redline | 003e9b419d92c68dac183f27514552147e15b2a34181caa412f0aec00f9b7bf7

General

Target

WS6lv4zQ.exe
Size

319KB
MD5

c2c23f0f3d5763d5a4d208a378dd6957
SHA1

255ab1e23775fe39fa06b85a50f66e8853b5749f
SHA256

003e9b419d92c68dac183f27514552147e15b2a34181caa412f0aec00f9b7bf7
SHA512

8bf525b3bf59637c1bae025d1ba39896d3b01900d8dc6645d633cbf4dc3ea942d0885e5ac421a4e910bee9c77cb1fba80f23892aa2c529ec874045c52ead55ce
SSDEEP

6144:Kpy+bnr+/p0yN90QEL1xameXBnEmB7nIJ4xErrJPSzdrfD7tl+5IW:DMrXy90ZuREEIIEpSzU5J

Score

10^/10

redline kukish infostealer persistence

Malware Config

Extracted

Family

redline

Botnet

kukish

C2

77.91.124.55:19071

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 5 IoCs

resource	yara_rule
behavioral1/files/0x0009000000016c76-10.dat	family_redline
behavioral1/files/0x0009000000016c76-13.dat	family_redline
behavioral1/files/0x0009000000016c76-14.dat	family_redline
behavioral1/files/0x0009000000016c76-15.dat	family_redline
behavioral1/memory/2568-16-0x0000000000E00000-0x0000000000E3E000-memory.dmp	family_redline

Executes dropped EXE 2 IoCs

pid	Process
2324	1dB90go9.exe
2568	2lh658YQ.exe

Loads dropped DLL 4 IoCs

pid	Process
2096	WS6lv4zQ.exe
2324	1dB90go9.exe
2096	WS6lv4zQ.exe
2568	2lh658YQ.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	WS6lv4zQ.exe

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 2096 wrote to memory of 2324	2096	WS6lv4zQ.exe	28
PID 2096 wrote to memory of 2324	2096	WS6lv4zQ.exe	28
PID 2096 wrote to memory of 2324	2096	WS6lv4zQ.exe	28
PID 2096 wrote to memory of 2324	2096	WS6lv4zQ.exe	28
PID 2096 wrote to memory of 2324	2096	WS6lv4zQ.exe	28
PID 2096 wrote to memory of 2324	2096	WS6lv4zQ.exe	28
PID 2096 wrote to memory of 2324	2096	WS6lv4zQ.exe	28
PID 2096 wrote to memory of 2568	2096	WS6lv4zQ.exe	33
PID 2096 wrote to memory of 2568	2096	WS6lv4zQ.exe	33
PID 2096 wrote to memory of 2568	2096	WS6lv4zQ.exe	33
PID 2096 wrote to memory of 2568	2096	WS6lv4zQ.exe	33
PID 2096 wrote to memory of 2568	2096	WS6lv4zQ.exe	33
PID 2096 wrote to memory of 2568	2096	WS6lv4zQ.exe	33
PID 2096 wrote to memory of 2568	2096	WS6lv4zQ.exe	33

C:\Users\Admin\AppData\Local\Temp\WS6lv4zQ.exe
"C:\Users\Admin\AppData\Local\Temp\WS6lv4zQ.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2096
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1dB90go9.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1dB90go9.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:2324
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\2lh658YQ.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\2lh658YQ.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:2568

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1dB90go9.exe

Filesize
180KB

MD5
3f305144feb3040cf41b216841537ec2

SHA1
ae9066cc3b40be6250e7e6a90bcc2de160067b84

SHA256
89fec546032f1fc58fb08e79ab626d7e2401a5958b81a928ab5e0c1540e180b1

SHA512
ca3993ad5d0a376809e304a49eaf81c8ba3ecbe40e7085573698b1870291034f9bbfdec552b640b32d92b2f0b359f33c40f694f401abaf81d70ab7a6484a798e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1dB90go9.exe

Filesize
180KB

MD5
3f305144feb3040cf41b216841537ec2

SHA1
ae9066cc3b40be6250e7e6a90bcc2de160067b84

SHA256
89fec546032f1fc58fb08e79ab626d7e2401a5958b81a928ab5e0c1540e180b1

SHA512
ca3993ad5d0a376809e304a49eaf81c8ba3ecbe40e7085573698b1870291034f9bbfdec552b640b32d92b2f0b359f33c40f694f401abaf81d70ab7a6484a798e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\2lh658YQ.exe

Filesize
221KB

MD5
278a8dd873cd7c46439078dca89131ad

SHA1
8bf9c0e0ecabb7d4d46d341c429712db31d04f2c

SHA256
8fdff28c1c8bfd963d80539f72f979a503fc5fc0764b488ae9425258c04c6676

SHA512
8fdd5e67c8dcf495faa02f86903e1654a00967fc1407fac14a877bc0a2182fb6f94e3360707614f8c6ab4425a22d501dd5cdb2028000b3e0c6b2d31ee9f30b92

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\2lh658YQ.exe

Filesize
221KB

MD5
278a8dd873cd7c46439078dca89131ad

SHA1
8bf9c0e0ecabb7d4d46d341c429712db31d04f2c

SHA256
8fdff28c1c8bfd963d80539f72f979a503fc5fc0764b488ae9425258c04c6676

SHA512
8fdd5e67c8dcf495faa02f86903e1654a00967fc1407fac14a877bc0a2182fb6f94e3360707614f8c6ab4425a22d501dd5cdb2028000b3e0c6b2d31ee9f30b92

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\1dB90go9.exe

Filesize
180KB

MD5
3f305144feb3040cf41b216841537ec2

SHA1
ae9066cc3b40be6250e7e6a90bcc2de160067b84

SHA256
89fec546032f1fc58fb08e79ab626d7e2401a5958b81a928ab5e0c1540e180b1

SHA512
ca3993ad5d0a376809e304a49eaf81c8ba3ecbe40e7085573698b1870291034f9bbfdec552b640b32d92b2f0b359f33c40f694f401abaf81d70ab7a6484a798e

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\1dB90go9.exe

Filesize
180KB

MD5
3f305144feb3040cf41b216841537ec2

SHA1
ae9066cc3b40be6250e7e6a90bcc2de160067b84

SHA256
89fec546032f1fc58fb08e79ab626d7e2401a5958b81a928ab5e0c1540e180b1

SHA512
ca3993ad5d0a376809e304a49eaf81c8ba3ecbe40e7085573698b1870291034f9bbfdec552b640b32d92b2f0b359f33c40f694f401abaf81d70ab7a6484a798e

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\2lh658YQ.exe

Filesize
221KB

MD5
278a8dd873cd7c46439078dca89131ad

SHA1
8bf9c0e0ecabb7d4d46d341c429712db31d04f2c

SHA256
8fdff28c1c8bfd963d80539f72f979a503fc5fc0764b488ae9425258c04c6676

SHA512
8fdd5e67c8dcf495faa02f86903e1654a00967fc1407fac14a877bc0a2182fb6f94e3360707614f8c6ab4425a22d501dd5cdb2028000b3e0c6b2d31ee9f30b92

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\2lh658YQ.exe

Filesize
221KB

MD5
278a8dd873cd7c46439078dca89131ad

SHA1
8bf9c0e0ecabb7d4d46d341c429712db31d04f2c

SHA256
8fdff28c1c8bfd963d80539f72f979a503fc5fc0764b488ae9425258c04c6676

SHA512
8fdd5e67c8dcf495faa02f86903e1654a00967fc1407fac14a877bc0a2182fb6f94e3360707614f8c6ab4425a22d501dd5cdb2028000b3e0c6b2d31ee9f30b92

Download Submit
memory/2568-16-0x0000000000E00000-0x0000000000E3E000-memory.dmp

Filesize
248KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads