redline | 5917339910bda68a91f92247578c308113ee6fce121896237213a864c446fcd8

Analysis

max time kernel
132s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
09-05-2024 15:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

27054c4ef87730930ab8bbec2331b567a7518f766c3e7f55e066fb7014ae3556.exe
Size

856KB
MD5

42bfe71072750a81fe1d4dcdb2f04dc2
SHA1

29ac9199d705da60cd8cf27229e8dda3e6188be5
SHA256

27054c4ef87730930ab8bbec2331b567a7518f766c3e7f55e066fb7014ae3556
SHA512

2e0f763ffc407cfce7646b3d5318d5f507808bd0e0d63d81d39d767c754ae153fbfb3a5fcfe6331a57731cb2ca34a6c586c4ca1fc059dbe7d53a657580d37021
SSDEEP

12288:BMrSy90bmxzzWSvRTkc64XzHqbv0t3CEfEkkOP3QBXD/n3HPdy2U3RMAManmlbCY:PyRSSZ56gzHqbv0ZCEBcn3VlcG+nm1

Score

10^/10

redline kira infostealer persistence

Malware Config

Extracted

Family

redline

Botnet

kira

77.91.68.48:19071

Attributes

auth_value
1677a40fd8997eb89377e1681911e9c6

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 2 IoCs

resource	yara_rule
behavioral5/memory/536-14-0x0000000000520000-0x0000000000550000-memory.dmp	family_redline
behavioral5/memory/536-19-0x0000000000400000-0x000000000043A000-memory.dmp	family_redline

Executes dropped EXE 2 IoCs

pid	Process
3872	x0107547.exe
536	f7897423.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	27054c4ef87730930ab8bbec2331b567a7518f766c3e7f55e066fb7014ae3556.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	x0107547.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 856 wrote to memory of 3872	856	27054c4ef87730930ab8bbec2331b567a7518f766c3e7f55e066fb7014ae3556.exe	82
PID 856 wrote to memory of 3872	856	27054c4ef87730930ab8bbec2331b567a7518f766c3e7f55e066fb7014ae3556.exe	82
PID 856 wrote to memory of 3872	856	27054c4ef87730930ab8bbec2331b567a7518f766c3e7f55e066fb7014ae3556.exe	82
PID 3872 wrote to memory of 536	3872	x0107547.exe	84
PID 3872 wrote to memory of 536	3872	x0107547.exe	84
PID 3872 wrote to memory of 536	3872	x0107547.exe	84

C:\Users\Admin\AppData\Local\Temp\27054c4ef87730930ab8bbec2331b567a7518f766c3e7f55e066fb7014ae3556.exe
"C:\Users\Admin\AppData\Local\Temp\27054c4ef87730930ab8bbec2331b567a7518f766c3e7f55e066fb7014ae3556.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:856
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x0107547.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x0107547.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:3872
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\f7897423.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\f7897423.exe
    3⤵
    - Executes dropped EXE
    PID:536

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x0107547.exe

Filesize
755KB

MD5
c665ba7f1cc0ab9951da7bf197b04c01

SHA1
52a9a7b51d225fc7f8824e713043f5143cd98d85

SHA256
20e5aeb19eafd1131b3f25dcb9216eecd4f38e69de3b61fc3cf290f387c2d998

SHA512
03e97753a06da1cfd34c137ef0d158a5525508bfd7ce993816b772a2b60bb22f3c4676598be168a529202f8ee9e8790087a7708d9a92badc0eafc1945e7290fa

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\f7897423.exe

Filesize
692KB

MD5
40236ff6ad5d86ba9af49e6aa8feb830

SHA1
00c2712d3beecf509a295e340c5827db20f2e251

SHA256
e6a06e909f7d3e0117e5861c6ec36369f759bb0504e7f181c6ed74d997c5b25b

SHA512
a8cdf9c4e8e2abcae17303c6fd7a62ac63ecf07d28a069f2e4e7311352404505536c287080f5a9b617c00a3c108d3f1fc5617033a848bdda8d4ec604a36c55a3

Download Submit
memory/536-14-0x0000000000520000-0x0000000000550000-memory.dmp

Filesize
192KB

Download
memory/536-18-0x0000000000401000-0x0000000000402000-memory.dmp

Filesize
4KB

Download
memory/536-19-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/536-20-0x0000000002160000-0x0000000002166000-memory.dmp

Filesize
24KB

Download
memory/536-21-0x00000000052B0000-0x00000000058C8000-memory.dmp

Filesize
6.1MB

Download
memory/536-22-0x0000000004C90000-0x0000000004D9A000-memory.dmp

Filesize
1.0MB

Download
memory/536-23-0x0000000004B20000-0x0000000004B32000-memory.dmp

Filesize
72KB

Download
memory/536-24-0x0000000004B40000-0x0000000004B7C000-memory.dmp

Filesize
240KB

Download
memory/536-25-0x0000000004E00000-0x0000000004E4C000-memory.dmp

Filesize
304KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads