redline | 391518ddb072635c469fb8eaa6575d2680b8c2542bb95b51159981293941052a

Analysis

max time kernel
193s
max time network
209s
platform
windows10-2004_x64
resource
win10v2004-20231023-en
resource tags

arch:x64arch:x86image:win10v2004-20231023-enlocale:en-usos:windows10-2004-x64system
submitted
03/11/2023, 16:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

391518ddb072635c469fb8eaa6575d2680b8c2542bb95b51159981293941052a.exe
Size

1.7MB
MD5

e1193f055ae2aa309a39592646d1a329
SHA1

a2c1b5c4ea097c543b7318ffc38215820c508958
SHA256

391518ddb072635c469fb8eaa6575d2680b8c2542bb95b51159981293941052a
SHA512

1226d7e75fb1ee2e893ac8460a185052a55adc4f144d448278b93906a0106d8365ff895c1eed64efe280a46873871e6f745c3a72ceee70d62960c174b944bd1f
SSDEEP

49152:MixS2taMyYPiFX7y+tKSYvuusF7zttytZ4f/IHAnGELhappi:z9taMy7FW+tAofttytZ4fHGuaLi

Score

10^/10

redline kedru infostealer persistence

Malware Config

Extracted

Family

redline

Botnet

kedru

77.91.124.86:19084

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 3 IoCs

resource	yara_rule
behavioral1/files/0x0006000000022e17-40.dat	family_redline
behavioral1/files/0x0006000000022e17-42.dat	family_redline
behavioral1/memory/408-44-0x00000000003A0000-0x00000000003DC000-memory.dmp	family_redline

Executes dropped EXE 6 IoCs

pid	Process
924	Hd6py8GN.exe
632	kA7dL9vv.exe
1424	KY7eO0Cc.exe
1892	aS4Ob6ki.exe
3988	1cI12Fz6.exe
408	2fB327pW.exe

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	KY7eO0Cc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\""	aS4Ob6ki.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	391518ddb072635c469fb8eaa6575d2680b8c2542bb95b51159981293941052a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	Hd6py8GN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	kA7dL9vv.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 3988 set thread context of 3716	3988	1cI12Fz6.exe	95

Program crash 2 IoCs

pid	pid_target	Process	procid_target
4760	3716	WerFault.exe	95
4568	3716	WerFault.exe	95

Suspicious use of WriteProcessMemory 31 IoCs

description	pid	Process	procid_target
PID 4680 wrote to memory of 924	4680	391518ddb072635c469fb8eaa6575d2680b8c2542bb95b51159981293941052a.exe	90
PID 4680 wrote to memory of 924	4680	391518ddb072635c469fb8eaa6575d2680b8c2542bb95b51159981293941052a.exe	90
PID 4680 wrote to memory of 924	4680	391518ddb072635c469fb8eaa6575d2680b8c2542bb95b51159981293941052a.exe	90
PID 924 wrote to memory of 632	924	Hd6py8GN.exe	91
PID 924 wrote to memory of 632	924	Hd6py8GN.exe	91
PID 924 wrote to memory of 632	924	Hd6py8GN.exe	91
PID 632 wrote to memory of 1424	632	kA7dL9vv.exe	92
PID 632 wrote to memory of 1424	632	kA7dL9vv.exe	92
PID 632 wrote to memory of 1424	632	kA7dL9vv.exe	92
PID 1424 wrote to memory of 1892	1424	KY7eO0Cc.exe	93
PID 1424 wrote to memory of 1892	1424	KY7eO0Cc.exe	93
PID 1424 wrote to memory of 1892	1424	KY7eO0Cc.exe	93
PID 1892 wrote to memory of 3988	1892	aS4Ob6ki.exe	94
PID 1892 wrote to memory of 3988	1892	aS4Ob6ki.exe	94
PID 1892 wrote to memory of 3988	1892	aS4Ob6ki.exe	94
PID 3988 wrote to memory of 3716	3988	1cI12Fz6.exe	95
PID 3988 wrote to memory of 3716	3988	1cI12Fz6.exe	95
PID 3988 wrote to memory of 3716	3988	1cI12Fz6.exe	95
PID 3988 wrote to memory of 3716	3988	1cI12Fz6.exe	95
PID 3988 wrote to memory of 3716	3988	1cI12Fz6.exe	95
PID 3988 wrote to memory of 3716	3988	1cI12Fz6.exe	95
PID 3988 wrote to memory of 3716	3988	1cI12Fz6.exe	95
PID 3988 wrote to memory of 3716	3988	1cI12Fz6.exe	95
PID 3988 wrote to memory of 3716	3988	1cI12Fz6.exe	95
PID 3988 wrote to memory of 3716	3988	1cI12Fz6.exe	95
PID 1892 wrote to memory of 408	1892	aS4Ob6ki.exe	96
PID 1892 wrote to memory of 408	1892	aS4Ob6ki.exe	96
PID 1892 wrote to memory of 408	1892	aS4Ob6ki.exe	96
PID 3716 wrote to memory of 4760	3716	AppLaunch.exe	100
PID 3716 wrote to memory of 4760	3716	AppLaunch.exe	100
PID 3716 wrote to memory of 4760	3716	AppLaunch.exe	100

C:\Users\Admin\AppData\Local\Temp\391518ddb072635c469fb8eaa6575d2680b8c2542bb95b51159981293941052a.exe
"C:\Users\Admin\AppData\Local\Temp\391518ddb072635c469fb8eaa6575d2680b8c2542bb95b51159981293941052a.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4680
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Hd6py8GN.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Hd6py8GN.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:924
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kA7dL9vv.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kA7dL9vv.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:632
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\KY7eO0Cc.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\KY7eO0Cc.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:1424
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\aS4Ob6ki.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\aS4Ob6ki.exe
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of WriteProcessMemory
        
        PID:1892
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1cI12Fz6.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1cI12Fz6.exe
        6⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:3988
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:3716
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3716 -s 540
        8⤵
        Program crash
        
        PID:4760
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3716 -s 540
        8⤵
        Program crash
        
        PID:4568
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2fB327pW.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2fB327pW.exe
        6⤵
        Executes dropped EXE
        
        PID:408

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3716 -ip 3716
1⤵
PID:1452

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Hd6py8GN.exe

Filesize
1.6MB

MD5
517e596a435f0be6250cbd7ee44cf491

SHA1
0b708075b6f71ef28ef51d1d85dda1f3bb3f5807

SHA256
abef328399df075d998330ff7848dca6443bfaafbb54964fbeae8af8d8d081a8

SHA512
5a5ff283b0f339701ea394d2063729799a2d6e2f784b2c6f3e9a9b7dbdb6a9b06b60949a8a90c339a98712f12d5c572ceda245da40cfcb87e892588a442a3ce2

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Hd6py8GN.exe

Filesize
1.6MB

MD5
517e596a435f0be6250cbd7ee44cf491

SHA1
0b708075b6f71ef28ef51d1d85dda1f3bb3f5807

SHA256
abef328399df075d998330ff7848dca6443bfaafbb54964fbeae8af8d8d081a8

SHA512
5a5ff283b0f339701ea394d2063729799a2d6e2f784b2c6f3e9a9b7dbdb6a9b06b60949a8a90c339a98712f12d5c572ceda245da40cfcb87e892588a442a3ce2

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kA7dL9vv.exe

Filesize
1.4MB

MD5
c067f987dbe89282c37cdf8df79500a7

SHA1
d0a98bcdc9f248de14815c6693dd0fca1339bccd

SHA256
adad3b325e408ceabb225c6f173f17f370a6ace118c2f8900668234bde23f7a0

SHA512
2e48c7708c4ed3ad8b2cb72477b38a48b2d94a166a5fe319ccfea4a4463e8d769b871c29fba9a06798f77345a29cbf1b5b7a9a4ca13de1a0202894e9761962f9

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kA7dL9vv.exe

Filesize
1.4MB

MD5
c067f987dbe89282c37cdf8df79500a7

SHA1
d0a98bcdc9f248de14815c6693dd0fca1339bccd

SHA256
adad3b325e408ceabb225c6f173f17f370a6ace118c2f8900668234bde23f7a0

SHA512
2e48c7708c4ed3ad8b2cb72477b38a48b2d94a166a5fe319ccfea4a4463e8d769b871c29fba9a06798f77345a29cbf1b5b7a9a4ca13de1a0202894e9761962f9

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\KY7eO0Cc.exe

Filesize
883KB

MD5
674e53069cbca1946e7b880db16654ae

SHA1
f18bca2b7ae3c31f7bd1029c943eff1974a143e6

SHA256
f8e484e014626210b21753f1e3cfcd245c41a842943250a6d0afed343d84aba6

SHA512
f09df02bf42012b73c6d7dc5414e4547fee09e0c3b010dd73be6f3e0b561585e256e93c6f1ff0cd5668a6fc92437d93881b3855f9fbd211c757774090fc03385

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\KY7eO0Cc.exe

Filesize
883KB

MD5
674e53069cbca1946e7b880db16654ae

SHA1
f18bca2b7ae3c31f7bd1029c943eff1974a143e6

SHA256
f8e484e014626210b21753f1e3cfcd245c41a842943250a6d0afed343d84aba6

SHA512
f09df02bf42012b73c6d7dc5414e4547fee09e0c3b010dd73be6f3e0b561585e256e93c6f1ff0cd5668a6fc92437d93881b3855f9fbd211c757774090fc03385

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\aS4Ob6ki.exe

Filesize
688KB

MD5
5c453e32500e739fa95030b5eaa9b20a

SHA1
7a7129cf11729e305f480b25769d26e908dc285d

SHA256
1eece4a116167cb261beebe59a1610b8fc1807243c41a148936bfc0086edf145

SHA512
90292f34a50d4c24d83ab4866b3ce696d4d25e6800e9aa565321922af64e7bfc6fe15b794528834cdf8c23a8031f78b05b9b874e8d535c4f11e531568759a803

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\aS4Ob6ki.exe

Filesize
688KB

MD5
5c453e32500e739fa95030b5eaa9b20a

SHA1
7a7129cf11729e305f480b25769d26e908dc285d

SHA256
1eece4a116167cb261beebe59a1610b8fc1807243c41a148936bfc0086edf145

SHA512
90292f34a50d4c24d83ab4866b3ce696d4d25e6800e9aa565321922af64e7bfc6fe15b794528834cdf8c23a8031f78b05b9b874e8d535c4f11e531568759a803

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1cI12Fz6.exe

Filesize
1.8MB

MD5
08a49c18f0970e9ab5a0754a6fc2e2ef

SHA1
9ed697e03046f8af9aa247f9577aab60788576bd

SHA256
2b5f4b1d15153d71d7dc3356a20469344f16c1ff456efb2b54b101711ee359ab

SHA512
b73f76cd804ca62662911bf02e3c81abf5137baa0bc9a4203efabc56a7616b3ea852fb65d8a343811e05ac6dbebb2f2c890959a42c47e14075b8ef06d7478c58

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1cI12Fz6.exe

Filesize
1.8MB

MD5
08a49c18f0970e9ab5a0754a6fc2e2ef

SHA1
9ed697e03046f8af9aa247f9577aab60788576bd

SHA256
2b5f4b1d15153d71d7dc3356a20469344f16c1ff456efb2b54b101711ee359ab

SHA512
b73f76cd804ca62662911bf02e3c81abf5137baa0bc9a4203efabc56a7616b3ea852fb65d8a343811e05ac6dbebb2f2c890959a42c47e14075b8ef06d7478c58

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2fB327pW.exe

Filesize
219KB

MD5
6e8254e9ff11367731ca6b1562a583f9

SHA1
993af9af64f0ea9c9c0e513234844647f3457523

SHA256
d352874aea23916868b5a3741b3c676aabefb6e2d739c6ecca17592f1eaf09fe

SHA512
6aeac7e9310404f05edf80f202c938e60fb1b1c8318641311048069e476a9c19955bf7938b170cec97778039b5e0fc15491a70ab76eb4e9481f8b2d3eab9bf5d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2fB327pW.exe

Filesize
219KB

MD5
6e8254e9ff11367731ca6b1562a583f9

SHA1
993af9af64f0ea9c9c0e513234844647f3457523

SHA256
d352874aea23916868b5a3741b3c676aabefb6e2d739c6ecca17592f1eaf09fe

SHA512
6aeac7e9310404f05edf80f202c938e60fb1b1c8318641311048069e476a9c19955bf7938b170cec97778039b5e0fc15491a70ab76eb4e9481f8b2d3eab9bf5d

Download Submit
memory/408-48-0x00000000074C0000-0x00000000074D0000-memory.dmp

Filesize
64KB

Download
memory/408-46-0x0000000007890000-0x0000000007E34000-memory.dmp

Filesize
5.6MB

Download
memory/408-54-0x0000000007E40000-0x0000000007E7C000-memory.dmp

Filesize
240KB

Download
memory/408-53-0x0000000002430000-0x0000000002442000-memory.dmp

Filesize
72KB

Download
memory/408-43-0x0000000074060000-0x0000000074810000-memory.dmp

Filesize
7.7MB

Download
memory/408-44-0x00000000003A0000-0x00000000003DC000-memory.dmp

Filesize
240KB

Download
memory/408-45-0x0000000074060000-0x0000000074810000-memory.dmp

Filesize
7.7MB

Download
memory/408-52-0x0000000007F50000-0x000000000805A000-memory.dmp

Filesize
1.0MB

Download
memory/408-47-0x00000000073A0000-0x0000000007432000-memory.dmp

Filesize
584KB

Download
memory/408-51-0x0000000008460000-0x0000000008A78000-memory.dmp

Filesize
6.1MB

Download
memory/408-49-0x00000000074A0000-0x00000000074AA000-memory.dmp

Filesize
40KB

Download
memory/408-50-0x00000000074C0000-0x00000000074D0000-memory.dmp

Filesize
64KB

Download
memory/3716-35-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3716-37-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3716-36-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3716-41-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads