redline | f1b8b1183c3af56672b2ea35fa1999c39b83af837a6554d08d31505e3d1f4b42

Analysis

max time kernel
163s
max time network
196s
platform
windows10-1703_x64
resource
win10-20230915-en
resource tags

arch:x64arch:x86image:win10-20230915-enlocale:en-usos:windows10-1703-x64system
submitted
13-10-2023 08:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f1b8b1183c3af56672b2ea35fa1999c39b83af837a6554d08d31505e3d1f4b42.exe
Size

1.2MB
MD5

dae0cdc6ad6dab61e261af2bb12e1091
SHA1

d163c1474edd87975abc4a55a39c45386e9eec43
SHA256

f1b8b1183c3af56672b2ea35fa1999c39b83af837a6554d08d31505e3d1f4b42
SHA512

839a7600af362a8182331d2ac3daf3543d740851a32169cc0f24d26ea6b9151713b84168098ab5095cc9a4f86935cbd34dd36eff38a8d8d2502ac00ac74a5e43
SSDEEP

24576:eyYacIqCw31IvRA+OjR0ITU3pRg+opz/QpRcQZXE6q2qCo4i4osDJOTz8TZV:tYaZKS2Jj6oGgzDQpRcgEbyo4i4osNC

Score

10^/10

redline kukish infostealer persistence

Malware Config

Extracted

Family

redline

Botnet

kukish

77.91.124.55:19071

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 3 IoCs

resource	yara_rule
behavioral1/files/0x000600000001afe7-36.dat	family_redline
behavioral1/files/0x000600000001afe7-37.dat	family_redline
behavioral1/memory/824-38-0x0000000000600000-0x000000000063E000-memory.dmp	family_redline

Executes dropped EXE 6 IoCs

pid	Process
3060	BX2zh8fO.exe
4256	ZP8ZG7cw.exe
4568	Ha3Go6Ph.exe
1020	KN0zx0TB.exe
8	1wI91mh2.exe
824	2qf545Tr.exe

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	ZP8ZG7cw.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	Ha3Go6Ph.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\""	KN0zx0TB.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	f1b8b1183c3af56672b2ea35fa1999c39b83af837a6554d08d31505e3d1f4b42.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	BX2zh8fO.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 2828 wrote to memory of 3060	2828	f1b8b1183c3af56672b2ea35fa1999c39b83af837a6554d08d31505e3d1f4b42.exe	70
PID 2828 wrote to memory of 3060	2828	f1b8b1183c3af56672b2ea35fa1999c39b83af837a6554d08d31505e3d1f4b42.exe	70
PID 2828 wrote to memory of 3060	2828	f1b8b1183c3af56672b2ea35fa1999c39b83af837a6554d08d31505e3d1f4b42.exe	70
PID 3060 wrote to memory of 4256	3060	BX2zh8fO.exe	71
PID 3060 wrote to memory of 4256	3060	BX2zh8fO.exe	71
PID 3060 wrote to memory of 4256	3060	BX2zh8fO.exe	71
PID 4256 wrote to memory of 4568	4256	ZP8ZG7cw.exe	72
PID 4256 wrote to memory of 4568	4256	ZP8ZG7cw.exe	72
PID 4256 wrote to memory of 4568	4256	ZP8ZG7cw.exe	72
PID 4568 wrote to memory of 1020	4568	Ha3Go6Ph.exe	73
PID 4568 wrote to memory of 1020	4568	Ha3Go6Ph.exe	73
PID 4568 wrote to memory of 1020	4568	Ha3Go6Ph.exe	73
PID 1020 wrote to memory of 8	1020	KN0zx0TB.exe	74
PID 1020 wrote to memory of 8	1020	KN0zx0TB.exe	74
PID 1020 wrote to memory of 8	1020	KN0zx0TB.exe	74
PID 1020 wrote to memory of 824	1020	KN0zx0TB.exe	75
PID 1020 wrote to memory of 824	1020	KN0zx0TB.exe	75
PID 1020 wrote to memory of 824	1020	KN0zx0TB.exe	75

C:\Users\Admin\AppData\Local\Temp\f1b8b1183c3af56672b2ea35fa1999c39b83af837a6554d08d31505e3d1f4b42.exe
"C:\Users\Admin\AppData\Local\Temp\f1b8b1183c3af56672b2ea35fa1999c39b83af837a6554d08d31505e3d1f4b42.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2828
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\BX2zh8fO.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\BX2zh8fO.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:3060
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ZP8ZG7cw.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ZP8ZG7cw.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:4256
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Ha3Go6Ph.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Ha3Go6Ph.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:4568
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\KN0zx0TB.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\KN0zx0TB.exe
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of WriteProcessMemory
        
        PID:1020
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1wI91mh2.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1wI91mh2.exe
        6⤵
        Executes dropped EXE
        
        PID:8
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2qf545Tr.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2qf545Tr.exe
        6⤵
        Executes dropped EXE
        
        PID:824

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\BX2zh8fO.exe

Filesize
1.1MB

MD5
6602013e20bfba860b35fdcfca8f9441

SHA1
1738f419bda9c6cd6a93d612e4431317ae7dd864

SHA256
eac234bff0376209dcb7e8de9976ab287d9d5858d01acfc173b020d32e9cace6

SHA512
adf2c71abd7d2e13f5374c772b19857933974aafc2fc1d6c5b68f6f0a9ba03c56f8e6624c3458a188394b9293790a60e4b63c7a30eb8ea7c28d49585b21f7362

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\BX2zh8fO.exe

Filesize
1.1MB

MD5
6602013e20bfba860b35fdcfca8f9441

SHA1
1738f419bda9c6cd6a93d612e4431317ae7dd864

SHA256
eac234bff0376209dcb7e8de9976ab287d9d5858d01acfc173b020d32e9cace6

SHA512
adf2c71abd7d2e13f5374c772b19857933974aafc2fc1d6c5b68f6f0a9ba03c56f8e6624c3458a188394b9293790a60e4b63c7a30eb8ea7c28d49585b21f7362

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ZP8ZG7cw.exe

Filesize
943KB

MD5
5d247380976ef0f16039d4fb7b93a5ca

SHA1
05d4dbba7213e25ef5e2637b1144a06719ca3548

SHA256
9c68ad8dc4a9a2a342f2240b1269c63b6ff4d2eb7d58bdcd29c336cb826784ea

SHA512
c3e7dfff358c94081118ef79fc9558beffbc27f9197a0904c97f2cd6a135dcbf19f5589e269c9c65831f76d3612775128a32ce298f898034dfd98d450a30f4ab

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ZP8ZG7cw.exe

Filesize
943KB

MD5
5d247380976ef0f16039d4fb7b93a5ca

SHA1
05d4dbba7213e25ef5e2637b1144a06719ca3548

SHA256
9c68ad8dc4a9a2a342f2240b1269c63b6ff4d2eb7d58bdcd29c336cb826784ea

SHA512
c3e7dfff358c94081118ef79fc9558beffbc27f9197a0904c97f2cd6a135dcbf19f5589e269c9c65831f76d3612775128a32ce298f898034dfd98d450a30f4ab

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Ha3Go6Ph.exe

Filesize
514KB

MD5
c21b570b2ee52281f9d5402b2931d7ff

SHA1
80f5ba7a4ac45394a56ab574bc9558edff4273d5

SHA256
4ee6cd7caf5ade6ab03dc5679d179bbb140879ea4cecfb492cdb05856a5ec82c

SHA512
2f02c5f5e330b1d7f2c692ed6022de3b3ca9e12af52e6745efdcebb43731ca6775303b644324057a675dcf49f4c611a1c95f115f3bfcb359ff071aeb5f99174d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Ha3Go6Ph.exe

Filesize
514KB

MD5
c21b570b2ee52281f9d5402b2931d7ff

SHA1
80f5ba7a4ac45394a56ab574bc9558edff4273d5

SHA256
4ee6cd7caf5ade6ab03dc5679d179bbb140879ea4cecfb492cdb05856a5ec82c

SHA512
2f02c5f5e330b1d7f2c692ed6022de3b3ca9e12af52e6745efdcebb43731ca6775303b644324057a675dcf49f4c611a1c95f115f3bfcb359ff071aeb5f99174d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\KN0zx0TB.exe

Filesize
319KB

MD5
47fff61b5bf2fcdd73798c596e27cf31

SHA1
42c0a6015d05fe69364f36a3fb9dfb25bab543c6

SHA256
83c8aa3de4adc2da48b099d23f3935806521813a767a2085b79c63b5b496c526

SHA512
5503a71cd77f3ffff299b73d9de26f1bca4a25245de7b02f1d95cb3cace2cccb320f26599b8dd39d8b21b1d71b7133a4f99441d0b83604cc2524a1b2f7a0d1c0

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\KN0zx0TB.exe

Filesize
319KB

MD5
47fff61b5bf2fcdd73798c596e27cf31

SHA1
42c0a6015d05fe69364f36a3fb9dfb25bab543c6

SHA256
83c8aa3de4adc2da48b099d23f3935806521813a767a2085b79c63b5b496c526

SHA512
5503a71cd77f3ffff299b73d9de26f1bca4a25245de7b02f1d95cb3cace2cccb320f26599b8dd39d8b21b1d71b7133a4f99441d0b83604cc2524a1b2f7a0d1c0

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1wI91mh2.exe

Filesize
180KB

MD5
3f305144feb3040cf41b216841537ec2

SHA1
ae9066cc3b40be6250e7e6a90bcc2de160067b84

SHA256
89fec546032f1fc58fb08e79ab626d7e2401a5958b81a928ab5e0c1540e180b1

SHA512
ca3993ad5d0a376809e304a49eaf81c8ba3ecbe40e7085573698b1870291034f9bbfdec552b640b32d92b2f0b359f33c40f694f401abaf81d70ab7a6484a798e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1wI91mh2.exe

Filesize
180KB

MD5
3f305144feb3040cf41b216841537ec2

SHA1
ae9066cc3b40be6250e7e6a90bcc2de160067b84

SHA256
89fec546032f1fc58fb08e79ab626d7e2401a5958b81a928ab5e0c1540e180b1

SHA512
ca3993ad5d0a376809e304a49eaf81c8ba3ecbe40e7085573698b1870291034f9bbfdec552b640b32d92b2f0b359f33c40f694f401abaf81d70ab7a6484a798e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1wI91mh2.exe

Filesize
180KB

MD5
3f305144feb3040cf41b216841537ec2

SHA1
ae9066cc3b40be6250e7e6a90bcc2de160067b84

SHA256
89fec546032f1fc58fb08e79ab626d7e2401a5958b81a928ab5e0c1540e180b1

SHA512
ca3993ad5d0a376809e304a49eaf81c8ba3ecbe40e7085573698b1870291034f9bbfdec552b640b32d92b2f0b359f33c40f694f401abaf81d70ab7a6484a798e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2qf545Tr.exe

Filesize
221KB

MD5
381eef9f280ee947cd149e70a795e2d3

SHA1
f7487abe41d7c59bc213a45a8551313c9422465e

SHA256
b7509ae1e0cb7565873990d357942f916d40bb2c6885307fabcabec402e3d260

SHA512
538ed6c5f0a2f136135ead1eae429a771414b0c0c195340780178caa88637c0c35488e378c12d179cc97f3deb4fc175fa0eca88deb8bd4cb5a8606751768d988

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2qf545Tr.exe

Filesize
221KB

MD5
381eef9f280ee947cd149e70a795e2d3

SHA1
f7487abe41d7c59bc213a45a8551313c9422465e

SHA256
b7509ae1e0cb7565873990d357942f916d40bb2c6885307fabcabec402e3d260

SHA512
538ed6c5f0a2f136135ead1eae429a771414b0c0c195340780178caa88637c0c35488e378c12d179cc97f3deb4fc175fa0eca88deb8bd4cb5a8606751768d988

Download Submit
memory/824-38-0x0000000000600000-0x000000000063E000-memory.dmp

Filesize
248KB

Download
memory/824-39-0x0000000073610000-0x0000000073CFE000-memory.dmp

Filesize
6.9MB

Download
memory/824-40-0x0000000007850000-0x0000000007D4E000-memory.dmp

Filesize
5.0MB

Download
memory/824-41-0x00000000073F0000-0x0000000007482000-memory.dmp

Filesize
584KB

Download
memory/824-42-0x0000000007370000-0x000000000737A000-memory.dmp

Filesize
40KB

Download
memory/824-43-0x0000000008360000-0x0000000008966000-memory.dmp

Filesize
6.0MB

Download
memory/824-44-0x0000000007720000-0x000000000782A000-memory.dmp

Filesize
1.0MB

Download
memory/824-45-0x0000000007500000-0x0000000007512000-memory.dmp

Filesize
72KB

Download
memory/824-46-0x0000000007650000-0x000000000768E000-memory.dmp

Filesize
248KB

Download
memory/824-47-0x0000000007690000-0x00000000076DB000-memory.dmp

Filesize
300KB

Download
memory/824-48-0x0000000073610000-0x0000000073CFE000-memory.dmp

Filesize
6.9MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads