redline | 19ffc101f7c4457a5adb66b38ce5823d52f596b323578de48d3585b1b57d24c6

Analysis

max time kernel
132s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
10-05-2024 14:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

123830f5adc2114333a361b752e02a6ae770080082ba2b79c984aaf2debf810f.exe
Size

856KB
MD5

35762cd3ccc1574a12f103066ecba520
SHA1

c7f02aeefc74ddb4d4134ac09418bbdcb250d192
SHA256

123830f5adc2114333a361b752e02a6ae770080082ba2b79c984aaf2debf810f
SHA512

fbb0ef7fd42bf2d5d8629921528fc69e880b90173fe3e57746bc08bf84033ac6331104678a24a67146e7cd738aa06cca421a0cb6af37d2c06be3729ad4b967d9
SSDEEP

12288:1MrRy90zgvdGHHhfom5cyZF5RRvoIlBQpE73i3qnj5/vYkZrSsf1bBvzfS4R:4yDvdMFtZF5xPQmDiMdvYkQU1xSY

Score

10^/10

redline kira infostealer persistence

Malware Config

Extracted

Family

redline

Botnet

kira

77.91.68.48:19071

Attributes

auth_value
1677a40fd8997eb89377e1681911e9c6

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 2 IoCs

Processes:

resource	yara_rule
behavioral3/memory/2284-14-0x00000000007C0000-0x00000000007F0000-memory.dmp	family_redline
behavioral3/memory/2284-19-0x0000000000400000-0x000000000043A000-memory.dmp	family_redline

Executes dropped EXE 2 IoCs

Processes:

x3430455.exef1299352.exe

pid process

2740 x3430455.exe
2284 f1299352.exe

pid	process
2740	x3430455.exe
2284	f1299352.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

x3430455.exe123830f5adc2114333a361b752e02a6ae770080082ba2b79c984aaf2debf810f.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	x3430455.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	123830f5adc2114333a361b752e02a6ae770080082ba2b79c984aaf2debf810f.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

123830f5adc2114333a361b752e02a6ae770080082ba2b79c984aaf2debf810f.exex3430455.exe

description	pid	process	target process
PID 4412 wrote to memory of 2740	4412	123830f5adc2114333a361b752e02a6ae770080082ba2b79c984aaf2debf810f.exe	x3430455.exe
PID 4412 wrote to memory of 2740	4412	123830f5adc2114333a361b752e02a6ae770080082ba2b79c984aaf2debf810f.exe	x3430455.exe
PID 4412 wrote to memory of 2740	4412	123830f5adc2114333a361b752e02a6ae770080082ba2b79c984aaf2debf810f.exe	x3430455.exe
PID 2740 wrote to memory of 2284	2740	x3430455.exe	f1299352.exe
PID 2740 wrote to memory of 2284	2740	x3430455.exe	f1299352.exe
PID 2740 wrote to memory of 2284	2740	x3430455.exe	f1299352.exe

C:\Users\Admin\AppData\Local\Temp\123830f5adc2114333a361b752e02a6ae770080082ba2b79c984aaf2debf810f.exe
"C:\Users\Admin\AppData\Local\Temp\123830f5adc2114333a361b752e02a6ae770080082ba2b79c984aaf2debf810f.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4412

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x3430455.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x3430455.exe
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2740

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\f1299352.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\f1299352.exe
3⤵
- Executes dropped EXE
PID:2284

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x3430455.exe
Filesize
755KB

MD5
1db062248945dfb449237e3b9960bf7a

SHA1
07bbca6477c814544ea5a56ab62f4ddf21906acc

SHA256
ae67ccf827a2a052b259cdf30c291262168ea04d593c0ba147efc066e2e01db8

SHA512
3b8d1320dc3c09462d704d8439461098201eb011898e36b45a24280584b364dd2a3add9ae5750d5cb228c6525af0d7afa73438b2274006fdae87b5f7e2cb49d6

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\f1299352.exe
Filesize
692KB

MD5
829309073538923812f892e2fc6a043b

SHA1
4a8115a7fe9c1496237a4a1373eeb317c4112e15

SHA256
efb3d8da2b0a468c13d858998395552d386e4bc47a3103279d4215a96c3cb57e

SHA512
2b4b7b043868941f7f1e558b054d73d1d1a30a90ff0a940a489c9786e60b96c97d83093a77c992224d84fcfa8e909b543b1c7f2240dee1dd47b8fde078ec08ee

Download Submit
memory/2284-14-0x00000000007C0000-0x00000000007F0000-memory.dmp

Filesize
192KB

Download
memory/2284-18-0x0000000000401000-0x0000000000402000-memory.dmp

Filesize
4KB

Download
memory/2284-19-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2284-20-0x0000000002410000-0x0000000002416000-memory.dmp

Filesize
24KB

Download
memory/2284-21-0x000000000A4D0000-0x000000000AAE8000-memory.dmp

Filesize
6.1MB

Download
memory/2284-22-0x0000000009EE0000-0x0000000009FEA000-memory.dmp

Filesize
1.0MB

Download
memory/2284-23-0x000000000A020000-0x000000000A032000-memory.dmp

Filesize
72KB

Download
memory/2284-24-0x000000000A040000-0x000000000A07C000-memory.dmp

Filesize
240KB

Download
memory/2284-25-0x0000000002390000-0x00000000023DC000-memory.dmp

Filesize
304KB

Download