redline | 92023f346ccc819d9c52da2af751cda1bc5396b5d745c68d99d1d2ff99db093a

Analysis

max time kernel
146s
max time network
160s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
23/05/2024, 10:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

25974ec913921f8a9dbf6d175cbf975173e12a47c730f07db9ff7336aa799391.exe
Size

502KB
MD5

0c649b9bfe03a9df5f7005313d592a02
SHA1

2de0347a93ec769078cbf275d68e6c17efefefec
SHA256

25974ec913921f8a9dbf6d175cbf975173e12a47c730f07db9ff7336aa799391
SHA512

69c461e9c6ab1d3f2c88975fd7adf42411990772ae3a98427de06d864f85cfe955f89553418bb31d60a28d640847be5e9a08116978ae4821699f1f2e98440ba7
SSDEEP

12288:rMrFy90bvAiHuU2YQ57uk4+0vmuWDRQAKKDg0n6iQ:6ycAxU9e7g+0vmukQAPBQ

Score

10^/10

redline kinza infostealer persistence

Malware Config

Extracted

Family

redline

Botnet

kinza

77.91.124.86:19084

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 2 IoCs

resource	yara_rule
behavioral4/files/0x0009000000023276-12.dat	family_redline
behavioral4/memory/3004-15-0x0000000000D70000-0x0000000000DAE000-memory.dmp	family_redline

Executes dropped EXE 2 IoCs

pid	Process
4632	vb6cj7Ca.exe
3004	2qf601zJ.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	25974ec913921f8a9dbf6d175cbf975173e12a47c730f07db9ff7336aa799391.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	vb6cj7Ca.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 3932 wrote to memory of 4632	3932	25974ec913921f8a9dbf6d175cbf975173e12a47c730f07db9ff7336aa799391.exe	91
PID 3932 wrote to memory of 4632	3932	25974ec913921f8a9dbf6d175cbf975173e12a47c730f07db9ff7336aa799391.exe	91
PID 3932 wrote to memory of 4632	3932	25974ec913921f8a9dbf6d175cbf975173e12a47c730f07db9ff7336aa799391.exe	91
PID 4632 wrote to memory of 3004	4632	vb6cj7Ca.exe	92
PID 4632 wrote to memory of 3004	4632	vb6cj7Ca.exe	92
PID 4632 wrote to memory of 3004	4632	vb6cj7Ca.exe	92

C:\Users\Admin\AppData\Local\Temp\25974ec913921f8a9dbf6d175cbf975173e12a47c730f07db9ff7336aa799391.exe
"C:\Users\Admin\AppData\Local\Temp\25974ec913921f8a9dbf6d175cbf975173e12a47c730f07db9ff7336aa799391.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3932
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vb6cj7Ca.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vb6cj7Ca.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:4632
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2qf601zJ.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2qf601zJ.exe
    3⤵
    - Executes dropped EXE
    PID:3004

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=1408 --field-trial-handle=2676,i,447940133669489189,1353734109898858672,262144 --variations-seed-version /prefetch:8
1⤵
PID:2388

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vb6cj7Ca.exe

Filesize
320KB

MD5
9bd51943834d7ba027652c7e1170319b

SHA1
d72a8647c1b9e97ae6bcd98c857230da6ff8779f

SHA256
20bf223837d6e2c28f71e8f7912112d18ba17271c0427ddcda180fe82fbafea4

SHA512
6af3bcb5342beba0ef4a15691a774ca79e07ad0fb61023f607baf4c8da86309dbbf27cbe5d56ea7ceb88b17d346b6b147e2c53a69a981c03c15d06d29b62c6d3

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2qf601zJ.exe

Filesize
222KB

MD5
724d7a6c52e945d2d9e7fb470bed36ce

SHA1
faf6078c7c8eaa12408f734fa3cb22dfe161f660

SHA256
74fb0f5ffdf964d57f246b3a63429cd3fca1d21f5268fcadfaa0de0868ebb15d

SHA512
0fbf9c73490ee3a1180ed5eea3e12db66cf88ccce9587e57b34ba3473998ba3f36b95743453d8561b10827cdbd6801ee7a9c92bc0f553dcddaae9e14405d29b9

Download Submit
memory/3004-14-0x0000000074B3E000-0x0000000074B3F000-memory.dmp

Filesize
4KB

Download
memory/3004-15-0x0000000000D70000-0x0000000000DAE000-memory.dmp

Filesize
248KB

Download
memory/3004-16-0x00000000080A0000-0x0000000008644000-memory.dmp

Filesize
5.6MB

Download
memory/3004-17-0x0000000007B90000-0x0000000007C22000-memory.dmp

Filesize
584KB

Download
memory/3004-18-0x0000000074B30000-0x00000000752E0000-memory.dmp

Filesize
7.7MB

Download
memory/3004-19-0x0000000007B60000-0x0000000007B6A000-memory.dmp

Filesize
40KB

Download
memory/3004-20-0x0000000008C70000-0x0000000009288000-memory.dmp

Filesize
6.1MB

Download
memory/3004-21-0x0000000007EA0000-0x0000000007FAA000-memory.dmp

Filesize
1.0MB

Download
memory/3004-22-0x0000000007DD0000-0x0000000007DE2000-memory.dmp

Filesize
72KB

Download
memory/3004-23-0x0000000007E30000-0x0000000007E6C000-memory.dmp

Filesize
240KB

Download
memory/3004-24-0x0000000007FB0000-0x0000000007FFC000-memory.dmp

Filesize
304KB

Download
memory/3004-25-0x0000000074B3E000-0x0000000074B3F000-memory.dmp

Filesize
4KB

Download
memory/3004-26-0x0000000074B30000-0x00000000752E0000-memory.dmp

Filesize
7.7MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads