redline | d1a00dae28f517e56d7386110ff80eea150f344964f965fa0a3fa9539fe0b91f

General

Target

NEAS.bc3507e3b2e3e27b11fdb259f5d44e90_JC.exe
Size

759KB
MD5

bc3507e3b2e3e27b11fdb259f5d44e90
SHA1

7d0e95a41159e47550aa755e55c429841a8e2d35
SHA256

d1a00dae28f517e56d7386110ff80eea150f344964f965fa0a3fa9539fe0b91f
SHA512

5e366bc9153737761a36436ac2dd2cdf5f8015b4744d6676b6f0dfff8e7c7cad7a399e8699dc35b085a5849ac7c72d7a4437001a6f9aa1013b210cd82c632e6d
SSDEEP

12288:NMrHy90MAxd4un4BQ/3GArUrAS32BLng+FxwnQRPI78UK93/2M3:Wy1o/KR3GgqCnQ/J9Pn3

Score

10^/10

redline kinza infostealer persistence

Malware Config

Extracted

Family

redline

Botnet

kinza

C2

77.91.124.86:19084

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 3 IoCs

resource	yara_rule
behavioral1/files/0x000a000000022cd2-20.dat	family_redline
behavioral1/files/0x000a000000022cd2-21.dat	family_redline
behavioral1/memory/2092-23-0x0000000000880000-0x00000000008BE000-memory.dmp	family_redline

Executes dropped EXE 3 IoCs

pid	Process
2956	sz9UW9NO.exe
4832	1Ou59gS1.exe
2092	2Bu235yz.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	NEAS.bc3507e3b2e3e27b11fdb259f5d44e90_JC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	sz9UW9NO.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4832 set thread context of 3540	4832	1Ou59gS1.exe	95

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1528	3540	WerFault.exe	95

Suspicious use of WriteProcessMemory 19 IoCs

description	pid	Process	procid_target
PID 1164 wrote to memory of 2956	1164	NEAS.bc3507e3b2e3e27b11fdb259f5d44e90_JC.exe	91
PID 1164 wrote to memory of 2956	1164	NEAS.bc3507e3b2e3e27b11fdb259f5d44e90_JC.exe	91
PID 1164 wrote to memory of 2956	1164	NEAS.bc3507e3b2e3e27b11fdb259f5d44e90_JC.exe	91
PID 2956 wrote to memory of 4832	2956	sz9UW9NO.exe	92
PID 2956 wrote to memory of 4832	2956	sz9UW9NO.exe	92
PID 2956 wrote to memory of 4832	2956	sz9UW9NO.exe	92
PID 4832 wrote to memory of 3540	4832	1Ou59gS1.exe	95
PID 4832 wrote to memory of 3540	4832	1Ou59gS1.exe	95
PID 4832 wrote to memory of 3540	4832	1Ou59gS1.exe	95
PID 4832 wrote to memory of 3540	4832	1Ou59gS1.exe	95
PID 4832 wrote to memory of 3540	4832	1Ou59gS1.exe	95
PID 4832 wrote to memory of 3540	4832	1Ou59gS1.exe	95
PID 4832 wrote to memory of 3540	4832	1Ou59gS1.exe	95
PID 4832 wrote to memory of 3540	4832	1Ou59gS1.exe	95
PID 4832 wrote to memory of 3540	4832	1Ou59gS1.exe	95
PID 4832 wrote to memory of 3540	4832	1Ou59gS1.exe	95
PID 2956 wrote to memory of 2092	2956	sz9UW9NO.exe	97
PID 2956 wrote to memory of 2092	2956	sz9UW9NO.exe	97
PID 2956 wrote to memory of 2092	2956	sz9UW9NO.exe	97

C:\Users\Admin\AppData\Local\Temp\NEAS.bc3507e3b2e3e27b11fdb259f5d44e90_JC.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.bc3507e3b2e3e27b11fdb259f5d44e90_JC.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1164
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\sz9UW9NO.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\sz9UW9NO.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:2956
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1Ou59gS1.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1Ou59gS1.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:4832
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
      4⤵
      PID:3540
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3540 -s 540
        5⤵
        Program crash
        
        PID:1528
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2Bu235yz.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2Bu235yz.exe
    3⤵
    - Executes dropped EXE
    PID:2092

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 3540 -ip 3540
1⤵
PID:4528

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\sz9UW9NO.exe

Filesize
562KB

MD5
5ed109b0509dcc8f00393f0a1ca1c910

SHA1
991dde0fd24c46165b7195ff57b7907d63f0f821

SHA256
31408be62f943fccf8589b9f6eae4369ec9f62f6bbf9e3f96c6eb376aa3845fd

SHA512
9103db942822b690fa863fc39880a6e82453bd7d68bb9a7af9af219e70b3b61306ef396b823f4926abf5063ca5ea8e782afe6ad0140af2195dce63a1132ba5f6

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\sz9UW9NO.exe

Filesize
562KB

MD5
5ed109b0509dcc8f00393f0a1ca1c910

SHA1
991dde0fd24c46165b7195ff57b7907d63f0f821

SHA256
31408be62f943fccf8589b9f6eae4369ec9f62f6bbf9e3f96c6eb376aa3845fd

SHA512
9103db942822b690fa863fc39880a6e82453bd7d68bb9a7af9af219e70b3b61306ef396b823f4926abf5063ca5ea8e782afe6ad0140af2195dce63a1132ba5f6

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1Ou59gS1.exe

Filesize
1.1MB

MD5
ea8f113de3bac92a6f43b911bfe7d682

SHA1
ad9fbd7927c5230e49c50a81cc0f7e645cd81f3a

SHA256
3bceb544dc24e5fde80d3458a27d2b5dce65c07fc971ad8fb637d389f3bc46ab

SHA512
2bb92e79fd0f64187a15c29d76645f41b4d41cbaeb42fa6b09287e26ae964192a5097751d0f2659697d9ac2a6eeec4dfe2e9a87ba765833e40e9613b2388e022

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1Ou59gS1.exe

Filesize
1.1MB

MD5
ea8f113de3bac92a6f43b911bfe7d682

SHA1
ad9fbd7927c5230e49c50a81cc0f7e645cd81f3a

SHA256
3bceb544dc24e5fde80d3458a27d2b5dce65c07fc971ad8fb637d389f3bc46ab

SHA512
2bb92e79fd0f64187a15c29d76645f41b4d41cbaeb42fa6b09287e26ae964192a5097751d0f2659697d9ac2a6eeec4dfe2e9a87ba765833e40e9613b2388e022

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2Bu235yz.exe

Filesize
222KB

MD5
b711721ecac41eb08fe124ce4183f078

SHA1
a9a556ee43c471298912f4bd8e4fe70dd4d60f3e

SHA256
b258c5df50889da6759579b525cfe3a52af0557488ed830c8af224a1aef1498c

SHA512
8dbb46798f6a2bbba542544f1814c7ccb12c3ebb9b52a65e5d7ccd0da6f6de6f20d84e0d5f49004d3059e7731e2b45fb58e1b050b376ae67198ddaf0a09a5ca8

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2Bu235yz.exe

Filesize
222KB

MD5
b711721ecac41eb08fe124ce4183f078

SHA1
a9a556ee43c471298912f4bd8e4fe70dd4d60f3e

SHA256
b258c5df50889da6759579b525cfe3a52af0557488ed830c8af224a1aef1498c

SHA512
8dbb46798f6a2bbba542544f1814c7ccb12c3ebb9b52a65e5d7ccd0da6f6de6f20d84e0d5f49004d3059e7731e2b45fb58e1b050b376ae67198ddaf0a09a5ca8

Download Submit
memory/2092-27-0x0000000007740000-0x0000000007750000-memory.dmp

Filesize
64KB

Download
memory/2092-31-0x0000000007AF0000-0x0000000007BFA000-memory.dmp

Filesize
1.0MB

Download
memory/2092-34-0x0000000007C00000-0x0000000007C4C000-memory.dmp

Filesize
304KB

Download
memory/2092-33-0x0000000007A80000-0x0000000007ABC000-memory.dmp

Filesize
240KB

Download
memory/2092-22-0x0000000074680000-0x0000000074E30000-memory.dmp

Filesize
7.7MB

Download
memory/2092-23-0x0000000000880000-0x00000000008BE000-memory.dmp

Filesize
248KB

Download
memory/2092-24-0x0000000007C60000-0x0000000008204000-memory.dmp

Filesize
5.6MB

Download
memory/2092-25-0x0000000007790000-0x0000000007822000-memory.dmp

Filesize
584KB

Download
memory/2092-26-0x0000000074680000-0x0000000074E30000-memory.dmp

Filesize
7.7MB

Download
memory/2092-32-0x0000000007A20000-0x0000000007A32000-memory.dmp

Filesize
72KB

Download
memory/2092-28-0x0000000007850000-0x000000000785A000-memory.dmp

Filesize
40KB

Download
memory/2092-29-0x0000000008830000-0x0000000008E48000-memory.dmp

Filesize
6.1MB

Download
memory/2092-30-0x0000000007740000-0x0000000007750000-memory.dmp

Filesize
64KB

Download
memory/3540-18-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3540-14-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3540-15-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3540-16-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads