redline | 2a2d52a4b2b0e2b45ad671e6ce69ef23f63ebe3e772b50d1e0bca1424a483713

Analysis

max time kernel
292s
max time network
301s
platform
windows10-1703_x64
resource
win10-20231020-en
resource tags

arch:x64arch:x86image:win10-20231020-enlocale:en-usos:windows10-1703-x64system
submitted
03-11-2023 04:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2a2d52a4b2b0e2b45ad671e6ce69ef23f63ebe3e772b50d1e0bca1424a483713.exe
Size

1.5MB
MD5

6bcbbf831380a47e6d269bb02befe194
SHA1

55a5c0863c3cc9297050bfb0bbe3a01ef90c4791
SHA256

2a2d52a4b2b0e2b45ad671e6ce69ef23f63ebe3e772b50d1e0bca1424a483713
SHA512

9ba12760780a93cddd7eb8de17f2330173b77415bb3c8f48a729ec98ecd7d44ad30c44173b5a4d8eddbae27ffae14f3e93b83fe185ef4ea5516644a46d58e057
SSDEEP

24576:0yP5r8rnF0TvAZ9Em95WAZuP+c7qpeZQJGumxmy6QiraZkfWAwkw1il:DP5rQC4Ymz/Xv9mxG1ra+fZdw

Score

10^/10

redline kedru infostealer persistence

Malware Config

Extracted

Family

redline

Botnet

kedru

77.91.124.86:19084

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 3 IoCs

resource	yara_rule
behavioral2/files/0x000600000001abaf-44.dat	family_redline
behavioral2/files/0x000600000001abaf-42.dat	family_redline
behavioral2/memory/1516-45-0x0000000000720000-0x000000000075C000-memory.dmp	family_redline

Executes dropped EXE 6 IoCs

pid	Process
4964	Rb4Nx8gO.exe
436	EP1ij1Md.exe
4328	zw3sp5uY.exe
784	Fe1DF1tc.exe
312	1wY65uE6.exe
1516	2vY140cR.exe

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	Rb4Nx8gO.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	EP1ij1Md.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	zw3sp5uY.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\""	Fe1DF1tc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	2a2d52a4b2b0e2b45ad671e6ce69ef23f63ebe3e772b50d1e0bca1424a483713.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 312 set thread context of 220	312	1wY65uE6.exe	75

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2944	220	WerFault.exe	75

Suspicious use of WriteProcessMemory 28 IoCs

description	pid	Process	procid_target
PID 1216 wrote to memory of 4964	1216	2a2d52a4b2b0e2b45ad671e6ce69ef23f63ebe3e772b50d1e0bca1424a483713.exe	70
PID 1216 wrote to memory of 4964	1216	2a2d52a4b2b0e2b45ad671e6ce69ef23f63ebe3e772b50d1e0bca1424a483713.exe	70
PID 1216 wrote to memory of 4964	1216	2a2d52a4b2b0e2b45ad671e6ce69ef23f63ebe3e772b50d1e0bca1424a483713.exe	70
PID 4964 wrote to memory of 436	4964	Rb4Nx8gO.exe	71
PID 4964 wrote to memory of 436	4964	Rb4Nx8gO.exe	71
PID 4964 wrote to memory of 436	4964	Rb4Nx8gO.exe	71
PID 436 wrote to memory of 4328	436	EP1ij1Md.exe	72
PID 436 wrote to memory of 4328	436	EP1ij1Md.exe	72
PID 436 wrote to memory of 4328	436	EP1ij1Md.exe	72
PID 4328 wrote to memory of 784	4328	zw3sp5uY.exe	73
PID 4328 wrote to memory of 784	4328	zw3sp5uY.exe	73
PID 4328 wrote to memory of 784	4328	zw3sp5uY.exe	73
PID 784 wrote to memory of 312	784	Fe1DF1tc.exe	74
PID 784 wrote to memory of 312	784	Fe1DF1tc.exe	74
PID 784 wrote to memory of 312	784	Fe1DF1tc.exe	74
PID 312 wrote to memory of 220	312	1wY65uE6.exe	75
PID 312 wrote to memory of 220	312	1wY65uE6.exe	75
PID 312 wrote to memory of 220	312	1wY65uE6.exe	75
PID 312 wrote to memory of 220	312	1wY65uE6.exe	75
PID 312 wrote to memory of 220	312	1wY65uE6.exe	75
PID 312 wrote to memory of 220	312	1wY65uE6.exe	75
PID 312 wrote to memory of 220	312	1wY65uE6.exe	75
PID 312 wrote to memory of 220	312	1wY65uE6.exe	75
PID 312 wrote to memory of 220	312	1wY65uE6.exe	75
PID 312 wrote to memory of 220	312	1wY65uE6.exe	75
PID 784 wrote to memory of 1516	784	Fe1DF1tc.exe	78
PID 784 wrote to memory of 1516	784	Fe1DF1tc.exe	78
PID 784 wrote to memory of 1516	784	Fe1DF1tc.exe	78

C:\Users\Admin\AppData\Local\Temp\2a2d52a4b2b0e2b45ad671e6ce69ef23f63ebe3e772b50d1e0bca1424a483713.exe
"C:\Users\Admin\AppData\Local\Temp\2a2d52a4b2b0e2b45ad671e6ce69ef23f63ebe3e772b50d1e0bca1424a483713.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1216
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Rb4Nx8gO.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Rb4Nx8gO.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:4964
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\EP1ij1Md.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\EP1ij1Md.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:436
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\zw3sp5uY.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\zw3sp5uY.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:4328
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\Fe1DF1tc.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\Fe1DF1tc.exe
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of WriteProcessMemory
        
        PID:784
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1wY65uE6.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1wY65uE6.exe
        6⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:312
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        7⤵
        
        PID:220
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 220 -s 568
        8⤵
        Program crash
        
        PID:2944
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2vY140cR.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2vY140cR.exe
        6⤵
        Executes dropped EXE
        
        PID:1516

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Rb4Nx8gO.exe

Filesize
1.3MB

MD5
35c750dbd462c3c640e07a9fba96f565

SHA1
f92271b03962710b986e69fc17a12ff1472f4061

SHA256
6816e61fb973c4029602bc56232e9a32263b88822f341415401890f11d66b0ad

SHA512
0230ccd3685ab093ca510131d99d57ea18a4595e15c2352809d8d0a9447401d3b375c9e6d0daa0f46c32d8fea26aa61acc8955dfcae313e6558efe39af585842

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Rb4Nx8gO.exe

Filesize
1.3MB

MD5
35c750dbd462c3c640e07a9fba96f565

SHA1
f92271b03962710b986e69fc17a12ff1472f4061

SHA256
6816e61fb973c4029602bc56232e9a32263b88822f341415401890f11d66b0ad

SHA512
0230ccd3685ab093ca510131d99d57ea18a4595e15c2352809d8d0a9447401d3b375c9e6d0daa0f46c32d8fea26aa61acc8955dfcae313e6558efe39af585842

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\EP1ij1Md.exe

Filesize
1.1MB

MD5
ac3135ce03ca577a689cfffb88d3cb88

SHA1
24659d716defc7089d92116e3fdbf94086008bb5

SHA256
8c85e17daf8ee592437c405cba5187636a7374bc73a74c8950b1b42d0e583a20

SHA512
f6e76aa76277c721c8878df126bf13a39f129d5af398e5e16a98eadec2beb46b92eec5866ee61780c3b06441cac7e57bc7e83c3f71d1be0ce0637426a7bdcf22

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\EP1ij1Md.exe

Filesize
1.1MB

MD5
ac3135ce03ca577a689cfffb88d3cb88

SHA1
24659d716defc7089d92116e3fdbf94086008bb5

SHA256
8c85e17daf8ee592437c405cba5187636a7374bc73a74c8950b1b42d0e583a20

SHA512
f6e76aa76277c721c8878df126bf13a39f129d5af398e5e16a98eadec2beb46b92eec5866ee61780c3b06441cac7e57bc7e83c3f71d1be0ce0637426a7bdcf22

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\zw3sp5uY.exe

Filesize
753KB

MD5
ab848404044669ebe592f908a2c1f838

SHA1
dd623ac23f219050a851f8dedab168b4ce9211fe

SHA256
00d1c27ac249cb2d6208f865ec191cc8bbe179308abd49510fb4d3a1644d256c

SHA512
b9dce73fc865838f885f79a4ca447888cf7379f6e8e7e225437d10eb6ebe8baca206e08fcdfeda7806bc6b69f72e5daa4ad54e45f03f08457ec516009d8a4411

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\zw3sp5uY.exe

Filesize
753KB

MD5
ab848404044669ebe592f908a2c1f838

SHA1
dd623ac23f219050a851f8dedab168b4ce9211fe

SHA256
00d1c27ac249cb2d6208f865ec191cc8bbe179308abd49510fb4d3a1644d256c

SHA512
b9dce73fc865838f885f79a4ca447888cf7379f6e8e7e225437d10eb6ebe8baca206e08fcdfeda7806bc6b69f72e5daa4ad54e45f03f08457ec516009d8a4411

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\Fe1DF1tc.exe

Filesize
558KB

MD5
202b12fd8aa334b14cf48b7c54d82e91

SHA1
33ff3acd954ad9566f70213540c2fbdd966d968c

SHA256
b4b880882739be916596ef4c7c8fc8d5c9ee05359c7eddea75531ae914c8f158

SHA512
a5c08192eba535085b39058b66fc3bf981898d381db431707633539ed60324f44f5cecc9719894f38a9327ef34befdca89e932f993ee781657c141476395f4ef

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\Fe1DF1tc.exe

Filesize
558KB

MD5
202b12fd8aa334b14cf48b7c54d82e91

SHA1
33ff3acd954ad9566f70213540c2fbdd966d968c

SHA256
b4b880882739be916596ef4c7c8fc8d5c9ee05359c7eddea75531ae914c8f158

SHA512
a5c08192eba535085b39058b66fc3bf981898d381db431707633539ed60324f44f5cecc9719894f38a9327ef34befdca89e932f993ee781657c141476395f4ef

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1wY65uE6.exe

Filesize
1.0MB

MD5
ccc96ab285d6c44ab2c0e00b6db08858

SHA1
1caa1595ea5169962b7d875cc568835c4bba1d31

SHA256
d877a57fa56f63a72c36b52086577c1884db8af261820b1a71aeb43cbc7eef30

SHA512
1eafde3703ceb3a051eba1248266c81c86cf457083bcd6b469fcbc0a1d3a2bc8b029fe2ae6b423a8a197d1774c8bf78bf1ced00376bed032cfe0bb08db784268

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1wY65uE6.exe

Filesize
1.0MB

MD5
ccc96ab285d6c44ab2c0e00b6db08858

SHA1
1caa1595ea5169962b7d875cc568835c4bba1d31

SHA256
d877a57fa56f63a72c36b52086577c1884db8af261820b1a71aeb43cbc7eef30

SHA512
1eafde3703ceb3a051eba1248266c81c86cf457083bcd6b469fcbc0a1d3a2bc8b029fe2ae6b423a8a197d1774c8bf78bf1ced00376bed032cfe0bb08db784268

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2vY140cR.exe

Filesize
219KB

MD5
8fbcefe5e0ab6540381148d7e63ed70a

SHA1
4bb34d487923f3fd0e54daa33ba22945c5dceb87

SHA256
1b15a222383706636228923f325ae47228021934f7a80433417a474e31e45467

SHA512
55b39938c347f50cefc7b009c8032cee6fe782e5d329ee2fd868452e452c1f30fc1fe056ea435b74a4e9369a79503587f5cd4b22914c370475386bfd77065eeb

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2vY140cR.exe

Filesize
219KB

MD5
8fbcefe5e0ab6540381148d7e63ed70a

SHA1
4bb34d487923f3fd0e54daa33ba22945c5dceb87

SHA256
1b15a222383706636228923f325ae47228021934f7a80433417a474e31e45467

SHA512
55b39938c347f50cefc7b009c8032cee6fe782e5d329ee2fd868452e452c1f30fc1fe056ea435b74a4e9369a79503587f5cd4b22914c370475386bfd77065eeb

Download Submit
memory/220-39-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/220-43-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/220-35-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/220-38-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1516-47-0x0000000007900000-0x0000000007DFE000-memory.dmp

Filesize
5.0MB

Download
memory/1516-45-0x0000000000720000-0x000000000075C000-memory.dmp

Filesize
240KB

Download
memory/1516-46-0x0000000072D80000-0x000000007346E000-memory.dmp

Filesize
6.9MB

Download
memory/1516-48-0x00000000074E0000-0x0000000007572000-memory.dmp

Filesize
584KB

Download
memory/1516-49-0x0000000007490000-0x000000000749A000-memory.dmp

Filesize
40KB

Download
memory/1516-50-0x0000000008410000-0x0000000008A16000-memory.dmp

Filesize
6.0MB

Download
memory/1516-51-0x00000000077E0000-0x00000000078EA000-memory.dmp

Filesize
1.0MB

Download
memory/1516-52-0x00000000076E0000-0x00000000076F2000-memory.dmp

Filesize
72KB

Download
memory/1516-53-0x0000000007740000-0x000000000777E000-memory.dmp

Filesize
248KB

Download
memory/1516-54-0x0000000007780000-0x00000000077CB000-memory.dmp

Filesize
300KB

Download
memory/1516-55-0x0000000072D80000-0x000000007346E000-memory.dmp

Filesize
6.9MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads