redline | c599b74cf46f4d7ed772e5371ee3a02627e1bd9f0d3d294ccb4d744a5f34abb0

Analysis

max time kernel
140s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20231020-en
resource tags

arch:x64arch:x86image:win10v2004-20231020-enlocale:en-usos:windows10-2004-x64system
submitted
03/11/2023, 19:10

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

c599b74cf46f4d7ed772e5371ee3a02627e1bd9f0d3d294ccb4d744a5f34abb0.exe
Size

1.7MB
MD5

a9dbc0677ae135e8809063a8a0e53125
SHA1

e25473f24fad3c29c1db998fd1c80f4fbd5f7a9d
SHA256

c599b74cf46f4d7ed772e5371ee3a02627e1bd9f0d3d294ccb4d744a5f34abb0
SHA512

e95cefeeb9b1fd4dc5aa738d44caa1cdda3b23361d2973553f21512c2d011ef8481f1189c2ba0fbe11cf3c1b48554aa242bf7d5a2c68e4ffc6a388641bbb791c
SSDEEP

24576:3y6FdKQTorUSe/C5hxViMGIspHMZPoRGrTpKvzf18rjY7xlJ4h0DhyVPJ:C6jK+ooSekVidLspoRYKvzWrjXWUP

Score

10^/10

redline kedru infostealer persistence

Malware Config

Extracted

Family

redline

Botnet

kedru

77.91.124.86:19084

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 3 IoCs

resource	yara_rule
behavioral1/files/0x0006000000022e19-41.dat	family_redline
behavioral1/files/0x0006000000022e19-42.dat	family_redline
behavioral1/memory/404-43-0x0000000000E40000-0x0000000000E7C000-memory.dmp	family_redline

Executes dropped EXE 6 IoCs

pid	Process
1740	Sl5sW6Av.exe
4816	MF7zb8gG.exe
2884	LD7aM9br.exe
2628	QA2uS4DE.exe
4424	1Nu70Cf6.exe
404	2hB872nJ.exe

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	LD7aM9br.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\""	QA2uS4DE.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	c599b74cf46f4d7ed772e5371ee3a02627e1bd9f0d3d294ccb4d744a5f34abb0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	Sl5sW6Av.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	MF7zb8gG.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4424 set thread context of 1240	4424	1Nu70Cf6.exe	95

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4148	1240	WerFault.exe	95

Suspicious use of WriteProcessMemory 28 IoCs

description	pid	Process	procid_target
PID 2568 wrote to memory of 1740	2568	c599b74cf46f4d7ed772e5371ee3a02627e1bd9f0d3d294ccb4d744a5f34abb0.exe	87
PID 2568 wrote to memory of 1740	2568	c599b74cf46f4d7ed772e5371ee3a02627e1bd9f0d3d294ccb4d744a5f34abb0.exe	87
PID 2568 wrote to memory of 1740	2568	c599b74cf46f4d7ed772e5371ee3a02627e1bd9f0d3d294ccb4d744a5f34abb0.exe	87
PID 1740 wrote to memory of 4816	1740	Sl5sW6Av.exe	89
PID 1740 wrote to memory of 4816	1740	Sl5sW6Av.exe	89
PID 1740 wrote to memory of 4816	1740	Sl5sW6Av.exe	89
PID 4816 wrote to memory of 2884	4816	MF7zb8gG.exe	91
PID 4816 wrote to memory of 2884	4816	MF7zb8gG.exe	91
PID 4816 wrote to memory of 2884	4816	MF7zb8gG.exe	91
PID 2884 wrote to memory of 2628	2884	LD7aM9br.exe	92
PID 2884 wrote to memory of 2628	2884	LD7aM9br.exe	92
PID 2884 wrote to memory of 2628	2884	LD7aM9br.exe	92
PID 2628 wrote to memory of 4424	2628	QA2uS4DE.exe	94
PID 2628 wrote to memory of 4424	2628	QA2uS4DE.exe	94
PID 2628 wrote to memory of 4424	2628	QA2uS4DE.exe	94
PID 4424 wrote to memory of 1240	4424	1Nu70Cf6.exe	95
PID 4424 wrote to memory of 1240	4424	1Nu70Cf6.exe	95
PID 4424 wrote to memory of 1240	4424	1Nu70Cf6.exe	95
PID 4424 wrote to memory of 1240	4424	1Nu70Cf6.exe	95
PID 4424 wrote to memory of 1240	4424	1Nu70Cf6.exe	95
PID 4424 wrote to memory of 1240	4424	1Nu70Cf6.exe	95
PID 4424 wrote to memory of 1240	4424	1Nu70Cf6.exe	95
PID 4424 wrote to memory of 1240	4424	1Nu70Cf6.exe	95
PID 4424 wrote to memory of 1240	4424	1Nu70Cf6.exe	95
PID 4424 wrote to memory of 1240	4424	1Nu70Cf6.exe	95
PID 2628 wrote to memory of 404	2628	QA2uS4DE.exe	96
PID 2628 wrote to memory of 404	2628	QA2uS4DE.exe	96
PID 2628 wrote to memory of 404	2628	QA2uS4DE.exe	96

C:\Users\Admin\AppData\Local\Temp\c599b74cf46f4d7ed772e5371ee3a02627e1bd9f0d3d294ccb4d744a5f34abb0.exe
"C:\Users\Admin\AppData\Local\Temp\c599b74cf46f4d7ed772e5371ee3a02627e1bd9f0d3d294ccb4d744a5f34abb0.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2568
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Sl5sW6Av.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Sl5sW6Av.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:1740
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\MF7zb8gG.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\MF7zb8gG.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:4816
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\LD7aM9br.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\LD7aM9br.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:2884
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\QA2uS4DE.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\QA2uS4DE.exe
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of WriteProcessMemory
        
        PID:2628
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1Nu70Cf6.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1Nu70Cf6.exe
        6⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:4424
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        7⤵
        
        PID:1240
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1240 -s 540
        8⤵
        Program crash
        
        PID:4148
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2hB872nJ.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2hB872nJ.exe
        6⤵
        Executes dropped EXE
        
        PID:404

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1240 -ip 1240
1⤵
PID:3500

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Sl5sW6Av.exe

Filesize
1.6MB

MD5
984ae3571ba59bc3716e0cd94a573e97

SHA1
e1ec2a50014793d97961dbe33685df41b90bb343

SHA256
7e473a4a7ad0672decb9355fa657328af6932fbf5b73d24a001191c44702398c

SHA512
a66c60d01b4810e14b7e05ff22691e3c7cb54c549e19ca52d9237306e11d46da751c6c668119a86ba5616ea9c178a8d8f6f75e48415fe8b811f55f4f39e6aa70

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Sl5sW6Av.exe

Filesize
1.6MB

MD5
984ae3571ba59bc3716e0cd94a573e97

SHA1
e1ec2a50014793d97961dbe33685df41b90bb343

SHA256
7e473a4a7ad0672decb9355fa657328af6932fbf5b73d24a001191c44702398c

SHA512
a66c60d01b4810e14b7e05ff22691e3c7cb54c549e19ca52d9237306e11d46da751c6c668119a86ba5616ea9c178a8d8f6f75e48415fe8b811f55f4f39e6aa70

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\MF7zb8gG.exe

Filesize
1.4MB

MD5
ec02ea94e6e92b8b29b6f8b4544be5d9

SHA1
51c177dce5d55cd6e8776fc8b881e09504ee035c

SHA256
c36f9d5be6e5d7838dc1952a14bc839a6845e772890950438addade91408833b

SHA512
e002f2a6617351b1f07cba0dcf64669f1b197cbd815af0bc1cca88c14f9ee4394db1eefc055515723f0bdd9008eccff11e942dd8831ad93046b46e948289e4e1

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\MF7zb8gG.exe

Filesize
1.4MB

MD5
ec02ea94e6e92b8b29b6f8b4544be5d9

SHA1
51c177dce5d55cd6e8776fc8b881e09504ee035c

SHA256
c36f9d5be6e5d7838dc1952a14bc839a6845e772890950438addade91408833b

SHA512
e002f2a6617351b1f07cba0dcf64669f1b197cbd815af0bc1cca88c14f9ee4394db1eefc055515723f0bdd9008eccff11e942dd8831ad93046b46e948289e4e1

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\LD7aM9br.exe

Filesize
882KB

MD5
eac8c4875011826787030ce752364d2d

SHA1
f6c1e0be05cebdfd085dcb5424630845b4cef222

SHA256
10aa8adfab2307e1ca6c5b59bc18093b66790b63582dc1531af2eb9f9d441138

SHA512
cb2d8afe43756992d6f274f3cc9541c34113bd014ba85a8ee185e34f20483f5b86ed201ee4ad85c2f60e3ed6f1123a9696f8d222f2d814463f6f928092be0cf6

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\LD7aM9br.exe

Filesize
882KB

MD5
eac8c4875011826787030ce752364d2d

SHA1
f6c1e0be05cebdfd085dcb5424630845b4cef222

SHA256
10aa8adfab2307e1ca6c5b59bc18093b66790b63582dc1531af2eb9f9d441138

SHA512
cb2d8afe43756992d6f274f3cc9541c34113bd014ba85a8ee185e34f20483f5b86ed201ee4ad85c2f60e3ed6f1123a9696f8d222f2d814463f6f928092be0cf6

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\QA2uS4DE.exe

Filesize
687KB

MD5
699139652ad920fd2369c2ef57c4f844

SHA1
9ee6c7f9e6b07bfb0fe43450b6cbb5b7d2c8ea1e

SHA256
b1b2e5f5c2a031033ac9e7df23f4a9b10e4a46e0986d848695842e4a0d8fb0c9

SHA512
2a811ba63eb0f2b538d2e18b8278c58d47d68f16af8b7ded1da8ce7821be90921972eb731d7725ca77843d97666d82fe05695e0397f88c50a71d253a4fcc4305

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\QA2uS4DE.exe

Filesize
687KB

MD5
699139652ad920fd2369c2ef57c4f844

SHA1
9ee6c7f9e6b07bfb0fe43450b6cbb5b7d2c8ea1e

SHA256
b1b2e5f5c2a031033ac9e7df23f4a9b10e4a46e0986d848695842e4a0d8fb0c9

SHA512
2a811ba63eb0f2b538d2e18b8278c58d47d68f16af8b7ded1da8ce7821be90921972eb731d7725ca77843d97666d82fe05695e0397f88c50a71d253a4fcc4305

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1Nu70Cf6.exe

Filesize
1.8MB

MD5
fd669ba8685fd7a6a0c4edc87c5ef575

SHA1
5f63e5f00933637494018ad6ab1a7f6ac5332529

SHA256
bbc8af537db3c971081a3dff70bf706c7b90b8bfab5cf28704e2de84c368d085

SHA512
3d41a427f149b595d2990182f4818faca5869514b3b0532f534357a3c9cb6748bd6d222c6df09710a340ac1645412383023f8276a55b5c1ea8dc889c99330cfd

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1Nu70Cf6.exe

Filesize
1.8MB

MD5
fd669ba8685fd7a6a0c4edc87c5ef575

SHA1
5f63e5f00933637494018ad6ab1a7f6ac5332529

SHA256
bbc8af537db3c971081a3dff70bf706c7b90b8bfab5cf28704e2de84c368d085

SHA512
3d41a427f149b595d2990182f4818faca5869514b3b0532f534357a3c9cb6748bd6d222c6df09710a340ac1645412383023f8276a55b5c1ea8dc889c99330cfd

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2hB872nJ.exe

Filesize
219KB

MD5
e06b983d2bd77edd8e3f1100902d770e

SHA1
2c628f756c639f3f98deac30505ca8dd2210a256

SHA256
d6ec99a64729fd088b614eb7d677b61697f3f5f8e80a4c231355ccd0feb90117

SHA512
6dbec02bfbdadccbbe98243967440f1b71e443c4da869eb4d17d04bc2acd21ebf84a2c95f880027b3dc1ca22ed049d4f3cb1065e9fbf31856a309f20dc6fb2d3

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2hB872nJ.exe

Filesize
219KB

MD5
e06b983d2bd77edd8e3f1100902d770e

SHA1
2c628f756c639f3f98deac30505ca8dd2210a256

SHA256
d6ec99a64729fd088b614eb7d677b61697f3f5f8e80a4c231355ccd0feb90117

SHA512
6dbec02bfbdadccbbe98243967440f1b71e443c4da869eb4d17d04bc2acd21ebf84a2c95f880027b3dc1ca22ed049d4f3cb1065e9fbf31856a309f20dc6fb2d3

Download Submit
memory/404-46-0x0000000007C40000-0x0000000007CD2000-memory.dmp

Filesize
584KB

Download
memory/404-48-0x0000000007C20000-0x0000000007C2A000-memory.dmp

Filesize
40KB

Download
memory/404-55-0x0000000007DE0000-0x0000000007DF0000-memory.dmp

Filesize
64KB

Download
memory/404-54-0x0000000073F70000-0x0000000074720000-memory.dmp

Filesize
7.7MB

Download
memory/404-44-0x0000000073F70000-0x0000000074720000-memory.dmp

Filesize
7.7MB

Download
memory/404-43-0x0000000000E40000-0x0000000000E7C000-memory.dmp

Filesize
240KB

Download
memory/404-45-0x0000000008110000-0x00000000086B4000-memory.dmp

Filesize
5.6MB

Download
memory/404-53-0x0000000007F60000-0x0000000007FAC000-memory.dmp

Filesize
304KB

Download
memory/404-52-0x0000000007F20000-0x0000000007F5C000-memory.dmp

Filesize
240KB

Download
memory/404-49-0x0000000008CE0000-0x00000000092F8000-memory.dmp

Filesize
6.1MB

Download
memory/404-47-0x0000000007DE0000-0x0000000007DF0000-memory.dmp

Filesize
64KB

Download
memory/404-50-0x0000000007FF0000-0x00000000080FA000-memory.dmp

Filesize
1.0MB

Download
memory/404-51-0x0000000007DB0000-0x0000000007DC2000-memory.dmp

Filesize
72KB

Download
memory/1240-39-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1240-37-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1240-36-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1240-35-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads