redline | f6a395732f5dfe45c1b53e1a544f31826d5f310499de2170e9064ac9605a913e

Analysis

max time kernel
142s
max time network
160s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
09-05-2024 18:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

28627b333375a37a072336a76d858a5b0758fe2abe01c16f17f6acfab4c573c8.exe
Size

857KB
MD5

237c39297542fa123e7be74d1eaae4e8
SHA1

e4473b2e8bb53b9fc2b0f7e9c4e31721fcb9f0a9
SHA256

28627b333375a37a072336a76d858a5b0758fe2abe01c16f17f6acfab4c573c8
SHA512

a16b6f0ea0e24b4f5898ceaf363599d682d4ad38e4b1f67dbf13d1a2272a49b2d042362816fccde43de295f7354e0c1b62c0e7b9f7c1a378c3431fc4145f5a13
SSDEEP

24576:lyJLHvLRaQFKWeHcPlaBbI29NLrunu79Tf:AJFKWG2cI29NnuCl

Score

10^/10

redline kira infostealer persistence

Malware Config

Extracted

Family

redline

Botnet

kira

77.91.68.48:19071

Attributes

auth_value
1677a40fd8997eb89377e1681911e9c6

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 2 IoCs

Processes:

resource	yara_rule
behavioral6/memory/3044-16-0x0000000000440000-0x0000000000470000-memory.dmp	family_redline
behavioral6/memory/3044-19-0x0000000000400000-0x000000000043A000-memory.dmp	family_redline

Executes dropped EXE 2 IoCs

Processes:

x9434757.exef1115157.exe

pid process

1228 x9434757.exe
3044 f1115157.exe

pid	process
1228	x9434757.exe
3044	f1115157.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

28627b333375a37a072336a76d858a5b0758fe2abe01c16f17f6acfab4c573c8.exex9434757.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	28627b333375a37a072336a76d858a5b0758fe2abe01c16f17f6acfab4c573c8.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	x9434757.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

28627b333375a37a072336a76d858a5b0758fe2abe01c16f17f6acfab4c573c8.exex9434757.exe

description	pid	process	target process
PID 1280 wrote to memory of 1228	1280	28627b333375a37a072336a76d858a5b0758fe2abe01c16f17f6acfab4c573c8.exe	x9434757.exe
PID 1280 wrote to memory of 1228	1280	28627b333375a37a072336a76d858a5b0758fe2abe01c16f17f6acfab4c573c8.exe	x9434757.exe
PID 1280 wrote to memory of 1228	1280	28627b333375a37a072336a76d858a5b0758fe2abe01c16f17f6acfab4c573c8.exe	x9434757.exe
PID 1228 wrote to memory of 3044	1228	x9434757.exe	f1115157.exe
PID 1228 wrote to memory of 3044	1228	x9434757.exe	f1115157.exe
PID 1228 wrote to memory of 3044	1228	x9434757.exe	f1115157.exe

C:\Users\Admin\AppData\Local\Temp\28627b333375a37a072336a76d858a5b0758fe2abe01c16f17f6acfab4c573c8.exe
"C:\Users\Admin\AppData\Local\Temp\28627b333375a37a072336a76d858a5b0758fe2abe01c16f17f6acfab4c573c8.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1280

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x9434757.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x9434757.exe
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1228

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\f1115157.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\f1115157.exe
3⤵
- Executes dropped EXE
PID:3044

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x9434757.exe
Filesize
756KB

MD5
17612205140dbf13fe18ecc01cf26827

SHA1
f0cd309a1e5cefd09da363e18af50e028ff91c2b

SHA256
e1e80454790db734118276070b090c5725a9a41b8ec05b228e977617b1d5cd86

SHA512
081583c010d9d2a388c501003d609b40b889869bacc9fd1bedcc0b5fe83d34a809193d14be5137f136809d8cfa90aea3687708a5cbf5d2664b78b32948edb79f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\f1115157.exe
Filesize
691KB

MD5
b66f0db799260482b5631114186a4059

SHA1
f32e8af8a9fefc3fdf8ebf6aee9c47cbf7d853b7

SHA256
11ac4710e163fb5c6c4e973d060ebe02becd58bd351de75e1c31cbea8f513070

SHA512
f0d4103cc773c25df02b46d277799e5d35f6d80c29a72b815a615662185b3a48300cd80c8539136d6fa10bc42281bd20af2d5c092474bd405a08197d838d354c

Download Submit
memory/3044-14-0x0000000000401000-0x0000000000402000-memory.dmp

Filesize
4KB

Download
memory/3044-16-0x0000000000440000-0x0000000000470000-memory.dmp

Filesize
192KB

Download
memory/3044-19-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/3044-20-0x00000000020E0000-0x00000000020E6000-memory.dmp

Filesize
24KB

Download
memory/3044-21-0x000000000A4D0000-0x000000000AAE8000-memory.dmp

Filesize
6.1MB

Download
memory/3044-22-0x0000000009EE0000-0x0000000009FEA000-memory.dmp

Filesize
1.0MB

Download
memory/3044-23-0x000000000A020000-0x000000000A032000-memory.dmp

Filesize
72KB

Download
memory/3044-24-0x000000000A040000-0x000000000A07C000-memory.dmp

Filesize
240KB

Download
memory/3044-25-0x00000000044A0000-0x00000000044EC000-memory.dmp

Filesize
304KB

Download