redline | 477eff40308a79a29ed5532bd305397cfbc7d9aa675af690d5d98626dd9c96db

Analysis

max time kernel
138s
max time network
156s
platform
windows10-1703_x64
resource
win10-20230915-en
resource tags

arch:x64arch:x86image:win10-20230915-enlocale:en-usos:windows10-1703-x64system
submitted
14/10/2023, 08:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

477eff40308a79a29ed5532bd305397cfbc7d9aa675af690d5d98626dd9c96db.exe
Size

1.5MB
MD5

27a377d27d16aa9df83edabfd23b565a
SHA1

4d4d71f95db9e6b0e80c1decfd7e587b71e5663d
SHA256

477eff40308a79a29ed5532bd305397cfbc7d9aa675af690d5d98626dd9c96db
SHA512

f89a2dc0b7b7a9e9843dcaed4c436a0ea6d485bfe5e741cdef46de3dc6f21c6f55194cc47d98efda2f3483b8a5f6df854282af8dface09758496d7aa9651010a
SSDEEP

24576:3y1IC/BgLwm1SaGpzU4VpCDyRmtsN8YtTFRUgZy9qBhlJiLD7ef0nkK8JkrM:Cf/lajcpC3tsN8EBRd8kblJiLD7znkk

Score

10^/10

redline kukish infostealer persistence

Malware Config

Extracted

Family

redline

Botnet

kukish

77.91.124.55:19071

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 3 IoCs

resource	yara_rule
behavioral1/files/0x000600000001afa0-39.dat	family_redline
behavioral1/files/0x000600000001afa0-40.dat	family_redline
behavioral1/memory/2416-45-0x0000000000EC0000-0x0000000000EFE000-memory.dmp	family_redline

Executes dropped EXE 6 IoCs

pid	Process
3752	xQ9FN8xn.exe
2824	yw8Yt8qc.exe
2728	nP5sl3PK.exe
4236	Cj9AV7id.exe
2712	1an99dM7.exe
2416	2BA930jt.exe

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	nP5sl3PK.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\""	Cj9AV7id.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	477eff40308a79a29ed5532bd305397cfbc7d9aa675af690d5d98626dd9c96db.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	xQ9FN8xn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	yw8Yt8qc.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2712 set thread context of 1220	2712	1an99dM7.exe	76

Program crash 1 IoCs

pid	pid_target	Process	procid_target
164	1220	WerFault.exe	76

Suspicious use of WriteProcessMemory 28 IoCs

description	pid	Process	procid_target
PID 5024 wrote to memory of 3752	5024	477eff40308a79a29ed5532bd305397cfbc7d9aa675af690d5d98626dd9c96db.exe	70
PID 5024 wrote to memory of 3752	5024	477eff40308a79a29ed5532bd305397cfbc7d9aa675af690d5d98626dd9c96db.exe	70
PID 5024 wrote to memory of 3752	5024	477eff40308a79a29ed5532bd305397cfbc7d9aa675af690d5d98626dd9c96db.exe	70
PID 3752 wrote to memory of 2824	3752	xQ9FN8xn.exe	71
PID 3752 wrote to memory of 2824	3752	xQ9FN8xn.exe	71
PID 3752 wrote to memory of 2824	3752	xQ9FN8xn.exe	71
PID 2824 wrote to memory of 2728	2824	yw8Yt8qc.exe	72
PID 2824 wrote to memory of 2728	2824	yw8Yt8qc.exe	72
PID 2824 wrote to memory of 2728	2824	yw8Yt8qc.exe	72
PID 2728 wrote to memory of 4236	2728	nP5sl3PK.exe	73
PID 2728 wrote to memory of 4236	2728	nP5sl3PK.exe	73
PID 2728 wrote to memory of 4236	2728	nP5sl3PK.exe	73
PID 4236 wrote to memory of 2712	4236	Cj9AV7id.exe	74
PID 4236 wrote to memory of 2712	4236	Cj9AV7id.exe	74
PID 4236 wrote to memory of 2712	4236	Cj9AV7id.exe	74
PID 2712 wrote to memory of 1220	2712	1an99dM7.exe	76
PID 2712 wrote to memory of 1220	2712	1an99dM7.exe	76
PID 2712 wrote to memory of 1220	2712	1an99dM7.exe	76
PID 2712 wrote to memory of 1220	2712	1an99dM7.exe	76
PID 2712 wrote to memory of 1220	2712	1an99dM7.exe	76
PID 2712 wrote to memory of 1220	2712	1an99dM7.exe	76
PID 2712 wrote to memory of 1220	2712	1an99dM7.exe	76
PID 2712 wrote to memory of 1220	2712	1an99dM7.exe	76
PID 2712 wrote to memory of 1220	2712	1an99dM7.exe	76
PID 2712 wrote to memory of 1220	2712	1an99dM7.exe	76
PID 4236 wrote to memory of 2416	4236	Cj9AV7id.exe	77
PID 4236 wrote to memory of 2416	4236	Cj9AV7id.exe	77
PID 4236 wrote to memory of 2416	4236	Cj9AV7id.exe	77

C:\Users\Admin\AppData\Local\Temp\477eff40308a79a29ed5532bd305397cfbc7d9aa675af690d5d98626dd9c96db.exe
"C:\Users\Admin\AppData\Local\Temp\477eff40308a79a29ed5532bd305397cfbc7d9aa675af690d5d98626dd9c96db.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:5024
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\xQ9FN8xn.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\xQ9FN8xn.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:3752
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\yw8Yt8qc.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\yw8Yt8qc.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:2824
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\nP5sl3PK.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\nP5sl3PK.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:2728
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\Cj9AV7id.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\Cj9AV7id.exe
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of WriteProcessMemory
        
        PID:4236
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1an99dM7.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1an99dM7.exe
        6⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:2712
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        7⤵
        
        PID:1220
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1220 -s 568
        8⤵
        Program crash
        
        PID:164
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2BA930jt.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2BA930jt.exe
        6⤵
        Executes dropped EXE
        
        PID:2416

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\xQ9FN8xn.exe

Filesize
1.4MB

MD5
3a9498ef02f9064e0ac360c26d00d943

SHA1
617f6dbe66aa0139c2e99a4f053a36860565e93e

SHA256
c7919166bb6e4ef0ee07d865375e08a84cfab05ccc4007e03c2ee50da49e617b

SHA512
60736b50ab7ae6b7cdb436139ddce046c3fe100df227b03bdb76e4f8c46d2992100483637dcf351ccaadef5b5de791573d5683e13e0720661caeb4ec9be9333e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\xQ9FN8xn.exe

Filesize
1.4MB

MD5
3a9498ef02f9064e0ac360c26d00d943

SHA1
617f6dbe66aa0139c2e99a4f053a36860565e93e

SHA256
c7919166bb6e4ef0ee07d865375e08a84cfab05ccc4007e03c2ee50da49e617b

SHA512
60736b50ab7ae6b7cdb436139ddce046c3fe100df227b03bdb76e4f8c46d2992100483637dcf351ccaadef5b5de791573d5683e13e0720661caeb4ec9be9333e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\yw8Yt8qc.exe

Filesize
1.2MB

MD5
d375f511438636562992f7f7bc73bf10

SHA1
1f9b8c46af3d4e2dac20bdb75ee7a0b7c031e43f

SHA256
c3aaa8db149c2d4cc4eb61bb400d3e00dddad32b5f4da7a231b64aec34e03346

SHA512
a16b02949ac3dd1dd0245dedc73efd322781dc800faa3b47b8adc5364064e70048c88107ddc2591d1984441c51399ef6ec43046215ccd53be6988778f4e96372

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\yw8Yt8qc.exe

Filesize
1.2MB

MD5
d375f511438636562992f7f7bc73bf10

SHA1
1f9b8c46af3d4e2dac20bdb75ee7a0b7c031e43f

SHA256
c3aaa8db149c2d4cc4eb61bb400d3e00dddad32b5f4da7a231b64aec34e03346

SHA512
a16b02949ac3dd1dd0245dedc73efd322781dc800faa3b47b8adc5364064e70048c88107ddc2591d1984441c51399ef6ec43046215ccd53be6988778f4e96372

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\nP5sl3PK.exe

Filesize
782KB

MD5
8b757cbde5ba54c44f56d67abd60d4f3

SHA1
ae6af1e4e7e0c34f2c95af22a8dc11f775a32f6a

SHA256
7a66930b790514bb04da619c7307e9896d97dca1933949c50a7f814f63994bb6

SHA512
381a22d82c997cb9abd10bc0d8559cdaf3e744e485d2bf60449bd478cc7aa99f4054ebd9aef2ae4c6190eb2d27a4ff90b945908b0ba46d5e633533af941e6fef

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\nP5sl3PK.exe

Filesize
782KB

MD5
8b757cbde5ba54c44f56d67abd60d4f3

SHA1
ae6af1e4e7e0c34f2c95af22a8dc11f775a32f6a

SHA256
7a66930b790514bb04da619c7307e9896d97dca1933949c50a7f814f63994bb6

SHA512
381a22d82c997cb9abd10bc0d8559cdaf3e744e485d2bf60449bd478cc7aa99f4054ebd9aef2ae4c6190eb2d27a4ff90b945908b0ba46d5e633533af941e6fef

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\Cj9AV7id.exe

Filesize
581KB

MD5
23eb4bb71703067527c3911067f3ac39

SHA1
8c82d461f93d5ce11a6039a4b44f2e429cbb9f06

SHA256
917ac1d7e4b41e1bbedef201014de0013f4536bebf6cb1527be4fce647bf538d

SHA512
ae633bf14171fe4210cb985ea479989713a580bd5dc214beb03a4406c125b576b32fc3fd97f1131049b91cb13f2016ad64ffa1f224aeb223be6254784439049c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\Cj9AV7id.exe

Filesize
581KB

MD5
23eb4bb71703067527c3911067f3ac39

SHA1
8c82d461f93d5ce11a6039a4b44f2e429cbb9f06

SHA256
917ac1d7e4b41e1bbedef201014de0013f4536bebf6cb1527be4fce647bf538d

SHA512
ae633bf14171fe4210cb985ea479989713a580bd5dc214beb03a4406c125b576b32fc3fd97f1131049b91cb13f2016ad64ffa1f224aeb223be6254784439049c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1an99dM7.exe

Filesize
1.1MB

MD5
6ef68ec5b2d91cbc9c66fa0553e527ec

SHA1
8d8ab02a5f2433cf12ba62336e4d774f2bbf21d2

SHA256
8ffa8c6bcf0b38b229ac57e8a8eacfad2d27bd2b6ec971af827609bfb919495f

SHA512
1a02ccdf3d1be279169bc25eb2a4452be337389b78050811ea4367ca624d5d169c7c7e157a73fe3be13378412e8d94606f41c157b5892cc76c4344ee85d204a6

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1an99dM7.exe

Filesize
1.1MB

MD5
6ef68ec5b2d91cbc9c66fa0553e527ec

SHA1
8d8ab02a5f2433cf12ba62336e4d774f2bbf21d2

SHA256
8ffa8c6bcf0b38b229ac57e8a8eacfad2d27bd2b6ec971af827609bfb919495f

SHA512
1a02ccdf3d1be279169bc25eb2a4452be337389b78050811ea4367ca624d5d169c7c7e157a73fe3be13378412e8d94606f41c157b5892cc76c4344ee85d204a6

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2BA930jt.exe

Filesize
222KB

MD5
ca2da7d9a152e2b133f095fb49a7055a

SHA1
639fedda2b77f6b416f184c5da648d3306fac76c

SHA256
73868efb657845c63d642599b0267ccf7dd6112586f3fc0996a47dac86dbba82

SHA512
25565324bb7b964df9a7df98b15c6492b08bd3da007473da503998ed7e51e0009acde51e010bd41c384883a2c5412007843b23d20fc83c10fb1c29268284869b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2BA930jt.exe

Filesize
222KB

MD5
ca2da7d9a152e2b133f095fb49a7055a

SHA1
639fedda2b77f6b416f184c5da648d3306fac76c

SHA256
73868efb657845c63d642599b0267ccf7dd6112586f3fc0996a47dac86dbba82

SHA512
25565324bb7b964df9a7df98b15c6492b08bd3da007473da503998ed7e51e0009acde51e010bd41c384883a2c5412007843b23d20fc83c10fb1c29268284869b

Download Submit
memory/1220-35-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/1220-41-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/1220-42-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/1220-44-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/2416-47-0x0000000008190000-0x000000000868E000-memory.dmp

Filesize
5.0MB

Download
memory/2416-46-0x0000000073840000-0x0000000073F2E000-memory.dmp

Filesize
6.9MB

Download
memory/2416-45-0x0000000000EC0000-0x0000000000EFE000-memory.dmp

Filesize
248KB

Download
memory/2416-48-0x0000000007C90000-0x0000000007D22000-memory.dmp

Filesize
584KB

Download
memory/2416-49-0x0000000007D90000-0x0000000007D9A000-memory.dmp

Filesize
40KB

Download
memory/2416-50-0x0000000008CA0000-0x00000000092A6000-memory.dmp

Filesize
6.0MB

Download
memory/2416-51-0x0000000008040000-0x000000000814A000-memory.dmp

Filesize
1.0MB

Download
memory/2416-52-0x0000000007E70000-0x0000000007E82000-memory.dmp

Filesize
72KB

Download
memory/2416-53-0x0000000007F30000-0x0000000007F6E000-memory.dmp

Filesize
248KB

Download
memory/2416-54-0x0000000007ED0000-0x0000000007F1B000-memory.dmp

Filesize
300KB

Download
memory/2416-55-0x0000000073840000-0x0000000073F2E000-memory.dmp

Filesize
6.9MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads