redline | efe008ef2d2f134b3dc13b0e7774cf5afaac37652f491658b45665e175cf12b9

Analysis

max time kernel
143s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
10-05-2024 14:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f66a0103e4528b09122b55cb248c3007154afc26e699fa5ddf5d3f200e810a71.exe
Size

857KB
MD5

10d9e523ef3fa325767733e9b06a5183
SHA1

ce932310c4e2ff5db5c2c78b90f69ad2270c08b2
SHA256

f66a0103e4528b09122b55cb248c3007154afc26e699fa5ddf5d3f200e810a71
SHA512

9c319dacf140286345b160ca481dfe68466db1f028fa3f823d5ad8c7aacce5ed2d1218bbb226a103870004bfe7c845d7396fe851e4142f2cdc877e47fed2cf8e
SSDEEP

12288:uMr5y90hl0vLfgTNcWAs5+X7YQaeB42ilLYj18fbo+efG40s+6OuUFLV3sBempko:Hy+0zqxA3LvmSj6jo+A0GUFh3Rm6aj

Score

10^/10

redline kira infostealer persistence

Malware Config

Extracted

Family

redline

Botnet

kira

77.91.68.48:19071

Attributes

auth_value
1677a40fd8997eb89377e1681911e9c6

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 2 IoCs

resource	yara_rule
behavioral20/memory/2464-15-0x0000000000520000-0x0000000000550000-memory.dmp	family_redline
behavioral20/memory/2464-19-0x0000000000400000-0x000000000043A000-memory.dmp	family_redline

Executes dropped EXE 2 IoCs

pid	Process
1664	x9617499.exe
2464	f1016806.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	f66a0103e4528b09122b55cb248c3007154afc26e699fa5ddf5d3f200e810a71.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	x9617499.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 3788 wrote to memory of 1664	3788	f66a0103e4528b09122b55cb248c3007154afc26e699fa5ddf5d3f200e810a71.exe	83
PID 3788 wrote to memory of 1664	3788	f66a0103e4528b09122b55cb248c3007154afc26e699fa5ddf5d3f200e810a71.exe	83
PID 3788 wrote to memory of 1664	3788	f66a0103e4528b09122b55cb248c3007154afc26e699fa5ddf5d3f200e810a71.exe	83
PID 1664 wrote to memory of 2464	1664	x9617499.exe	84
PID 1664 wrote to memory of 2464	1664	x9617499.exe	84
PID 1664 wrote to memory of 2464	1664	x9617499.exe	84

C:\Users\Admin\AppData\Local\Temp\f66a0103e4528b09122b55cb248c3007154afc26e699fa5ddf5d3f200e810a71.exe
"C:\Users\Admin\AppData\Local\Temp\f66a0103e4528b09122b55cb248c3007154afc26e699fa5ddf5d3f200e810a71.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3788
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x9617499.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x9617499.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:1664
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\f1016806.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\f1016806.exe
    3⤵
    - Executes dropped EXE
    PID:2464

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x9617499.exe

Filesize
756KB

MD5
1e4d978f486733815fa2a74fe7d0e9f5

SHA1
87bf1dd3c55e3a265249970befb9c4d6675c7914

SHA256
d5a4727fc533918aa9f73ce0aec0a88a58221512fccfd54e935f339a79fb68ca

SHA512
0c61596597603da0b7d038b80da759fddbac119cbc8f3e3a26fbf60ded1c91092892482dc3038570b8d3b8ab939786e592a994f1ee059159e8b2f01f983645fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\f1016806.exe

Filesize
692KB

MD5
4675a01bc71e879926d8f743e3d0cc4e

SHA1
361547ce6a7ef526778697a74422f05d913cd4a7

SHA256
48a3b8d04d4ecce8fda7acbdf140fdfe0487b5d670f765fa67b3a9b476e683f1

SHA512
7334f76d51cddc0b8bb23b2d6960e6c70fbfed97e645f6ad993d26c78181f25bcb90323b40d64b5a5966aedebcce3ddec9032815de955d8eb21888ca395a2582

Download Submit
memory/2464-14-0x0000000000401000-0x0000000000402000-memory.dmp

Filesize
4KB

Download
memory/2464-15-0x0000000000520000-0x0000000000550000-memory.dmp

Filesize
192KB

Download
memory/2464-19-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2464-20-0x0000000002390000-0x0000000002396000-memory.dmp

Filesize
24KB

Download
memory/2464-21-0x0000000004B10000-0x0000000005128000-memory.dmp

Filesize
6.1MB

Download
memory/2464-22-0x0000000005130000-0x000000000523A000-memory.dmp

Filesize
1.0MB

Download
memory/2464-23-0x0000000004AE0000-0x0000000004AF2000-memory.dmp

Filesize
72KB

Download
memory/2464-24-0x0000000005240000-0x000000000527C000-memory.dmp

Filesize
240KB

Download
memory/2464-25-0x00000000052E0000-0x000000000532C000-memory.dmp

Filesize
304KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads