe	105

C:\Users\Admin\AppData\Local\Temp\447d63fe920891bf82767873eccbacc020d5fb609a6138a888e980b0ca25d892.exe
"C:\Users\Admin\AppData\Local\Temp\447d63fe920891bf82767873eccbacc020d5fb609a6138a888e980b0ca25d892.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4272
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ij7jz7Aw.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ij7jz7Aw.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:2292
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kW8ti9ID.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kW8ti9ID.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:1120
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Sf4jN8HA.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Sf4jN8HA.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:4060
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\GX0qu0wc.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\GX0qu0wc.exe
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of WriteProcessMemory
        
        PID:4364
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1za81Kv7.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1za81Kv7.exe
        6⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:800
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        7⤵
        
        PID:392
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 392 -s 540
        8⤵
        Program crash
        
        PID:1408
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 800 -s 560
        7⤵
        Program crash
        
        PID:5076
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2Gr734of.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2Gr734of.exe
        6⤵
        Executes dropped EXE
        
        PID:2820

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 800 -ip 800
1⤵
PID:2488

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 392 -ip 392
1⤵
PID:5056

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ij7jz7Aw.exe

Filesize
1.3MB

MD5
fdc4d9813c6a32ad7be3808bbedce9b6

SHA1
ff0b549dcd43622d6af745a4ba03a06d04b9d9fd

SHA256
e13adc32347757c0feafe94386b689578539dc301114da1534d1538779d8b376

SHA512
d3e16acd153a5aa34ebcf787e8de1dc42cf7cd8ce7edb72f03c3b73a27ecde83d9bbf97dcac77b703a9b47b49ca8da274d3c539d4ff52c44a2d190c7f98d37ae

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ij7jz7Aw.exe

Filesize
1.3MB

MD5
fdc4d9813c6a32ad7be3808bbedce9b6

SHA1
ff0b549dcd43622d6af745a4ba03a06d04b9d9fd

SHA256
e13adc32347757c0feafe94386b689578539dc301114da1534d1538779d8b376

SHA512
d3e16acd153a5aa34ebcf787e8de1dc42cf7cd8ce7edb72f03c3b73a27ecde83d9bbf97dcac77b703a9b47b49ca8da274d3c539d4ff52c44a2d190c7f98d37ae

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kW8ti9ID.exe

Filesize
1.2MB

MD5
0b95d89b52b8d5cd88a8a7603ee78d37

SHA1
0c9514674dcdab1da1f7d8cd6c801da42beff033

SHA256
b12eb80bb6cbf4e8a48397437211f866de3d90ac7790d3c9b563acda1a0b754b

SHA512
843fa378875aaa620292b70455c623122783eed7b4fa082416d3c41945c90ef279acdf81bfc1f23aab3266113282772ed85a943345eff5bfc58556ae6ee76974

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kW8ti9ID.exe

Filesize
1.2MB

MD5
0b95d89b52b8d5cd88a8a7603ee78d37

SHA1
0c9514674dcdab1da1f7d8cd6c801da42beff033

SHA256
b12eb80bb6cbf4e8a48397437211f866de3d90ac7790d3c9b563acda1a0b754b

SHA512
843fa378875aaa620292b70455c623122783eed7b4fa082416d3c41945c90ef279acdf81bfc1f23aab3266113282772ed85a943345eff5bfc58556ae6ee76974

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Sf4jN8HA.exe

Filesize
769KB

MD5
92b1a09252d0d8f685e808573630ce0f

SHA1
93f8baf1489e096813dd694aeeb85535aac626e3

SHA256
e3936f04b3f43709a843c820bd2a6099145e724ffb59191c8b0f0e9d5bb14303

SHA512
0e16203254fa0d84a8a4ea78655024ea5a850b730ee450b721dcd8fa4c90dc2099d408d6f50f9b1163bdc1b43e88be5622dc7d7fb98bdc08cfa2a2327329efee

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Sf4jN8HA.exe

Filesize
769KB

MD5
92b1a09252d0d8f685e808573630ce0f

SHA1
93f8baf1489e096813dd694aeeb85535aac626e3

SHA256
e3936f04b3f43709a843c820bd2a6099145e724ffb59191c8b0f0e9d5bb14303

SHA512
0e16203254fa0d84a8a4ea78655024ea5a850b730ee450b721dcd8fa4c90dc2099d408d6f50f9b1163bdc1b43e88be5622dc7d7fb98bdc08cfa2a2327329efee

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\GX0qu0wc.exe

Filesize
573KB

MD5
d5761915fee6cddc21e7896fe3a522bf

SHA1
df3d1897c678a21bfb98066a7f9ca872009eea71

SHA256
7180ecd127bd00a17426f340378bdf10d59ee4b66c5eadc0d1f10f009a86b256

SHA512
fd810d028c41e122031d622a09fc9cd0bd6f7960bc3f2f2af9f3ba4dc20eb3054785defddbbfb77bffc11e993616b3bb1bee79d232130fafe024c19d2750ed1f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\GX0qu0wc.exe

Filesize
573KB

MD5
d5761915fee6cddc21e7896fe3a522bf

SHA1
df3d1897c678a21bfb98066a7f9ca872009eea71

SHA256
7180ecd127bd00a17426f340378bdf10d59ee4b66c5eadc0d1f10f009a86b256

SHA512
fd810d028c41e122031d622a09fc9cd0bd6f7960bc3f2f2af9f3ba4dc20eb3054785defddbbfb77bffc11e993616b3bb1bee79d232130fafe024c19d2750ed1f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1za81Kv7.exe

Filesize
1.1MB

MD5
7ccb3ffa545d4da278c259815d81f242

SHA1
1796c258488cae3571cd7dcd4671a6c4262aac89

SHA256
72d272ea81e9399432ff5820a0f8877afbd97d0e2a9a80a70a6e54e7b1856385

SHA512
a19c2cb0019cb6e550ca9bc203a98bc10d12f447fe26797c7995de2a0b9e6e89fa3b511556604a6ca8167d115d6931db8c7b0e220af8fd352541ccdaadd83b7f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1za81Kv7.exe

Filesize
1.1MB

MD5
7ccb3ffa545d4da278c259815d81f242

SHA1
1796c258488cae3571cd7dcd4671a6c4262aac89

SHA256
72d272ea81e9399432ff5820a0f8877afbd97d0e2a9a80a70a6e54e7b1856385

SHA512
a19c2cb0019cb6e550ca9bc203a98bc10d12f447fe26797c7995de2a0b9e6e89fa3b511556604a6ca8167d115d6931db8c7b0e220af8fd352541ccdaadd83b7f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2Gr734of.exe

Filesize
219KB

MD5
d027e238f3689827f112f9267f820c3d

SHA1
5c6324d5b22525dbd584e90da33fe7ce8b07d175

SHA256
1ebd632edd4e6b26f3de2350f3c8e3b925171c33554fcb86502daa90efdf2a8a

SHA512
81e90b275cee8474133c88e1ddfc704e70c004c051a9dd7d758b031ebb4a313dd1a874abf7a85bc2382f948eb69edc2f9e4dc83fe69d86f8af2fa59d4ef968c7

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2Gr734of.exe

Filesize
219KB

MD5
d027e238f3689827f112f9267f820c3d

SHA1
5c6324d5b22525dbd584e90da33fe7ce8b07d175

SHA256
1ebd632edd4e6b26f3de2350f3c8e3b925171c33554fcb86502daa90efdf2a8a

SHA512
81e90b275cee8474133c88e1ddfc704e70c004c051a9dd7d758b031ebb4a313dd1a874abf7a85bc2382f948eb69edc2f9e4dc83fe69d86f8af2fa59d4ef968c7

Download Submit
memory/392-36-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/392-37-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/392-39-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/392-35-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2820-46-0x0000000007E50000-0x0000000007EE2000-memory.dmp

Filesize
584KB

Download
memory/2820-43-0x0000000000F40000-0x0000000000F7C000-memory.dmp

Filesize
240KB

Download
memory/2820-45-0x0000000008320000-0x00000000088C4000-memory.dmp

Filesize
5.6MB

Download
memory/2820-44-0x00000000741C0000-0x0000000074970000-memory.dmp

Filesize
7.7MB

Download
memory/2820-47-0x0000000007FE0000-0x0000000007FF0000-memory.dmp

Filesize
64KB

Download
memory/2820-48-0x0000000007F00000-0x0000000007F0A000-memory.dmp

Filesize
40KB

Download
memory/2820-49-0x0000000008EF0000-0x0000000009508000-memory.dmp

Filesize
6.1MB

Download
memory/2820-50-0x00000000081F0000-0x00000000082FA000-memory.dmp

Filesize
1.0MB

Download
memory/2820-51-0x00000000080E0000-0x00000000080F2000-memory.dmp

Filesize
72KB

Download
memory/2820-52-0x0000000008140000-0x000000000817C000-memory.dmp

Filesize
240KB

Download
memory/2820-53-0x0000000008180000-0x00000000081CC000-memory.dmp

Filesize
304KB

Download
memory/2820-54-0x00000000741C0000-0x0000000074970000-memory.dmp

Filesize
7.7MB

Download
memory/2820-55-0x0000000007FE0000-0x0000000007FF0000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads