redline | a9835342545dccc28b6477fca9416b37258ccaee343e75d1ef828a66e120df6b

Analysis

max time kernel
138s
max time network
157s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
02/10/2023, 19:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a9835342545dccc28b6477fca9416b37258ccaee343e75d1ef828a66e120df6b.exe
Size

1.1MB
MD5

ab731e7d8e334afc7db4eb1a39e2e0a9
SHA1

78ab5a0c98af58f132f0da58cec8774b4778418c
SHA256

a9835342545dccc28b6477fca9416b37258ccaee343e75d1ef828a66e120df6b
SHA512

8946c23fa8da79fb08b05b5eea221efca7743ee04bb183a740fa3a0a73fbe9235f0527f3c52cb4efb9a2f66cf975d59c58edb51a743060218b0fe7c014ec4379
SSDEEP

24576:Hyf/Y8iDZJTIPoLboRsmX18izZGsvGompPf:Sf/Y8iDjIQS18izZGsvG3P

Score

10^/10

redline larek infostealer persistence

Malware Config

Extracted

Family

redline

Botnet

larek

77.91.124.55:19071

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 3 IoCs

resource	yara_rule
behavioral1/files/0x0006000000023218-41.dat	family_redline
behavioral1/files/0x0006000000023218-42.dat	family_redline
behavioral1/memory/4696-43-0x00000000007C0000-0x00000000007FE000-memory.dmp	family_redline

Executes dropped EXE 6 IoCs

pid	Process
1364	Kr5Py4HA.exe
532	Xs1EI1sJ.exe
4508	kT5Ka0DV.exe
4872	mL9NC1BT.exe
4960	1PH25yU5.exe
4696	2ac459wb.exe

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	a9835342545dccc28b6477fca9416b37258ccaee343e75d1ef828a66e120df6b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	Kr5Py4HA.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	Xs1EI1sJ.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	kT5Ka0DV.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\""	mL9NC1BT.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4960 set thread context of 4572	4960	1PH25yU5.exe	92

Program crash 2 IoCs

pid	pid_target	Process	procid_target
2704	4960	WerFault.exe	90
3012	4572	WerFault.exe	92

Suspicious use of WriteProcessMemory 28 IoCs

description	pid	Process	procid_target
PID 4804 wrote to memory of 1364	4804	a9835342545dccc28b6477fca9416b37258ccaee343e75d1ef828a66e120df6b.exe	86
PID 4804 wrote to memory of 1364	4804	a9835342545dccc28b6477fca9416b37258ccaee343e75d1ef828a66e120df6b.exe	86
PID 4804 wrote to memory of 1364	4804	a9835342545dccc28b6477fca9416b37258ccaee343e75d1ef828a66e120df6b.exe	86
PID 1364 wrote to memory of 532	1364	Kr5Py4HA.exe	87
PID 1364 wrote to memory of 532	1364	Kr5Py4HA.exe	87
PID 1364 wrote to memory of 532	1364	Kr5Py4HA.exe	87
PID 532 wrote to memory of 4508	532	Xs1EI1sJ.exe	88
PID 532 wrote to memory of 4508	532	Xs1EI1sJ.exe	88
PID 532 wrote to memory of 4508	532	Xs1EI1sJ.exe	88
PID 4508 wrote to memory of 4872	4508	kT5Ka0DV.exe	89
PID 4508 wrote to memory of 4872	4508	kT5Ka0DV.exe	89
PID 4508 wrote to memory of 4872	4508	kT5Ka0DV.exe	89
PID 4872 wrote to memory of 4960	4872	mL9NC1BT.exe	90
PID 4872 wrote to memory of 4960	4872	mL9NC1BT.exe	90
PID 4872 wrote to memory of 4960	4872	mL9NC1BT.exe	90
PID 4960 wrote to memory of 4572	4960	1PH25yU5.exe	92
PID 4960 wrote to memory of 4572	4960	1PH25yU5.exe	92
PID 4960 wrote to memory of 4572	4960	1PH25yU5.exe	92
PID 4960 wrote to memory of 4572	4960	1PH25yU5.exe	92
PID 4960 wrote to memory of 4572	4960	1PH25yU5.exe	92
PID 4960 wrote to memory of 4572	4960	1PH25yU5.exe	92
PID 4960 wrote to memory of 4572	4960	1PH25yU5.exe	92
PID 4960 wrote to memory of 4572	4960	1PH25yU5.exe	92
PID 4960 wrote to memory of 4572	4960	1PH25yU5.exe	92
PID 4960 wrote to memory of 4572	4960	1PH25yU5.exe	92
PID 4872 wrote to memory of 4696	4872	mL9NC1BT.exe	99
PID 4872 wrote to memory of 4696	4872	mL9NC1BT.exe	99
PID 4872 wrote to memory of 4696	4872	mL9NC1BT.exe	99

C:\Users\Admin\AppData\Local\Temp\a9835342545dccc28b6477fca9416b37258ccaee343e75d1ef828a66e120df6b.exe
"C:\Users\Admin\AppData\Local\Temp\a9835342545dccc28b6477fca9416b37258ccaee343e75d1ef828a66e120df6b.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4804
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Kr5Py4HA.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Kr5Py4HA.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:1364
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Xs1EI1sJ.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Xs1EI1sJ.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:532
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\kT5Ka0DV.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\kT5Ka0DV.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:4508
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\mL9NC1BT.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\mL9NC1BT.exe
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of WriteProcessMemory
        
        PID:4872
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1PH25yU5.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1PH25yU5.exe
        6⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:4960
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        7⤵
        
        PID:4572
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4572 -s 200
        8⤵
        Program crash
        
        PID:3012
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4960 -s 600
        7⤵
        Program crash
        
        PID:2704
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2ac459wb.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2ac459wb.exe
        6⤵
        Executes dropped EXE
        
        PID:4696

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4572 -ip 4572
1⤵
PID:1404

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 4960 -ip 4960
1⤵
PID:1392

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Kr5Py4HA.exe

Filesize
962KB

MD5
c6cabeed9e881806ed1b1b52d53336c9

SHA1
794d91a11a66f3866a0abe14ff160a9ffdc7204c

SHA256
8c752f522be42f2caabd8ff8cea522e8f4b7458d1cba471bdb127c3ae1191caf

SHA512
507f55796b8d71411692dff1e4f9fef69c1ca8da18c00d213bc97c1ff60c93eada7e87398e8f3f3c393a900635e0deef93e21464f0e5eb78bfa37a5541240d3c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Kr5Py4HA.exe

Filesize
962KB

MD5
c6cabeed9e881806ed1b1b52d53336c9

SHA1
794d91a11a66f3866a0abe14ff160a9ffdc7204c

SHA256
8c752f522be42f2caabd8ff8cea522e8f4b7458d1cba471bdb127c3ae1191caf

SHA512
507f55796b8d71411692dff1e4f9fef69c1ca8da18c00d213bc97c1ff60c93eada7e87398e8f3f3c393a900635e0deef93e21464f0e5eb78bfa37a5541240d3c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Xs1EI1sJ.exe

Filesize
779KB

MD5
79811594ea052cc044eadcbdd1787356

SHA1
4c87047b276215eb4c037fe63597e90b697976e6

SHA256
5f6c9c628d867c65974efcc3337ff2d34695c93ddd54365a15691299021ebf22

SHA512
658e404be0df1a2550c52bdecd8630e1e508fd099b0900fd99fb57ef9acb122f5dd2147d95ca07225701cee6035c5a8594b635486e99bc568d16d25a7894a0c9

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Xs1EI1sJ.exe

Filesize
779KB

MD5
79811594ea052cc044eadcbdd1787356

SHA1
4c87047b276215eb4c037fe63597e90b697976e6

SHA256
5f6c9c628d867c65974efcc3337ff2d34695c93ddd54365a15691299021ebf22

SHA512
658e404be0df1a2550c52bdecd8630e1e508fd099b0900fd99fb57ef9acb122f5dd2147d95ca07225701cee6035c5a8594b635486e99bc568d16d25a7894a0c9

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\kT5Ka0DV.exe

Filesize
532KB

MD5
daf2d48b049bc84be4a51eb8a1ea46f2

SHA1
45c88b646428401a3b2c8abc0e9f23a7166f5e0c

SHA256
3a773430d8f2a4e3aacc03e4765e3f75100623c62c9dd6e8875f96b05908521e

SHA512
a9c63d8d6e25df39cd911d73f985fd8276a7759ce91e10231a31471e7259d4cc66a7e3781437ce769d03912cd6a77869442066b1ca1d30187d9a814b0392d8b1

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\kT5Ka0DV.exe

Filesize
532KB

MD5
daf2d48b049bc84be4a51eb8a1ea46f2

SHA1
45c88b646428401a3b2c8abc0e9f23a7166f5e0c

SHA256
3a773430d8f2a4e3aacc03e4765e3f75100623c62c9dd6e8875f96b05908521e

SHA512
a9c63d8d6e25df39cd911d73f985fd8276a7759ce91e10231a31471e7259d4cc66a7e3781437ce769d03912cd6a77869442066b1ca1d30187d9a814b0392d8b1

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\mL9NC1BT.exe

Filesize
366KB

MD5
335e47232fb0829a94dae38ff8346b8e

SHA1
566a0e702384afcde472ef321f5ed471b5127679

SHA256
1458ae8c765ae1e34ff262c45c7e9eb79fa05a7c96105d7d5d5beaabb5211baa

SHA512
bfb35a145d1768e661ae2ce01033cdc61fafc75295c7eba9eb7ee302014693cc762bd0e2e2e4f6d37d0bfc881edc00c06adc63d01ee1b50b0b6f6c5f30ce56b3

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\mL9NC1BT.exe

Filesize
366KB

MD5
335e47232fb0829a94dae38ff8346b8e

SHA1
566a0e702384afcde472ef321f5ed471b5127679

SHA256
1458ae8c765ae1e34ff262c45c7e9eb79fa05a7c96105d7d5d5beaabb5211baa

SHA512
bfb35a145d1768e661ae2ce01033cdc61fafc75295c7eba9eb7ee302014693cc762bd0e2e2e4f6d37d0bfc881edc00c06adc63d01ee1b50b0b6f6c5f30ce56b3

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1PH25yU5.exe

Filesize
285KB

MD5
00b3ec92baa015f7eaad12ce3382bfda

SHA1
5e224bcc279dcac7ad6a02b76e1a0adc6921a6b3

SHA256
6f34d3a7d5e937e015427f008e9a99d26a4aaabf544850a2a9d250f3e5db1fd6

SHA512
0bd739e320875d248d7acbd18c8160e2a12be9a55fa13b27cad1a453e30b30ee39b2551e0d1fa5517c1f966583a18e013f878aea89922b281a832b9b98ab86f8

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1PH25yU5.exe

Filesize
285KB

MD5
00b3ec92baa015f7eaad12ce3382bfda

SHA1
5e224bcc279dcac7ad6a02b76e1a0adc6921a6b3

SHA256
6f34d3a7d5e937e015427f008e9a99d26a4aaabf544850a2a9d250f3e5db1fd6

SHA512
0bd739e320875d248d7acbd18c8160e2a12be9a55fa13b27cad1a453e30b30ee39b2551e0d1fa5517c1f966583a18e013f878aea89922b281a832b9b98ab86f8

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2ac459wb.exe

Filesize
221KB

MD5
8e213011bb8ec2212ecf574d7e39ffe4

SHA1
4fb3e4d280d5169aa1c914148104f180e3731b35

SHA256
2070a1daccb6f2817fc92f8be7615b31526f0ec752ffd42b0951844aeefbeb3b

SHA512
9b6d2ebd9f9a03d801f38b45582f96c1b1106927f8ad17c9b66188ec4b465a0278b2a0df5c5d32d5ac08daa549e6240116fe863e7b249a46a220910d167c3723

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2ac459wb.exe

Filesize
221KB

MD5
8e213011bb8ec2212ecf574d7e39ffe4

SHA1
4fb3e4d280d5169aa1c914148104f180e3731b35

SHA256
2070a1daccb6f2817fc92f8be7615b31526f0ec752ffd42b0951844aeefbeb3b

SHA512
9b6d2ebd9f9a03d801f38b45582f96c1b1106927f8ad17c9b66188ec4b465a0278b2a0df5c5d32d5ac08daa549e6240116fe863e7b249a46a220910d167c3723

Download Submit
memory/4572-36-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/4572-37-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/4572-39-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/4572-35-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/4696-46-0x00000000076C0000-0x0000000007752000-memory.dmp

Filesize
584KB

Download
memory/4696-44-0x0000000074540000-0x0000000074CF0000-memory.dmp

Filesize
7.7MB

Download
memory/4696-45-0x0000000007B90000-0x0000000008134000-memory.dmp

Filesize
5.6MB

Download
memory/4696-43-0x00000000007C0000-0x00000000007FE000-memory.dmp

Filesize
248KB

Download
memory/4696-47-0x0000000007670000-0x0000000007680000-memory.dmp

Filesize
64KB

Download
memory/4696-48-0x0000000007790000-0x000000000779A000-memory.dmp

Filesize
40KB

Download
memory/4696-49-0x0000000008760000-0x0000000008D78000-memory.dmp

Filesize
6.1MB

Download
memory/4696-50-0x0000000007A30000-0x0000000007B3A000-memory.dmp

Filesize
1.0MB

Download
memory/4696-51-0x0000000007960000-0x0000000007972000-memory.dmp

Filesize
72KB

Download
memory/4696-52-0x00000000079C0000-0x00000000079FC000-memory.dmp

Filesize
240KB

Download
memory/4696-53-0x0000000007B40000-0x0000000007B8C000-memory.dmp

Filesize
304KB

Download
memory/4696-54-0x0000000074540000-0x0000000074CF0000-memory.dmp

Filesize
7.7MB

Download
memory/4696-55-0x0000000007670000-0x0000000007680000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads