redline | 16026b861e19a9dd4cbdff2ac98b34468f7c2c6f8c03e75b6912c573182b105b

Analysis

max time kernel
145s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
03/10/2023, 04:21

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

16026b861e19a9dd4cbdff2ac98b34468f7c2c6f8c03e75b6912c573182b105b.exe
Size

1.1MB
MD5

bde950809dca7600ec1ff15ab179726a
SHA1

8ba7c6266c2b891a0c4b7ed69c8d742ba23c6190
SHA256

16026b861e19a9dd4cbdff2ac98b34468f7c2c6f8c03e75b6912c573182b105b
SHA512

0555e24c9657273d9448ef57079e656e198f11cc0a5502826536f61b2172b7bc5f4793584f727fca70bc68248f88b217673efecb73ebd22b63cca7e1773783b4
SSDEEP

24576:KyLoO78TE4+A4HDOd6l46ooqESO8TmgT4DXZBISVDure:R777FDXlvzmFebFc

Score

10^/10

redline larek infostealer persistence

Malware Config

Extracted

Family

redline

Botnet

larek

77.91.124.55:19071

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 3 IoCs

resource	yara_rule
behavioral1/files/0x000700000002320a-41.dat	family_redline
behavioral1/files/0x000700000002320a-42.dat	family_redline
behavioral1/memory/1980-43-0x0000000000D10000-0x0000000000D4E000-memory.dmp	family_redline

Executes dropped EXE 6 IoCs

pid	Process
3816	js6KL4Lb.exe
384	Sc1Hd9cl.exe
3056	Nz1Ev7gZ.exe
5008	MT4sl4xc.exe
2524	1Nz94Yz2.exe
1980	2aa454yt.exe

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	16026b861e19a9dd4cbdff2ac98b34468f7c2c6f8c03e75b6912c573182b105b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	js6KL4Lb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	Sc1Hd9cl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	Nz1Ev7gZ.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\""	MT4sl4xc.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2524 set thread context of 908	2524	1Nz94Yz2.exe	92

Program crash 2 IoCs

pid	pid_target	Process	procid_target
4020	908	WerFault.exe	92
1676	2524	WerFault.exe	90

Suspicious use of WriteProcessMemory 28 IoCs

description	pid	Process	procid_target
PID 4776 wrote to memory of 3816	4776	16026b861e19a9dd4cbdff2ac98b34468f7c2c6f8c03e75b6912c573182b105b.exe	85
PID 4776 wrote to memory of 3816	4776	16026b861e19a9dd4cbdff2ac98b34468f7c2c6f8c03e75b6912c573182b105b.exe	85
PID 4776 wrote to memory of 3816	4776	16026b861e19a9dd4cbdff2ac98b34468f7c2c6f8c03e75b6912c573182b105b.exe	85
PID 3816 wrote to memory of 384	3816	js6KL4Lb.exe	86
PID 3816 wrote to memory of 384	3816	js6KL4Lb.exe	86
PID 3816 wrote to memory of 384	3816	js6KL4Lb.exe	86
PID 384 wrote to memory of 3056	384	Sc1Hd9cl.exe	88
PID 384 wrote to memory of 3056	384	Sc1Hd9cl.exe	88
PID 384 wrote to memory of 3056	384	Sc1Hd9cl.exe	88
PID 3056 wrote to memory of 5008	3056	Nz1Ev7gZ.exe	89
PID 3056 wrote to memory of 5008	3056	Nz1Ev7gZ.exe	89
PID 3056 wrote to memory of 5008	3056	Nz1Ev7gZ.exe	89
PID 5008 wrote to memory of 2524	5008	MT4sl4xc.exe	90
PID 5008 wrote to memory of 2524	5008	MT4sl4xc.exe	90
PID 5008 wrote to memory of 2524	5008	MT4sl4xc.exe	90
PID 2524 wrote to memory of 908	2524	1Nz94Yz2.exe	92
PID 2524 wrote to memory of 908	2524	1Nz94Yz2.exe	92
PID 2524 wrote to memory of 908	2524	1Nz94Yz2.exe	92
PID 2524 wrote to memory of 908	2524	1Nz94Yz2.exe	92
PID 2524 wrote to memory of 908	2524	1Nz94Yz2.exe	92
PID 2524 wrote to memory of 908	2524	1Nz94Yz2.exe	92
PID 2524 wrote to memory of 908	2524	1Nz94Yz2.exe	92
PID 2524 wrote to memory of 908	2524	1Nz94Yz2.exe	92
PID 2524 wrote to memory of 908	2524	1Nz94Yz2.exe	92
PID 2524 wrote to memory of 908	2524	1Nz94Yz2.exe	92
PID 5008 wrote to memory of 1980	5008	MT4sl4xc.exe	98
PID 5008 wrote to memory of 1980	5008	MT4sl4xc.exe	98
PID 5008 wrote to memory of 1980	5008	MT4sl4xc.exe	98

C:\Users\Admin\AppData\Local\Temp\16026b861e19a9dd4cbdff2ac98b34468f7c2c6f8c03e75b6912c573182b105b.exe
"C:\Users\Admin\AppData\Local\Temp\16026b861e19a9dd4cbdff2ac98b34468f7c2c6f8c03e75b6912c573182b105b.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4776
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\js6KL4Lb.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\js6KL4Lb.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:3816
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Sc1Hd9cl.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Sc1Hd9cl.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:384
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Nz1Ev7gZ.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Nz1Ev7gZ.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:3056
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\MT4sl4xc.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\MT4sl4xc.exe
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of WriteProcessMemory
        
        PID:5008
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1Nz94Yz2.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1Nz94Yz2.exe
        6⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:2524
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        7⤵
        
        PID:908
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 908 -s 564
        8⤵
        Program crash
        
        PID:4020
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2524 -s 148
        7⤵
        Program crash
        
        PID:1676
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2aa454yt.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2aa454yt.exe
        6⤵
        Executes dropped EXE
        
        PID:1980

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 908 -ip 908
1⤵
PID:3404

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 2524 -ip 2524
1⤵
PID:4124

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\js6KL4Lb.exe

Filesize
960KB

MD5
a9040bf7a6ffee895d2a8e73961b3e5d

SHA1
af7c394960711821c79bc478931ace968e377f1b

SHA256
c86b7f170d97b1b4a1f044e93221265214a0ea1124f582a6a506049aea5b0cc8

SHA512
2131fbbc8dde9f6c3ee906979b6cf187f9be4c79440a0810f2bc18f0affd4c7181863703a91f1a1e458c8fed93d05b93b5bd605db7f04fda1ca137f11dd39c08

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\js6KL4Lb.exe

Filesize
960KB

MD5
a9040bf7a6ffee895d2a8e73961b3e5d

SHA1
af7c394960711821c79bc478931ace968e377f1b

SHA256
c86b7f170d97b1b4a1f044e93221265214a0ea1124f582a6a506049aea5b0cc8

SHA512
2131fbbc8dde9f6c3ee906979b6cf187f9be4c79440a0810f2bc18f0affd4c7181863703a91f1a1e458c8fed93d05b93b5bd605db7f04fda1ca137f11dd39c08

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Sc1Hd9cl.exe

Filesize
777KB

MD5
e9c058937207e2e8714ad881baebdf2a

SHA1
b0ffb81f41d15d99745cda17bc683bee5dd8ced2

SHA256
2475d32400efb2dbbe62e826df9374cdcdee53d76ceca9f854ea458199e60c40

SHA512
d905eb4a701f0df3ad58724852a7d9fa6a733222431d64330eb4cbf4f0477d5fd7dc98db7d4872d803fe52868e210e164791ba07f128f439a6e77b11a9fb2e5f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Sc1Hd9cl.exe

Filesize
777KB

MD5
e9c058937207e2e8714ad881baebdf2a

SHA1
b0ffb81f41d15d99745cda17bc683bee5dd8ced2

SHA256
2475d32400efb2dbbe62e826df9374cdcdee53d76ceca9f854ea458199e60c40

SHA512
d905eb4a701f0df3ad58724852a7d9fa6a733222431d64330eb4cbf4f0477d5fd7dc98db7d4872d803fe52868e210e164791ba07f128f439a6e77b11a9fb2e5f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Nz1Ev7gZ.exe

Filesize
531KB

MD5
26f7245474f116fe4bb03d09b167f525

SHA1
6c3fb1878f3abe23fa88f7a20cc9210ada69e902

SHA256
ac49301c0cbca59a26c3d0c8d55c2d6e8656a38cf921f191cdfd19102bee19f4

SHA512
9153e167ce9a660f9ce4257ec8b0f6dbd55702386ea546cd1c4490cc48d46c8b5f8af01ca6f103fa0e46e9dc5fff34bd1d5baac183c94481d0bb1ead610263fb

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Nz1Ev7gZ.exe

Filesize
531KB

MD5
26f7245474f116fe4bb03d09b167f525

SHA1
6c3fb1878f3abe23fa88f7a20cc9210ada69e902

SHA256
ac49301c0cbca59a26c3d0c8d55c2d6e8656a38cf921f191cdfd19102bee19f4

SHA512
9153e167ce9a660f9ce4257ec8b0f6dbd55702386ea546cd1c4490cc48d46c8b5f8af01ca6f103fa0e46e9dc5fff34bd1d5baac183c94481d0bb1ead610263fb

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\MT4sl4xc.exe

Filesize
365KB

MD5
0648b3e733a70f64e4009673d891d0a3

SHA1
c3abecdbfde17ff94c57b718b33e637be7b551bb

SHA256
d69b71e1f59ce9d21e2cbb9a2e5183125fe2a286dd61afba39d88af4c93b36f2

SHA512
11ae4775a166111264251f4bd0370aa0b04bc62f1617fdb8598061464865ca1094fd59545e57590675577641fb2d00bec6ddbcadf9388c15a1c016227c39460a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\MT4sl4xc.exe

Filesize
365KB

MD5
0648b3e733a70f64e4009673d891d0a3

SHA1
c3abecdbfde17ff94c57b718b33e637be7b551bb

SHA256
d69b71e1f59ce9d21e2cbb9a2e5183125fe2a286dd61afba39d88af4c93b36f2

SHA512
11ae4775a166111264251f4bd0370aa0b04bc62f1617fdb8598061464865ca1094fd59545e57590675577641fb2d00bec6ddbcadf9388c15a1c016227c39460a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1Nz94Yz2.exe

Filesize
285KB

MD5
d5cd8cf7c4ec92380de336eb0474c7dd

SHA1
817e55eb728a3bad81c8262cbab568c7a322f34b

SHA256
e8203d17683974dc0672a074bd0ebd40a6b001d2ce2bccfb160a9d52c121679b

SHA512
d865449f2ea57a5f3c9f1c5baa04b507c75ad4e279659b546528330e4b50be65d6f15452e96e63bc478529390422091e902c61126729b16916efeadf1e1be1b7

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1Nz94Yz2.exe

Filesize
285KB

MD5
d5cd8cf7c4ec92380de336eb0474c7dd

SHA1
817e55eb728a3bad81c8262cbab568c7a322f34b

SHA256
e8203d17683974dc0672a074bd0ebd40a6b001d2ce2bccfb160a9d52c121679b

SHA512
d865449f2ea57a5f3c9f1c5baa04b507c75ad4e279659b546528330e4b50be65d6f15452e96e63bc478529390422091e902c61126729b16916efeadf1e1be1b7

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2aa454yt.exe

Filesize
221KB

MD5
4076172c616ad5b2eaea20a055082cf0

SHA1
37ff6c46843f531c95a596cc84590e36ab085a8a

SHA256
e709d18e63d6680254c9a1c32993c34d2afd96487a51b185cd60596ddb5c6e66

SHA512
f3b541f744f2f0aa1b73ea1774b1a564a4a8123d1d2803676267dcab67dc99f6e9239312d817d4d1140bbb23259060074152dd2a5bedea7c14617ea7721777e9

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2aa454yt.exe

Filesize
221KB

MD5
4076172c616ad5b2eaea20a055082cf0

SHA1
37ff6c46843f531c95a596cc84590e36ab085a8a

SHA256
e709d18e63d6680254c9a1c32993c34d2afd96487a51b185cd60596ddb5c6e66

SHA512
f3b541f744f2f0aa1b73ea1774b1a564a4a8123d1d2803676267dcab67dc99f6e9239312d817d4d1140bbb23259060074152dd2a5bedea7c14617ea7721777e9

Download Submit
memory/908-36-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/908-37-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/908-39-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/908-35-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/1980-46-0x0000000007C00000-0x0000000007C92000-memory.dmp

Filesize
584KB

Download
memory/1980-44-0x0000000074090000-0x0000000074840000-memory.dmp

Filesize
7.7MB

Download
memory/1980-45-0x0000000008110000-0x00000000086B4000-memory.dmp

Filesize
5.6MB

Download
memory/1980-43-0x0000000000D10000-0x0000000000D4E000-memory.dmp

Filesize
248KB

Download
memory/1980-47-0x0000000007DA0000-0x0000000007DB0000-memory.dmp

Filesize
64KB

Download
memory/1980-48-0x0000000007CD0000-0x0000000007CDA000-memory.dmp

Filesize
40KB

Download
memory/1980-49-0x0000000008CE0000-0x00000000092F8000-memory.dmp

Filesize
6.1MB

Download
memory/1980-50-0x0000000007FB0000-0x00000000080BA000-memory.dmp

Filesize
1.0MB

Download
memory/1980-51-0x0000000007EC0000-0x0000000007ED2000-memory.dmp

Filesize
72KB

Download
memory/1980-52-0x0000000007F20000-0x0000000007F5C000-memory.dmp

Filesize
240KB

Download
memory/1980-53-0x0000000007F60000-0x0000000007FAC000-memory.dmp

Filesize
304KB

Download
memory/1980-54-0x0000000074090000-0x0000000074840000-memory.dmp

Filesize
7.7MB

Download
memory/1980-55-0x0000000007DA0000-0x0000000007DB0000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads