redline | 0f4af09d614af139b34b972c69e89ce80826139e576928ff841e05818321ba8d

Analysis

max time kernel
157s
max time network
164s
platform
windows10-2004_x64
resource
win10v2004-20231023-en
resource tags

arch:x64arch:x86image:win10v2004-20231023-enlocale:en-usos:windows10-2004-x64system
submitted
05-11-2023 04:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NEAS.07bfc73fca915525fbdfcb74f0d676e0_JC.exe
Size

1.5MB
MD5

07bfc73fca915525fbdfcb74f0d676e0
SHA1

7c24c1eaa2336e1c045c1c5e74ab989876f32e50
SHA256

0f4af09d614af139b34b972c69e89ce80826139e576928ff841e05818321ba8d
SHA512

f726ca94b7d30edf8496920a8507545a44535c4298ebe2b63631d024566fb1c0e1a6802eb78d19f90879adfd00a0e8dc55dec3db37168b7ac295940248e8d5ba
SSDEEP

24576:6y13Mbqg7d+0TOzlhrF6QrOSiMO++RNg1bSxby/hFkSeSBe6:BQqg7UWUhrFMyOfR+1bIJTz

Score

10^/10

redline kedru infostealer persistence

Malware Config

Extracted

Family

redline

Botnet

kedru

77.91.124.86:19084

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 3 IoCs

resource	yara_rule
behavioral1/files/0x0006000000022d08-41.dat	family_redline
behavioral1/files/0x0006000000022d08-42.dat	family_redline
behavioral1/memory/2380-44-0x0000000000930000-0x000000000096C000-memory.dmp	family_redline

Executes dropped EXE 6 IoCs

pid	Process
3912	ER2Br3vR.exe
2768	lQ1QV3MX.exe
1676	LO5sO1Qu.exe
4136	GY9vm5Jn.exe
3576	1uK34mz7.exe
2380	2CW116vK.exe

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\""	GY9vm5Jn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	NEAS.07bfc73fca915525fbdfcb74f0d676e0_JC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	ER2Br3vR.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	lQ1QV3MX.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	LO5sO1Qu.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 3576 set thread context of 3452	3576	1uK34mz7.exe	96

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1796	3452	WerFault.exe	96

Suspicious use of WriteProcessMemory 28 IoCs

description	pid	Process	procid_target
PID 3252 wrote to memory of 3912	3252	NEAS.07bfc73fca915525fbdfcb74f0d676e0_JC.exe	91
PID 3252 wrote to memory of 3912	3252	NEAS.07bfc73fca915525fbdfcb74f0d676e0_JC.exe	91
PID 3252 wrote to memory of 3912	3252	NEAS.07bfc73fca915525fbdfcb74f0d676e0_JC.exe	91
PID 3912 wrote to memory of 2768	3912	ER2Br3vR.exe	92
PID 3912 wrote to memory of 2768	3912	ER2Br3vR.exe	92
PID 3912 wrote to memory of 2768	3912	ER2Br3vR.exe	92
PID 2768 wrote to memory of 1676	2768	lQ1QV3MX.exe	93
PID 2768 wrote to memory of 1676	2768	lQ1QV3MX.exe	93
PID 2768 wrote to memory of 1676	2768	lQ1QV3MX.exe	93
PID 1676 wrote to memory of 4136	1676	LO5sO1Qu.exe	94
PID 1676 wrote to memory of 4136	1676	LO5sO1Qu.exe	94
PID 1676 wrote to memory of 4136	1676	LO5sO1Qu.exe	94
PID 4136 wrote to memory of 3576	4136	GY9vm5Jn.exe	95
PID 4136 wrote to memory of 3576	4136	GY9vm5Jn.exe	95
PID 4136 wrote to memory of 3576	4136	GY9vm5Jn.exe	95
PID 3576 wrote to memory of 3452	3576	1uK34mz7.exe	96
PID 3576 wrote to memory of 3452	3576	1uK34mz7.exe	96
PID 3576 wrote to memory of 3452	3576	1uK34mz7.exe	96
PID 3576 wrote to memory of 3452	3576	1uK34mz7.exe	96
PID 3576 wrote to memory of 3452	3576	1uK34mz7.exe	96
PID 3576 wrote to memory of 3452	3576	1uK34mz7.exe	96
PID 3576 wrote to memory of 3452	3576	1uK34mz7.exe	96
PID 3576 wrote to memory of 3452	3576	1uK34mz7.exe	96
PID 3576 wrote to memory of 3452	3576	1uK34mz7.exe	96
PID 3576 wrote to memory of 3452	3576	1uK34mz7.exe	96
PID 4136 wrote to memory of 2380	4136	GY9vm5Jn.exe	97
PID 4136 wrote to memory of 2380	4136	GY9vm5Jn.exe	97
PID 4136 wrote to memory of 2380	4136	GY9vm5Jn.exe	97

C:\Users\Admin\AppData\Local\Temp\NEAS.07bfc73fca915525fbdfcb74f0d676e0_JC.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.07bfc73fca915525fbdfcb74f0d676e0_JC.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3252
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ER2Br3vR.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ER2Br3vR.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:3912
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\lQ1QV3MX.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\lQ1QV3MX.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:2768
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\LO5sO1Qu.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\LO5sO1Qu.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:1676
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\GY9vm5Jn.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\GY9vm5Jn.exe
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of WriteProcessMemory
        
        PID:4136
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1uK34mz7.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1uK34mz7.exe
        6⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:3576
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        7⤵
        
        PID:3452
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3452 -s 540
        8⤵
        Program crash
        
        PID:1796
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2CW116vK.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2CW116vK.exe
        6⤵
        Executes dropped EXE
        
        PID:2380

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 3452 -ip 3452
1⤵
PID:936

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ER2Br3vR.exe

Filesize
1.3MB

MD5
4898e0cf3b222787fcfb396c550a6d9a

SHA1
7e105b4c6d754ed3853c795abcbf33b6196ace5e

SHA256
2ea3650923b0c06c69db7153f708b4d56516ec53848537eb040efe5b63b0053c

SHA512
8cd56792688aa64d57892df26f651a78b11b89d3d6befac4246c4dec134091eac28961a531d436043abd245bdf98ebd474246d8e939a4889f796a2ac68e86cfc

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ER2Br3vR.exe

Filesize
1.3MB

MD5
4898e0cf3b222787fcfb396c550a6d9a

SHA1
7e105b4c6d754ed3853c795abcbf33b6196ace5e

SHA256
2ea3650923b0c06c69db7153f708b4d56516ec53848537eb040efe5b63b0053c

SHA512
8cd56792688aa64d57892df26f651a78b11b89d3d6befac4246c4dec134091eac28961a531d436043abd245bdf98ebd474246d8e939a4889f796a2ac68e86cfc

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\lQ1QV3MX.exe

Filesize
1.1MB

MD5
a8965dd9245cb266eb130cb517d47b4e

SHA1
50dcd0234206235ac45ad6fe0e280bad924bb561

SHA256
bd6393eaeffe0e984f7a193af449d2168ab57fefdaba330c51d442d20477f64f

SHA512
37f64869977da9c01013ad0d0c4ee81fed5955b2bfecf05c0b4306fac67681b97a045612defe84d93cde07e61ebe2dd74bb37b8f08b178fce8455a7499d510d6

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\lQ1QV3MX.exe

Filesize
1.1MB

MD5
a8965dd9245cb266eb130cb517d47b4e

SHA1
50dcd0234206235ac45ad6fe0e280bad924bb561

SHA256
bd6393eaeffe0e984f7a193af449d2168ab57fefdaba330c51d442d20477f64f

SHA512
37f64869977da9c01013ad0d0c4ee81fed5955b2bfecf05c0b4306fac67681b97a045612defe84d93cde07e61ebe2dd74bb37b8f08b178fce8455a7499d510d6

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\LO5sO1Qu.exe

Filesize
753KB

MD5
60946505991016ff525b86b8edfbd17e

SHA1
a12d841347d7cd0bf875d1185d9390343aa0c394

SHA256
71948607fe49a6ea0873bd3cb185e2f2dd4a48960dd222ad4285c4503cd34ea8

SHA512
7f500d84367b09039c98a411120a6890a5e00bbbd3794f0604bb9857ea968f3410d833939c8576af0258318d6c0805608a9f462de00a7fb7a9446f3dd8149591

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\LO5sO1Qu.exe

Filesize
753KB

MD5
60946505991016ff525b86b8edfbd17e

SHA1
a12d841347d7cd0bf875d1185d9390343aa0c394

SHA256
71948607fe49a6ea0873bd3cb185e2f2dd4a48960dd222ad4285c4503cd34ea8

SHA512
7f500d84367b09039c98a411120a6890a5e00bbbd3794f0604bb9857ea968f3410d833939c8576af0258318d6c0805608a9f462de00a7fb7a9446f3dd8149591

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\GY9vm5Jn.exe

Filesize
558KB

MD5
2fdddcfff62faa130fac485cbf25e3f2

SHA1
23e8e42796b97d391ed821cf608ca665f26cecad

SHA256
c514c38d289d17ba460236b7063101c2bdae7ac1fdbaa914edb7728180443115

SHA512
db437c1462ba0bb5942aec9d87fb0b3749a1be29f7cdc25c95491681dcdee8bdeeb74042d1d650ffacdee68b1f5e3192e8c1114830f88d4218f59f69de5b1481

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\GY9vm5Jn.exe

Filesize
558KB

MD5
2fdddcfff62faa130fac485cbf25e3f2

SHA1
23e8e42796b97d391ed821cf608ca665f26cecad

SHA256
c514c38d289d17ba460236b7063101c2bdae7ac1fdbaa914edb7728180443115

SHA512
db437c1462ba0bb5942aec9d87fb0b3749a1be29f7cdc25c95491681dcdee8bdeeb74042d1d650ffacdee68b1f5e3192e8c1114830f88d4218f59f69de5b1481

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1uK34mz7.exe

Filesize
1.0MB

MD5
62d3c2b68a4240e60af10de18686641b

SHA1
2e935e69cad70cfdadb509288c7615715ea1ece4

SHA256
218064d27cb940fe8b24e42fb73e5bae3d575d0b0991001119276982f8eefd17

SHA512
9a7d49ecd89c125b0531ec06a8d27b8156a4e5eafbb15662a2afeb14dd7b8cc31da6b34fdf946d173491f47116ff21f102a7cbc9ae723e90448d9e8bcd495684

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1uK34mz7.exe

Filesize
1.0MB

MD5
62d3c2b68a4240e60af10de18686641b

SHA1
2e935e69cad70cfdadb509288c7615715ea1ece4

SHA256
218064d27cb940fe8b24e42fb73e5bae3d575d0b0991001119276982f8eefd17

SHA512
9a7d49ecd89c125b0531ec06a8d27b8156a4e5eafbb15662a2afeb14dd7b8cc31da6b34fdf946d173491f47116ff21f102a7cbc9ae723e90448d9e8bcd495684

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2CW116vK.exe

Filesize
219KB

MD5
ac33ae5cd68ef74812709ff301a78f0e

SHA1
2957f137ab4f1152336f706e5bf38bf364b03e53

SHA256
429edb4bf1365e63e5531e39b8cd93d9216882498d09da0111330a975f5e1f1e

SHA512
3ece0cb00b8ae314b74024b5b3da36501d648b241ca30a9b422ddbd3a5bf31044f01bbb2a1fd3f7b11329f6c2058ade331f086a644ef072be2ee16199c0c5eca

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2CW116vK.exe

Filesize
219KB

MD5
ac33ae5cd68ef74812709ff301a78f0e

SHA1
2957f137ab4f1152336f706e5bf38bf364b03e53

SHA256
429edb4bf1365e63e5531e39b8cd93d9216882498d09da0111330a975f5e1f1e

SHA512
3ece0cb00b8ae314b74024b5b3da36501d648b241ca30a9b422ddbd3a5bf31044f01bbb2a1fd3f7b11329f6c2058ade331f086a644ef072be2ee16199c0c5eca

Download Submit
memory/2380-46-0x0000000007780000-0x0000000007812000-memory.dmp

Filesize
584KB

Download
memory/2380-43-0x0000000073F50000-0x0000000074700000-memory.dmp

Filesize
7.7MB

Download
memory/2380-47-0x00000000078C0000-0x00000000078D0000-memory.dmp

Filesize
64KB

Download
memory/2380-55-0x00000000078C0000-0x00000000078D0000-memory.dmp

Filesize
64KB

Download
memory/2380-48-0x0000000007710000-0x000000000771A000-memory.dmp

Filesize
40KB

Download
memory/2380-44-0x0000000000930000-0x000000000096C000-memory.dmp

Filesize
240KB

Download
memory/2380-45-0x0000000007C90000-0x0000000008234000-memory.dmp

Filesize
5.6MB

Download
memory/2380-49-0x0000000008860000-0x0000000008E78000-memory.dmp

Filesize
6.1MB

Download
memory/2380-54-0x0000000073F50000-0x0000000074700000-memory.dmp

Filesize
7.7MB

Download
memory/2380-53-0x0000000007A40000-0x0000000007A8C000-memory.dmp

Filesize
304KB

Download
memory/2380-52-0x0000000007A00000-0x0000000007A3C000-memory.dmp

Filesize
240KB

Download
memory/2380-50-0x0000000008240000-0x000000000834A000-memory.dmp

Filesize
1.0MB

Download
memory/2380-51-0x0000000007880000-0x0000000007892000-memory.dmp

Filesize
72KB

Download
memory/3452-36-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3452-39-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3452-35-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3452-37-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads