redline | 08f23e63ef45a3062061e105d972a26f30379b83357117359704e50ad3c00385

Analysis

max time kernel
142s
max time network
158s
platform
windows10-2004_x64
resource
win10v2004-20231023-en
resource tags

arch:x64arch:x86image:win10v2004-20231023-enlocale:en-usos:windows10-2004-x64system
submitted
02/11/2023, 16:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NEAS.425d8c9efa48b19a888f7f165d2c32f0.exe
Size

1.5MB
MD5

425d8c9efa48b19a888f7f165d2c32f0
SHA1

33a584dab98135bfb53e539fd46fe0721998674f
SHA256

08f23e63ef45a3062061e105d972a26f30379b83357117359704e50ad3c00385
SHA512

88461b37b10bf288dd973adde6da2f6bffb3fdcba4241fdcc08ca5d3dc2815aaddcf7b46208e65511cf6abf116d52d0331cc2f2bdd6d12e0067ede124f7b30d0
SSDEEP

24576:mylhonEBY+7MK/7XbBPEKHcuQWKNIP4aCY6FHpezj9UdZMSiO97:1lcGY+7MK/bBEKbxKNuCpRWj2

Score

10^/10

redline kinza infostealer persistence

Malware Config

Extracted

Family

redline

Botnet

kinza

77.91.124.86:19084

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 3 IoCs

resource	yara_rule
behavioral1/files/0x0006000000022daa-41.dat	family_redline
behavioral1/files/0x0006000000022daa-42.dat	family_redline
behavioral1/memory/2496-43-0x00000000005F0000-0x000000000062E000-memory.dmp	family_redline

Executes dropped EXE 6 IoCs

pid	Process
2356	Si4SR7iQ.exe
2008	kn6Lv6zN.exe
3488	EX9zq3Ho.exe
2816	HQ2ER5na.exe
4404	1cJ14rw7.exe
2496	2Ql467Em.exe

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	NEAS.425d8c9efa48b19a888f7f165d2c32f0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	Si4SR7iQ.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	kn6Lv6zN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	EX9zq3Ho.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\""	HQ2ER5na.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4404 set thread context of 4184	4404	1cJ14rw7.exe	92

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4856	4184	WerFault.exe	92

Suspicious use of WriteProcessMemory 28 IoCs

description	pid	Process	procid_target
PID 2972 wrote to memory of 2356	2972	NEAS.425d8c9efa48b19a888f7f165d2c32f0.exe	84
PID 2972 wrote to memory of 2356	2972	NEAS.425d8c9efa48b19a888f7f165d2c32f0.exe	84
PID 2972 wrote to memory of 2356	2972	NEAS.425d8c9efa48b19a888f7f165d2c32f0.exe	84
PID 2356 wrote to memory of 2008	2356	Si4SR7iQ.exe	85
PID 2356 wrote to memory of 2008	2356	Si4SR7iQ.exe	85
PID 2356 wrote to memory of 2008	2356	Si4SR7iQ.exe	85
PID 2008 wrote to memory of 3488	2008	kn6Lv6zN.exe	86
PID 2008 wrote to memory of 3488	2008	kn6Lv6zN.exe	86
PID 2008 wrote to memory of 3488	2008	kn6Lv6zN.exe	86
PID 3488 wrote to memory of 2816	3488	EX9zq3Ho.exe	87
PID 3488 wrote to memory of 2816	3488	EX9zq3Ho.exe	87
PID 3488 wrote to memory of 2816	3488	EX9zq3Ho.exe	87
PID 2816 wrote to memory of 4404	2816	HQ2ER5na.exe	89
PID 2816 wrote to memory of 4404	2816	HQ2ER5na.exe	89
PID 2816 wrote to memory of 4404	2816	HQ2ER5na.exe	89
PID 4404 wrote to memory of 4184	4404	1cJ14rw7.exe	92
PID 4404 wrote to memory of 4184	4404	1cJ14rw7.exe	92
PID 4404 wrote to memory of 4184	4404	1cJ14rw7.exe	92
PID 4404 wrote to memory of 4184	4404	1cJ14rw7.exe	92
PID 4404 wrote to memory of 4184	4404	1cJ14rw7.exe	92
PID 4404 wrote to memory of 4184	4404	1cJ14rw7.exe	92
PID 4404 wrote to memory of 4184	4404	1cJ14rw7.exe	92
PID 4404 wrote to memory of 4184	4404	1cJ14rw7.exe	92
PID 4404 wrote to memory of 4184	4404	1cJ14rw7.exe	92
PID 4404 wrote to memory of 4184	4404	1cJ14rw7.exe	92
PID 2816 wrote to memory of 2496	2816	HQ2ER5na.exe	93
PID 2816 wrote to memory of 2496	2816	HQ2ER5na.exe	93
PID 2816 wrote to memory of 2496	2816	HQ2ER5na.exe	93

C:\Users\Admin\AppData\Local\Temp\NEAS.425d8c9efa48b19a888f7f165d2c32f0.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.425d8c9efa48b19a888f7f165d2c32f0.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2972
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Si4SR7iQ.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Si4SR7iQ.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:2356
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kn6Lv6zN.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kn6Lv6zN.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:2008
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\EX9zq3Ho.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\EX9zq3Ho.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:3488
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\HQ2ER5na.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\HQ2ER5na.exe
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of WriteProcessMemory
        
        PID:2816
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1cJ14rw7.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1cJ14rw7.exe
        6⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:4404
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        7⤵
        
        PID:4184
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4184 -s 564
        8⤵
        Program crash
        
        PID:4856
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2Ql467Em.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2Ql467Em.exe
        6⤵
        Executes dropped EXE
        
        PID:2496

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4184 -ip 4184
1⤵
PID:5052

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Si4SR7iQ.exe

Filesize
1.3MB

MD5
f8d523ac387a03c88fd3e9cf8507d089

SHA1
0ccbb0bff3be94a64853bd6e15fb7b1d24f748f4

SHA256
207574395c76a75e27cb32f0d000053ffb84e44278c2e4fb4c42c1c8c297b459

SHA512
a269ae40ccd9fc867cbaff221f7621b24320babf46de72335bdceab05194461e32a1e77287f85c89a8f9bcbeeefa088ae4cc5e73ed173c7cd59e34569e02c720

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Si4SR7iQ.exe

Filesize
1.3MB

MD5
f8d523ac387a03c88fd3e9cf8507d089

SHA1
0ccbb0bff3be94a64853bd6e15fb7b1d24f748f4

SHA256
207574395c76a75e27cb32f0d000053ffb84e44278c2e4fb4c42c1c8c297b459

SHA512
a269ae40ccd9fc867cbaff221f7621b24320babf46de72335bdceab05194461e32a1e77287f85c89a8f9bcbeeefa088ae4cc5e73ed173c7cd59e34569e02c720

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kn6Lv6zN.exe

Filesize
1.1MB

MD5
0710c97d3448e872745e783251b7e0e5

SHA1
d63acc85f9c0e0bfa5009389229f701107d8d682

SHA256
14f40f7ef644381557cae2dabe233e93648057dc99b35941dee9ebe1003b2bac

SHA512
0d94045d058fc578a6e21363aacc6bb139a02b4abc2b684411f115b01e820da757ef8f9133d0912f00696131f142b251c58f5cc6e03065c0c20e0a732b0c3edf

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kn6Lv6zN.exe

Filesize
1.1MB

MD5
0710c97d3448e872745e783251b7e0e5

SHA1
d63acc85f9c0e0bfa5009389229f701107d8d682

SHA256
14f40f7ef644381557cae2dabe233e93648057dc99b35941dee9ebe1003b2bac

SHA512
0d94045d058fc578a6e21363aacc6bb139a02b4abc2b684411f115b01e820da757ef8f9133d0912f00696131f142b251c58f5cc6e03065c0c20e0a732b0c3edf

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\EX9zq3Ho.exe

Filesize
758KB

MD5
bb1a0f45d15285f9a18115d3c509bd09

SHA1
6e173bb07c574adde886e7440100cc0b3cac5e4c

SHA256
00e351fab6131cdce40e776f08b186b41e4b3f76167cc51d56549918b712073e

SHA512
5cc97343d6bb24baf0b38c0245e395b0f9dd363750293b15c0013095eb440051ff52298848adb785a771c767a38224037aa4be01e412f70774c940479a64847e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\EX9zq3Ho.exe

Filesize
758KB

MD5
bb1a0f45d15285f9a18115d3c509bd09

SHA1
6e173bb07c574adde886e7440100cc0b3cac5e4c

SHA256
00e351fab6131cdce40e776f08b186b41e4b3f76167cc51d56549918b712073e

SHA512
5cc97343d6bb24baf0b38c0245e395b0f9dd363750293b15c0013095eb440051ff52298848adb785a771c767a38224037aa4be01e412f70774c940479a64847e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\HQ2ER5na.exe

Filesize
562KB

MD5
4e91c367773562b5b400c44bde45a659

SHA1
0c7227dfddcba2e6a20a6bbb50091643c262bd16

SHA256
da3521157478d89e329f83cfc88112ed830220aa82cd47915516e9b0b812150d

SHA512
bdf75ee04e521090712ff871f1c3623caca602e6f8a06c891661fe0603995cb7333a902a1856324fc32588fbc394bed0b2cec4fdbfe67b4dd2072227bbd41de8

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\HQ2ER5na.exe

Filesize
562KB

MD5
4e91c367773562b5b400c44bde45a659

SHA1
0c7227dfddcba2e6a20a6bbb50091643c262bd16

SHA256
da3521157478d89e329f83cfc88112ed830220aa82cd47915516e9b0b812150d

SHA512
bdf75ee04e521090712ff871f1c3623caca602e6f8a06c891661fe0603995cb7333a902a1856324fc32588fbc394bed0b2cec4fdbfe67b4dd2072227bbd41de8

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1cJ14rw7.exe

Filesize
1.1MB

MD5
5c0f230733975ca9addb7fb932ba7fd8

SHA1
70332e6d8e29f8b334079fc914c6fc134453547e

SHA256
6aaadefd6b657971a15bd5a6afa20a0bc883b13d89c5109ccdd58f9bd3a14aa7

SHA512
5234959d6344c7a0026f33a7ae54c01ee085f7a4c96f1a0c29821c8d1c873d35371cc37c4d17ba99e5dcba059c3e4e7ca92782c580a0d28ffc4ed6a70b9175c0

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1cJ14rw7.exe

Filesize
1.1MB

MD5
5c0f230733975ca9addb7fb932ba7fd8

SHA1
70332e6d8e29f8b334079fc914c6fc134453547e

SHA256
6aaadefd6b657971a15bd5a6afa20a0bc883b13d89c5109ccdd58f9bd3a14aa7

SHA512
5234959d6344c7a0026f33a7ae54c01ee085f7a4c96f1a0c29821c8d1c873d35371cc37c4d17ba99e5dcba059c3e4e7ca92782c580a0d28ffc4ed6a70b9175c0

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2Ql467Em.exe

Filesize
222KB

MD5
7a0ee5aa6aff36f538386caf58800029

SHA1
7a2cf540214633cc55f0ac9527832b1da9776a92

SHA256
6ed8c76c56591c552671f7a905b9ee9fe1331144aaf42873a551fcbec5d4d18a

SHA512
f6c6dcf0d2f4ec1659721eac4e1ce0b2ca57bd9059b5b0ddeb85175ed6ceb4ddc24066b3dbba6175ac0febb5ae113c3039203834809c7e114e887dd7ddd8658b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2Ql467Em.exe

Filesize
222KB

MD5
7a0ee5aa6aff36f538386caf58800029

SHA1
7a2cf540214633cc55f0ac9527832b1da9776a92

SHA256
6ed8c76c56591c552671f7a905b9ee9fe1331144aaf42873a551fcbec5d4d18a

SHA512
f6c6dcf0d2f4ec1659721eac4e1ce0b2ca57bd9059b5b0ddeb85175ed6ceb4ddc24066b3dbba6175ac0febb5ae113c3039203834809c7e114e887dd7ddd8658b

Download Submit
memory/2496-46-0x0000000007420000-0x00000000074B2000-memory.dmp

Filesize
584KB

Download
memory/2496-48-0x00000000073D0000-0x00000000073DA000-memory.dmp

Filesize
40KB

Download
memory/2496-55-0x0000000007560000-0x0000000007570000-memory.dmp

Filesize
64KB

Download
memory/2496-54-0x0000000074310000-0x0000000074AC0000-memory.dmp

Filesize
7.7MB

Download
memory/2496-43-0x00000000005F0000-0x000000000062E000-memory.dmp

Filesize
248KB

Download
memory/2496-44-0x0000000074310000-0x0000000074AC0000-memory.dmp

Filesize
7.7MB

Download
memory/2496-45-0x0000000007930000-0x0000000007ED4000-memory.dmp

Filesize
5.6MB

Download
memory/2496-53-0x0000000007860000-0x00000000078AC000-memory.dmp

Filesize
304KB

Download
memory/2496-52-0x00000000076E0000-0x000000000771C000-memory.dmp

Filesize
240KB

Download
memory/2496-49-0x0000000008500000-0x0000000008B18000-memory.dmp

Filesize
6.1MB

Download
memory/2496-47-0x0000000007560000-0x0000000007570000-memory.dmp

Filesize
64KB

Download
memory/2496-50-0x0000000007FF0000-0x00000000080FA000-memory.dmp

Filesize
1.0MB

Download
memory/2496-51-0x0000000007680000-0x0000000007692000-memory.dmp

Filesize
72KB

Download
memory/4184-39-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4184-36-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4184-37-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4184-35-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads