redline | aa2c995858557c0cbe47de3a080f269acce3997e3a894a394560876034204845

Analysis

max time kernel
135s
max time network
153s
platform
windows10-1703_x64
resource
win10-20231025-en
resource tags

arch:x64arch:x86image:win10-20231025-enlocale:en-usos:windows10-1703-x64system
submitted
03-11-2023 21:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

aa2c995858557c0cbe47de3a080f269acce3997e3a894a394560876034204845.exe
Size

1.7MB
MD5

2a85ef79f993449122181e13799bd986
SHA1

9633fc5ff27c2c7c8c5b572896cdd5678a508e02
SHA256

aa2c995858557c0cbe47de3a080f269acce3997e3a894a394560876034204845
SHA512

6281818e9718321a55c1fd701aa7c9ba4d0f30b145164a56e15b04a72d127dd909daeca7fc5cbac4cb44f428434e94309011d9edd9e5bf8df51714e79b1984c6
SSDEEP

24576:QyM+qM+p4abCyV3vMyiAfwRLpVV2CGigx1CEPWLcBQ8ezmlNlpRd3moc0:XtdBoPkHFeKgDCrLcBQ5cLp2o

Score

10^/10

redline kedru infostealer persistence

Malware Config

Extracted

Family

redline

Botnet

kedru

77.91.124.86:19084

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 3 IoCs

resource	yara_rule
behavioral1/files/0x000600000001abd0-41.dat	family_redline
behavioral1/files/0x000600000001abd0-43.dat	family_redline
behavioral1/memory/2552-45-0x0000000000B00000-0x0000000000B3C000-memory.dmp	family_redline

Executes dropped EXE 6 IoCs

pid	Process
4932	pK9QA2Fh.exe
3332	Sy5lz4TH.exe
3452	jT1Xq9MC.exe
2656	kk2Up4Vk.exe
752	1Eg97Jn7.exe
2552	2Ou950Lv.exe

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	Sy5lz4TH.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	jT1Xq9MC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\""	kk2Up4Vk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	aa2c995858557c0cbe47de3a080f269acce3997e3a894a394560876034204845.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	pK9QA2Fh.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 752 set thread context of 4520	752	1Eg97Jn7.exe	76

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4844	4520	WerFault.exe	76

Suspicious use of WriteProcessMemory 28 IoCs

description	pid	Process	procid_target
PID 644 wrote to memory of 4932	644	aa2c995858557c0cbe47de3a080f269acce3997e3a894a394560876034204845.exe	71
PID 644 wrote to memory of 4932	644	aa2c995858557c0cbe47de3a080f269acce3997e3a894a394560876034204845.exe	71
PID 644 wrote to memory of 4932	644	aa2c995858557c0cbe47de3a080f269acce3997e3a894a394560876034204845.exe	71
PID 4932 wrote to memory of 3332	4932	pK9QA2Fh.exe	72
PID 4932 wrote to memory of 3332	4932	pK9QA2Fh.exe	72
PID 4932 wrote to memory of 3332	4932	pK9QA2Fh.exe	72
PID 3332 wrote to memory of 3452	3332	Sy5lz4TH.exe	73
PID 3332 wrote to memory of 3452	3332	Sy5lz4TH.exe	73
PID 3332 wrote to memory of 3452	3332	Sy5lz4TH.exe	73
PID 3452 wrote to memory of 2656	3452	jT1Xq9MC.exe	74
PID 3452 wrote to memory of 2656	3452	jT1Xq9MC.exe	74
PID 3452 wrote to memory of 2656	3452	jT1Xq9MC.exe	74
PID 2656 wrote to memory of 752	2656	kk2Up4Vk.exe	75
PID 2656 wrote to memory of 752	2656	kk2Up4Vk.exe	75
PID 2656 wrote to memory of 752	2656	kk2Up4Vk.exe	75
PID 752 wrote to memory of 4520	752	1Eg97Jn7.exe	76
PID 752 wrote to memory of 4520	752	1Eg97Jn7.exe	76
PID 752 wrote to memory of 4520	752	1Eg97Jn7.exe	76
PID 752 wrote to memory of 4520	752	1Eg97Jn7.exe	76
PID 752 wrote to memory of 4520	752	1Eg97Jn7.exe	76
PID 752 wrote to memory of 4520	752	1Eg97Jn7.exe	76
PID 752 wrote to memory of 4520	752	1Eg97Jn7.exe	76
PID 752 wrote to memory of 4520	752	1Eg97Jn7.exe	76
PID 752 wrote to memory of 4520	752	1Eg97Jn7.exe	76
PID 752 wrote to memory of 4520	752	1Eg97Jn7.exe	76
PID 2656 wrote to memory of 2552	2656	kk2Up4Vk.exe	77
PID 2656 wrote to memory of 2552	2656	kk2Up4Vk.exe	77
PID 2656 wrote to memory of 2552	2656	kk2Up4Vk.exe	77

C:\Users\Admin\AppData\Local\Temp\aa2c995858557c0cbe47de3a080f269acce3997e3a894a394560876034204845.exe
"C:\Users\Admin\AppData\Local\Temp\aa2c995858557c0cbe47de3a080f269acce3997e3a894a394560876034204845.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:644
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\pK9QA2Fh.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\pK9QA2Fh.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:4932
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Sy5lz4TH.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Sy5lz4TH.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:3332
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\jT1Xq9MC.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\jT1Xq9MC.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:3452
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\kk2Up4Vk.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\kk2Up4Vk.exe
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of WriteProcessMemory
        
        PID:2656
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1Eg97Jn7.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1Eg97Jn7.exe
        6⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:752
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        7⤵
        
        PID:4520
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4520 -s 568
        8⤵
        Program crash
        
        PID:4844
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2Ou950Lv.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2Ou950Lv.exe
        6⤵
        Executes dropped EXE
        
        PID:2552

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\pK9QA2Fh.exe

Filesize
1.6MB

MD5
4c91635bf63c1378aabb1f160bc337f1

SHA1
b5bf0b5c2f27a557970c30fd878671aff01366a5

SHA256
629f14a35799c15c16f3ce552ecb1a3f6ad42cfb06bc45a447d4363adbc703f2

SHA512
825c9b46c80a65ccdfc134193eda18983f1ea1d1d12a868ce0de81acff68b026d80f1a30244337d420c212e8eda29c2c6af7323f79241f4b851a16c3bb041180

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\pK9QA2Fh.exe

Filesize
1.6MB

MD5
4c91635bf63c1378aabb1f160bc337f1

SHA1
b5bf0b5c2f27a557970c30fd878671aff01366a5

SHA256
629f14a35799c15c16f3ce552ecb1a3f6ad42cfb06bc45a447d4363adbc703f2

SHA512
825c9b46c80a65ccdfc134193eda18983f1ea1d1d12a868ce0de81acff68b026d80f1a30244337d420c212e8eda29c2c6af7323f79241f4b851a16c3bb041180

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Sy5lz4TH.exe

Filesize
1.4MB

MD5
009521c5cce840b7defa05361f320a98

SHA1
a42874f560c877461c8e59dcc52fc9381c2c0015

SHA256
97af17bacac7bf36694f341e8b1b9cb605a0e0b2da6facd9a8fa60a0d32a6fed

SHA512
b264cb9352ef9bbae46a5730d5cb2ee4b081c1419c08797b9858e8316685053ca172a7f439257acfbc79d011058a525530e46bae56dcb14400405ad5e1ecb3ba

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Sy5lz4TH.exe

Filesize
1.4MB

MD5
009521c5cce840b7defa05361f320a98

SHA1
a42874f560c877461c8e59dcc52fc9381c2c0015

SHA256
97af17bacac7bf36694f341e8b1b9cb605a0e0b2da6facd9a8fa60a0d32a6fed

SHA512
b264cb9352ef9bbae46a5730d5cb2ee4b081c1419c08797b9858e8316685053ca172a7f439257acfbc79d011058a525530e46bae56dcb14400405ad5e1ecb3ba

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\jT1Xq9MC.exe

Filesize
884KB

MD5
bcfac64476d3355e108792c6cfae9f50

SHA1
36fde363d6e6d50228c5b252edfea8e3bdeb12e0

SHA256
21f6448fa080e3c22535152d1045216fe274c5e586a3dba705c07f48156b1a39

SHA512
f4588c5590f872d424b5fdc9ebc19a3ec9fd637599646fb85fe6b73c816edd49530b36afa72a0bc8d88f2dedf3f2b35320bd835fea605349786c9a168a45136a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\jT1Xq9MC.exe

Filesize
884KB

MD5
bcfac64476d3355e108792c6cfae9f50

SHA1
36fde363d6e6d50228c5b252edfea8e3bdeb12e0

SHA256
21f6448fa080e3c22535152d1045216fe274c5e586a3dba705c07f48156b1a39

SHA512
f4588c5590f872d424b5fdc9ebc19a3ec9fd637599646fb85fe6b73c816edd49530b36afa72a0bc8d88f2dedf3f2b35320bd835fea605349786c9a168a45136a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\kk2Up4Vk.exe

Filesize
688KB

MD5
6fbdfebe8eaacb8287557001c3265edb

SHA1
5afce595df7cfc7cbb4f6779fdfbd0333c20bd53

SHA256
5c1d7f60e4ea878f4c1299dac22986055279cd393b069319fa90193b6e0d6490

SHA512
c6f1211c018e5e6c5f9772caa6a3eb4de661d1adbb399eb990d4585365ef2f51a1fc5853642edac8aa96c81925d6fdf40d413cf46b1065b2acb2935133334df4

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\kk2Up4Vk.exe

Filesize
688KB

MD5
6fbdfebe8eaacb8287557001c3265edb

SHA1
5afce595df7cfc7cbb4f6779fdfbd0333c20bd53

SHA256
5c1d7f60e4ea878f4c1299dac22986055279cd393b069319fa90193b6e0d6490

SHA512
c6f1211c018e5e6c5f9772caa6a3eb4de661d1adbb399eb990d4585365ef2f51a1fc5853642edac8aa96c81925d6fdf40d413cf46b1065b2acb2935133334df4

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1Eg97Jn7.exe

Filesize
1.8MB

MD5
3f9c4013f334bafbace6e353ff8dc72f

SHA1
b00ccad3add082bbbb24ce31eb2c27124cccbf40

SHA256
79c254c886c7bfd0404f8fe1aa00de46a043aeb9023648fa046e591593591c7c

SHA512
30f8b55f7fd715ee658d6ad02f940b246d190f547cadab1a2c52d4997dc2427146223b8069a9920635ba40604edb897fd7d86876785068290467f5864c5f80d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1Eg97Jn7.exe

Filesize
1.8MB

MD5
3f9c4013f334bafbace6e353ff8dc72f

SHA1
b00ccad3add082bbbb24ce31eb2c27124cccbf40

SHA256
79c254c886c7bfd0404f8fe1aa00de46a043aeb9023648fa046e591593591c7c

SHA512
30f8b55f7fd715ee658d6ad02f940b246d190f547cadab1a2c52d4997dc2427146223b8069a9920635ba40604edb897fd7d86876785068290467f5864c5f80d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2Ou950Lv.exe

Filesize
219KB

MD5
c7c68a5634d01f124124150e05fd0a80

SHA1
e07537d3e8f6482901e4d161fc0fb8a48a470159

SHA256
9cf798e08bc87ed37c9d521968a8216eeb2719dc0e6854f9de71148d79e5984d

SHA512
77617feb8ff6a85c7e614441b8a0335cd9acf5b7dcc7e804f9383e84aa0cc022af1325bd5c421829980c00d5a8ab82a42a46945c4dc623696d7240a08076b9d7

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2Ou950Lv.exe

Filesize
219KB

MD5
c7c68a5634d01f124124150e05fd0a80

SHA1
e07537d3e8f6482901e4d161fc0fb8a48a470159

SHA256
9cf798e08bc87ed37c9d521968a8216eeb2719dc0e6854f9de71148d79e5984d

SHA512
77617feb8ff6a85c7e614441b8a0335cd9acf5b7dcc7e804f9383e84aa0cc022af1325bd5c421829980c00d5a8ab82a42a46945c4dc623696d7240a08076b9d7

Download Submit
memory/2552-47-0x0000000007CE0000-0x00000000081DE000-memory.dmp

Filesize
5.0MB

Download
memory/2552-48-0x0000000007880000-0x0000000007912000-memory.dmp

Filesize
584KB

Download
memory/2552-55-0x0000000072D80000-0x000000007346E000-memory.dmp

Filesize
6.9MB

Download
memory/2552-54-0x00000000081E0000-0x000000000822B000-memory.dmp

Filesize
300KB

Download
memory/2552-45-0x0000000000B00000-0x0000000000B3C000-memory.dmp

Filesize
240KB

Download
memory/2552-46-0x0000000072D80000-0x000000007346E000-memory.dmp

Filesize
6.9MB

Download
memory/2552-53-0x0000000007B30000-0x0000000007B6E000-memory.dmp

Filesize
248KB

Download
memory/2552-52-0x0000000007AD0000-0x0000000007AE2000-memory.dmp

Filesize
72KB

Download
memory/2552-49-0x00000000079E0000-0x00000000079EA000-memory.dmp

Filesize
40KB

Download
memory/2552-50-0x00000000087F0000-0x0000000008DF6000-memory.dmp

Filesize
6.0MB

Download
memory/2552-51-0x0000000007BA0000-0x0000000007CAA000-memory.dmp

Filesize
1.0MB

Download
memory/4520-38-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4520-35-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4520-44-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4520-40-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads