Analysis

  • max time kernel
    138s
  • max time network
    156s
  • platform
    windows10-1703_x64
  • resource
    win10-20230915-en
  • resource tags

    arch:x64, arch:x86, image:win10-20230915-en, locale:en-us, os:windows10-1703-x64, system
  • submitted
    14/10/2023, 08:50 UTC

General

  • Target

    477eff40308a79a29ed5532bd305397cfbc7d9aa675af690d5d98626dd9c96db.exe

  • Size

    1.5MB

  • MD5

    27a377d27d16aa9df83edabfd23b565a

  • SHA1

    4d4d71f95db9e6b0e80c1decfd7e587b71e5663d

  • SHA256

    477eff40308a79a29ed5532bd305397cfbc7d9aa675af690d5d98626dd9c96db

  • SHA512

    f89a2dc0b7b7a9e9843dcaed4c436a0ea6d485bfe5e741cdef46de3dc6f21c6f55194cc47d98efda2f3483b8a5f6df854282af8dface09758496d7aa9651010a

  • SSDEEP

    24576:3y1IC/BgLwm1SaGpzU4VpCDyRmtsN8YtTFRUgZy9qBhlJiLD7ef0nkK8JkrM:Cf/lajcpC3tsN8EBRd8kblJiLD7znkk

Malware Config

Extracted

Family

redline

Botnet

kukish

C2

77.91.124.55:19071

Signatures

  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

  • RedLine payload 3 IoCs
  • Executes dropped EXE 6 IoCs
  • Adds Run key to start application 2 TTPs 5 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Program crash 1 IoCs
  • Suspicious use of WriteProcessMemory 28 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\477eff40308a79a29ed5532bd305397cfbc7d9aa675af690d5d98626dd9c96db.exe
    "C:\Users\Admin\AppData\Local\Temp\477eff40308a79a29ed5532bd305397cfbc7d9aa675af690d5d98626dd9c96db.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:5024
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\xQ9FN8xn.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\xQ9FN8xn.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:3752
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\yw8Yt8qc.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\yw8Yt8qc.exe
        3⤵
        • Executes dropped EXE
        • Adds Run key to start application
        • Suspicious use of WriteProcessMemory
        PID:2824
        • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\nP5sl3PK.exe
          C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\nP5sl3PK.exe
          4⤵
          • Executes dropped EXE
          • Adds Run key to start application
          • Suspicious use of WriteProcessMemory
          PID:2728
          • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\Cj9AV7id.exe
            C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\Cj9AV7id.exe
            5⤵
            • Executes dropped EXE
            • Adds Run key to start application
            • Suspicious use of WriteProcessMemory
            PID:4236
            • C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1an99dM7.exe
              C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1an99dM7.exe
              6⤵
              • Executes dropped EXE
              • Suspicious use of SetThreadContext
              • Suspicious use of WriteProcessMemory
              PID:2712
              • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
                "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
                7⤵
                PID:1220
                • C:\Windows\SysWOW64\WerFault.exe
                  C:\Windows\SysWOW64\WerFault.exe -u -p 1220 -s 568
                  8⤵
                  • Program crash
                  PID:164
              • C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2BA930jt.exe
                C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2BA930jt.exe
                6⤵
                • Executes dropped EXE
                PID:2416

Network

    • US
      DNS
      96.134.101.95.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      96.134.101.95.in-addr.arpa
      IN PTR
      Response
      96.134.101.95.in-addr.arpa
      IN PTR
      a95-101-134-96.deploy.static.akamaitechnologies.com
    • US
      DNS
      19.229.111.52.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      19.229.111.52.in-addr.arpa
      IN PTR
      Response
    • US
      DNS
      18.173.189.20.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      18.173.189.20.in-addr.arpa
      IN PTR
      Response
    • 77.91.124.55:19071
      2BA930jt.exe
      156 B
      3
    • 77.91.124.55:19071
      2BA930jt.exe
      156 B
      3
    • 77.91.124.55:19071
      2BA930jt.exe
      156 B
      3
    • 77.91.124.55:19071
      2BA930jt.exe
      156 B
      3
    • 77.91.124.55:19071
      2BA930jt.exe
      156 B
      3
    • 77.91.124.55:19071
      2BA930jt.exe
      156 B
      3
    • 8.8.8.8:53
      96.134.101.95.in-addr.arpa
      dns
      72 B
      137 B
      1
      1

      DNS Request

      96.134.101.95.in-addr.arpa

    • 8.8.8.8:53
      19.229.111.52.in-addr.arpa
      dns
      72 B
      158 B
      1
      1

      DNS Request

      19.229.111.52.in-addr.arpa

    • 8.8.8.8:53
      18.173.189.20.in-addr.arpa
      dns
      72 B
      158 B
      1
      1

      DNS Request

      18.173.189.20.in-addr.arpa

MITRE ATT&CK Enterprise v15

Downloads

    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\xQ9FN8xn.exe

      Filesize

      1.4MB

      MD5

      3a9498ef02f9064e0ac360c26d00d943

      SHA1

      617f6dbe66aa0139c2e99a4f053a36860565e93e

      SHA256

      c7919166bb6e4ef0ee07d865375e08a84cfab05ccc4007e03c2ee50da49e617b

      SHA512

      60736b50ab7ae6b7cdb436139ddce046c3fe100df227b03bdb76e4f8c46d2992100483637dcf351ccaadef5b5de791573d5683e13e0720661caeb4ec9be9333e

    • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\yw8Yt8qc.exe

      Filesize

      1.2MB

      MD5

      d375f511438636562992f7f7bc73bf10

      SHA1

      1f9b8c46af3d4e2dac20bdb75ee7a0b7c031e43f

      SHA256

      c3aaa8db149c2d4cc4eb61bb400d3e00dddad32b5f4da7a231b64aec34e03346

      SHA512

      a16b02949ac3dd1dd0245dedc73efd322781dc800faa3b47b8adc5364064e70048c88107ddc2591d1984441c51399ef6ec43046215ccd53be6988778f4e96372

    • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\nP5sl3PK.exe

      Filesize

      782KB

      MD5

      8b757cbde5ba54c44f56d67abd60d4f3

      SHA1

      ae6af1e4e7e0c34f2c95af22a8dc11f775a32f6a

      SHA256

      7a66930b790514bb04da619c7307e9896d97dca1933949c50a7f814f63994bb6

      SHA512

      381a22d82c997cb9abd10bc0d8559cdaf3e744e485d2bf60449bd478cc7aa99f4054ebd9aef2ae4c6190eb2d27a4ff90b945908b0ba46d5e633533af941e6fef

    • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\Cj9AV7id.exe

      Filesize

      581KB

      MD5

      23eb4bb71703067527c3911067f3ac39

      SHA1

      8c82d461f93d5ce11a6039a4b44f2e429cbb9f06

      SHA256

      917ac1d7e4b41e1bbedef201014de0013f4536bebf6cb1527be4fce647bf538d

      SHA512

      ae633bf14171fe4210cb985ea479989713a580bd5dc214beb03a4406c125b576b32fc3fd97f1131049b91cb13f2016ad64ffa1f224aeb223be6254784439049c

    • C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1an99dM7.exe

      Filesize

      1.1MB

      MD5

      6ef68ec5b2d91cbc9c66fa0553e527ec

      SHA1

      8d8ab02a5f2433cf12ba62336e4d774f2bbf21d2

      SHA256

      8ffa8c6bcf0b38b229ac57e8a8eacfad2d27bd2b6ec971af827609bfb919495f

      SHA512

      1a02ccdf3d1be279169bc25eb2a4452be337389b78050811ea4367ca624d5d169c7c7e157a73fe3be13378412e8d94606f41c157b5892cc76c4344ee85d204a6

    • C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2BA930jt.exe

      Filesize

      222KB

      MD5

      ca2da7d9a152e2b133f095fb49a7055a

      SHA1

      639fedda2b77f6b416f184c5da648d3306fac76c

      SHA256

      73868efb657845c63d642599b0267ccf7dd6112586f3fc0996a47dac86dbba82

      SHA512

      25565324bb7b964df9a7df98b15c6492b08bd3da007473da503998ed7e51e0009acde51e010bd41c384883a2c5412007843b23d20fc83c10fb1c29268284869b

    • memory/1220-35-0x0000000000400000-0x0000000000432000-memory.dmp

      Filesize

      200KB

    • memory/1220-41-0x0000000000400000-0x0000000000432000-memory.dmp

      Filesize

      200KB

    • memory/1220-42-0x0000000000400000-0x0000000000432000-memory.dmp

      Filesize

      200KB

    • memory/1220-44-0x0000000000400000-0x0000000000432000-memory.dmp

      Filesize

      200KB

    • memory/2416-47-0x0000000008190000-0x000000000868E000-memory.dmp

      Filesize

      5.0MB

    • memory/2416-46-0x0000000073840000-0x0000000073F2E000-memory.dmp

      Filesize

      6.9MB

    • memory/2416-45-0x0000000000EC0000-0x0000000000EFE000-memory.dmp

      Filesize

      248KB

    • memory/2416-48-0x0000000007C90000-0x0000000007D22000-memory.dmp

      Filesize

      584KB

    • memory/2416-49-0x0000000007D90000-0x0000000007D9A000-memory.dmp

      Filesize

      40KB

    • memory/2416-50-0x0000000008CA0000-0x00000000092A6000-memory.dmp

      Filesize

      6.0MB

    • memory/2416-51-0x0000000008040000-0x000000000814A000-memory.dmp

      Filesize

      1.0MB

    • memory/2416-52-0x0000000007E70000-0x0000000007E82000-memory.dmp

      Filesize

      72KB

    • memory/2416-53-0x0000000007F30000-0x0000000007F6E000-memory.dmp

      Filesize

      248KB

    • memory/2416-54-0x0000000007ED0000-0x0000000007F1B000-memory.dmp

      Filesize

      300KB

    • memory/2416-55-0x0000000073840000-0x0000000073F2E000-memory.dmp

      Filesize

      6.9MB
