redline | c4250eab48d9405545214da261a19ccd6e3e4652a5bde20d9e585bf9e80f2201

Analysis

max time kernel
147s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20231020-en
resource tags

arch:x64arch:x86image:win10v2004-20231020-enlocale:en-usos:windows10-2004-x64system
submitted
03/11/2023, 10:13

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

NEAS.9e94ef1b931f68f722a69465756bbe30.exe
Size

758KB
MD5

9e94ef1b931f68f722a69465756bbe30
SHA1

f32835ba07cd05bbc2311939ce3b4117f67f21ab
SHA256

c4250eab48d9405545214da261a19ccd6e3e4652a5bde20d9e585bf9e80f2201
SHA512

890469d459e8743b9dbda8b23cf140b4f650c3a6de8c8727f80fa0f776f95102c65d1d1f7076fb21a92c816ca090bae141e104ba1a6b8f6c4102355d45739b40
SSDEEP

12288:qMrwy90iGvdod+IPeKys3IGolDC9VCXmp9EosFw1ODY8h8wlxxUa0bfKN:yyV0dbe3d4DDsVWNosF1Y8h8wtiq

Score

10^/10

redline kinza infostealer persistence

Malware Config

Extracted

Family

redline

Botnet

kinza

77.91.124.86:19084

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 3 IoCs

resource	yara_rule
behavioral1/files/0x0006000000022e34-20.dat	family_redline
behavioral1/files/0x0006000000022e34-21.dat	family_redline
behavioral1/memory/3064-22-0x0000000000A10000-0x0000000000A4E000-memory.dmp	family_redline

Executes dropped EXE 3 IoCs

pid	Process
3024	zM0Xm0bU.exe
1948	1UM42uf1.exe
3064	2nV349DO.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	NEAS.9e94ef1b931f68f722a69465756bbe30.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	zM0Xm0bU.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1948 set thread context of 4276	1948	1UM42uf1.exe	93

Program crash 1 IoCs

pid	pid_target	Process	procid_target
560	4276	WerFault.exe	93

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeManageVolumePrivilege	2900	svchost.exe

Suspicious use of WriteProcessMemory 25 IoCs

description	pid	Process	procid_target
PID 4240 wrote to memory of 3024	4240	NEAS.9e94ef1b931f68f722a69465756bbe30.exe	86
PID 4240 wrote to memory of 3024	4240	NEAS.9e94ef1b931f68f722a69465756bbe30.exe	86
PID 4240 wrote to memory of 3024	4240	NEAS.9e94ef1b931f68f722a69465756bbe30.exe	86
PID 3024 wrote to memory of 1948	3024	zM0Xm0bU.exe	88
PID 3024 wrote to memory of 1948	3024	zM0Xm0bU.exe	88
PID 3024 wrote to memory of 1948	3024	zM0Xm0bU.exe	88
PID 1948 wrote to memory of 2024	1948	1UM42uf1.exe	91
PID 1948 wrote to memory of 2024	1948	1UM42uf1.exe	91
PID 1948 wrote to memory of 2024	1948	1UM42uf1.exe	91
PID 1948 wrote to memory of 4628	1948	1UM42uf1.exe	92
PID 1948 wrote to memory of 4628	1948	1UM42uf1.exe	92
PID 1948 wrote to memory of 4628	1948	1UM42uf1.exe	92
PID 1948 wrote to memory of 4276	1948	1UM42uf1.exe	93
PID 1948 wrote to memory of 4276	1948	1UM42uf1.exe	93
PID 1948 wrote to memory of 4276	1948	1UM42uf1.exe	93
PID 1948 wrote to memory of 4276	1948	1UM42uf1.exe	93
PID 1948 wrote to memory of 4276	1948	1UM42uf1.exe	93
PID 1948 wrote to memory of 4276	1948	1UM42uf1.exe	93
PID 1948 wrote to memory of 4276	1948	1UM42uf1.exe	93
PID 1948 wrote to memory of 4276	1948	1UM42uf1.exe	93
PID 1948 wrote to memory of 4276	1948	1UM42uf1.exe	93
PID 1948 wrote to memory of 4276	1948	1UM42uf1.exe	93
PID 3024 wrote to memory of 3064	3024	zM0Xm0bU.exe	94
PID 3024 wrote to memory of 3064	3024	zM0Xm0bU.exe	94
PID 3024 wrote to memory of 3064	3024	zM0Xm0bU.exe	94

C:\Users\Admin\AppData\Local\Temp\NEAS.9e94ef1b931f68f722a69465756bbe30.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.9e94ef1b931f68f722a69465756bbe30.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4240
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zM0Xm0bU.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zM0Xm0bU.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:3024
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1UM42uf1.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1UM42uf1.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:1948
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
      4⤵
      PID:2024
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
      4⤵
      PID:4628
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
      4⤵
      PID:4276
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4276 -s 540
        5⤵
        Program crash
        
        PID:560
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2nV349DO.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2nV349DO.exe
    3⤵
    - Executes dropped EXE
    PID:3064

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4276 -ip 4276
1⤵
PID:412

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" "C:\Windows\SYSTEM32\EDGEHTML.dll",#141 Microsoft.VCLibs.140.00_8wekyb3d8bbwe
1⤵
PID:4956

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k UnistackSvcGroup
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2900

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Comms\UnistoreDB\store.jfm

Filesize
16KB

MD5
bab47716c83fec93500c9be9ac3a3fe4

SHA1
bd6996dfa53baa529914a586d12ac5455ec36f5c

SHA256
9742b75b3c30b80cbbef2721d5279a1046f507475176143c7a9ed07e0f3170cb

SHA512
a41e783593ad03bc4cfb9630f566c3a0a312b7d23626bfe0f7eadfbbc1730460b86fcf840c08d017b0eace1a56dd25e70f9a9396bfbffc7b732a7060c31efff4

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zM0Xm0bU.exe

Filesize
562KB

MD5
bb4821e16408061fd669b608ba7914e6

SHA1
2a82f9a9d07bcec6d6a05514a492d6f58c9746f7

SHA256
730c808381a1f128a4f6f1004ea0156e2c76731f7cdb44781b8f2286024427a1

SHA512
7eafb112c9a36207ac01e99185474190334901d196f7fcdcc74f0a4d1e043e9a7aace065a3a46dbd4d854df8ba92593847a00a7517947b11c6df1d6c62144f35

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zM0Xm0bU.exe

Filesize
562KB

MD5
bb4821e16408061fd669b608ba7914e6

SHA1
2a82f9a9d07bcec6d6a05514a492d6f58c9746f7

SHA256
730c808381a1f128a4f6f1004ea0156e2c76731f7cdb44781b8f2286024427a1

SHA512
7eafb112c9a36207ac01e99185474190334901d196f7fcdcc74f0a4d1e043e9a7aace065a3a46dbd4d854df8ba92593847a00a7517947b11c6df1d6c62144f35

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1UM42uf1.exe

Filesize
1.1MB

MD5
a07c046be4d31f27ce12d25923953f66

SHA1
f7647894a3eff651fd9b5c58bdef50dd753ac3f0

SHA256
b0de5b7b284346e3d289e11608df560463a4235371a357caba7500af40d6eca8

SHA512
1877bf0fc1a1d477cdeec7a06ead33d8a113c877a9ed371ad966c9b405ff0354ffa5c49a138b86eed31e9fe4c92342ce9c693abc88174833f85f2a4720eeca4a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1UM42uf1.exe

Filesize
1.1MB

MD5
a07c046be4d31f27ce12d25923953f66

SHA1
f7647894a3eff651fd9b5c58bdef50dd753ac3f0

SHA256
b0de5b7b284346e3d289e11608df560463a4235371a357caba7500af40d6eca8

SHA512
1877bf0fc1a1d477cdeec7a06ead33d8a113c877a9ed371ad966c9b405ff0354ffa5c49a138b86eed31e9fe4c92342ce9c693abc88174833f85f2a4720eeca4a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2nV349DO.exe

Filesize
222KB

MD5
d1b3b07728c3768f9c0871c4cc6e0738

SHA1
ef37d8cb41d26dedcaf6c9645dc343f0fdf7b567

SHA256
b567bc4b9b529a67ea1c785cfe0541df26c68b037219f58d0a00baca429903b9

SHA512
69f31b063e7b6e5a737c0fc4ab32d8af62fa844e9f80e316b1c82c79d80274993857d5c0629456c243ea7d48fbbea0bfb889112ec35687c8d655119c3a09061f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2nV349DO.exe

Filesize
222KB

MD5
d1b3b07728c3768f9c0871c4cc6e0738

SHA1
ef37d8cb41d26dedcaf6c9645dc343f0fdf7b567

SHA256
b567bc4b9b529a67ea1c785cfe0541df26c68b037219f58d0a00baca429903b9

SHA512
69f31b063e7b6e5a737c0fc4ab32d8af62fa844e9f80e316b1c82c79d80274993857d5c0629456c243ea7d48fbbea0bfb889112ec35687c8d655119c3a09061f

Download Submit
memory/2900-81-0x000001B0FE020000-0x000001B0FE021000-memory.dmp

Filesize
4KB

Download
memory/2900-76-0x000001B0FE600000-0x000001B0FE601000-memory.dmp

Filesize
4KB

Download
memory/2900-101-0x000001B0FE160000-0x000001B0FE161000-memory.dmp

Filesize
4KB

Download
memory/2900-102-0x000001B0FE160000-0x000001B0FE161000-memory.dmp

Filesize
4KB

Download
memory/2900-103-0x000001B0FE270000-0x000001B0FE271000-memory.dmp

Filesize
4KB

Download
memory/2900-87-0x000001B0FDF50000-0x000001B0FDF51000-memory.dmp

Filesize
4KB

Download
memory/2900-84-0x000001B0FE010000-0x000001B0FE011000-memory.dmp

Filesize
4KB

Download
memory/2900-71-0x000001B0FE400000-0x000001B0FE401000-memory.dmp

Filesize
4KB

Download
memory/2900-79-0x000001B0FE010000-0x000001B0FE011000-memory.dmp

Filesize
4KB

Download
memory/2900-78-0x000001B0FE020000-0x000001B0FE021000-memory.dmp

Filesize
4KB

Download
memory/2900-77-0x000001B0FE600000-0x000001B0FE601000-memory.dmp

Filesize
4KB

Download
memory/2900-99-0x000001B0FE150000-0x000001B0FE151000-memory.dmp

Filesize
4KB

Download
memory/2900-75-0x000001B0FE400000-0x000001B0FE401000-memory.dmp

Filesize
4KB

Download
memory/2900-74-0x000001B0FE400000-0x000001B0FE401000-memory.dmp

Filesize
4KB

Download
memory/2900-73-0x000001B0FE400000-0x000001B0FE401000-memory.dmp

Filesize
4KB

Download
memory/2900-72-0x000001B0FE400000-0x000001B0FE401000-memory.dmp

Filesize
4KB

Download
memory/2900-35-0x000001B0F9D40000-0x000001B0F9D50000-memory.dmp

Filesize
64KB

Download
memory/2900-51-0x000001B0F9E40000-0x000001B0F9E50000-memory.dmp

Filesize
64KB

Download
memory/2900-67-0x000001B0FE3D0000-0x000001B0FE3D1000-memory.dmp

Filesize
4KB

Download
memory/2900-68-0x000001B0FE400000-0x000001B0FE401000-memory.dmp

Filesize
4KB

Download
memory/2900-69-0x000001B0FE400000-0x000001B0FE401000-memory.dmp

Filesize
4KB

Download
memory/2900-70-0x000001B0FE400000-0x000001B0FE401000-memory.dmp

Filesize
4KB

Download
memory/3064-23-0x00000000744A0000-0x0000000074C50000-memory.dmp

Filesize
7.7MB

Download
memory/3064-34-0x0000000007AC0000-0x0000000007AD0000-memory.dmp

Filesize
64KB

Download
memory/3064-33-0x00000000744A0000-0x0000000074C50000-memory.dmp

Filesize
7.7MB

Download
memory/3064-32-0x0000000007C60000-0x0000000007CAC000-memory.dmp

Filesize
304KB

Download
memory/3064-31-0x0000000007C20000-0x0000000007C5C000-memory.dmp

Filesize
240KB

Download
memory/3064-30-0x0000000007BC0000-0x0000000007BD2000-memory.dmp

Filesize
72KB

Download
memory/3064-29-0x0000000007CD0000-0x0000000007DDA000-memory.dmp

Filesize
1.0MB

Download
memory/3064-28-0x0000000008A90000-0x00000000090A8000-memory.dmp

Filesize
6.1MB

Download
memory/3064-27-0x00000000079D0000-0x00000000079DA000-memory.dmp

Filesize
40KB

Download
memory/3064-26-0x0000000007AC0000-0x0000000007AD0000-memory.dmp

Filesize
64KB

Download
memory/3064-25-0x0000000007910000-0x00000000079A2000-memory.dmp

Filesize
584KB

Download
memory/3064-24-0x0000000007EC0000-0x0000000008464000-memory.dmp

Filesize
5.6MB

Download
memory/3064-22-0x0000000000A10000-0x0000000000A4E000-memory.dmp

Filesize
248KB

Download
memory/4276-18-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4276-16-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4276-15-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4276-14-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads