redline | 2685b451d5bc5d1cd7c159a87efdfacd5a60c314491404e6e60e752ba3db90cf

Analysis

max time kernel
148s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
10-05-2024 15:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e25842dbe6ab8469f81bd821ab70c2818962c7a681f45dfcd09f741409b2bb9e.exe
Size

857KB
MD5

e51f5ef0b3d5038c9e1b0b5516244e8c
SHA1

d1d5a940665d849f900e8a369c29f0fac7c1374f
SHA256

e25842dbe6ab8469f81bd821ab70c2818962c7a681f45dfcd09f741409b2bb9e
SHA512

b5f4eccb3c51b84c315b966ea819b338b0cb8b6970b8c85749f123f9a6c06b0b76e64b29c303afc816b4c338860388d6f3c47e2a10f99828a7bd004de001c19b
SSDEEP

12288:7MrFy90I/vsuqkr+jSMqxvObV/znJyyd34t6G6Gxzbj4kx2R2V/dBAo+HES2VN9T:myN/vXx+6GR/t37sJbj/fLAZ6Nlb9d

Score

10^/10

redline kira infostealer persistence

Malware Config

Extracted

Family

redline

Botnet

kira

77.91.68.48:19071

Attributes

auth_value
1677a40fd8997eb89377e1681911e9c6

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 2 IoCs

Processes:

resource	yara_rule
behavioral25/memory/1936-15-0x0000000000510000-0x0000000000540000-memory.dmp	family_redline
behavioral25/memory/1936-19-0x0000000000400000-0x000000000043A000-memory.dmp	family_redline

Executes dropped EXE 2 IoCs

Processes:

x4613386.exef4035649.exe

pid process

820 x4613386.exe
1936 f4035649.exe

pid	process
820	x4613386.exe
1936	f4035649.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

e25842dbe6ab8469f81bd821ab70c2818962c7a681f45dfcd09f741409b2bb9e.exex4613386.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	e25842dbe6ab8469f81bd821ab70c2818962c7a681f45dfcd09f741409b2bb9e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	x4613386.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

e25842dbe6ab8469f81bd821ab70c2818962c7a681f45dfcd09f741409b2bb9e.exex4613386.exe

description	pid	process	target process
PID 4180 wrote to memory of 820	4180	e25842dbe6ab8469f81bd821ab70c2818962c7a681f45dfcd09f741409b2bb9e.exe	x4613386.exe
PID 4180 wrote to memory of 820	4180	e25842dbe6ab8469f81bd821ab70c2818962c7a681f45dfcd09f741409b2bb9e.exe	x4613386.exe
PID 4180 wrote to memory of 820	4180	e25842dbe6ab8469f81bd821ab70c2818962c7a681f45dfcd09f741409b2bb9e.exe	x4613386.exe
PID 820 wrote to memory of 1936	820	x4613386.exe	f4035649.exe
PID 820 wrote to memory of 1936	820	x4613386.exe	f4035649.exe
PID 820 wrote to memory of 1936	820	x4613386.exe	f4035649.exe

C:\Users\Admin\AppData\Local\Temp\e25842dbe6ab8469f81bd821ab70c2818962c7a681f45dfcd09f741409b2bb9e.exe
"C:\Users\Admin\AppData\Local\Temp\e25842dbe6ab8469f81bd821ab70c2818962c7a681f45dfcd09f741409b2bb9e.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4180

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x4613386.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x4613386.exe
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:820

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\f4035649.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\f4035649.exe
3⤵
- Executes dropped EXE
PID:1936

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x4613386.exe
Filesize
756KB

MD5
cf3f34f32dc4a452ca0f4d836908db49

SHA1
a4d13ea28196fea15ab933d5c4a566f836e5d7ae

SHA256
5529e10ffd4fabd413c2b5304c0ce9fbc74f34ef0658d4a412adb720eba49868

SHA512
df1375c03a5122ef5eac5493c66e10acfa4ded09706a43d49b0b0c952501d0e2d4ef69360f69ee0e0345bc3d048fd71e421b9587434cdfd415f05f7c0e9dedee

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\f4035649.exe
Filesize
692KB

MD5
df7789aa0d0a80e21e5ee23b870e5cf1

SHA1
79bbce991030bb94b6f7fb29e6357bd13225095e

SHA256
774ac38f6596e453d65e442508c5e2182b2012ddaea6baea53e4075d9c23a4b0

SHA512
359fb9aaba0c44c103adb3c1662c15f2ec59504d69b31f6d1e10fd20dc5d5233c72c859ca62d54341c63d60bc28b01c55c07108fd1aa72c707c69014417dafb1

Download Submit
memory/1936-14-0x0000000000401000-0x0000000000402000-memory.dmp

Filesize
4KB

Download
memory/1936-15-0x0000000000510000-0x0000000000540000-memory.dmp

Filesize
192KB

Download
memory/1936-19-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1936-20-0x0000000004920000-0x0000000004926000-memory.dmp

Filesize
24KB

Download
memory/1936-21-0x000000000A470000-0x000000000AA88000-memory.dmp

Filesize
6.1MB

Download
memory/1936-22-0x0000000009EE0000-0x0000000009FEA000-memory.dmp

Filesize
1.0MB

Download
memory/1936-23-0x000000000A020000-0x000000000A032000-memory.dmp

Filesize
72KB

Download
memory/1936-24-0x000000000A040000-0x000000000A07C000-memory.dmp

Filesize
240KB

Download
memory/1936-25-0x0000000002310000-0x000000000235C000-memory.dmp

Filesize
304KB

Download