redline | 16b57a52fbdc94326ec0f9428a6eb35c6e65f297463a23c44d657c4c22591d91

Analysis

max time kernel
155s
max time network
172s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
16/10/2023, 03:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

16b57a52fbdc94326ec0f9428a6eb35c6e65f297463a23c44d657c4c22591d91.exe
Size

1.1MB
MD5

0c2bb7640eaf5b885e02b16430ba7ca4
SHA1

847f3179118541ac5327d6d3ab3fa7a6a9c0f47e
SHA256

16b57a52fbdc94326ec0f9428a6eb35c6e65f297463a23c44d657c4c22591d91
SHA512

ea208ed2ecb5d40febe85b24ad8a585080a966254e9cc7a01ac531ff3be6b3d669e7d47da2f70187424252313ded3402c13bc0f64efe97e2a1762f582e12a9a4
SSDEEP

24576:ZytqsEO/SrTrP/pobIZoZ4IompQOJoEame6Johpg+VknbTcS13hr:M9KPrpYwoqIompNNJepleHco3

Score

10^/10

redline kukish infostealer persistence

Malware Config

Extracted

Family

redline

Botnet

kukish

77.91.124.55:19071

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 3 IoCs

resource	yara_rule
behavioral1/files/0x00060000000230ac-41.dat	family_redline
behavioral1/files/0x00060000000230ac-42.dat	family_redline
behavioral1/memory/3544-44-0x0000000000E50000-0x0000000000E8E000-memory.dmp	family_redline

Executes dropped EXE 6 IoCs

pid	Process
3672	mA6wN3iA.exe
4744	qf5GC8sd.exe
4452	An1TZ3nl.exe
4380	cl6Iz1BB.exe
3724	1Id14BC5.exe
3544	2Qd538fN.exe

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	16b57a52fbdc94326ec0f9428a6eb35c6e65f297463a23c44d657c4c22591d91.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	mA6wN3iA.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	qf5GC8sd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	An1TZ3nl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\""	cl6Iz1BB.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 3724 set thread context of 4964	3724	1Id14BC5.exe	89

Program crash 3 IoCs

pid	pid_target	Process	procid_target
872	4964	WerFault.exe	89
4496	3724	WerFault.exe	87
1340	4964	WerFault.exe	89

Suspicious use of WriteProcessMemory 31 IoCs

description	pid	Process	procid_target
PID 208 wrote to memory of 3672	208	16b57a52fbdc94326ec0f9428a6eb35c6e65f297463a23c44d657c4c22591d91.exe	83
PID 208 wrote to memory of 3672	208	16b57a52fbdc94326ec0f9428a6eb35c6e65f297463a23c44d657c4c22591d91.exe	83
PID 208 wrote to memory of 3672	208	16b57a52fbdc94326ec0f9428a6eb35c6e65f297463a23c44d657c4c22591d91.exe	83
PID 3672 wrote to memory of 4744	3672	mA6wN3iA.exe	84
PID 3672 wrote to memory of 4744	3672	mA6wN3iA.exe	84
PID 3672 wrote to memory of 4744	3672	mA6wN3iA.exe	84
PID 4744 wrote to memory of 4452	4744	qf5GC8sd.exe	85
PID 4744 wrote to memory of 4452	4744	qf5GC8sd.exe	85
PID 4744 wrote to memory of 4452	4744	qf5GC8sd.exe	85
PID 4452 wrote to memory of 4380	4452	An1TZ3nl.exe	86
PID 4452 wrote to memory of 4380	4452	An1TZ3nl.exe	86
PID 4452 wrote to memory of 4380	4452	An1TZ3nl.exe	86
PID 4380 wrote to memory of 3724	4380	cl6Iz1BB.exe	87
PID 4380 wrote to memory of 3724	4380	cl6Iz1BB.exe	87
PID 4380 wrote to memory of 3724	4380	cl6Iz1BB.exe	87
PID 3724 wrote to memory of 4964	3724	1Id14BC5.exe	89
PID 3724 wrote to memory of 4964	3724	1Id14BC5.exe	89
PID 3724 wrote to memory of 4964	3724	1Id14BC5.exe	89
PID 3724 wrote to memory of 4964	3724	1Id14BC5.exe	89
PID 3724 wrote to memory of 4964	3724	1Id14BC5.exe	89
PID 3724 wrote to memory of 4964	3724	1Id14BC5.exe	89
PID 3724 wrote to memory of 4964	3724	1Id14BC5.exe	89
PID 3724 wrote to memory of 4964	3724	1Id14BC5.exe	89
PID 3724 wrote to memory of 4964	3724	1Id14BC5.exe	89
PID 3724 wrote to memory of 4964	3724	1Id14BC5.exe	89
PID 4964 wrote to memory of 872	4964	AppLaunch.exe	95
PID 4964 wrote to memory of 872	4964	AppLaunch.exe	95
PID 4964 wrote to memory of 872	4964	AppLaunch.exe	95
PID 4380 wrote to memory of 3544	4380	cl6Iz1BB.exe	98
PID 4380 wrote to memory of 3544	4380	cl6Iz1BB.exe	98
PID 4380 wrote to memory of 3544	4380	cl6Iz1BB.exe	98

C:\Users\Admin\AppData\Local\Temp\16b57a52fbdc94326ec0f9428a6eb35c6e65f297463a23c44d657c4c22591d91.exe
"C:\Users\Admin\AppData\Local\Temp\16b57a52fbdc94326ec0f9428a6eb35c6e65f297463a23c44d657c4c22591d91.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:208
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\mA6wN3iA.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\mA6wN3iA.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:3672
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qf5GC8sd.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qf5GC8sd.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:4744
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\An1TZ3nl.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\An1TZ3nl.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:4452
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\cl6Iz1BB.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\cl6Iz1BB.exe
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of WriteProcessMemory
        
        PID:4380
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1Id14BC5.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1Id14BC5.exe
        6⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:3724
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:4964
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4964 -s 540
        8⤵
        Program crash
        
        PID:872
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4964 -s 540
        8⤵
        Program crash
        
        PID:1340
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3724 -s 224
        7⤵
        Program crash
        
        PID:4496
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2Qd538fN.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2Qd538fN.exe
        6⤵
        Executes dropped EXE
        
        PID:3544

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4964 -ip 4964
1⤵
PID:5080

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 3724 -ip 3724
1⤵
PID:4940

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\mA6wN3iA.exe

Filesize
998KB

MD5
510c1963d4196db59a4ec1738b376fb2

SHA1
c5569954ce9084f15c16b7ffc0512108dc83c804

SHA256
c3c8ff9996150aade51c0384787dbebd280039fd988cac8d24c5dc626a8e69a0

SHA512
55e5ec8f782337c9fca9f6ad8dfef517049859e82776aa571585225fccafa893424c0957b9589f783bcbb7f2ad5e73a3fedf4cfc029eaa83d289ec0b54d545d5

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\mA6wN3iA.exe

Filesize
998KB

MD5
510c1963d4196db59a4ec1738b376fb2

SHA1
c5569954ce9084f15c16b7ffc0512108dc83c804

SHA256
c3c8ff9996150aade51c0384787dbebd280039fd988cac8d24c5dc626a8e69a0

SHA512
55e5ec8f782337c9fca9f6ad8dfef517049859e82776aa571585225fccafa893424c0957b9589f783bcbb7f2ad5e73a3fedf4cfc029eaa83d289ec0b54d545d5

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qf5GC8sd.exe

Filesize
811KB

MD5
98670265e571bbeb0ab3c9c36595f45b

SHA1
4d3d36d085a763941b67362b785da1b5b4ad0786

SHA256
8c07e0843e0a6a7a017d282d87292826e08945430d255d48e9aa5cf0b546719a

SHA512
74f230978e81fb5ed3e0e1c5d5688e7b89e5f241c849257be178eac6290d93d7904c51a11ed7e581b401af02fdaed387f703b488e49298ff229c6dc2b2c45d72

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qf5GC8sd.exe

Filesize
811KB

MD5
98670265e571bbeb0ab3c9c36595f45b

SHA1
4d3d36d085a763941b67362b785da1b5b4ad0786

SHA256
8c07e0843e0a6a7a017d282d87292826e08945430d255d48e9aa5cf0b546719a

SHA512
74f230978e81fb5ed3e0e1c5d5688e7b89e5f241c849257be178eac6290d93d7904c51a11ed7e581b401af02fdaed387f703b488e49298ff229c6dc2b2c45d72

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\An1TZ3nl.exe

Filesize
578KB

MD5
cc69be2b3891f0b09dd0c5e1971f53fc

SHA1
d431b14caf94b054223b462e58e4ad94b0fc8f6f

SHA256
65a393888773350b4444358b355051773647827b13b34105ad177724e566fe51

SHA512
41823398e4b40078d0761147fb0f1d4ca624c68d20b1aae01f12b129616babfb7cc9f0e30b1b56a999a8cea47e5551a1c7a2177bf1ae35dab90541c0c4e4e0f7

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\An1TZ3nl.exe

Filesize
578KB

MD5
cc69be2b3891f0b09dd0c5e1971f53fc

SHA1
d431b14caf94b054223b462e58e4ad94b0fc8f6f

SHA256
65a393888773350b4444358b355051773647827b13b34105ad177724e566fe51

SHA512
41823398e4b40078d0761147fb0f1d4ca624c68d20b1aae01f12b129616babfb7cc9f0e30b1b56a999a8cea47e5551a1c7a2177bf1ae35dab90541c0c4e4e0f7

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\cl6Iz1BB.exe

Filesize
382KB

MD5
257688c9df89daad84fefe317ba00987

SHA1
84e24f1e6f64901ccb4fe580ea024c759c6cd580

SHA256
482a706e47a0980b458f0a833392dc6d4bbdb83d5d8cdf385d030a231bcb9ca7

SHA512
db9014e487b06067a3681d376e739e863cb01cbea9302bdff335f61de162ad81741b38ba06d1a01572a61ea2ca67a57e82f4d95ccf3fa1a6d465e5327391554e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\cl6Iz1BB.exe

Filesize
382KB

MD5
257688c9df89daad84fefe317ba00987

SHA1
84e24f1e6f64901ccb4fe580ea024c759c6cd580

SHA256
482a706e47a0980b458f0a833392dc6d4bbdb83d5d8cdf385d030a231bcb9ca7

SHA512
db9014e487b06067a3681d376e739e863cb01cbea9302bdff335f61de162ad81741b38ba06d1a01572a61ea2ca67a57e82f4d95ccf3fa1a6d465e5327391554e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1Id14BC5.exe

Filesize
295KB

MD5
8b2f4d97ea0ddd24893f02499fc14026

SHA1
bca3c20665feab748a01981fcf0aa3e2401f4d34

SHA256
542981d80eee0d59a7484cf3ace126654dcd0269125016f052c41abdba4df4a0

SHA512
7dcb6fbb373241d85593fb20f072f9c759b3b10771afa45160d94188e6790b22a6b7e6c16bc5aced9e8c7b89c8ae27eb6924989f3fcc1edccc1dc8a000678688

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1Id14BC5.exe

Filesize
295KB

MD5
8b2f4d97ea0ddd24893f02499fc14026

SHA1
bca3c20665feab748a01981fcf0aa3e2401f4d34

SHA256
542981d80eee0d59a7484cf3ace126654dcd0269125016f052c41abdba4df4a0

SHA512
7dcb6fbb373241d85593fb20f072f9c759b3b10771afa45160d94188e6790b22a6b7e6c16bc5aced9e8c7b89c8ae27eb6924989f3fcc1edccc1dc8a000678688

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2Qd538fN.exe

Filesize
222KB

MD5
f93d3b04017b08357ba247f8e7f053bc

SHA1
e199dfd07ec7e45c7c7a99f5129f9f918d63621c

SHA256
331c6f845fad699dac352087d3fa60fb0b0d9bc8fa26ab07fc875895c4973e1e

SHA512
4c1b8da12691f675c7eeaea51676de90fb86aec588ae96ce9c13ef77bd69c8c28befc807c01ec6f4126a43085c285ca47fc0812452baaf7bc78e47da57ea49b0

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2Qd538fN.exe

Filesize
222KB

MD5
f93d3b04017b08357ba247f8e7f053bc

SHA1
e199dfd07ec7e45c7c7a99f5129f9f918d63621c

SHA256
331c6f845fad699dac352087d3fa60fb0b0d9bc8fa26ab07fc875895c4973e1e

SHA512
4c1b8da12691f675c7eeaea51676de90fb86aec588ae96ce9c13ef77bd69c8c28befc807c01ec6f4126a43085c285ca47fc0812452baaf7bc78e47da57ea49b0

Download Submit
memory/3544-46-0x0000000007D90000-0x0000000007E22000-memory.dmp

Filesize
584KB

Download
memory/3544-48-0x0000000007F20000-0x0000000007F30000-memory.dmp

Filesize
64KB

Download
memory/3544-55-0x00000000088D0000-0x000000000891C000-memory.dmp

Filesize
304KB

Download
memory/3544-54-0x0000000008890000-0x00000000088CC000-memory.dmp

Filesize
240KB

Download
memory/3544-43-0x0000000073FA0000-0x0000000074750000-memory.dmp

Filesize
7.7MB

Download
memory/3544-44-0x0000000000E50000-0x0000000000E8E000-memory.dmp

Filesize
248KB

Download
memory/3544-45-0x0000000008260000-0x0000000008804000-memory.dmp

Filesize
5.6MB

Download
memory/3544-53-0x0000000008830000-0x0000000008842000-memory.dmp

Filesize
72KB

Download
memory/3544-52-0x0000000008920000-0x0000000008A2A000-memory.dmp

Filesize
1.0MB

Download
memory/3544-49-0x0000000007F20000-0x0000000007F30000-memory.dmp

Filesize
64KB

Download
memory/3544-47-0x0000000073FA0000-0x0000000074750000-memory.dmp

Filesize
7.7MB

Download
memory/3544-50-0x00000000058B0000-0x00000000058BA000-memory.dmp

Filesize
40KB

Download
memory/3544-51-0x0000000008E30000-0x0000000009448000-memory.dmp

Filesize
6.1MB

Download
memory/4964-39-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/4964-36-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/4964-37-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/4964-35-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads