redline | 7412518f71f76e1e4a0217a127a2c391c4c81657c2923113a5f4a4b60bf25b97

Analysis

max time kernel
139s
max time network
159s
platform
windows10-1703_x64
resource
win10-20230915-en
resource tags

arch:x64arch:x86image:win10-20230915-enlocale:en-usos:windows10-1703-x64system
submitted
13/10/2023, 18:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7412518f71f76e1e4a0217a127a2c391c4c81657c2923113a5f4a4b60bf25b97.exe
Size

1.5MB
MD5

f858b3501c6547c212e8f70433524df8
SHA1

db313230299980434cd0d0532b939622c8bd55b5
SHA256

7412518f71f76e1e4a0217a127a2c391c4c81657c2923113a5f4a4b60bf25b97
SHA512

60138f00574a79fabb39e7f0ca3d82a17278655e8d16ab009ed820abbd845db97d755d6932901ffc59a70b5e2089ce9794b606509613f72d227303824b9e7147
SSDEEP

24576:HyEF3/B/YomB05zMbv1Ut1A4Snsx4ROwTSyn82zmOy+wnbnoVbN6qhoLRU:SEFK9wz61UOsGROwWe82CO4oVJ6q+1

Score

10^/10

redline kukish infostealer persistence

Malware Config

Extracted

Family

redline

Botnet

kukish

77.91.124.55:19071

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 3 IoCs

resource	yara_rule
behavioral1/files/0x000600000001b010-39.dat	family_redline
behavioral1/files/0x000600000001b010-43.dat	family_redline
behavioral1/memory/760-45-0x00000000006C0000-0x00000000006FE000-memory.dmp	family_redline

Executes dropped EXE 6 IoCs

pid	Process
4628	Lw2Ih7Ud.exe
4552	Xa7PS9WS.exe
928	fv6zL5nX.exe
500	iB0Tl7gl.exe
4952	1vx52Fg2.exe
760	2cg246FK.exe

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	7412518f71f76e1e4a0217a127a2c391c4c81657c2923113a5f4a4b60bf25b97.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	Lw2Ih7Ud.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	Xa7PS9WS.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	fv6zL5nX.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\""	iB0Tl7gl.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4952 set thread context of 4820	4952	1vx52Fg2.exe	77

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1632	4820	WerFault.exe	77

Suspicious use of WriteProcessMemory 31 IoCs

description	pid	Process	procid_target
PID 3928 wrote to memory of 4628	3928	7412518f71f76e1e4a0217a127a2c391c4c81657c2923113a5f4a4b60bf25b97.exe	70
PID 3928 wrote to memory of 4628	3928	7412518f71f76e1e4a0217a127a2c391c4c81657c2923113a5f4a4b60bf25b97.exe	70
PID 3928 wrote to memory of 4628	3928	7412518f71f76e1e4a0217a127a2c391c4c81657c2923113a5f4a4b60bf25b97.exe	70
PID 4628 wrote to memory of 4552	4628	Lw2Ih7Ud.exe	71
PID 4628 wrote to memory of 4552	4628	Lw2Ih7Ud.exe	71
PID 4628 wrote to memory of 4552	4628	Lw2Ih7Ud.exe	71
PID 4552 wrote to memory of 928	4552	Xa7PS9WS.exe	72
PID 4552 wrote to memory of 928	4552	Xa7PS9WS.exe	72
PID 4552 wrote to memory of 928	4552	Xa7PS9WS.exe	72
PID 928 wrote to memory of 500	928	fv6zL5nX.exe	73
PID 928 wrote to memory of 500	928	fv6zL5nX.exe	73
PID 928 wrote to memory of 500	928	fv6zL5nX.exe	73
PID 500 wrote to memory of 4952	500	iB0Tl7gl.exe	74
PID 500 wrote to memory of 4952	500	iB0Tl7gl.exe	74
PID 500 wrote to memory of 4952	500	iB0Tl7gl.exe	74
PID 4952 wrote to memory of 1216	4952	1vx52Fg2.exe	76
PID 4952 wrote to memory of 1216	4952	1vx52Fg2.exe	76
PID 4952 wrote to memory of 1216	4952	1vx52Fg2.exe	76
PID 4952 wrote to memory of 4820	4952	1vx52Fg2.exe	77
PID 4952 wrote to memory of 4820	4952	1vx52Fg2.exe	77
PID 4952 wrote to memory of 4820	4952	1vx52Fg2.exe	77
PID 4952 wrote to memory of 4820	4952	1vx52Fg2.exe	77
PID 4952 wrote to memory of 4820	4952	1vx52Fg2.exe	77
PID 4952 wrote to memory of 4820	4952	1vx52Fg2.exe	77
PID 4952 wrote to memory of 4820	4952	1vx52Fg2.exe	77
PID 4952 wrote to memory of 4820	4952	1vx52Fg2.exe	77
PID 4952 wrote to memory of 4820	4952	1vx52Fg2.exe	77
PID 4952 wrote to memory of 4820	4952	1vx52Fg2.exe	77
PID 500 wrote to memory of 760	500	iB0Tl7gl.exe	78
PID 500 wrote to memory of 760	500	iB0Tl7gl.exe	78
PID 500 wrote to memory of 760	500	iB0Tl7gl.exe	78

C:\Users\Admin\AppData\Local\Temp\7412518f71f76e1e4a0217a127a2c391c4c81657c2923113a5f4a4b60bf25b97.exe
"C:\Users\Admin\AppData\Local\Temp\7412518f71f76e1e4a0217a127a2c391c4c81657c2923113a5f4a4b60bf25b97.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3928
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Lw2Ih7Ud.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Lw2Ih7Ud.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:4628
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Xa7PS9WS.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Xa7PS9WS.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:4552
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\fv6zL5nX.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\fv6zL5nX.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:928
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\iB0Tl7gl.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\iB0Tl7gl.exe
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of WriteProcessMemory
        
        PID:500
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1vx52Fg2.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1vx52Fg2.exe
        6⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:4952
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        7⤵
        
        PID:1216
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        7⤵
        
        PID:4820
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4820 -s 568
        8⤵
        Program crash
        
        PID:1632
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2cg246FK.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2cg246FK.exe
        6⤵
        Executes dropped EXE
        
        PID:760

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Lw2Ih7Ud.exe

Filesize
1.4MB

MD5
23e23cdbdef65c4b9e940a4474d5ae30

SHA1
bdbab7a43e2fc0c783cb41d88778bea3fc2177cb

SHA256
8278de0e35d995b16529463cb0b4c53b7d1b1ba8ef7c0949a0485c15069dd463

SHA512
743decefd6417b9abb17039a783e8bf4b8f6f04c86dbc4a220574d6b5077a4d7ef1c11f74a7f4bba68798f13e1268bb22b6615f4d828f12a7d740388299d0866

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Lw2Ih7Ud.exe

Filesize
1.4MB

MD5
23e23cdbdef65c4b9e940a4474d5ae30

SHA1
bdbab7a43e2fc0c783cb41d88778bea3fc2177cb

SHA256
8278de0e35d995b16529463cb0b4c53b7d1b1ba8ef7c0949a0485c15069dd463

SHA512
743decefd6417b9abb17039a783e8bf4b8f6f04c86dbc4a220574d6b5077a4d7ef1c11f74a7f4bba68798f13e1268bb22b6615f4d828f12a7d740388299d0866

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Xa7PS9WS.exe

Filesize
1.2MB

MD5
2b144c3da70931cc0c7423ced49a9c07

SHA1
a528cfbd137f19d03b7112175f64a9560d34aed5

SHA256
b15f8b11a4a4af3c39450febce1e1cedc5a663c1738a304e628c86a856fd2665

SHA512
8ede49323dd17f2aa60cd129414a6c263f5957a932f18b44d7265704ac6dd35b15b214c83fcd235c76f7695cd15a06b6a6e7607c05b378f657ff6148ec02ed12

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Xa7PS9WS.exe

Filesize
1.2MB

MD5
2b144c3da70931cc0c7423ced49a9c07

SHA1
a528cfbd137f19d03b7112175f64a9560d34aed5

SHA256
b15f8b11a4a4af3c39450febce1e1cedc5a663c1738a304e628c86a856fd2665

SHA512
8ede49323dd17f2aa60cd129414a6c263f5957a932f18b44d7265704ac6dd35b15b214c83fcd235c76f7695cd15a06b6a6e7607c05b378f657ff6148ec02ed12

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\fv6zL5nX.exe

Filesize
776KB

MD5
a7f04dd66012898651c5756c53412cc4

SHA1
d1d3bf11adfb02d94a3216635a269a3ca5e701b2

SHA256
6b111697674d75b0dcad346cc3508d6851d983eeeda4a162ca4d2e15a5592119

SHA512
d9033f742633cef8a9e94e75fe6576e1bd08827eaf918aae726a3426b206134dff49b41df3e8dbf3da5828ee786bc1622ceed5b07625ea6252dcb8faef78332a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\fv6zL5nX.exe

Filesize
776KB

MD5
a7f04dd66012898651c5756c53412cc4

SHA1
d1d3bf11adfb02d94a3216635a269a3ca5e701b2

SHA256
6b111697674d75b0dcad346cc3508d6851d983eeeda4a162ca4d2e15a5592119

SHA512
d9033f742633cef8a9e94e75fe6576e1bd08827eaf918aae726a3426b206134dff49b41df3e8dbf3da5828ee786bc1622ceed5b07625ea6252dcb8faef78332a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\iB0Tl7gl.exe

Filesize
580KB

MD5
22f8356dfcbf1686c64b46c6e3d83461

SHA1
8bce79ee6ff919f0c141af3d043bbae3f4f15a15

SHA256
eca372aeac9e66d7a7eaa55283dfd885cdee186745c8055327c36b2c1c9aee4b

SHA512
51163eb9f76862fea0880a0147b04284db97c50ac86732b23f3c722e6d7e5791ad205fb0ce7f1141b0384932019c051895b0eff1de5143fa8d4c1656493b7984

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\iB0Tl7gl.exe

Filesize
580KB

MD5
22f8356dfcbf1686c64b46c6e3d83461

SHA1
8bce79ee6ff919f0c141af3d043bbae3f4f15a15

SHA256
eca372aeac9e66d7a7eaa55283dfd885cdee186745c8055327c36b2c1c9aee4b

SHA512
51163eb9f76862fea0880a0147b04284db97c50ac86732b23f3c722e6d7e5791ad205fb0ce7f1141b0384932019c051895b0eff1de5143fa8d4c1656493b7984

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1vx52Fg2.exe

Filesize
1.1MB

MD5
a1c1c44e837edbc2d55d33ba9620a109

SHA1
0ba4e08d7b6f17f968d1f7cad75d0a3885bae998

SHA256
4160c00350706d7630b0a8bfb47722e7ec956858ab07d5adc9345e37ccb751e5

SHA512
75267e9d0652e006107506457c5253fe701149888ad977d95f52d215410b18e3b145c8779ae389b718f090c5aa41d614e45deb38a96852a07a299a5b075c02bc

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1vx52Fg2.exe

Filesize
1.1MB

MD5
a1c1c44e837edbc2d55d33ba9620a109

SHA1
0ba4e08d7b6f17f968d1f7cad75d0a3885bae998

SHA256
4160c00350706d7630b0a8bfb47722e7ec956858ab07d5adc9345e37ccb751e5

SHA512
75267e9d0652e006107506457c5253fe701149888ad977d95f52d215410b18e3b145c8779ae389b718f090c5aa41d614e45deb38a96852a07a299a5b075c02bc

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2cg246FK.exe

Filesize
222KB

MD5
d1947db2b064a7ad8da6e770a9d2e55a

SHA1
24d54db51fed8089436296e2c5435f80268976fb

SHA256
28990e2fce09e446b6a49f641ded0d3af88d644e527506c3d75deb08e8c7e84a

SHA512
8c24d07e2d5e3e79b41b74ead7e6d346e526e7571182a1785906b2bfde90b7d3ae5f045233f87f980771d020346dbc540781a9661c06860f3f65986a593d35e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2cg246FK.exe

Filesize
222KB

MD5
d1947db2b064a7ad8da6e770a9d2e55a

SHA1
24d54db51fed8089436296e2c5435f80268976fb

SHA256
28990e2fce09e446b6a49f641ded0d3af88d644e527506c3d75deb08e8c7e84a

SHA512
8c24d07e2d5e3e79b41b74ead7e6d346e526e7571182a1785906b2bfde90b7d3ae5f045233f87f980771d020346dbc540781a9661c06860f3f65986a593d35e2

Download Submit
memory/760-47-0x00000000078D0000-0x0000000007DCE000-memory.dmp

Filesize
5.0MB

Download
memory/760-48-0x0000000007470000-0x0000000007502000-memory.dmp

Filesize
584KB

Download
memory/760-55-0x0000000073000000-0x00000000736EE000-memory.dmp

Filesize
6.9MB

Download
memory/760-54-0x0000000007870000-0x00000000078BB000-memory.dmp

Filesize
300KB

Download
memory/760-45-0x00000000006C0000-0x00000000006FE000-memory.dmp

Filesize
248KB

Download
memory/760-46-0x0000000073000000-0x00000000736EE000-memory.dmp

Filesize
6.9MB

Download
memory/760-53-0x0000000007830000-0x000000000786E000-memory.dmp

Filesize
248KB

Download
memory/760-52-0x00000000077D0000-0x00000000077E2000-memory.dmp

Filesize
72KB

Download
memory/760-49-0x0000000007430000-0x000000000743A000-memory.dmp

Filesize
40KB

Download
memory/760-50-0x00000000083E0000-0x00000000089E6000-memory.dmp

Filesize
6.0MB

Download
memory/760-51-0x0000000007DD0000-0x0000000007EDA000-memory.dmp

Filesize
1.0MB

Download
memory/4820-41-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/4820-35-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/4820-44-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/4820-40-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads