redline | ab418b18842fc981af48d2a725fabde40f9c7973cf2345ea2d7f7811837654e7

Analysis

max time kernel
140s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20231020-en
resource tags

arch:x64arch:x86image:win10v2004-20231020-enlocale:en-usos:windows10-2004-x64system
submitted
03/11/2023, 12:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5fd8fbc35bae4dd4bf2f6564ac6838cc730c9a220b144c4b710fe0d165ba7bca.exe
Size

1.5MB
MD5

d29c714e866ed10440e064dd8aeaa4ef
SHA1

d6817ebae12e13631457d6b7c5f6b6b161ae3904
SHA256

5fd8fbc35bae4dd4bf2f6564ac6838cc730c9a220b144c4b710fe0d165ba7bca
SHA512

e7555e20cc1660d3ada11a279236e6c6db0d803a83c9277e9c3df31a6eb2d7be74cea2b947ed8325a67ecd91c27c3a6d9cf08bf62a6bad2ae9e057e9146feab3
SSDEEP

24576:WyC3trZbQNBtY1o7QgMgdJiVM7MkY5ahPB9BRZbpAYTlH3AAW3xO:liEOXuqa1plvN3A7

Score

10^/10

redline kedru infostealer persistence

Malware Config

Extracted

Family

redline

Botnet

kedru

77.91.124.86:19084

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 3 IoCs

resource	yara_rule
behavioral1/files/0x0006000000022e6d-41.dat	family_redline
behavioral1/files/0x0006000000022e6d-42.dat	family_redline
behavioral1/memory/1392-44-0x0000000000810000-0x000000000084C000-memory.dmp	family_redline

Executes dropped EXE 6 IoCs

pid	Process
3632	Lw2Ea5Da.exe
2232	PM2KS8kx.exe
2028	JY6bq2xy.exe
2300	SA7xO8GS.exe
4216	1hF91ff7.exe
1392	2Bx519GU.exe

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	5fd8fbc35bae4dd4bf2f6564ac6838cc730c9a220b144c4b710fe0d165ba7bca.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	Lw2Ea5Da.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	PM2KS8kx.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	JY6bq2xy.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\""	SA7xO8GS.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4216 set thread context of 3720	4216	1hF91ff7.exe	95

Program crash 2 IoCs

pid	pid_target	Process	procid_target
2536	3720	WerFault.exe	95
1956	3720	WerFault.exe	95

Suspicious use of WriteProcessMemory 34 IoCs

description	pid	Process	procid_target
PID 3092 wrote to memory of 3632	3092	5fd8fbc35bae4dd4bf2f6564ac6838cc730c9a220b144c4b710fe0d165ba7bca.exe	89
PID 3092 wrote to memory of 3632	3092	5fd8fbc35bae4dd4bf2f6564ac6838cc730c9a220b144c4b710fe0d165ba7bca.exe	89
PID 3092 wrote to memory of 3632	3092	5fd8fbc35bae4dd4bf2f6564ac6838cc730c9a220b144c4b710fe0d165ba7bca.exe	89
PID 3632 wrote to memory of 2232	3632	Lw2Ea5Da.exe	90
PID 3632 wrote to memory of 2232	3632	Lw2Ea5Da.exe	90
PID 3632 wrote to memory of 2232	3632	Lw2Ea5Da.exe	90
PID 2232 wrote to memory of 2028	2232	PM2KS8kx.exe	91
PID 2232 wrote to memory of 2028	2232	PM2KS8kx.exe	91
PID 2232 wrote to memory of 2028	2232	PM2KS8kx.exe	91
PID 2028 wrote to memory of 2300	2028	JY6bq2xy.exe	92
PID 2028 wrote to memory of 2300	2028	JY6bq2xy.exe	92
PID 2028 wrote to memory of 2300	2028	JY6bq2xy.exe	92
PID 2300 wrote to memory of 4216	2300	SA7xO8GS.exe	93
PID 2300 wrote to memory of 4216	2300	SA7xO8GS.exe	93
PID 2300 wrote to memory of 4216	2300	SA7xO8GS.exe	93
PID 4216 wrote to memory of 5104	4216	1hF91ff7.exe	94
PID 4216 wrote to memory of 5104	4216	1hF91ff7.exe	94
PID 4216 wrote to memory of 5104	4216	1hF91ff7.exe	94
PID 4216 wrote to memory of 3720	4216	1hF91ff7.exe	95
PID 4216 wrote to memory of 3720	4216	1hF91ff7.exe	95
PID 4216 wrote to memory of 3720	4216	1hF91ff7.exe	95
PID 4216 wrote to memory of 3720	4216	1hF91ff7.exe	95
PID 4216 wrote to memory of 3720	4216	1hF91ff7.exe	95
PID 4216 wrote to memory of 3720	4216	1hF91ff7.exe	95
PID 4216 wrote to memory of 3720	4216	1hF91ff7.exe	95
PID 4216 wrote to memory of 3720	4216	1hF91ff7.exe	95
PID 4216 wrote to memory of 3720	4216	1hF91ff7.exe	95
PID 4216 wrote to memory of 3720	4216	1hF91ff7.exe	95
PID 2300 wrote to memory of 1392	2300	SA7xO8GS.exe	98
PID 2300 wrote to memory of 1392	2300	SA7xO8GS.exe	98
PID 2300 wrote to memory of 1392	2300	SA7xO8GS.exe	98
PID 3720 wrote to memory of 2536	3720	AppLaunch.exe	100
PID 3720 wrote to memory of 2536	3720	AppLaunch.exe	100
PID 3720 wrote to memory of 2536	3720	AppLaunch.exe	100

C:\Users\Admin\AppData\Local\Temp\5fd8fbc35bae4dd4bf2f6564ac6838cc730c9a220b144c4b710fe0d165ba7bca.exe
"C:\Users\Admin\AppData\Local\Temp\5fd8fbc35bae4dd4bf2f6564ac6838cc730c9a220b144c4b710fe0d165ba7bca.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3092
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Lw2Ea5Da.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Lw2Ea5Da.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:3632
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\PM2KS8kx.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\PM2KS8kx.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:2232
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\JY6bq2xy.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\JY6bq2xy.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:2028
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\SA7xO8GS.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\SA7xO8GS.exe
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of WriteProcessMemory
        
        PID:2300
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1hF91ff7.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1hF91ff7.exe
        6⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:4216
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        7⤵
        
        PID:5104
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:3720
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3720 -s 540
        8⤵
        Program crash
        
        PID:2536
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3720 -s 540
        8⤵
        Program crash
        
        PID:1956
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2Bx519GU.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2Bx519GU.exe
        6⤵
        Executes dropped EXE
        
        PID:1392

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 3720 -ip 3720
1⤵
PID:3584

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Lw2Ea5Da.exe

Filesize
1.3MB

MD5
8626c25fae1cc602b041bb4897cde23c

SHA1
262f17d86f741d7e557fe57ed745f91a89c283d6

SHA256
7a83177648fee351c443b961defd9052075a67ffe7ce1324ac074068130bd907

SHA512
1c37f6ba082a7d1ce26a17de7f3eb993ed1fcaa919fee7e9f58514ac90ca69313b25501849c82131c97c185f96a07eb440c07e027c370bb784e931c7194d52c7

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Lw2Ea5Da.exe

Filesize
1.3MB

MD5
8626c25fae1cc602b041bb4897cde23c

SHA1
262f17d86f741d7e557fe57ed745f91a89c283d6

SHA256
7a83177648fee351c443b961defd9052075a67ffe7ce1324ac074068130bd907

SHA512
1c37f6ba082a7d1ce26a17de7f3eb993ed1fcaa919fee7e9f58514ac90ca69313b25501849c82131c97c185f96a07eb440c07e027c370bb784e931c7194d52c7

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\PM2KS8kx.exe

Filesize
1.1MB

MD5
6229029d44a73ab6481a8b381b8a159d

SHA1
655c2b6a63a8d8fb2da6bfc5a220a9bc335859d9

SHA256
da1d14dd9db01022fde6cd18fd8f30bf306d523f34116487d6a7502b0adc2c34

SHA512
b787decf0d307c0355edd69aaf5fcbec5c236899587b8aa1e237562b37397d4d950f2c1d6dabc7f546a1e66a8c3aa848440c5c22ff3f878be9cf0a9001994006

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\PM2KS8kx.exe

Filesize
1.1MB

MD5
6229029d44a73ab6481a8b381b8a159d

SHA1
655c2b6a63a8d8fb2da6bfc5a220a9bc335859d9

SHA256
da1d14dd9db01022fde6cd18fd8f30bf306d523f34116487d6a7502b0adc2c34

SHA512
b787decf0d307c0355edd69aaf5fcbec5c236899587b8aa1e237562b37397d4d950f2c1d6dabc7f546a1e66a8c3aa848440c5c22ff3f878be9cf0a9001994006

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\JY6bq2xy.exe

Filesize
754KB

MD5
37f319430d85338237fad5782a9a2bfc

SHA1
60dc224701169b282390fcf0f481747e6efc472a

SHA256
93c66d8742851bfb5011f88876a272b3feccc27169e5620039ea9c7c700fa4b1

SHA512
bd92edc353eb1212c522c64f2013cf0f1fd1806f123f279130d2b3daa1c6dc562984dac3699ca49dd957ba7e929e0aa175ca23f7e09fd0f20b4378ebff812326

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\JY6bq2xy.exe

Filesize
754KB

MD5
37f319430d85338237fad5782a9a2bfc

SHA1
60dc224701169b282390fcf0f481747e6efc472a

SHA256
93c66d8742851bfb5011f88876a272b3feccc27169e5620039ea9c7c700fa4b1

SHA512
bd92edc353eb1212c522c64f2013cf0f1fd1806f123f279130d2b3daa1c6dc562984dac3699ca49dd957ba7e929e0aa175ca23f7e09fd0f20b4378ebff812326

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\SA7xO8GS.exe

Filesize
558KB

MD5
6db5aa873aa7853513318c48cd566ff8

SHA1
06c4fa721a85b7605d050f9887b8d8984c891857

SHA256
2f272433920c9a3fb76647972fee37646a48b8078dc671621dd8c7597d4d357d

SHA512
6379faf639507a00337beba2dce8a1a5c9df3e12f5ed661f8da5930337392624a6263bd3ac72416b7acc662a57264c70c8b441407caef09efacb275bfae0d9c0

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\SA7xO8GS.exe

Filesize
558KB

MD5
6db5aa873aa7853513318c48cd566ff8

SHA1
06c4fa721a85b7605d050f9887b8d8984c891857

SHA256
2f272433920c9a3fb76647972fee37646a48b8078dc671621dd8c7597d4d357d

SHA512
6379faf639507a00337beba2dce8a1a5c9df3e12f5ed661f8da5930337392624a6263bd3ac72416b7acc662a57264c70c8b441407caef09efacb275bfae0d9c0

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1hF91ff7.exe

Filesize
1.0MB

MD5
a5a72ed79ae5e9780a11e88e6c6853c2

SHA1
9c59ba2bdb9066bedc108596ed94633c824edec8

SHA256
4d29c049f541cf4cfc30160228c05c981a115b3890004fb839ff261b99b62051

SHA512
84b85e7ce7701c18bffba0a76a289ab8f43dffaa77604d2c4e3682feb3dd8e937a70b00aba3213c5303d3ffa7bfc7e97008d39505087ace7c3cce9baac9b9d88

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1hF91ff7.exe

Filesize
1.0MB

MD5
a5a72ed79ae5e9780a11e88e6c6853c2

SHA1
9c59ba2bdb9066bedc108596ed94633c824edec8

SHA256
4d29c049f541cf4cfc30160228c05c981a115b3890004fb839ff261b99b62051

SHA512
84b85e7ce7701c18bffba0a76a289ab8f43dffaa77604d2c4e3682feb3dd8e937a70b00aba3213c5303d3ffa7bfc7e97008d39505087ace7c3cce9baac9b9d88

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2Bx519GU.exe

Filesize
219KB

MD5
54118cca04b072adbc934930909d0e21

SHA1
2895ffaeacf947168e757f894e9935f616114279

SHA256
5bda4e55a3dfd0492bb00592f586fe3a94e4672fc95dfdce663039bc5b133ce0

SHA512
f13021dd4a796f93ab4651523fe17ad0b126942585923d6bc181e9ded37746d49443f6a81904c85532b771231b8547f0ef9e1e761e12b330d206d949acf66a10

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2Bx519GU.exe

Filesize
219KB

MD5
54118cca04b072adbc934930909d0e21

SHA1
2895ffaeacf947168e757f894e9935f616114279

SHA256
5bda4e55a3dfd0492bb00592f586fe3a94e4672fc95dfdce663039bc5b133ce0

SHA512
f13021dd4a796f93ab4651523fe17ad0b126942585923d6bc181e9ded37746d49443f6a81904c85532b771231b8547f0ef9e1e761e12b330d206d949acf66a10

Download Submit
memory/1392-46-0x0000000007590000-0x0000000007622000-memory.dmp

Filesize
584KB

Download
memory/1392-48-0x0000000007790000-0x000000000779A000-memory.dmp

Filesize
40KB

Download
memory/1392-55-0x00000000077D0000-0x00000000077E0000-memory.dmp

Filesize
64KB

Download
memory/1392-54-0x0000000073D30000-0x00000000744E0000-memory.dmp

Filesize
7.7MB

Download
memory/1392-43-0x0000000073D30000-0x00000000744E0000-memory.dmp

Filesize
7.7MB

Download
memory/1392-44-0x0000000000810000-0x000000000084C000-memory.dmp

Filesize
240KB

Download
memory/1392-45-0x0000000007AA0000-0x0000000008044000-memory.dmp

Filesize
5.6MB

Download
memory/1392-53-0x0000000007A50000-0x0000000007A9C000-memory.dmp

Filesize
304KB

Download
memory/1392-52-0x00000000078D0000-0x000000000790C000-memory.dmp

Filesize
240KB

Download
memory/1392-49-0x0000000008670000-0x0000000008C88000-memory.dmp

Filesize
6.1MB

Download
memory/1392-47-0x00000000077D0000-0x00000000077E0000-memory.dmp

Filesize
64KB

Download
memory/1392-50-0x0000000007940000-0x0000000007A4A000-memory.dmp

Filesize
1.0MB

Download
memory/1392-51-0x0000000007870000-0x0000000007882000-memory.dmp

Filesize
72KB

Download
memory/3720-39-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3720-36-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3720-37-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3720-35-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads