redline | 5d656fc9c4854b4b62f1ccbba625650a80a5487632522e1d8868afaeac4df05a

Analysis

max time kernel
136s
max time network
152s
platform
windows10-1703_x64
resource
win10-20230915-en
resource tags

arch:x64arch:x86image:win10-20230915-enlocale:en-usos:windows10-1703-x64system
submitted
16/10/2023, 08:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5d656fc9c4854b4b62f1ccbba625650a80a5487632522e1d8868afaeac4df05a.exe
Size

1.1MB
MD5

e7607d4fa7ba9243de7bebf6e31ff5e3
SHA1

5e374f01dbc9c4c2eda1d46442d0078433f51c68
SHA256

5d656fc9c4854b4b62f1ccbba625650a80a5487632522e1d8868afaeac4df05a
SHA512

5b5040d7ba536db055783ecb62dec79d207b063705d6fbf50af55889c7146ada4a9cd30021c30a2f624f5a536ae06dd058f8fd734df6639d14d03d4e58952dd3
SSDEEP

24576:oyvrM8Qir/BiwbX+lUbnfXm5TnDwplIwMDZwgXC/uvx5oW+lay:vDt3r5i6XOUbfXm5Tn6ywMDehy4la

Score

10^/10

redline kukish infostealer persistence

Malware Config

Extracted

Family

redline

Botnet

kukish

77.91.124.55:19071

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 3 IoCs

resource	yara_rule
behavioral1/files/0x000600000001b005-39.dat	family_redline
behavioral1/files/0x000600000001b005-44.dat	family_redline
behavioral1/memory/4780-45-0x0000000000110000-0x000000000014E000-memory.dmp	family_redline

Executes dropped EXE 6 IoCs

pid	Process
944	MS3Ht0Rm.exe
5112	Mf8FA4Yn.exe
4444	fV8yy1Sk.exe
4104	qm0HE3Zk.exe
2608	1sh58Ac9.exe
4780	2bW128ze.exe

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	5d656fc9c4854b4b62f1ccbba625650a80a5487632522e1d8868afaeac4df05a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	MS3Ht0Rm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	Mf8FA4Yn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	fV8yy1Sk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\""	qm0HE3Zk.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2608 set thread context of 4704	2608	1sh58Ac9.exe	76

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4716	4704	WerFault.exe	76

Suspicious use of WriteProcessMemory 31 IoCs

description	pid	Process	procid_target
PID 4768 wrote to memory of 944	4768	5d656fc9c4854b4b62f1ccbba625650a80a5487632522e1d8868afaeac4df05a.exe	70
PID 4768 wrote to memory of 944	4768	5d656fc9c4854b4b62f1ccbba625650a80a5487632522e1d8868afaeac4df05a.exe	70
PID 4768 wrote to memory of 944	4768	5d656fc9c4854b4b62f1ccbba625650a80a5487632522e1d8868afaeac4df05a.exe	70
PID 944 wrote to memory of 5112	944	MS3Ht0Rm.exe	71
PID 944 wrote to memory of 5112	944	MS3Ht0Rm.exe	71
PID 944 wrote to memory of 5112	944	MS3Ht0Rm.exe	71
PID 5112 wrote to memory of 4444	5112	Mf8FA4Yn.exe	72
PID 5112 wrote to memory of 4444	5112	Mf8FA4Yn.exe	72
PID 5112 wrote to memory of 4444	5112	Mf8FA4Yn.exe	72
PID 4444 wrote to memory of 4104	4444	fV8yy1Sk.exe	73
PID 4444 wrote to memory of 4104	4444	fV8yy1Sk.exe	73
PID 4444 wrote to memory of 4104	4444	fV8yy1Sk.exe	73
PID 4104 wrote to memory of 2608	4104	qm0HE3Zk.exe	74
PID 4104 wrote to memory of 2608	4104	qm0HE3Zk.exe	74
PID 4104 wrote to memory of 2608	4104	qm0HE3Zk.exe	74
PID 2608 wrote to memory of 2572	2608	1sh58Ac9.exe	75
PID 2608 wrote to memory of 2572	2608	1sh58Ac9.exe	75
PID 2608 wrote to memory of 2572	2608	1sh58Ac9.exe	75
PID 2608 wrote to memory of 4704	2608	1sh58Ac9.exe	76
PID 2608 wrote to memory of 4704	2608	1sh58Ac9.exe	76
PID 2608 wrote to memory of 4704	2608	1sh58Ac9.exe	76
PID 2608 wrote to memory of 4704	2608	1sh58Ac9.exe	76
PID 2608 wrote to memory of 4704	2608	1sh58Ac9.exe	76
PID 2608 wrote to memory of 4704	2608	1sh58Ac9.exe	76
PID 2608 wrote to memory of 4704	2608	1sh58Ac9.exe	76
PID 2608 wrote to memory of 4704	2608	1sh58Ac9.exe	76
PID 2608 wrote to memory of 4704	2608	1sh58Ac9.exe	76
PID 2608 wrote to memory of 4704	2608	1sh58Ac9.exe	76
PID 4104 wrote to memory of 4780	4104	qm0HE3Zk.exe	77
PID 4104 wrote to memory of 4780	4104	qm0HE3Zk.exe	77
PID 4104 wrote to memory of 4780	4104	qm0HE3Zk.exe	77

C:\Users\Admin\AppData\Local\Temp\5d656fc9c4854b4b62f1ccbba625650a80a5487632522e1d8868afaeac4df05a.exe
"C:\Users\Admin\AppData\Local\Temp\5d656fc9c4854b4b62f1ccbba625650a80a5487632522e1d8868afaeac4df05a.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4768
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\MS3Ht0Rm.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\MS3Ht0Rm.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:944
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Mf8FA4Yn.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Mf8FA4Yn.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:5112
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\fV8yy1Sk.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\fV8yy1Sk.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:4444
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\qm0HE3Zk.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\qm0HE3Zk.exe
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of WriteProcessMemory
        
        PID:4104
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1sh58Ac9.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1sh58Ac9.exe
        6⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:2608
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        7⤵
        
        PID:2572
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        7⤵
        
        PID:4704
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4704 -s 200
        8⤵
        Program crash
        
        PID:4716
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2bW128ze.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2bW128ze.exe
        6⤵
        Executes dropped EXE
        
        PID:4780

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\MS3Ht0Rm.exe

Filesize
1.0MB

MD5
7e54ab06d0ab41ac52f9b11cbdde93a4

SHA1
c146e3ac5799d630e39a057cb900b5e5d3d6b145

SHA256
38c817f48bb4ee271c0381e56ed77506f27ba476b654cfae98f495e084f8beaf

SHA512
fe0c62d132a4a3fbed4de809eb844a630bfa05299832cc3f54e1538a14cc1b32915ce209e238c35ed51117f96f89d70000594134b831206f2f4743c7ee61ac69

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\MS3Ht0Rm.exe

Filesize
1.0MB

MD5
7e54ab06d0ab41ac52f9b11cbdde93a4

SHA1
c146e3ac5799d630e39a057cb900b5e5d3d6b145

SHA256
38c817f48bb4ee271c0381e56ed77506f27ba476b654cfae98f495e084f8beaf

SHA512
fe0c62d132a4a3fbed4de809eb844a630bfa05299832cc3f54e1538a14cc1b32915ce209e238c35ed51117f96f89d70000594134b831206f2f4743c7ee61ac69

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Mf8FA4Yn.exe

Filesize
838KB

MD5
f898f6de5f17e0d9103a1ea36e3d3a13

SHA1
ecc7c3cc1bb4c30ec49a0866402278624d515a50

SHA256
930587869e1bd3a3b21bba56212c9b92677604595c8e90312bb3444559e4f15d

SHA512
cca9f064137fc8158f2946c67c03c65dad822c0e92e72d614f39eed26404063287ee3a33c3b6027cbc656c36d4b0cafd0bdde3e374dc4edf0a55a57f538b38d5

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Mf8FA4Yn.exe

Filesize
838KB

MD5
f898f6de5f17e0d9103a1ea36e3d3a13

SHA1
ecc7c3cc1bb4c30ec49a0866402278624d515a50

SHA256
930587869e1bd3a3b21bba56212c9b92677604595c8e90312bb3444559e4f15d

SHA512
cca9f064137fc8158f2946c67c03c65dad822c0e92e72d614f39eed26404063287ee3a33c3b6027cbc656c36d4b0cafd0bdde3e374dc4edf0a55a57f538b38d5

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\fV8yy1Sk.exe

Filesize
591KB

MD5
66dbcecb5c485a45fecb8bdcdbed0e7d

SHA1
12857441e6e0ecc32b5e0c4d8288a6e582a4ff44

SHA256
b0ae9fcb7f5e0d24d1b01c71c31ab2eb42193c0bebe1cc3d6bed507d22bb6db3

SHA512
91df4a0e38b7bb08a2ff75887f2a2e84c1fe710dd8eb930466257783a43f7ab6fb652fb6de00f0ebd6dcc0975e89b19e3d254ff2c860f6bf2a6aa40800bde1f8

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\fV8yy1Sk.exe

Filesize
591KB

MD5
66dbcecb5c485a45fecb8bdcdbed0e7d

SHA1
12857441e6e0ecc32b5e0c4d8288a6e582a4ff44

SHA256
b0ae9fcb7f5e0d24d1b01c71c31ab2eb42193c0bebe1cc3d6bed507d22bb6db3

SHA512
91df4a0e38b7bb08a2ff75887f2a2e84c1fe710dd8eb930466257783a43f7ab6fb652fb6de00f0ebd6dcc0975e89b19e3d254ff2c860f6bf2a6aa40800bde1f8

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\qm0HE3Zk.exe

Filesize
396KB

MD5
9e2a6a680cf6198a12ef15650d2a1601

SHA1
8cba2770bfa0de5125e8fe19e055315491a18c28

SHA256
a310918bf7c65f1338c114903f21b4c7749c61f23fc500f51b5200a705bc2fe4

SHA512
bd18e305a703e7575a06dd539108481d0d451a32a3070425b36a9cccd520742241959422a0d0c1a25447cb7112852fa5872f0efb30c8ce9f4c0418edbb90dabb

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\qm0HE3Zk.exe

Filesize
396KB

MD5
9e2a6a680cf6198a12ef15650d2a1601

SHA1
8cba2770bfa0de5125e8fe19e055315491a18c28

SHA256
a310918bf7c65f1338c114903f21b4c7749c61f23fc500f51b5200a705bc2fe4

SHA512
bd18e305a703e7575a06dd539108481d0d451a32a3070425b36a9cccd520742241959422a0d0c1a25447cb7112852fa5872f0efb30c8ce9f4c0418edbb90dabb

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1sh58Ac9.exe

Filesize
314KB

MD5
260a4a825b5c3c3a99c93b2c6afca5d6

SHA1
e25a0c7226f28bcdd5725d6d9df35d0bdb92e33c

SHA256
f255ac13437b2d074bda1524710a98eb6420bead4dcb5fb684e4078b001df39b

SHA512
3c4e8161cbd82aff2d62006c325f1d82ea7ba85d3b1f9d4cbfaab97560775f6b8c928c0a76a84771ff6abf4627e866f635b119d9f2ac9da994a491f4a3b7bd60

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1sh58Ac9.exe

Filesize
314KB

MD5
260a4a825b5c3c3a99c93b2c6afca5d6

SHA1
e25a0c7226f28bcdd5725d6d9df35d0bdb92e33c

SHA256
f255ac13437b2d074bda1524710a98eb6420bead4dcb5fb684e4078b001df39b

SHA512
3c4e8161cbd82aff2d62006c325f1d82ea7ba85d3b1f9d4cbfaab97560775f6b8c928c0a76a84771ff6abf4627e866f635b119d9f2ac9da994a491f4a3b7bd60

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2bW128ze.exe

Filesize
222KB

MD5
8218a20b873ac2c6046d348ba7766afe

SHA1
655734b6f560de0916d210a4314a6489cc3610ef

SHA256
6f5f29c8db5ebf908a7dca7edf380657f5b4a4d1e0da9ba77e2da7826ca301d3

SHA512
87ef5b6d21f9273a09f4396063e9104c475d9d19f362a639061f5a9670451dacd0bba2edeec90d113b27409ad9c43b52da31130f58d3c8e226ec4ff9e3a87b18

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2bW128ze.exe

Filesize
222KB

MD5
8218a20b873ac2c6046d348ba7766afe

SHA1
655734b6f560de0916d210a4314a6489cc3610ef

SHA256
6f5f29c8db5ebf908a7dca7edf380657f5b4a4d1e0da9ba77e2da7826ca301d3

SHA512
87ef5b6d21f9273a09f4396063e9104c475d9d19f362a639061f5a9670451dacd0bba2edeec90d113b27409ad9c43b52da31130f58d3c8e226ec4ff9e3a87b18

Download Submit
memory/4704-40-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/4704-41-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/4704-43-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/4704-35-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/4780-48-0x0000000006E80000-0x0000000006F12000-memory.dmp

Filesize
584KB

Download
memory/4780-46-0x0000000072D20000-0x000000007340E000-memory.dmp

Filesize
6.9MB

Download
memory/4780-47-0x00000000072A0000-0x000000000779E000-memory.dmp

Filesize
5.0MB

Download
memory/4780-45-0x0000000000110000-0x000000000014E000-memory.dmp

Filesize
248KB

Download
memory/4780-49-0x0000000006FE0000-0x0000000006FEA000-memory.dmp

Filesize
40KB

Download
memory/4780-50-0x0000000007DB0000-0x00000000083B6000-memory.dmp

Filesize
6.0MB

Download
memory/4780-51-0x00000000077A0000-0x00000000078AA000-memory.dmp

Filesize
1.0MB

Download
memory/4780-52-0x00000000070C0000-0x00000000070D2000-memory.dmp

Filesize
72KB

Download
memory/4780-53-0x0000000007150000-0x000000000718E000-memory.dmp

Filesize
248KB

Download
memory/4780-54-0x0000000007190000-0x00000000071DB000-memory.dmp

Filesize
300KB

Download
memory/4780-55-0x0000000072D20000-0x000000007340E000-memory.dmp

Filesize
6.9MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads