redline | cd7cd2bb5a5b2b07cf0ee361f4f7f66a993896f792308b1ec9ef95f538afb44f

Analysis

max time kernel
142s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
16/10/2023, 00:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

cd7cd2bb5a5b2b07cf0ee361f4f7f66a993896f792308b1ec9ef95f538afb44f.exe
Size

1.1MB
MD5

258e87fa967c3dc0c360fd63aa81d1bf
SHA1

334a591725643b0e44637d3c0577a818ab137718
SHA256

cd7cd2bb5a5b2b07cf0ee361f4f7f66a993896f792308b1ec9ef95f538afb44f
SHA512

c750db7e5e71d69d67ca6f924d2d80c2d0a5ef97e2334e171036359971696ae8a214f27e199b8cd24eef65d0add2a3e7a9bb90dbd2eb042702228d0a565f6690
SSDEEP

24576:IyEhhQqPRv/08vU7Sbuzp4BI+9bAen4P+vmEx+cSAnlKeB:P2PP1M8vqSCmIg9dmo+hS

Score

10^/10

redline kukish infostealer persistence

Malware Config

Extracted

Family

redline

Botnet

kukish

77.91.124.55:19071

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 3 IoCs

resource	yara_rule
behavioral1/files/0x0006000000023227-41.dat	family_redline
behavioral1/files/0x0006000000023227-42.dat	family_redline
behavioral1/memory/3408-43-0x00000000008D0000-0x000000000090E000-memory.dmp	family_redline

Executes dropped EXE 6 IoCs

pid	Process
4352	zC9Oc6gD.exe
3508	Ml4IV5la.exe
3596	uo1DA0QZ.exe
3816	pe3Nm7Jr.exe
1780	1YW21Wp9.exe
3408	2AL736sq.exe

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	cd7cd2bb5a5b2b07cf0ee361f4f7f66a993896f792308b1ec9ef95f538afb44f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	zC9Oc6gD.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	Ml4IV5la.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	uo1DA0QZ.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\""	pe3Nm7Jr.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1780 set thread context of 4856	1780	1YW21Wp9.exe	88

Program crash 2 IoCs

pid	pid_target	Process	procid_target
3648	1780	WerFault.exe	86
1792	4856	WerFault.exe	88

Suspicious use of WriteProcessMemory 28 IoCs

description	pid	Process	procid_target
PID 1380 wrote to memory of 4352	1380	cd7cd2bb5a5b2b07cf0ee361f4f7f66a993896f792308b1ec9ef95f538afb44f.exe	82
PID 1380 wrote to memory of 4352	1380	cd7cd2bb5a5b2b07cf0ee361f4f7f66a993896f792308b1ec9ef95f538afb44f.exe	82
PID 1380 wrote to memory of 4352	1380	cd7cd2bb5a5b2b07cf0ee361f4f7f66a993896f792308b1ec9ef95f538afb44f.exe	82
PID 4352 wrote to memory of 3508	4352	zC9Oc6gD.exe	83
PID 4352 wrote to memory of 3508	4352	zC9Oc6gD.exe	83
PID 4352 wrote to memory of 3508	4352	zC9Oc6gD.exe	83
PID 3508 wrote to memory of 3596	3508	Ml4IV5la.exe	84
PID 3508 wrote to memory of 3596	3508	Ml4IV5la.exe	84
PID 3508 wrote to memory of 3596	3508	Ml4IV5la.exe	84
PID 3596 wrote to memory of 3816	3596	uo1DA0QZ.exe	85
PID 3596 wrote to memory of 3816	3596	uo1DA0QZ.exe	85
PID 3596 wrote to memory of 3816	3596	uo1DA0QZ.exe	85
PID 3816 wrote to memory of 1780	3816	pe3Nm7Jr.exe	86
PID 3816 wrote to memory of 1780	3816	pe3Nm7Jr.exe	86
PID 3816 wrote to memory of 1780	3816	pe3Nm7Jr.exe	86
PID 1780 wrote to memory of 4856	1780	1YW21Wp9.exe	88
PID 1780 wrote to memory of 4856	1780	1YW21Wp9.exe	88
PID 1780 wrote to memory of 4856	1780	1YW21Wp9.exe	88
PID 1780 wrote to memory of 4856	1780	1YW21Wp9.exe	88
PID 1780 wrote to memory of 4856	1780	1YW21Wp9.exe	88
PID 1780 wrote to memory of 4856	1780	1YW21Wp9.exe	88
PID 1780 wrote to memory of 4856	1780	1YW21Wp9.exe	88
PID 1780 wrote to memory of 4856	1780	1YW21Wp9.exe	88
PID 1780 wrote to memory of 4856	1780	1YW21Wp9.exe	88
PID 1780 wrote to memory of 4856	1780	1YW21Wp9.exe	88
PID 3816 wrote to memory of 3408	3816	pe3Nm7Jr.exe	95
PID 3816 wrote to memory of 3408	3816	pe3Nm7Jr.exe	95
PID 3816 wrote to memory of 3408	3816	pe3Nm7Jr.exe	95

C:\Users\Admin\AppData\Local\Temp\cd7cd2bb5a5b2b07cf0ee361f4f7f66a993896f792308b1ec9ef95f538afb44f.exe
"C:\Users\Admin\AppData\Local\Temp\cd7cd2bb5a5b2b07cf0ee361f4f7f66a993896f792308b1ec9ef95f538afb44f.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1380
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zC9Oc6gD.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zC9Oc6gD.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:4352
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Ml4IV5la.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Ml4IV5la.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:3508
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\uo1DA0QZ.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\uo1DA0QZ.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:3596
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\pe3Nm7Jr.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\pe3Nm7Jr.exe
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of WriteProcessMemory
        
        PID:3816
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1YW21Wp9.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1YW21Wp9.exe
        6⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:1780
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        7⤵
        
        PID:4856
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4856 -s 540
        8⤵
        Program crash
        
        PID:1792
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1780 -s 604
        7⤵
        Program crash
        
        PID:3648
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2AL736sq.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2AL736sq.exe
        6⤵
        Executes dropped EXE
        
        PID:3408

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 4856 -ip 4856
1⤵
PID:3480

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 1780 -ip 1780
1⤵
PID:5112

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zC9Oc6gD.exe

Filesize
1000KB

MD5
5435dd437858fa1360e284784372624f

SHA1
d5978ca8df8fe8c9763a67a5a1acdcf3af1b707a

SHA256
beba4754b0a7c1463c84587ad9866baaa14fab38894392a8daa2286902155af4

SHA512
eba287863543a7d045d1ef08ce7afa9b724d4ce6369582a6b2e0e4e5925ca8fa58e248af0d4e64826b22317286f64175ed562109748d218dbcb759ed2c15d276

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zC9Oc6gD.exe

Filesize
1000KB

MD5
5435dd437858fa1360e284784372624f

SHA1
d5978ca8df8fe8c9763a67a5a1acdcf3af1b707a

SHA256
beba4754b0a7c1463c84587ad9866baaa14fab38894392a8daa2286902155af4

SHA512
eba287863543a7d045d1ef08ce7afa9b724d4ce6369582a6b2e0e4e5925ca8fa58e248af0d4e64826b22317286f64175ed562109748d218dbcb759ed2c15d276

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Ml4IV5la.exe

Filesize
811KB

MD5
da343c51d2630c94f26aec091e3e6c7c

SHA1
742db1d56da44719b84d64034225f4a50e9376b9

SHA256
de14d54727f74b59a71aebc6cf281e0dc1ec300af886ca22f30780b9b8277dbd

SHA512
8a3e022783c6a23f11de383a496db280c6430da312ccb1cf37196505a08eba99756dc32106fcb1659a01b8dd742a1a18504dded93776702d161f91887bcf9515

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Ml4IV5la.exe

Filesize
811KB

MD5
da343c51d2630c94f26aec091e3e6c7c

SHA1
742db1d56da44719b84d64034225f4a50e9376b9

SHA256
de14d54727f74b59a71aebc6cf281e0dc1ec300af886ca22f30780b9b8277dbd

SHA512
8a3e022783c6a23f11de383a496db280c6430da312ccb1cf37196505a08eba99756dc32106fcb1659a01b8dd742a1a18504dded93776702d161f91887bcf9515

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\uo1DA0QZ.exe

Filesize
577KB

MD5
cf0439e80ac8018c47f4b6c408c79fe9

SHA1
928b8c935206fe5d26ab867e8242370832122bbe

SHA256
00e132595173bf95b2edd90166cc1234fca082f876dfa3b454bba99282e36958

SHA512
1b3583c29145ddded0eecfa656df18971db3cff7a841c0fd2bae653ed54c6982e441c3d1260a18f172cc2e4a3e1fae4a6c5bd1831d12bc772a621a01ee2f84b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\uo1DA0QZ.exe

Filesize
577KB

MD5
cf0439e80ac8018c47f4b6c408c79fe9

SHA1
928b8c935206fe5d26ab867e8242370832122bbe

SHA256
00e132595173bf95b2edd90166cc1234fca082f876dfa3b454bba99282e36958

SHA512
1b3583c29145ddded0eecfa656df18971db3cff7a841c0fd2bae653ed54c6982e441c3d1260a18f172cc2e4a3e1fae4a6c5bd1831d12bc772a621a01ee2f84b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\pe3Nm7Jr.exe

Filesize
382KB

MD5
9c1ae8bc58ac26d580174ba22c433d79

SHA1
a021b3f6f8050be6673cb2456d904268c2805fe7

SHA256
abdb8b7623ca6ab698f9259eba76d4d26a080f42c1de051e0505ac996674a67f

SHA512
79bf6297424e10fcc6deb284138d5c943629a5aff8bc7174c5d2e8ef495545285c20791999cd9447a9aa1394e4c812d62421e9ebd3ea7134fc4dc63a68204b28

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\pe3Nm7Jr.exe

Filesize
382KB

MD5
9c1ae8bc58ac26d580174ba22c433d79

SHA1
a021b3f6f8050be6673cb2456d904268c2805fe7

SHA256
abdb8b7623ca6ab698f9259eba76d4d26a080f42c1de051e0505ac996674a67f

SHA512
79bf6297424e10fcc6deb284138d5c943629a5aff8bc7174c5d2e8ef495545285c20791999cd9447a9aa1394e4c812d62421e9ebd3ea7134fc4dc63a68204b28

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1YW21Wp9.exe

Filesize
295KB

MD5
ba6806e09e0617ab727abb9804759d83

SHA1
62413aeac9a0938d66e9e8d7a57e91cbffab91f1

SHA256
d33a327c26c2eb980e273cabb9a342d41891f5a45fb55bc65309179cb4c0c64f

SHA512
26902b6a5787d4c008b60add14e9f120852eec90f467ace29783af25b9dac8d93216fef6ce169d081876695f4c70fd1e8fa3bdfbd4f8532cfa91d3afcae9c80f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1YW21Wp9.exe

Filesize
295KB

MD5
ba6806e09e0617ab727abb9804759d83

SHA1
62413aeac9a0938d66e9e8d7a57e91cbffab91f1

SHA256
d33a327c26c2eb980e273cabb9a342d41891f5a45fb55bc65309179cb4c0c64f

SHA512
26902b6a5787d4c008b60add14e9f120852eec90f467ace29783af25b9dac8d93216fef6ce169d081876695f4c70fd1e8fa3bdfbd4f8532cfa91d3afcae9c80f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2AL736sq.exe

Filesize
222KB

MD5
1b7601bd97685054727c8ada65d9a0de

SHA1
80cc886b944b73249a83381adfba46698dd5f087

SHA256
64199496342990a177ea505db8e336801e0c0d4d8ae01173d54f1fb1c8fa0117

SHA512
42822450ccc7d15e4205e02bb6f2531c6c3806ee27f352a44513edffbc81d1d9958c58f10362f8c1cd7765b62a2c5fbd9769563788ccd56ea1d198aa53d33519

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2AL736sq.exe

Filesize
222KB

MD5
1b7601bd97685054727c8ada65d9a0de

SHA1
80cc886b944b73249a83381adfba46698dd5f087

SHA256
64199496342990a177ea505db8e336801e0c0d4d8ae01173d54f1fb1c8fa0117

SHA512
42822450ccc7d15e4205e02bb6f2531c6c3806ee27f352a44513edffbc81d1d9958c58f10362f8c1cd7765b62a2c5fbd9769563788ccd56ea1d198aa53d33519

Download Submit
memory/3408-46-0x00000000076F0000-0x0000000007782000-memory.dmp

Filesize
584KB

Download
memory/3408-48-0x00000000076B0000-0x00000000076BA000-memory.dmp

Filesize
40KB

Download
memory/3408-55-0x0000000007910000-0x0000000007920000-memory.dmp

Filesize
64KB

Download
memory/3408-54-0x0000000073E90000-0x0000000074640000-memory.dmp

Filesize
7.7MB

Download
memory/3408-43-0x00000000008D0000-0x000000000090E000-memory.dmp

Filesize
248KB

Download
memory/3408-44-0x0000000073E90000-0x0000000074640000-memory.dmp

Filesize
7.7MB

Download
memory/3408-45-0x0000000007C00000-0x00000000081A4000-memory.dmp

Filesize
5.6MB

Download
memory/3408-53-0x00000000079E0000-0x0000000007A2C000-memory.dmp

Filesize
304KB

Download
memory/3408-52-0x00000000079A0000-0x00000000079DC000-memory.dmp

Filesize
240KB

Download
memory/3408-49-0x00000000087D0000-0x0000000008DE8000-memory.dmp

Filesize
6.1MB

Download
memory/3408-47-0x0000000007910000-0x0000000007920000-memory.dmp

Filesize
64KB

Download
memory/3408-50-0x0000000007A30000-0x0000000007B3A000-memory.dmp

Filesize
1.0MB

Download
memory/3408-51-0x0000000007940000-0x0000000007952000-memory.dmp

Filesize
72KB

Download
memory/4856-39-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/4856-36-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/4856-37-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/4856-35-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads