redline | 96908b0cc125bfb859e66da0ed4acfd2a53d44e975229d93c919662af343d013

Analysis

max time kernel
149s
max time network
161s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
13/10/2023, 12:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

214a1cc8f5959cc200cc9f2f4edb63509bd07c8d7d0163e416cb0866e224f849.exe
Size

1.2MB
MD5

c1012f4ae35b997bcb09b2f23a0a859f
SHA1

ec535af23c61a0d94c226420023802108746987f
SHA256

214a1cc8f5959cc200cc9f2f4edb63509bd07c8d7d0163e416cb0866e224f849
SHA512

6e357be39e575b779f6b4a166cd1d9f5475fe6686a7b73ad64f96f00b0e79c02da32a0a8433f5d43d435d51b45a180a551ee50c008fe5d9ebd5b9254e40dd71d
SSDEEP

24576:nyAacfrkPSr62KyBJ0KMpQIU+gEp7sjudHxc5bYK3YrTxp94pjj:yZcQPSr60sY+lQ2bK3YvP9aj

Score

10^/10

redline kukish infostealer persistence

Malware Config

Extracted

Family

redline

Botnet

kukish

77.91.124.55:19071

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 3 IoCs

resource	yara_rule
behavioral2/files/0x0006000000023255-36.dat	family_redline
behavioral2/files/0x0006000000023255-37.dat	family_redline
behavioral2/memory/4644-38-0x0000000000FD0000-0x000000000100E000-memory.dmp	family_redline

Executes dropped EXE 6 IoCs

pid	Process
2932	Iz8Gg2gw.exe
688	XL0Yj2kZ.exe
3940	bh7Mp6ou.exe
3688	jf5ws5Or.exe
2344	1xa67AW3.exe
4644	2Xy980RK.exe

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	214a1cc8f5959cc200cc9f2f4edb63509bd07c8d7d0163e416cb0866e224f849.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	Iz8Gg2gw.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	XL0Yj2kZ.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	bh7Mp6ou.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\""	jf5ws5Or.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 3720 wrote to memory of 2932	3720	214a1cc8f5959cc200cc9f2f4edb63509bd07c8d7d0163e416cb0866e224f849.exe	84
PID 3720 wrote to memory of 2932	3720	214a1cc8f5959cc200cc9f2f4edb63509bd07c8d7d0163e416cb0866e224f849.exe	84
PID 3720 wrote to memory of 2932	3720	214a1cc8f5959cc200cc9f2f4edb63509bd07c8d7d0163e416cb0866e224f849.exe	84
PID 2932 wrote to memory of 688	2932	Iz8Gg2gw.exe	85
PID 2932 wrote to memory of 688	2932	Iz8Gg2gw.exe	85
PID 2932 wrote to memory of 688	2932	Iz8Gg2gw.exe	85
PID 688 wrote to memory of 3940	688	XL0Yj2kZ.exe	87
PID 688 wrote to memory of 3940	688	XL0Yj2kZ.exe	87
PID 688 wrote to memory of 3940	688	XL0Yj2kZ.exe	87
PID 3940 wrote to memory of 3688	3940	bh7Mp6ou.exe	88
PID 3940 wrote to memory of 3688	3940	bh7Mp6ou.exe	88
PID 3940 wrote to memory of 3688	3940	bh7Mp6ou.exe	88
PID 3688 wrote to memory of 2344	3688	jf5ws5Or.exe	89
PID 3688 wrote to memory of 2344	3688	jf5ws5Or.exe	89
PID 3688 wrote to memory of 2344	3688	jf5ws5Or.exe	89
PID 3688 wrote to memory of 4644	3688	jf5ws5Or.exe	90
PID 3688 wrote to memory of 4644	3688	jf5ws5Or.exe	90
PID 3688 wrote to memory of 4644	3688	jf5ws5Or.exe	90

C:\Users\Admin\AppData\Local\Temp\214a1cc8f5959cc200cc9f2f4edb63509bd07c8d7d0163e416cb0866e224f849.exe
"C:\Users\Admin\AppData\Local\Temp\214a1cc8f5959cc200cc9f2f4edb63509bd07c8d7d0163e416cb0866e224f849.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3720
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Iz8Gg2gw.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Iz8Gg2gw.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:2932
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\XL0Yj2kZ.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\XL0Yj2kZ.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:688
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\bh7Mp6ou.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\bh7Mp6ou.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:3940
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\jf5ws5Or.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\jf5ws5Or.exe
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of WriteProcessMemory
        
        PID:3688
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1xa67AW3.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1xa67AW3.exe
        6⤵
        Executes dropped EXE
        
        PID:2344
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2Xy980RK.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2Xy980RK.exe
        6⤵
        Executes dropped EXE
        
        PID:4644

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Iz8Gg2gw.exe

Filesize
1.1MB

MD5
53a65465a0b5e5810d22b0e60cb6b2e2

SHA1
0570cf7fb406f3749dacd77f7e24540c752c191d

SHA256
316148d301953ae030b0ef50004a7e0436d1e01846a506117ed46489cad26e58

SHA512
59d69e997ea2a6f00094586cc69f8edd54765944ad5349eb9f1817803a426ba17610c05ee2d8e9d8e67c618052fea86d004d6a52b7fd817dbc9da8a248c6a8e8

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Iz8Gg2gw.exe

Filesize
1.1MB

MD5
53a65465a0b5e5810d22b0e60cb6b2e2

SHA1
0570cf7fb406f3749dacd77f7e24540c752c191d

SHA256
316148d301953ae030b0ef50004a7e0436d1e01846a506117ed46489cad26e58

SHA512
59d69e997ea2a6f00094586cc69f8edd54765944ad5349eb9f1817803a426ba17610c05ee2d8e9d8e67c618052fea86d004d6a52b7fd817dbc9da8a248c6a8e8

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\XL0Yj2kZ.exe

Filesize
925KB

MD5
bd25c811d4384c4a2dc341565be15eda

SHA1
5631cf539d9baac273db8e0d72f75b04e136d51a

SHA256
1da7b5207df5cb3454dfce0d139f865f3f9fd185a3a03c4522acc7da8e7e7e6d

SHA512
169b9cd49b7318fefa85381a8403d6632d2e175250749ff79f270eaaf53ed21a43e1d14722ec8a42cfc33cbd322fdcb37d4551e944d624293b84ce56fc749d40

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\XL0Yj2kZ.exe

Filesize
925KB

MD5
bd25c811d4384c4a2dc341565be15eda

SHA1
5631cf539d9baac273db8e0d72f75b04e136d51a

SHA256
1da7b5207df5cb3454dfce0d139f865f3f9fd185a3a03c4522acc7da8e7e7e6d

SHA512
169b9cd49b7318fefa85381a8403d6632d2e175250749ff79f270eaaf53ed21a43e1d14722ec8a42cfc33cbd322fdcb37d4551e944d624293b84ce56fc749d40

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\bh7Mp6ou.exe

Filesize
514KB

MD5
e44f5bd7decb363d5fad6022b4137eda

SHA1
63e15742c7f75397cf62a916da5598f924725572

SHA256
7a5943d94f31c9ba20c299eca390426c86f4739a2f48d22b7db739376b7f3da8

SHA512
4480b3a25db660405db8e614b2bd138ca74696905164404aba7c3ce37bd539a46b377f50001f593e8856e6d8d2a46e8a1e6f93c156320998a087e10b3bb624f8

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\bh7Mp6ou.exe

Filesize
514KB

MD5
e44f5bd7decb363d5fad6022b4137eda

SHA1
63e15742c7f75397cf62a916da5598f924725572

SHA256
7a5943d94f31c9ba20c299eca390426c86f4739a2f48d22b7db739376b7f3da8

SHA512
4480b3a25db660405db8e614b2bd138ca74696905164404aba7c3ce37bd539a46b377f50001f593e8856e6d8d2a46e8a1e6f93c156320998a087e10b3bb624f8

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\jf5ws5Or.exe

Filesize
319KB

MD5
d4faa67e48c7aadf68863a3f072520dd

SHA1
d676f1c8c2a438cddaf50b3553b145dfb9765076

SHA256
71c1703769acab737ce8f484c9f1b50ea16a4fc9d79ca32b7559ec3aeb54c7d6

SHA512
af536112a52decbeab789e6674d5578e9150198e3ab0d410883ec0329da3bb4d5eb8378b5c5bf6ee77da4205d2aa34cece203e5e3d0513abe3d1f5b954aa3290

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\jf5ws5Or.exe

Filesize
319KB

MD5
d4faa67e48c7aadf68863a3f072520dd

SHA1
d676f1c8c2a438cddaf50b3553b145dfb9765076

SHA256
71c1703769acab737ce8f484c9f1b50ea16a4fc9d79ca32b7559ec3aeb54c7d6

SHA512
af536112a52decbeab789e6674d5578e9150198e3ab0d410883ec0329da3bb4d5eb8378b5c5bf6ee77da4205d2aa34cece203e5e3d0513abe3d1f5b954aa3290

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1xa67AW3.exe

Filesize
180KB

MD5
3f305144feb3040cf41b216841537ec2

SHA1
ae9066cc3b40be6250e7e6a90bcc2de160067b84

SHA256
89fec546032f1fc58fb08e79ab626d7e2401a5958b81a928ab5e0c1540e180b1

SHA512
ca3993ad5d0a376809e304a49eaf81c8ba3ecbe40e7085573698b1870291034f9bbfdec552b640b32d92b2f0b359f33c40f694f401abaf81d70ab7a6484a798e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1xa67AW3.exe

Filesize
180KB

MD5
3f305144feb3040cf41b216841537ec2

SHA1
ae9066cc3b40be6250e7e6a90bcc2de160067b84

SHA256
89fec546032f1fc58fb08e79ab626d7e2401a5958b81a928ab5e0c1540e180b1

SHA512
ca3993ad5d0a376809e304a49eaf81c8ba3ecbe40e7085573698b1870291034f9bbfdec552b640b32d92b2f0b359f33c40f694f401abaf81d70ab7a6484a798e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1xa67AW3.exe

Filesize
180KB

MD5
3f305144feb3040cf41b216841537ec2

SHA1
ae9066cc3b40be6250e7e6a90bcc2de160067b84

SHA256
89fec546032f1fc58fb08e79ab626d7e2401a5958b81a928ab5e0c1540e180b1

SHA512
ca3993ad5d0a376809e304a49eaf81c8ba3ecbe40e7085573698b1870291034f9bbfdec552b640b32d92b2f0b359f33c40f694f401abaf81d70ab7a6484a798e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2Xy980RK.exe

Filesize
221KB

MD5
a799c8552b3bba8f2cf25a6c58b9fe70

SHA1
af644f1de215c2e20cd403c820189f02d9f30192

SHA256
e96457d461e91a891c55deaecaa157494184818599b6b140dad83a4c6a5d039e

SHA512
8b0a21c80d91093b76310b49fcda3a9fba8a589280020ffbf6204d5b90cee0fd07240ed6cebc29b2a55862ffb747b611f4060189455e13747d81df567d590786

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2Xy980RK.exe

Filesize
221KB

MD5
a799c8552b3bba8f2cf25a6c58b9fe70

SHA1
af644f1de215c2e20cd403c820189f02d9f30192

SHA256
e96457d461e91a891c55deaecaa157494184818599b6b140dad83a4c6a5d039e

SHA512
8b0a21c80d91093b76310b49fcda3a9fba8a589280020ffbf6204d5b90cee0fd07240ed6cebc29b2a55862ffb747b611f4060189455e13747d81df567d590786

Download Submit
memory/4644-38-0x0000000000FD0000-0x000000000100E000-memory.dmp

Filesize
248KB

Download
memory/4644-39-0x0000000073CC0000-0x0000000074470000-memory.dmp

Filesize
7.7MB

Download
memory/4644-40-0x00000000083D0000-0x0000000008974000-memory.dmp

Filesize
5.6MB

Download
memory/4644-41-0x0000000007EC0000-0x0000000007F52000-memory.dmp

Filesize
584KB

Download
memory/4644-42-0x00000000080D0000-0x00000000080E0000-memory.dmp

Filesize
64KB

Download
memory/4644-43-0x0000000007F90000-0x0000000007F9A000-memory.dmp

Filesize
40KB

Download
memory/4644-44-0x0000000008FA0000-0x00000000095B8000-memory.dmp

Filesize
6.1MB

Download
memory/4644-45-0x0000000008980000-0x0000000008A8A000-memory.dmp

Filesize
1.0MB

Download
memory/4644-46-0x0000000008070000-0x0000000008082000-memory.dmp

Filesize
72KB

Download
memory/4644-47-0x00000000081D0000-0x000000000820C000-memory.dmp

Filesize
240KB

Download
memory/4644-48-0x0000000008210000-0x000000000825C000-memory.dmp

Filesize
304KB

Download
memory/4644-49-0x0000000073CC0000-0x0000000074470000-memory.dmp

Filesize
7.7MB

Download
memory/4644-50-0x00000000080D0000-0x00000000080E0000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads