redline | db1cf22ad5c121fddac7a006b4e9eb189a245cebea1e166a4a0e5e70035bdb61

Analysis

max time kernel
143s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20231025-en
resource tags

arch:x64arch:x86image:win10v2004-20231025-enlocale:en-usos:windows10-2004-x64system
submitted
04/11/2023, 06:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

db1cf22ad5c121fddac7a006b4e9eb189a245cebea1e166a4a0e5e70035bdb61.exe
Size

1.7MB
MD5

524c2296f91592fdbf9613097fd3ffef
SHA1

8956a58914d10440da304a48104367b55d8cef52
SHA256

db1cf22ad5c121fddac7a006b4e9eb189a245cebea1e166a4a0e5e70035bdb61
SHA512

f08355c2d05a877aba3356c2ee94542b25d43171da31985cd73192dd62827f7853c561142fbcef7bc6f24fd496b8bb2d68240a335e3c4e8a57dff721fedb0949
SSDEEP

24576:vyly6xAzo/WWbndHstt1C2ztutHUsAMd7LezZs8zUmeTousswiGyg5/OMJxyIWia:6lnyoJnNstQtH7Xd7szzUFLss4OMLy7

Score

10^/10

redline kedru infostealer persistence

Malware Config

Extracted

Family

redline

Botnet

kedru

77.91.124.86:19084

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 3 IoCs

resource	yara_rule
behavioral1/files/0x0006000000022df9-41.dat	family_redline
behavioral1/files/0x0006000000022df9-42.dat	family_redline
behavioral1/memory/3800-43-0x0000000000410000-0x000000000044C000-memory.dmp	family_redline

Executes dropped EXE 6 IoCs

pid	Process
3480	fv9xc8Gs.exe
2756	ev3jk6Tp.exe
1104	mW4CY4Gh.exe
2572	GS3dG5nt.exe
2636	1wG11Gk0.exe
3800	2UJ502tG.exe

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\""	GS3dG5nt.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	db1cf22ad5c121fddac7a006b4e9eb189a245cebea1e166a4a0e5e70035bdb61.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	fv9xc8Gs.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	ev3jk6Tp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	mW4CY4Gh.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2636 set thread context of 3880	2636	1wG11Gk0.exe	94

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2872	3880	WerFault.exe	94

Suspicious use of WriteProcessMemory 28 IoCs

description	pid	Process	procid_target
PID 1360 wrote to memory of 3480	1360	db1cf22ad5c121fddac7a006b4e9eb189a245cebea1e166a4a0e5e70035bdb61.exe	86
PID 1360 wrote to memory of 3480	1360	db1cf22ad5c121fddac7a006b4e9eb189a245cebea1e166a4a0e5e70035bdb61.exe	86
PID 1360 wrote to memory of 3480	1360	db1cf22ad5c121fddac7a006b4e9eb189a245cebea1e166a4a0e5e70035bdb61.exe	86
PID 3480 wrote to memory of 2756	3480	fv9xc8Gs.exe	88
PID 3480 wrote to memory of 2756	3480	fv9xc8Gs.exe	88
PID 3480 wrote to memory of 2756	3480	fv9xc8Gs.exe	88
PID 2756 wrote to memory of 1104	2756	ev3jk6Tp.exe	90
PID 2756 wrote to memory of 1104	2756	ev3jk6Tp.exe	90
PID 2756 wrote to memory of 1104	2756	ev3jk6Tp.exe	90
PID 1104 wrote to memory of 2572	1104	mW4CY4Gh.exe	91
PID 1104 wrote to memory of 2572	1104	mW4CY4Gh.exe	91
PID 1104 wrote to memory of 2572	1104	mW4CY4Gh.exe	91
PID 2572 wrote to memory of 2636	2572	GS3dG5nt.exe	93
PID 2572 wrote to memory of 2636	2572	GS3dG5nt.exe	93
PID 2572 wrote to memory of 2636	2572	GS3dG5nt.exe	93
PID 2636 wrote to memory of 3880	2636	1wG11Gk0.exe	94
PID 2636 wrote to memory of 3880	2636	1wG11Gk0.exe	94
PID 2636 wrote to memory of 3880	2636	1wG11Gk0.exe	94
PID 2636 wrote to memory of 3880	2636	1wG11Gk0.exe	94
PID 2636 wrote to memory of 3880	2636	1wG11Gk0.exe	94
PID 2636 wrote to memory of 3880	2636	1wG11Gk0.exe	94
PID 2636 wrote to memory of 3880	2636	1wG11Gk0.exe	94
PID 2636 wrote to memory of 3880	2636	1wG11Gk0.exe	94
PID 2636 wrote to memory of 3880	2636	1wG11Gk0.exe	94
PID 2636 wrote to memory of 3880	2636	1wG11Gk0.exe	94
PID 2572 wrote to memory of 3800	2572	GS3dG5nt.exe	96
PID 2572 wrote to memory of 3800	2572	GS3dG5nt.exe	96
PID 2572 wrote to memory of 3800	2572	GS3dG5nt.exe	96

C:\Users\Admin\AppData\Local\Temp\db1cf22ad5c121fddac7a006b4e9eb189a245cebea1e166a4a0e5e70035bdb61.exe
"C:\Users\Admin\AppData\Local\Temp\db1cf22ad5c121fddac7a006b4e9eb189a245cebea1e166a4a0e5e70035bdb61.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1360
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\fv9xc8Gs.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\fv9xc8Gs.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:3480
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ev3jk6Tp.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ev3jk6Tp.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:2756
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\mW4CY4Gh.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\mW4CY4Gh.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:1104
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\GS3dG5nt.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\GS3dG5nt.exe
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of WriteProcessMemory
        
        PID:2572
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1wG11Gk0.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1wG11Gk0.exe
        6⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:2636
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        7⤵
        
        PID:3880
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3880 -s 184
        8⤵
        Program crash
        
        PID:2872
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2UJ502tG.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2UJ502tG.exe
        6⤵
        Executes dropped EXE
        
        PID:3800

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3880 -ip 3880
1⤵
PID:8

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\fv9xc8Gs.exe

Filesize
1.6MB

MD5
b90c5473943851d33ab1adea7aeca764

SHA1
1dacc8c62474c4cd867408faff735d62d66ac93f

SHA256
98454d0bc7747d83e09c35ac626392d9f52c2b0c9796b27cbb0e4140a7963257

SHA512
2c594f01f25402ce4f8ec925b9e1b889f738ee3c95d3cfeb7f367a74cb42e00ea12b366d85ad1b7fc524582ac6a4e1a0010266b13bb47faecc0d13c44d6a045c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\fv9xc8Gs.exe

Filesize
1.6MB

MD5
b90c5473943851d33ab1adea7aeca764

SHA1
1dacc8c62474c4cd867408faff735d62d66ac93f

SHA256
98454d0bc7747d83e09c35ac626392d9f52c2b0c9796b27cbb0e4140a7963257

SHA512
2c594f01f25402ce4f8ec925b9e1b889f738ee3c95d3cfeb7f367a74cb42e00ea12b366d85ad1b7fc524582ac6a4e1a0010266b13bb47faecc0d13c44d6a045c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ev3jk6Tp.exe

Filesize
1.4MB

MD5
f4e4a3157729c8cc78dfe91315214ceb

SHA1
5dd3d7fbd3be79bfec336f9b374d87a037215438

SHA256
030ab8eba08feca90a5b2998f8de5cba312bb435690a58bb0c7892f2b64b2e45

SHA512
e5dd6790393dcf194aa864acfba5d7d4890578677035d9ec354ba548dc937a879153ba119203cad9bed387fa37d2464499c77d4ea57f2e6d638fa2a556cd2a2c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ev3jk6Tp.exe

Filesize
1.4MB

MD5
f4e4a3157729c8cc78dfe91315214ceb

SHA1
5dd3d7fbd3be79bfec336f9b374d87a037215438

SHA256
030ab8eba08feca90a5b2998f8de5cba312bb435690a58bb0c7892f2b64b2e45

SHA512
e5dd6790393dcf194aa864acfba5d7d4890578677035d9ec354ba548dc937a879153ba119203cad9bed387fa37d2464499c77d4ea57f2e6d638fa2a556cd2a2c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\mW4CY4Gh.exe

Filesize
883KB

MD5
e012d596d2b110109e7b46acb418e0e6

SHA1
6e6fc5c7502c95f58ee8b63dd8f0ba018f848e2d

SHA256
2958dc90cca181d8487c8db3ba21cfe6e1e00c0d617275528bc0771719d5784e

SHA512
cbd4c339fec395f87814c29a27b03c8f3d117789e447bf1816785593b92f2490be626baae15fb392b1c73a248ef3f5c4905f7f2d3a1d01f25057b1c9ee414def

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\mW4CY4Gh.exe

Filesize
883KB

MD5
e012d596d2b110109e7b46acb418e0e6

SHA1
6e6fc5c7502c95f58ee8b63dd8f0ba018f848e2d

SHA256
2958dc90cca181d8487c8db3ba21cfe6e1e00c0d617275528bc0771719d5784e

SHA512
cbd4c339fec395f87814c29a27b03c8f3d117789e447bf1816785593b92f2490be626baae15fb392b1c73a248ef3f5c4905f7f2d3a1d01f25057b1c9ee414def

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\GS3dG5nt.exe

Filesize
688KB

MD5
0ddba8ad6d01cbd6f648a1450b757e34

SHA1
72bf9cdbbfe85765499dfe1b1ea63010d5bc3b86

SHA256
d8b99d00ca3225ba0738e171ea580154a9658a1e0c1886df07bf0943a89bf0eb

SHA512
cc974719f9877581df3be52b50d5020f42c41946123500bf32cece5091a67ebe0a62f0ee86879da7b09d66f91d2b4054af46b6fdc386a789373f299fd6594366

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\GS3dG5nt.exe

Filesize
688KB

MD5
0ddba8ad6d01cbd6f648a1450b757e34

SHA1
72bf9cdbbfe85765499dfe1b1ea63010d5bc3b86

SHA256
d8b99d00ca3225ba0738e171ea580154a9658a1e0c1886df07bf0943a89bf0eb

SHA512
cc974719f9877581df3be52b50d5020f42c41946123500bf32cece5091a67ebe0a62f0ee86879da7b09d66f91d2b4054af46b6fdc386a789373f299fd6594366

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1wG11Gk0.exe

Filesize
1.8MB

MD5
64309252cd2b9cd86db027a1d455ccf8

SHA1
8c0048a67f6fc9cdfe27d1e11ec6337a26b12639

SHA256
d6bbd0ed0c114d616d20cb595ca35379c33865d5f7238730fa5e46db7d9443b5

SHA512
d9f3384544b1502d363c173639ff0c9ad0d77cf0b56c19fbdf78ba9c4d95cf1172d9d45d1fd61bedc0d025f95d56a124fd783d206e51f61743c6a4baf73d51c4

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1wG11Gk0.exe

Filesize
1.8MB

MD5
64309252cd2b9cd86db027a1d455ccf8

SHA1
8c0048a67f6fc9cdfe27d1e11ec6337a26b12639

SHA256
d6bbd0ed0c114d616d20cb595ca35379c33865d5f7238730fa5e46db7d9443b5

SHA512
d9f3384544b1502d363c173639ff0c9ad0d77cf0b56c19fbdf78ba9c4d95cf1172d9d45d1fd61bedc0d025f95d56a124fd783d206e51f61743c6a4baf73d51c4

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2UJ502tG.exe

Filesize
219KB

MD5
f014de100cf7c4e08d1c961776582cab

SHA1
52f78bf6a71631455f7195c8d2b1c12a306f44fb

SHA256
282f27aad7f8efac71e918a744ca3da6bfa94c1a7cdb43ff928c61f64857c99a

SHA512
20d413ba9cde719356b6c2567dbe8309fc25a59081d1cec43f8be7cfd8fc99b753fe16783f6a814246fcf2bcfe50318d249d7bb93d35e8efaeca7f5f6f7d07f0

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2UJ502tG.exe

Filesize
219KB

MD5
f014de100cf7c4e08d1c961776582cab

SHA1
52f78bf6a71631455f7195c8d2b1c12a306f44fb

SHA256
282f27aad7f8efac71e918a744ca3da6bfa94c1a7cdb43ff928c61f64857c99a

SHA512
20d413ba9cde719356b6c2567dbe8309fc25a59081d1cec43f8be7cfd8fc99b753fe16783f6a814246fcf2bcfe50318d249d7bb93d35e8efaeca7f5f6f7d07f0

Download Submit
memory/3800-46-0x00000000072E0000-0x0000000007372000-memory.dmp

Filesize
584KB

Download
memory/3800-48-0x00000000073E0000-0x00000000073EA000-memory.dmp

Filesize
40KB

Download
memory/3800-55-0x0000000007420000-0x0000000007430000-memory.dmp

Filesize
64KB

Download
memory/3800-54-0x0000000073FD0000-0x0000000074780000-memory.dmp

Filesize
7.7MB

Download
memory/3800-43-0x0000000000410000-0x000000000044C000-memory.dmp

Filesize
240KB

Download
memory/3800-44-0x0000000073FD0000-0x0000000074780000-memory.dmp

Filesize
7.7MB

Download
memory/3800-45-0x00000000077B0000-0x0000000007D54000-memory.dmp

Filesize
5.6MB

Download
memory/3800-53-0x0000000007D60000-0x0000000007DAC000-memory.dmp

Filesize
304KB

Download
memory/3800-52-0x0000000007610000-0x000000000764C000-memory.dmp

Filesize
240KB

Download
memory/3800-49-0x0000000008380000-0x0000000008998000-memory.dmp

Filesize
6.1MB

Download
memory/3800-47-0x0000000007420000-0x0000000007430000-memory.dmp

Filesize
64KB

Download
memory/3800-50-0x0000000007680000-0x000000000778A000-memory.dmp

Filesize
1.0MB

Download
memory/3800-51-0x00000000075B0000-0x00000000075C2000-memory.dmp

Filesize
72KB

Download
memory/3880-39-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3880-36-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3880-37-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3880-35-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads