redline | d3b7e5cbe2980cd2fb6f7f30eaade26a956ec4a02e71ed37c80b263166b40ef2

Analysis

max time kernel
149s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
09-05-2024 14:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3ab23a30366cb3cfeded88ccba1999ff26ead2bcde69af9aad7e2ed1fa054cc6.exe
Size

857KB
MD5

0f0d0b0d1763725ce36c1c1db736fc8e
SHA1

3a5d36a40ae2f0aa832b88db12e8080f83b8503d
SHA256

3ab23a30366cb3cfeded88ccba1999ff26ead2bcde69af9aad7e2ed1fa054cc6
SHA512

224c93c379f47a4b1886478c26427daab891b4cdbbacf2dbdce454a8d3acc1c16eda545ff2381cbfe0fb872fe670060471f346986f7fc6ae4007039531322f5d
SSDEEP

24576:nyD97B7U1CjyvR3id1Z0Fr4m5lO5x99+wfCbnBYsVj:yDaCjcipq5lO5X9+wqbGK

Score

10^/10

redline kira infostealer persistence

Malware Config

Extracted

Family

redline

Botnet

kira

77.91.68.48:19071

Attributes

auth_value
1677a40fd8997eb89377e1681911e9c6

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 2 IoCs

Processes:

resource	yara_rule
behavioral2/memory/3960-15-0x0000000000510000-0x0000000000540000-memory.dmp	family_redline
behavioral2/memory/3960-19-0x0000000000400000-0x000000000043A000-memory.dmp	family_redline

Executes dropped EXE 2 IoCs

Processes:

x1185734.exef0011085.exe

pid process

900 x1185734.exe
3960 f0011085.exe

pid	process
900	x1185734.exe
3960	f0011085.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

3ab23a30366cb3cfeded88ccba1999ff26ead2bcde69af9aad7e2ed1fa054cc6.exex1185734.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	3ab23a30366cb3cfeded88ccba1999ff26ead2bcde69af9aad7e2ed1fa054cc6.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	x1185734.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

3ab23a30366cb3cfeded88ccba1999ff26ead2bcde69af9aad7e2ed1fa054cc6.exex1185734.exe

description	pid	process	target process
PID 920 wrote to memory of 900	920	3ab23a30366cb3cfeded88ccba1999ff26ead2bcde69af9aad7e2ed1fa054cc6.exe	x1185734.exe
PID 920 wrote to memory of 900	920	3ab23a30366cb3cfeded88ccba1999ff26ead2bcde69af9aad7e2ed1fa054cc6.exe	x1185734.exe
PID 920 wrote to memory of 900	920	3ab23a30366cb3cfeded88ccba1999ff26ead2bcde69af9aad7e2ed1fa054cc6.exe	x1185734.exe
PID 900 wrote to memory of 3960	900	x1185734.exe	f0011085.exe
PID 900 wrote to memory of 3960	900	x1185734.exe	f0011085.exe
PID 900 wrote to memory of 3960	900	x1185734.exe	f0011085.exe

C:\Users\Admin\AppData\Local\Temp\3ab23a30366cb3cfeded88ccba1999ff26ead2bcde69af9aad7e2ed1fa054cc6.exe
"C:\Users\Admin\AppData\Local\Temp\3ab23a30366cb3cfeded88ccba1999ff26ead2bcde69af9aad7e2ed1fa054cc6.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:920

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x1185734.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x1185734.exe
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:900

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\f0011085.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\f0011085.exe
3⤵
- Executes dropped EXE
PID:3960

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x1185734.exe
Filesize
756KB

MD5
3211325470f6929971deb61d33db781a

SHA1
b71e886212447aac365b2485623873f4122080bc

SHA256
f5e9db4e25450c63ea89cf56c3bb7e2d9e2f7f70a2d7ef01f9070c9c9e7ea3fe

SHA512
7fca2883972e3a967a1fc19c43994b57eb60edea4690ea8b47922c970e649597db40880fe511123a126b2adf0c224091308e4004d77bf110c9033d87b1861607

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\f0011085.exe
Filesize
692KB

MD5
5b55a135c863ac61103a4cd53f53ebf4

SHA1
a7366c5895d88489f3535a903fa915bcd1f141b1

SHA256
711b3f68d2100dfa3f4ee01aada958c1f9f347144cc982dfb1824e01cce64ad2

SHA512
e4d1ea6248202d6a10ae0914af581d68d8fdd339ef773cabc93f70867409bb0dc7be0f42b614a376cd200921d345ab7581daa2e620b7057dee3d4b3f56a3e9f9

Download Submit
memory/3960-14-0x0000000000401000-0x0000000000402000-memory.dmp

Filesize
4KB

Download
memory/3960-15-0x0000000000510000-0x0000000000540000-memory.dmp

Filesize
192KB

Download
memory/3960-19-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/3960-20-0x0000000002530000-0x0000000002536000-memory.dmp

Filesize
24KB

Download
memory/3960-21-0x000000000A000000-0x000000000A618000-memory.dmp

Filesize
6.1MB

Download
memory/3960-22-0x000000000A640000-0x000000000A74A000-memory.dmp

Filesize
1.0MB

Download
memory/3960-23-0x000000000A780000-0x000000000A792000-memory.dmp

Filesize
72KB

Download
memory/3960-24-0x000000000A7A0000-0x000000000A7DC000-memory.dmp

Filesize
240KB

Download
memory/3960-25-0x0000000004590000-0x00000000045DC000-memory.dmp

Filesize
304KB

Download