redline | 4280d59ea2f55c16d3ff47b0199378fa54e2aeb92f692a71522a77103d658266

Analysis

max time kernel
144s
max time network
159s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
16/10/2023, 06:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4280d59ea2f55c16d3ff47b0199378fa54e2aeb92f692a71522a77103d658266.exe
Size

1.1MB
MD5

078d4d4baab7ee5679ccce47536cdca0
SHA1

88127bf0ca5bd91d61c24235b57785ec47313936
SHA256

4280d59ea2f55c16d3ff47b0199378fa54e2aeb92f692a71522a77103d658266
SHA512

0a72f9fd543a75dda75cf203226f50b6660090131e7bb28b250e9e009a5efaeacb71a5a7dd517cab1994e448f2f4e4716d19dbfaec168903d9f98622f455956f
SSDEEP

24576:Zyp5Vh393mHlymgl0NU+fbYzww2iWUX+S9sr6Da:MpXht6yxl0q+CDXy2D

Score

10^/10

redline kukish infostealer persistence

Malware Config

Extracted

Family

redline

Botnet

kukish

77.91.124.55:19071

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 3 IoCs

resource	yara_rule
behavioral1/files/0x00060000000231dc-41.dat	family_redline
behavioral1/files/0x00060000000231dc-42.dat	family_redline
behavioral1/memory/804-44-0x0000000000370000-0x00000000003AE000-memory.dmp	family_redline

Executes dropped EXE 6 IoCs

pid	Process
3948	zl2Ya9uW.exe
4140	ji9mm8lC.exe
844	mK9Dr8ih.exe
4036	zY7NK2zp.exe
4964	1oq77wp7.exe
804	2ZP115Tv.exe

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	4280d59ea2f55c16d3ff47b0199378fa54e2aeb92f692a71522a77103d658266.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	zl2Ya9uW.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	ji9mm8lC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	mK9Dr8ih.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\""	zY7NK2zp.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4964 set thread context of 884	4964	1oq77wp7.exe	90

Program crash 2 IoCs

pid	pid_target	Process	procid_target
1628	4964	WerFault.exe	87
1140	884	WerFault.exe	90

Suspicious use of WriteProcessMemory 31 IoCs

description	pid	Process	procid_target
PID 4280 wrote to memory of 3948	4280	4280d59ea2f55c16d3ff47b0199378fa54e2aeb92f692a71522a77103d658266.exe	83
PID 4280 wrote to memory of 3948	4280	4280d59ea2f55c16d3ff47b0199378fa54e2aeb92f692a71522a77103d658266.exe	83
PID 4280 wrote to memory of 3948	4280	4280d59ea2f55c16d3ff47b0199378fa54e2aeb92f692a71522a77103d658266.exe	83
PID 3948 wrote to memory of 4140	3948	zl2Ya9uW.exe	84
PID 3948 wrote to memory of 4140	3948	zl2Ya9uW.exe	84
PID 3948 wrote to memory of 4140	3948	zl2Ya9uW.exe	84
PID 4140 wrote to memory of 844	4140	ji9mm8lC.exe	85
PID 4140 wrote to memory of 844	4140	ji9mm8lC.exe	85
PID 4140 wrote to memory of 844	4140	ji9mm8lC.exe	85
PID 844 wrote to memory of 4036	844	mK9Dr8ih.exe	86
PID 844 wrote to memory of 4036	844	mK9Dr8ih.exe	86
PID 844 wrote to memory of 4036	844	mK9Dr8ih.exe	86
PID 4036 wrote to memory of 4964	4036	zY7NK2zp.exe	87
PID 4036 wrote to memory of 4964	4036	zY7NK2zp.exe	87
PID 4036 wrote to memory of 4964	4036	zY7NK2zp.exe	87
PID 4964 wrote to memory of 3832	4964	1oq77wp7.exe	89
PID 4964 wrote to memory of 3832	4964	1oq77wp7.exe	89
PID 4964 wrote to memory of 3832	4964	1oq77wp7.exe	89
PID 4964 wrote to memory of 884	4964	1oq77wp7.exe	90
PID 4964 wrote to memory of 884	4964	1oq77wp7.exe	90
PID 4964 wrote to memory of 884	4964	1oq77wp7.exe	90
PID 4964 wrote to memory of 884	4964	1oq77wp7.exe	90
PID 4964 wrote to memory of 884	4964	1oq77wp7.exe	90
PID 4964 wrote to memory of 884	4964	1oq77wp7.exe	90
PID 4964 wrote to memory of 884	4964	1oq77wp7.exe	90
PID 4964 wrote to memory of 884	4964	1oq77wp7.exe	90
PID 4964 wrote to memory of 884	4964	1oq77wp7.exe	90
PID 4964 wrote to memory of 884	4964	1oq77wp7.exe	90
PID 4036 wrote to memory of 804	4036	zY7NK2zp.exe	96
PID 4036 wrote to memory of 804	4036	zY7NK2zp.exe	96
PID 4036 wrote to memory of 804	4036	zY7NK2zp.exe	96

C:\Users\Admin\AppData\Local\Temp\4280d59ea2f55c16d3ff47b0199378fa54e2aeb92f692a71522a77103d658266.exe
"C:\Users\Admin\AppData\Local\Temp\4280d59ea2f55c16d3ff47b0199378fa54e2aeb92f692a71522a77103d658266.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4280
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zl2Ya9uW.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zl2Ya9uW.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:3948
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ji9mm8lC.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ji9mm8lC.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:4140
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\mK9Dr8ih.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\mK9Dr8ih.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:844
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\zY7NK2zp.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\zY7NK2zp.exe
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of WriteProcessMemory
        
        PID:4036
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1oq77wp7.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1oq77wp7.exe
        6⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:4964
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        7⤵
        
        PID:3832
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        7⤵
        
        PID:884
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 884 -s 540
        8⤵
        Program crash
        
        PID:1140
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4964 -s 588
        7⤵
        Program crash
        
        PID:1628
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2ZP115Tv.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2ZP115Tv.exe
        6⤵
        Executes dropped EXE
        
        PID:804

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 4964 -ip 4964
1⤵
PID:2684

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 884 -ip 884
1⤵
PID:2224

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zl2Ya9uW.exe

Filesize
999KB

MD5
ec81946b8f08a02b9c753fa2b9c0c58d

SHA1
64ab9a931d2a63b15216b2c010deb9048eabf0fd

SHA256
c8bd9a14f4ab2f1f1834384f3a88793567ee1bdf32cca1162c9b83af9de08ed6

SHA512
517e000060ac58c3087b9cf89cedfa58d59bbba043776203f16737bc16c218e500413ef18759bb592f213add174e9a5a3ab8635d46fc033972fbf559498cc278

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zl2Ya9uW.exe

Filesize
999KB

MD5
ec81946b8f08a02b9c753fa2b9c0c58d

SHA1
64ab9a931d2a63b15216b2c010deb9048eabf0fd

SHA256
c8bd9a14f4ab2f1f1834384f3a88793567ee1bdf32cca1162c9b83af9de08ed6

SHA512
517e000060ac58c3087b9cf89cedfa58d59bbba043776203f16737bc16c218e500413ef18759bb592f213add174e9a5a3ab8635d46fc033972fbf559498cc278

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ji9mm8lC.exe

Filesize
812KB

MD5
77f72b544b03731cfae0adaf55b72a6d

SHA1
2216ecd7f3e123a4ff8db70c544886960ca35917

SHA256
b343226dcfc619004c72b843c1c451593f13ae83fe3f25f25e82d40013b48590

SHA512
be0ea9772384fcbd58db602852613f30ee32f6b85c9b84c4cfa7ccf101065772d98b5c1728b034249aba1f5a356ad9a6b68312f91c09bac877c0eb4fb309a7b5

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ji9mm8lC.exe

Filesize
812KB

MD5
77f72b544b03731cfae0adaf55b72a6d

SHA1
2216ecd7f3e123a4ff8db70c544886960ca35917

SHA256
b343226dcfc619004c72b843c1c451593f13ae83fe3f25f25e82d40013b48590

SHA512
be0ea9772384fcbd58db602852613f30ee32f6b85c9b84c4cfa7ccf101065772d98b5c1728b034249aba1f5a356ad9a6b68312f91c09bac877c0eb4fb309a7b5

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\mK9Dr8ih.exe

Filesize
579KB

MD5
372e6c68333cb0626489e2f3b709bc06

SHA1
49092c5de87270095846a4ddeb9195a55208ba43

SHA256
08b1505b23842b2011bc77d75d5c3588dcc8910ffcdab8dc5fde4d752a18c9a8

SHA512
0be5d1101a5a8d700a6b35d484cdc1f6a251444c819d2375963d47a23751cc1d68626fdd704a427486b4d11b3d4814b7d6af8b08e49617344e3d801e9fa867c3

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\mK9Dr8ih.exe

Filesize
579KB

MD5
372e6c68333cb0626489e2f3b709bc06

SHA1
49092c5de87270095846a4ddeb9195a55208ba43

SHA256
08b1505b23842b2011bc77d75d5c3588dcc8910ffcdab8dc5fde4d752a18c9a8

SHA512
0be5d1101a5a8d700a6b35d484cdc1f6a251444c819d2375963d47a23751cc1d68626fdd704a427486b4d11b3d4814b7d6af8b08e49617344e3d801e9fa867c3

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\zY7NK2zp.exe

Filesize
383KB

MD5
51251d58adac7864ac9998e52c560792

SHA1
47bc218363c37b8985549ae0eb00c9626f67902d

SHA256
be7eca590a0e90224417a75a6f55239f40bc2c3ebb1a9f934bd658b544b5fcb7

SHA512
25f1d2e4d8151dfce77f47ea712c59c060585b9bd82d9061988cb628c861a754d92a14bf5e2539e7d642b5adfbfaaace654d0c62c83d23c79387bd15b6cacafe

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\zY7NK2zp.exe

Filesize
383KB

MD5
51251d58adac7864ac9998e52c560792

SHA1
47bc218363c37b8985549ae0eb00c9626f67902d

SHA256
be7eca590a0e90224417a75a6f55239f40bc2c3ebb1a9f934bd658b544b5fcb7

SHA512
25f1d2e4d8151dfce77f47ea712c59c060585b9bd82d9061988cb628c861a754d92a14bf5e2539e7d642b5adfbfaaace654d0c62c83d23c79387bd15b6cacafe

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1oq77wp7.exe

Filesize
295KB

MD5
d4cd6050d488246258381e3915453c8c

SHA1
c8d1b240d72b7a0148bd50bf07d950f1ccb87ef9

SHA256
02a18e86f8f4516487b0733719ede29d11fb31f78c0fd0d3f11185c0deea3ace

SHA512
4568f2dd350eecf72aa63639b96eb7fc9328c31b6c0238254fd45c2774e105cdf5e524fcf5f011780665a7b9b6e702bae4763d1b02f260d05966859439b1278c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1oq77wp7.exe

Filesize
295KB

MD5
d4cd6050d488246258381e3915453c8c

SHA1
c8d1b240d72b7a0148bd50bf07d950f1ccb87ef9

SHA256
02a18e86f8f4516487b0733719ede29d11fb31f78c0fd0d3f11185c0deea3ace

SHA512
4568f2dd350eecf72aa63639b96eb7fc9328c31b6c0238254fd45c2774e105cdf5e524fcf5f011780665a7b9b6e702bae4763d1b02f260d05966859439b1278c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2ZP115Tv.exe

Filesize
222KB

MD5
78bd72c38462d26e7da88c984a67aa6d

SHA1
7ae1029b1fc04677d07d3cbefdbac276ea4c8a14

SHA256
20ef0d21a9156ac9fef8a68d5390267656b84fc56e67a9e80f3df9236c5b6a88

SHA512
8cd214317d5f21b88b277096a66ddc94c7553f94754a90361117ef5af3ca66f9428eb5a14d02db48e129baaaa9eb0a507ba67fefcf446b1d16f88f47dd5ea581

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2ZP115Tv.exe

Filesize
222KB

MD5
78bd72c38462d26e7da88c984a67aa6d

SHA1
7ae1029b1fc04677d07d3cbefdbac276ea4c8a14

SHA256
20ef0d21a9156ac9fef8a68d5390267656b84fc56e67a9e80f3df9236c5b6a88

SHA512
8cd214317d5f21b88b277096a66ddc94c7553f94754a90361117ef5af3ca66f9428eb5a14d02db48e129baaaa9eb0a507ba67fefcf446b1d16f88f47dd5ea581

Download Submit
memory/804-46-0x0000000007100000-0x0000000007192000-memory.dmp

Filesize
584KB

Download
memory/804-48-0x00000000072F0000-0x00000000072FA000-memory.dmp

Filesize
40KB

Download
memory/804-55-0x00000000072E0000-0x00000000072F0000-memory.dmp

Filesize
64KB

Download
memory/804-54-0x0000000073C70000-0x0000000074420000-memory.dmp

Filesize
7.7MB

Download
memory/804-43-0x0000000073C70000-0x0000000074420000-memory.dmp

Filesize
7.7MB

Download
memory/804-44-0x0000000000370000-0x00000000003AE000-memory.dmp

Filesize
248KB

Download
memory/804-45-0x00000000075D0000-0x0000000007B74000-memory.dmp

Filesize
5.6MB

Download
memory/804-53-0x0000000007B80000-0x0000000007BCC000-memory.dmp

Filesize
304KB

Download
memory/804-52-0x0000000007570000-0x00000000075AC000-memory.dmp

Filesize
240KB

Download
memory/804-49-0x00000000081A0000-0x00000000087B8000-memory.dmp

Filesize
6.1MB

Download
memory/804-47-0x00000000072E0000-0x00000000072F0000-memory.dmp

Filesize
64KB

Download
memory/804-50-0x0000000007C90000-0x0000000007D9A000-memory.dmp

Filesize
1.0MB

Download
memory/804-51-0x0000000007510000-0x0000000007522000-memory.dmp

Filesize
72KB

Download
memory/884-37-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/884-36-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/884-39-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/884-35-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads