redline | 8ed90dc98394c745d2db2ecf6c21c4348eeec39cb29f5f4c565bf41bd041adfd

Analysis

max time kernel
282s
max time network
302s
platform
windows10-1703_x64
resource
win10-20230915-en
resource tags

arch:x64arch:x86image:win10-20230915-enlocale:en-usos:windows10-1703-x64system
submitted
15/10/2023, 22:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8ed90dc98394c745d2db2ecf6c21c4348eeec39cb29f5f4c565bf41bd041adfd.exe
Size

1.5MB
MD5

b7a66bf68b76cd7b21e476795f54a167
SHA1

8f02737dd5ca65cb4d1b61faf90abe839de61a8c
SHA256

8ed90dc98394c745d2db2ecf6c21c4348eeec39cb29f5f4c565bf41bd041adfd
SHA512

2c8eeaa7a1e3a2d629bd975de888f485c4ea94c4aeffc42675eae3232f787c0ce4d061c31360df417474dfba3742b5d18f29bbed9c251231f799380716319d9a
SSDEEP

24576:Ry112yQRjGv0pMPU3e4CwVOtDBHF54gq7rdDkbxqdwD2C6n04NC7GRY+HB:E112y8GvSMPDlwVOtdl5BWrJ3dS54N

Score

10^/10

redline kukish infostealer persistence

Malware Config

Extracted

Family

redline

Botnet

kukish

77.91.124.55:19071

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 3 IoCs

resource	yara_rule
behavioral2/files/0x000600000001afb1-40.dat	family_redline
behavioral2/files/0x000600000001afb1-43.dat	family_redline
behavioral2/memory/4456-45-0x0000000000D00000-0x0000000000D3E000-memory.dmp	family_redline

Executes dropped EXE 6 IoCs

pid	Process
4464	Do0gp2vv.exe
1356	WI1LB1lM.exe
1564	xY1ol9cz.exe
4944	Lv0ai3dz.exe
1776	1pm49Un8.exe
4456	2hp794uB.exe

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\""	Lv0ai3dz.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	8ed90dc98394c745d2db2ecf6c21c4348eeec39cb29f5f4c565bf41bd041adfd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	Do0gp2vv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	WI1LB1lM.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	xY1ol9cz.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1776 set thread context of 4444	1776	1pm49Un8.exe	76

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4448	4444	WerFault.exe	76

Suspicious use of WriteProcessMemory 28 IoCs

description	pid	Process	procid_target
PID 1168 wrote to memory of 4464	1168	8ed90dc98394c745d2db2ecf6c21c4348eeec39cb29f5f4c565bf41bd041adfd.exe	70
PID 1168 wrote to memory of 4464	1168	8ed90dc98394c745d2db2ecf6c21c4348eeec39cb29f5f4c565bf41bd041adfd.exe	70
PID 1168 wrote to memory of 4464	1168	8ed90dc98394c745d2db2ecf6c21c4348eeec39cb29f5f4c565bf41bd041adfd.exe	70
PID 4464 wrote to memory of 1356	4464	Do0gp2vv.exe	71
PID 4464 wrote to memory of 1356	4464	Do0gp2vv.exe	71
PID 4464 wrote to memory of 1356	4464	Do0gp2vv.exe	71
PID 1356 wrote to memory of 1564	1356	WI1LB1lM.exe	72
PID 1356 wrote to memory of 1564	1356	WI1LB1lM.exe	72
PID 1356 wrote to memory of 1564	1356	WI1LB1lM.exe	72
PID 1564 wrote to memory of 4944	1564	xY1ol9cz.exe	73
PID 1564 wrote to memory of 4944	1564	xY1ol9cz.exe	73
PID 1564 wrote to memory of 4944	1564	xY1ol9cz.exe	73
PID 4944 wrote to memory of 1776	4944	Lv0ai3dz.exe	74
PID 4944 wrote to memory of 1776	4944	Lv0ai3dz.exe	74
PID 4944 wrote to memory of 1776	4944	Lv0ai3dz.exe	74
PID 1776 wrote to memory of 4444	1776	1pm49Un8.exe	76
PID 1776 wrote to memory of 4444	1776	1pm49Un8.exe	76
PID 1776 wrote to memory of 4444	1776	1pm49Un8.exe	76
PID 1776 wrote to memory of 4444	1776	1pm49Un8.exe	76
PID 1776 wrote to memory of 4444	1776	1pm49Un8.exe	76
PID 1776 wrote to memory of 4444	1776	1pm49Un8.exe	76
PID 1776 wrote to memory of 4444	1776	1pm49Un8.exe	76
PID 1776 wrote to memory of 4444	1776	1pm49Un8.exe	76
PID 1776 wrote to memory of 4444	1776	1pm49Un8.exe	76
PID 1776 wrote to memory of 4444	1776	1pm49Un8.exe	76
PID 4944 wrote to memory of 4456	4944	Lv0ai3dz.exe	77
PID 4944 wrote to memory of 4456	4944	Lv0ai3dz.exe	77
PID 4944 wrote to memory of 4456	4944	Lv0ai3dz.exe	77

C:\Users\Admin\AppData\Local\Temp\8ed90dc98394c745d2db2ecf6c21c4348eeec39cb29f5f4c565bf41bd041adfd.exe
"C:\Users\Admin\AppData\Local\Temp\8ed90dc98394c745d2db2ecf6c21c4348eeec39cb29f5f4c565bf41bd041adfd.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1168
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Do0gp2vv.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Do0gp2vv.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:4464
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\WI1LB1lM.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\WI1LB1lM.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:1356
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\xY1ol9cz.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\xY1ol9cz.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:1564
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\Lv0ai3dz.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\Lv0ai3dz.exe
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of WriteProcessMemory
        
        PID:4944
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1pm49Un8.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1pm49Un8.exe
        6⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:1776
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        7⤵
        
        PID:4444
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4444 -s 568
        8⤵
        Program crash
        
        PID:4448
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2hp794uB.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2hp794uB.exe
        6⤵
        Executes dropped EXE
        
        PID:4456

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Do0gp2vv.exe

Filesize
1.4MB

MD5
105bec1210f31e6cc6cd56f098462739

SHA1
f93fcced32e10e2c21e65fc84abb377a628f3bb3

SHA256
6cf858a24a97e5a08ff3f4ef1ccbeef1188af9cc54d069416949618e8d663e54

SHA512
7e8f2f29a4ba01069347d56450dac701827416f07c849371eb8f004e301b6e3642a1f94524ec07c85bb5019dc57e5b199ad2a50be3ed3a8415df153c6c8fa65d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Do0gp2vv.exe

Filesize
1.4MB

MD5
105bec1210f31e6cc6cd56f098462739

SHA1
f93fcced32e10e2c21e65fc84abb377a628f3bb3

SHA256
6cf858a24a97e5a08ff3f4ef1ccbeef1188af9cc54d069416949618e8d663e54

SHA512
7e8f2f29a4ba01069347d56450dac701827416f07c849371eb8f004e301b6e3642a1f94524ec07c85bb5019dc57e5b199ad2a50be3ed3a8415df153c6c8fa65d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\WI1LB1lM.exe

Filesize
1.2MB

MD5
2184c0b0f1719f6e847905d1b8c16d75

SHA1
a346ddfc7dfac42ef45b856957a49da604d4788a

SHA256
7e6bab949194c1776ccda7ecf613ef45e2d619717d44730efec0049e322789d0

SHA512
515fe6cbaf9cc7ecef386b1c9fe455d5e177a6d5b10e6ad4c0454b2958faba3ddacd21d1ddbbbc747608dd0b6468dee306aa0c63862d36e1d56accc2c4123423

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\WI1LB1lM.exe

Filesize
1.2MB

MD5
2184c0b0f1719f6e847905d1b8c16d75

SHA1
a346ddfc7dfac42ef45b856957a49da604d4788a

SHA256
7e6bab949194c1776ccda7ecf613ef45e2d619717d44730efec0049e322789d0

SHA512
515fe6cbaf9cc7ecef386b1c9fe455d5e177a6d5b10e6ad4c0454b2958faba3ddacd21d1ddbbbc747608dd0b6468dee306aa0c63862d36e1d56accc2c4123423

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\xY1ol9cz.exe

Filesize
782KB

MD5
40b509736f2336f0ae4798e08093be25

SHA1
aef0b5561edf2078238e0550b1468910c0730d2b

SHA256
5570e3901d5acc58fb38547e39a9784bf614606e68618789df0d7e29da683d81

SHA512
1e42ec6f3e618a4259c5c4b809f3109ff8807e5d83b7f37f541b3eba599f3fe153ea43002eabdfcc2bd4e5e21fc3ece00f95f35ae8c9c4cc09a61e0c07dad22d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\xY1ol9cz.exe

Filesize
782KB

MD5
40b509736f2336f0ae4798e08093be25

SHA1
aef0b5561edf2078238e0550b1468910c0730d2b

SHA256
5570e3901d5acc58fb38547e39a9784bf614606e68618789df0d7e29da683d81

SHA512
1e42ec6f3e618a4259c5c4b809f3109ff8807e5d83b7f37f541b3eba599f3fe153ea43002eabdfcc2bd4e5e21fc3ece00f95f35ae8c9c4cc09a61e0c07dad22d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\Lv0ai3dz.exe

Filesize
581KB

MD5
47faacabe3e611fee8ca21df0ee60a3a

SHA1
d7ce2a93a642faa7760fa90088472e04dadaa38c

SHA256
bfed9559148c0f2b326d1f171a302f4bde8440ff3a1a4fc1bcba1a3f69a0a5cf

SHA512
5f0429f0da1a4a9ab3d4ea585eaa22666d545d943875e4a7b70b70cfedc4678fed99e9f9296f4d320ca1ad657d5d2da9c8576e177fd7d02e4aa286d98d00fcca

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\Lv0ai3dz.exe

Filesize
581KB

MD5
47faacabe3e611fee8ca21df0ee60a3a

SHA1
d7ce2a93a642faa7760fa90088472e04dadaa38c

SHA256
bfed9559148c0f2b326d1f171a302f4bde8440ff3a1a4fc1bcba1a3f69a0a5cf

SHA512
5f0429f0da1a4a9ab3d4ea585eaa22666d545d943875e4a7b70b70cfedc4678fed99e9f9296f4d320ca1ad657d5d2da9c8576e177fd7d02e4aa286d98d00fcca

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1pm49Un8.exe

Filesize
1.1MB

MD5
6ef68ec5b2d91cbc9c66fa0553e527ec

SHA1
8d8ab02a5f2433cf12ba62336e4d774f2bbf21d2

SHA256
8ffa8c6bcf0b38b229ac57e8a8eacfad2d27bd2b6ec971af827609bfb919495f

SHA512
1a02ccdf3d1be279169bc25eb2a4452be337389b78050811ea4367ca624d5d169c7c7e157a73fe3be13378412e8d94606f41c157b5892cc76c4344ee85d204a6

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1pm49Un8.exe

Filesize
1.1MB

MD5
6ef68ec5b2d91cbc9c66fa0553e527ec

SHA1
8d8ab02a5f2433cf12ba62336e4d774f2bbf21d2

SHA256
8ffa8c6bcf0b38b229ac57e8a8eacfad2d27bd2b6ec971af827609bfb919495f

SHA512
1a02ccdf3d1be279169bc25eb2a4452be337389b78050811ea4367ca624d5d169c7c7e157a73fe3be13378412e8d94606f41c157b5892cc76c4344ee85d204a6

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2hp794uB.exe

Filesize
222KB

MD5
d049270ff6e8fdefaafc53820f3ea25a

SHA1
606c65b1c7a3c2400e14f4e97bac91027ce600ea

SHA256
e0914346800baf7dd7a64af17a4cca8def0eb6c5df5da8376299c5ee9a901e6e

SHA512
74d08cc70eb0094dca50553f825fb4f240bbbd9a0e274accde47a0c46c3463ac33575c204757183dbaa09afc8fb2e1bbd6aa8464a3539758982eb9a1ce38d347

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2hp794uB.exe

Filesize
222KB

MD5
d049270ff6e8fdefaafc53820f3ea25a

SHA1
606c65b1c7a3c2400e14f4e97bac91027ce600ea

SHA256
e0914346800baf7dd7a64af17a4cca8def0eb6c5df5da8376299c5ee9a901e6e

SHA512
74d08cc70eb0094dca50553f825fb4f240bbbd9a0e274accde47a0c46c3463ac33575c204757183dbaa09afc8fb2e1bbd6aa8464a3539758982eb9a1ce38d347

Download Submit
memory/4444-41-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/4444-38-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/4444-44-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/4444-35-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/4456-48-0x0000000007AA0000-0x0000000007B32000-memory.dmp

Filesize
584KB

Download
memory/4456-46-0x0000000073590000-0x0000000073C7E000-memory.dmp

Filesize
6.9MB

Download
memory/4456-47-0x0000000007EC0000-0x00000000083BE000-memory.dmp

Filesize
5.0MB

Download
memory/4456-45-0x0000000000D00000-0x0000000000D3E000-memory.dmp

Filesize
248KB

Download
memory/4456-49-0x0000000007A80000-0x0000000007A8A000-memory.dmp

Filesize
40KB

Download
memory/4456-50-0x00000000089D0000-0x0000000008FD6000-memory.dmp

Filesize
6.0MB

Download
memory/4456-51-0x0000000007DA0000-0x0000000007EAA000-memory.dmp

Filesize
1.0MB

Download
memory/4456-52-0x0000000007CD0000-0x0000000007CE2000-memory.dmp

Filesize
72KB

Download
memory/4456-53-0x0000000007D30000-0x0000000007D6E000-memory.dmp

Filesize
248KB

Download
memory/4456-54-0x00000000083C0000-0x000000000840B000-memory.dmp

Filesize
300KB

Download
memory/4456-55-0x0000000073590000-0x0000000073C7E000-memory.dmp

Filesize
6.9MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads