redline | 722361794fdc529e30455b686796ab9e29bc3dd4934459609e60c83f29e9dd03

Analysis

max time kernel
153s
max time network
162s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
02/10/2023, 16:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

722361794fdc529e30455b686796ab9e29bc3dd4934459609e60c83f29e9dd03.exe
Size

1.1MB
MD5

4243ac36afceebbd88d322261ce65c50
SHA1

165c546df2b82d9ab33ae652471457e24447eced
SHA256

722361794fdc529e30455b686796ab9e29bc3dd4934459609e60c83f29e9dd03
SHA512

b4fa38b5efc9caa9019dfabd64ab138e0a741507b43d7c8977a4169a1ce4271832090d4d179e8f2ee2ddd1021dd1da7e6a2286db94e6425526db6dd1573a7464
SSDEEP

24576:6yI4d2n+1n95Mf/8uMtDlTkKKlvf5Rr7Vu:Bj2n+1YENtDlk5R

Score

10^/10

redline larek infostealer persistence

Malware Config

Extracted

Family

redline

Botnet

larek

77.91.124.55:19071

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 3 IoCs

resource	yara_rule
behavioral1/files/0x00060000000231d6-41.dat	family_redline
behavioral1/files/0x00060000000231d6-42.dat	family_redline
behavioral1/memory/2324-43-0x0000000000E70000-0x0000000000EAE000-memory.dmp	family_redline

Executes dropped EXE 6 IoCs

pid	Process
4164	kW4NJ5fV.exe
1832	ho3Xv5yR.exe
2840	pW9qb1aS.exe
1732	tU5oq0vY.exe
2352	1gL99Vb7.exe
2324	2mF174Rd.exe

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	722361794fdc529e30455b686796ab9e29bc3dd4934459609e60c83f29e9dd03.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	kW4NJ5fV.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	ho3Xv5yR.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	pW9qb1aS.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\""	tU5oq0vY.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2352 set thread context of 2088	2352	1gL99Vb7.exe	94

Program crash 2 IoCs

pid	pid_target	Process	procid_target
2948	2352	WerFault.exe	91
1936	2088	WerFault.exe	94

Suspicious use of WriteProcessMemory 28 IoCs

description	pid	Process	procid_target
PID 3940 wrote to memory of 4164	3940	722361794fdc529e30455b686796ab9e29bc3dd4934459609e60c83f29e9dd03.exe	86
PID 3940 wrote to memory of 4164	3940	722361794fdc529e30455b686796ab9e29bc3dd4934459609e60c83f29e9dd03.exe	86
PID 3940 wrote to memory of 4164	3940	722361794fdc529e30455b686796ab9e29bc3dd4934459609e60c83f29e9dd03.exe	86
PID 4164 wrote to memory of 1832	4164	kW4NJ5fV.exe	88
PID 4164 wrote to memory of 1832	4164	kW4NJ5fV.exe	88
PID 4164 wrote to memory of 1832	4164	kW4NJ5fV.exe	88
PID 1832 wrote to memory of 2840	1832	ho3Xv5yR.exe	89
PID 1832 wrote to memory of 2840	1832	ho3Xv5yR.exe	89
PID 1832 wrote to memory of 2840	1832	ho3Xv5yR.exe	89
PID 2840 wrote to memory of 1732	2840	pW9qb1aS.exe	90
PID 2840 wrote to memory of 1732	2840	pW9qb1aS.exe	90
PID 2840 wrote to memory of 1732	2840	pW9qb1aS.exe	90
PID 1732 wrote to memory of 2352	1732	tU5oq0vY.exe	91
PID 1732 wrote to memory of 2352	1732	tU5oq0vY.exe	91
PID 1732 wrote to memory of 2352	1732	tU5oq0vY.exe	91
PID 2352 wrote to memory of 2088	2352	1gL99Vb7.exe	94
PID 2352 wrote to memory of 2088	2352	1gL99Vb7.exe	94
PID 2352 wrote to memory of 2088	2352	1gL99Vb7.exe	94
PID 2352 wrote to memory of 2088	2352	1gL99Vb7.exe	94
PID 2352 wrote to memory of 2088	2352	1gL99Vb7.exe	94
PID 2352 wrote to memory of 2088	2352	1gL99Vb7.exe	94
PID 2352 wrote to memory of 2088	2352	1gL99Vb7.exe	94
PID 2352 wrote to memory of 2088	2352	1gL99Vb7.exe	94
PID 2352 wrote to memory of 2088	2352	1gL99Vb7.exe	94
PID 2352 wrote to memory of 2088	2352	1gL99Vb7.exe	94
PID 1732 wrote to memory of 2324	1732	tU5oq0vY.exe	103
PID 1732 wrote to memory of 2324	1732	tU5oq0vY.exe	103
PID 1732 wrote to memory of 2324	1732	tU5oq0vY.exe	103

C:\Users\Admin\AppData\Local\Temp\722361794fdc529e30455b686796ab9e29bc3dd4934459609e60c83f29e9dd03.exe
"C:\Users\Admin\AppData\Local\Temp\722361794fdc529e30455b686796ab9e29bc3dd4934459609e60c83f29e9dd03.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3940
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\kW4NJ5fV.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\kW4NJ5fV.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:4164
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ho3Xv5yR.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ho3Xv5yR.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:1832
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pW9qb1aS.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pW9qb1aS.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:2840
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\tU5oq0vY.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\tU5oq0vY.exe
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of WriteProcessMemory
        
        PID:1732
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1gL99Vb7.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1gL99Vb7.exe
        6⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:2352
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        7⤵
        
        PID:2088
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2088 -s 540
        8⤵
        Program crash
        
        PID:1936
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2352 -s 612
        7⤵
        Program crash
        
        PID:2948
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2mF174Rd.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2mF174Rd.exe
        6⤵
        Executes dropped EXE
        
        PID:2324

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 2088 -ip 2088
1⤵
PID:1892

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 2352 -ip 2352
1⤵
PID:3996

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\kW4NJ5fV.exe

Filesize
960KB

MD5
3ccc70083f6980ac64ad1e7b111fe93a

SHA1
84094f4020a986752dd3670a34645dc587b0bdd6

SHA256
ef5fd32742b62a366442d6786524b22d2fdfcd3939a9943721839c593707c5ec

SHA512
95ed67aaa3166e7ebfe9dfdd37f0963772fa886a11a68163356d6fbb88bae15be08c5ad8fb331ea92b355392a81734a117bcd157a2df4bf71532efb62d6f2ecc

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\kW4NJ5fV.exe

Filesize
960KB

MD5
3ccc70083f6980ac64ad1e7b111fe93a

SHA1
84094f4020a986752dd3670a34645dc587b0bdd6

SHA256
ef5fd32742b62a366442d6786524b22d2fdfcd3939a9943721839c593707c5ec

SHA512
95ed67aaa3166e7ebfe9dfdd37f0963772fa886a11a68163356d6fbb88bae15be08c5ad8fb331ea92b355392a81734a117bcd157a2df4bf71532efb62d6f2ecc

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ho3Xv5yR.exe

Filesize
777KB

MD5
05579c65ead2fc17abb28026ab32fb76

SHA1
72858fdd1bf6b3f9b011268eb95f7cdbf2061bcb

SHA256
1be1a4f137c9b2cde16ab5e02e04d34b6fc5c3168eec1097c0d98533d40686a2

SHA512
10b830446944be0852cfcd571d89671df0aada0d11a64d414cbec560e0e1c61d3a06a9f3488cfa07896476f94dc1ccc73d79093e974888b1d91a8e9ca8a10c6d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ho3Xv5yR.exe

Filesize
777KB

MD5
05579c65ead2fc17abb28026ab32fb76

SHA1
72858fdd1bf6b3f9b011268eb95f7cdbf2061bcb

SHA256
1be1a4f137c9b2cde16ab5e02e04d34b6fc5c3168eec1097c0d98533d40686a2

SHA512
10b830446944be0852cfcd571d89671df0aada0d11a64d414cbec560e0e1c61d3a06a9f3488cfa07896476f94dc1ccc73d79093e974888b1d91a8e9ca8a10c6d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pW9qb1aS.exe

Filesize
531KB

MD5
d2cc0174393be66f87f97737419efb0a

SHA1
18df0ed935d13b69fd1533c7555129ee44e4df63

SHA256
ce61d63e3cf023c7ed289edbb65f503aa75ce2fc8c44e8b7c6fd0f0e0f574c9b

SHA512
bfb52b3ce2780a9916804dc198a91e67fb780f63bcc8ffa53911a85f0c88dea7548827cb0010b6ffd54987ab8f31477051d29e09bfb3108f2195a6cb864f030e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pW9qb1aS.exe

Filesize
531KB

MD5
d2cc0174393be66f87f97737419efb0a

SHA1
18df0ed935d13b69fd1533c7555129ee44e4df63

SHA256
ce61d63e3cf023c7ed289edbb65f503aa75ce2fc8c44e8b7c6fd0f0e0f574c9b

SHA512
bfb52b3ce2780a9916804dc198a91e67fb780f63bcc8ffa53911a85f0c88dea7548827cb0010b6ffd54987ab8f31477051d29e09bfb3108f2195a6cb864f030e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\tU5oq0vY.exe

Filesize
365KB

MD5
0e6bbf8be253a222fad676c83f396ce5

SHA1
18411a8c11eda02ba6a873fc55131b7d4d47bb97

SHA256
4b21b50e7614ac3b1e5cc592d2f6a2829c7fe666e2f75e1727bd41d556a525f1

SHA512
2d649231e11fbf2b6326904def3148c0a8f2e6644a741d05ce76fd3bf5cc23d2c14d7fd308ab5fa44018f69f40600aced9fe808ca5c10580e174b753ecc9d9e9

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\tU5oq0vY.exe

Filesize
365KB

MD5
0e6bbf8be253a222fad676c83f396ce5

SHA1
18411a8c11eda02ba6a873fc55131b7d4d47bb97

SHA256
4b21b50e7614ac3b1e5cc592d2f6a2829c7fe666e2f75e1727bd41d556a525f1

SHA512
2d649231e11fbf2b6326904def3148c0a8f2e6644a741d05ce76fd3bf5cc23d2c14d7fd308ab5fa44018f69f40600aced9fe808ca5c10580e174b753ecc9d9e9

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1gL99Vb7.exe

Filesize
285KB

MD5
c34ca44ce50fb36b96ce8e9c3690adc3

SHA1
7a39be3d5481f40b61499f7395ee20304fc445d0

SHA256
364b78a4fd553bb4d17ab3872d6861be00b8b83de161112110630eefd0a82e41

SHA512
9e3f5d57ac51777ebcb514f500bee95bafab81b82990bb0dd0ad41509b1b671822aefed1c387eb0ca76ddc982c2917af793ce29330a7f61918893f20021b0175

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1gL99Vb7.exe

Filesize
285KB

MD5
c34ca44ce50fb36b96ce8e9c3690adc3

SHA1
7a39be3d5481f40b61499f7395ee20304fc445d0

SHA256
364b78a4fd553bb4d17ab3872d6861be00b8b83de161112110630eefd0a82e41

SHA512
9e3f5d57ac51777ebcb514f500bee95bafab81b82990bb0dd0ad41509b1b671822aefed1c387eb0ca76ddc982c2917af793ce29330a7f61918893f20021b0175

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2mF174Rd.exe

Filesize
221KB

MD5
50b23a52c943f47cbd684ab4de7e8aad

SHA1
3e35f5166629a65458072ca2b8c71fe0d2e9207c

SHA256
83b6e776b638ecd5d4d8fb4cbc390c13079615f25465b08cb67243bb9e0b9d61

SHA512
562ea1fff3f10bbd666070b8cd6bc57cf03ebdfd1e19b4ff7e5f33fa10617321bbcba49b385a00d7ad0493635f485944b87490fed19a3952d68404b1e10cfc9f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2mF174Rd.exe

Filesize
221KB

MD5
50b23a52c943f47cbd684ab4de7e8aad

SHA1
3e35f5166629a65458072ca2b8c71fe0d2e9207c

SHA256
83b6e776b638ecd5d4d8fb4cbc390c13079615f25465b08cb67243bb9e0b9d61

SHA512
562ea1fff3f10bbd666070b8cd6bc57cf03ebdfd1e19b4ff7e5f33fa10617321bbcba49b385a00d7ad0493635f485944b87490fed19a3952d68404b1e10cfc9f

Download Submit
memory/2088-36-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/2088-37-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/2088-39-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/2088-35-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/2324-46-0x0000000007D70000-0x0000000007E02000-memory.dmp

Filesize
584KB

Download
memory/2324-44-0x00000000740A0000-0x0000000074850000-memory.dmp

Filesize
7.7MB

Download
memory/2324-45-0x0000000008220000-0x00000000087C4000-memory.dmp

Filesize
5.6MB

Download
memory/2324-43-0x0000000000E70000-0x0000000000EAE000-memory.dmp

Filesize
248KB

Download
memory/2324-47-0x0000000007D50000-0x0000000007D60000-memory.dmp

Filesize
64KB

Download
memory/2324-48-0x0000000007E40000-0x0000000007E4A000-memory.dmp

Filesize
40KB

Download
memory/2324-49-0x0000000008DF0000-0x0000000009408000-memory.dmp

Filesize
6.1MB

Download
memory/2324-50-0x00000000080E0000-0x00000000081EA000-memory.dmp

Filesize
1.0MB

Download
memory/2324-51-0x0000000008010000-0x0000000008022000-memory.dmp

Filesize
72KB

Download
memory/2324-52-0x0000000008070000-0x00000000080AC000-memory.dmp

Filesize
240KB

Download
memory/2324-53-0x00000000087D0000-0x000000000881C000-memory.dmp

Filesize
304KB

Download
memory/2324-54-0x00000000740A0000-0x0000000074850000-memory.dmp

Filesize
7.7MB

Download
memory/2324-55-0x0000000007D50000-0x0000000007D60000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads