redline | 387a7bd58f0df89c24c21713dbb945008952358cfba55c836cf286a2eb88b1f0

Analysis

max time kernel
142s
max time network
161s
platform
windows10-1703_x64
resource
win10-20230915-en
resource tags

arch:x64arch:x86image:win10-20230915-enlocale:en-usos:windows10-1703-x64system
submitted
16-10-2023 08:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

387a7bd58f0df89c24c21713dbb945008952358cfba55c836cf286a2eb88b1f0.exe
Size

1.1MB
MD5

220960c7f2a7288cce00be71725d3f2f
SHA1

567ad208da352e57803d74fb0bf3fe581d7f76b1
SHA256

387a7bd58f0df89c24c21713dbb945008952358cfba55c836cf286a2eb88b1f0
SHA512

7961e7c4a02caa089276a22e6a7b75d01595e42cba34e83fe7ff9b98aa7763b3047396f384cb6621b364985856739196c695e8e101ad1b4328a871538f553dba
SSDEEP

24576:GyOzb5t1tsnVYv42xfY2cqbJ9sD3EmuV2wDPNu:VOzb5SnVZ2xYy0omuV2wJ

Score

10^/10

redline kukish infostealer persistence

Malware Config

Extracted

Family

redline

Botnet

kukish

77.91.124.55:19071

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 3 IoCs

resource	yara_rule
behavioral1/files/0x000700000001afd4-39.dat	family_redline
behavioral1/files/0x000700000001afd4-41.dat	family_redline
behavioral1/memory/4932-45-0x00000000000A0000-0x00000000000DE000-memory.dmp	family_redline

Executes dropped EXE 6 IoCs

pid	Process
2716	EW3nh4DQ.exe
2128	hO9pl9th.exe
4456	qV6IK0rA.exe
3984	Fu9Ne1yb.exe
4200	1fx28gG7.exe
4932	2VP026ih.exe

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	qV6IK0rA.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\""	Fu9Ne1yb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	387a7bd58f0df89c24c21713dbb945008952358cfba55c836cf286a2eb88b1f0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	EW3nh4DQ.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	hO9pl9th.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4200 set thread context of 1428	4200	1fx28gG7.exe	75

Program crash 1 IoCs

pid	pid_target	Process	procid_target
3972	1428	WerFault.exe	75

Suspicious use of WriteProcessMemory 28 IoCs

description	pid	Process	procid_target
PID 3560 wrote to memory of 2716	3560	387a7bd58f0df89c24c21713dbb945008952358cfba55c836cf286a2eb88b1f0.exe	70
PID 3560 wrote to memory of 2716	3560	387a7bd58f0df89c24c21713dbb945008952358cfba55c836cf286a2eb88b1f0.exe	70
PID 3560 wrote to memory of 2716	3560	387a7bd58f0df89c24c21713dbb945008952358cfba55c836cf286a2eb88b1f0.exe	70
PID 2716 wrote to memory of 2128	2716	EW3nh4DQ.exe	71
PID 2716 wrote to memory of 2128	2716	EW3nh4DQ.exe	71
PID 2716 wrote to memory of 2128	2716	EW3nh4DQ.exe	71
PID 2128 wrote to memory of 4456	2128	hO9pl9th.exe	72
PID 2128 wrote to memory of 4456	2128	hO9pl9th.exe	72
PID 2128 wrote to memory of 4456	2128	hO9pl9th.exe	72
PID 4456 wrote to memory of 3984	4456	qV6IK0rA.exe	73
PID 4456 wrote to memory of 3984	4456	qV6IK0rA.exe	73
PID 4456 wrote to memory of 3984	4456	qV6IK0rA.exe	73
PID 3984 wrote to memory of 4200	3984	Fu9Ne1yb.exe	74
PID 3984 wrote to memory of 4200	3984	Fu9Ne1yb.exe	74
PID 3984 wrote to memory of 4200	3984	Fu9Ne1yb.exe	74
PID 4200 wrote to memory of 1428	4200	1fx28gG7.exe	75
PID 4200 wrote to memory of 1428	4200	1fx28gG7.exe	75
PID 4200 wrote to memory of 1428	4200	1fx28gG7.exe	75
PID 4200 wrote to memory of 1428	4200	1fx28gG7.exe	75
PID 4200 wrote to memory of 1428	4200	1fx28gG7.exe	75
PID 4200 wrote to memory of 1428	4200	1fx28gG7.exe	75
PID 4200 wrote to memory of 1428	4200	1fx28gG7.exe	75
PID 4200 wrote to memory of 1428	4200	1fx28gG7.exe	75
PID 4200 wrote to memory of 1428	4200	1fx28gG7.exe	75
PID 4200 wrote to memory of 1428	4200	1fx28gG7.exe	75
PID 3984 wrote to memory of 4932	3984	Fu9Ne1yb.exe	76
PID 3984 wrote to memory of 4932	3984	Fu9Ne1yb.exe	76
PID 3984 wrote to memory of 4932	3984	Fu9Ne1yb.exe	76

C:\Users\Admin\AppData\Local\Temp\387a7bd58f0df89c24c21713dbb945008952358cfba55c836cf286a2eb88b1f0.exe
"C:\Users\Admin\AppData\Local\Temp\387a7bd58f0df89c24c21713dbb945008952358cfba55c836cf286a2eb88b1f0.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3560
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\EW3nh4DQ.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\EW3nh4DQ.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:2716
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\hO9pl9th.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\hO9pl9th.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:2128
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qV6IK0rA.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qV6IK0rA.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:4456
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\Fu9Ne1yb.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\Fu9Ne1yb.exe
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of WriteProcessMemory
        
        PID:3984
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1fx28gG7.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1fx28gG7.exe
        6⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:4200
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        7⤵
        
        PID:1428
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1428 -s 568
        8⤵
        Program crash
        
        PID:3972
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2VP026ih.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2VP026ih.exe
        6⤵
        Executes dropped EXE
        
        PID:4932

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\EW3nh4DQ.exe

Filesize
1.0MB

MD5
145e5ca2c4d499f0f7fa851d1ebdf290

SHA1
ff32b3d1604e83d25f7049a7ef25dea3fa2bf94d

SHA256
2b6aa6bd4e5225bfcdf0221091642b75bf615f8b739af914df5f8502a06f1264

SHA512
24253306e68974d05ed73a07287c79991ebff5d43b9527a55d19f2e2c88933f2a48a9ae2cbbcc475b9dd4253eafc1e375d14c67b80f1bf46fe0820d63a8692cd

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\EW3nh4DQ.exe

Filesize
1.0MB

MD5
145e5ca2c4d499f0f7fa851d1ebdf290

SHA1
ff32b3d1604e83d25f7049a7ef25dea3fa2bf94d

SHA256
2b6aa6bd4e5225bfcdf0221091642b75bf615f8b739af914df5f8502a06f1264

SHA512
24253306e68974d05ed73a07287c79991ebff5d43b9527a55d19f2e2c88933f2a48a9ae2cbbcc475b9dd4253eafc1e375d14c67b80f1bf46fe0820d63a8692cd

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\hO9pl9th.exe

Filesize
839KB

MD5
a0345df07f94c14a8afa20247b9defb5

SHA1
dffcad6eb453a9816c46bdacdbc9dbcf545caaf7

SHA256
4e5fffc0cae33e80f4dc7585d1d2b7be977913321b9304bc629866af6e2ada36

SHA512
264b5a9283278c7807574a233f2f99c478f159791da512ddb036a32f671f70ec4a26d8034a51261a86abb95afa1aa1cf9f4d175bd86a4e52e7cbb7a743cc5c54

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\hO9pl9th.exe

Filesize
839KB

MD5
a0345df07f94c14a8afa20247b9defb5

SHA1
dffcad6eb453a9816c46bdacdbc9dbcf545caaf7

SHA256
4e5fffc0cae33e80f4dc7585d1d2b7be977913321b9304bc629866af6e2ada36

SHA512
264b5a9283278c7807574a233f2f99c478f159791da512ddb036a32f671f70ec4a26d8034a51261a86abb95afa1aa1cf9f4d175bd86a4e52e7cbb7a743cc5c54

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qV6IK0rA.exe

Filesize
591KB

MD5
20e3b63d85edf62cbec085aed7fd4523

SHA1
1fcbf88c9998f4295fa62f2ec71b0dd3a9c6502d

SHA256
2c48ea0dc76ccfda3d65fc2d67b0836e05039ffaeab405366b7d3b9df2b6f7dc

SHA512
dce8dfa6f91d2b17a88e8d145bfcfb53011ae856dbfea231387c817bdb0de98409019e1ca37c76d15144a1ca54689a2b8f9a14ebeb8436804f793a3cf5cb3501

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qV6IK0rA.exe

Filesize
591KB

MD5
20e3b63d85edf62cbec085aed7fd4523

SHA1
1fcbf88c9998f4295fa62f2ec71b0dd3a9c6502d

SHA256
2c48ea0dc76ccfda3d65fc2d67b0836e05039ffaeab405366b7d3b9df2b6f7dc

SHA512
dce8dfa6f91d2b17a88e8d145bfcfb53011ae856dbfea231387c817bdb0de98409019e1ca37c76d15144a1ca54689a2b8f9a14ebeb8436804f793a3cf5cb3501

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\Fu9Ne1yb.exe

Filesize
396KB

MD5
453e5bf4c8900e6f1a1e39d2371cb1e6

SHA1
8a6626ae789fd0ff3c88070b48efcf4c53ceb301

SHA256
4d1fc94da13e115d0cfb24b80df5875a92e199a440121a1fe8c37f1258ef23dc

SHA512
1de775577bc2093b37b5ce94583eb96d61c072c1c30c100d3ca8e696613dba369a32808205d79bd65e2a5083d737c2668c41f9ff9ccc196da89e765bae57683a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\Fu9Ne1yb.exe

Filesize
396KB

MD5
453e5bf4c8900e6f1a1e39d2371cb1e6

SHA1
8a6626ae789fd0ff3c88070b48efcf4c53ceb301

SHA256
4d1fc94da13e115d0cfb24b80df5875a92e199a440121a1fe8c37f1258ef23dc

SHA512
1de775577bc2093b37b5ce94583eb96d61c072c1c30c100d3ca8e696613dba369a32808205d79bd65e2a5083d737c2668c41f9ff9ccc196da89e765bae57683a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1fx28gG7.exe

Filesize
314KB

MD5
d85dc0f3242e1b0138b56a7deee821a5

SHA1
8a30d6aad8a185c825b26dff4eceb679713a83a7

SHA256
e511674a47404a1ae35fcb1795163b6f878f22b9734c3d32ed5b4bdd189c04f1

SHA512
541c78025ef0f58917cb5aa1dce74a3b7760694e31fbe13b8faf868b7d1197eaff12fda20ab8d4cea53d28516b2ca7ac685594bf3fa76a03fa23778d9f5c224e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1fx28gG7.exe

Filesize
314KB

MD5
d85dc0f3242e1b0138b56a7deee821a5

SHA1
8a30d6aad8a185c825b26dff4eceb679713a83a7

SHA256
e511674a47404a1ae35fcb1795163b6f878f22b9734c3d32ed5b4bdd189c04f1

SHA512
541c78025ef0f58917cb5aa1dce74a3b7760694e31fbe13b8faf868b7d1197eaff12fda20ab8d4cea53d28516b2ca7ac685594bf3fa76a03fa23778d9f5c224e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2VP026ih.exe

Filesize
222KB

MD5
4ff71c4985b928dea2bd4cc7aa6170df

SHA1
d34807f659f46b102dce5cf9d73adffdf0ab8116

SHA256
eac94c75a35286ed006a1fe13c3d4d4046cb7b3f494755c2bf33c7c4358ac711

SHA512
3140e8b61b7c6f5a0c9c113bc87c3527060609253e45c69a8d4e5f210de1552387d5877e3140059fb0a21f5cdeb6cbf81961bb01e8504c40d75c232a25b53915

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2VP026ih.exe

Filesize
222KB

MD5
4ff71c4985b928dea2bd4cc7aa6170df

SHA1
d34807f659f46b102dce5cf9d73adffdf0ab8116

SHA256
eac94c75a35286ed006a1fe13c3d4d4046cb7b3f494755c2bf33c7c4358ac711

SHA512
3140e8b61b7c6f5a0c9c113bc87c3527060609253e45c69a8d4e5f210de1552387d5877e3140059fb0a21f5cdeb6cbf81961bb01e8504c40d75c232a25b53915

Download Submit
memory/1428-40-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/1428-42-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/1428-35-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/1428-44-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/4932-48-0x0000000006EB0000-0x0000000006F42000-memory.dmp

Filesize
584KB

Download
memory/4932-46-0x0000000073650000-0x0000000073D3E000-memory.dmp

Filesize
6.9MB

Download
memory/4932-47-0x0000000007310000-0x000000000780E000-memory.dmp

Filesize
5.0MB

Download
memory/4932-45-0x00000000000A0000-0x00000000000DE000-memory.dmp

Filesize
248KB

Download
memory/4932-49-0x0000000006E30000-0x0000000006E3A000-memory.dmp

Filesize
40KB

Download
memory/4932-50-0x0000000007E20000-0x0000000008426000-memory.dmp

Filesize
6.0MB

Download
memory/4932-51-0x0000000007140000-0x000000000724A000-memory.dmp

Filesize
1.0MB

Download
memory/4932-52-0x0000000007070000-0x0000000007082000-memory.dmp

Filesize
72KB

Download
memory/4932-53-0x00000000070D0000-0x000000000710E000-memory.dmp

Filesize
248KB

Download
memory/4932-54-0x0000000007250000-0x000000000729B000-memory.dmp

Filesize
300KB

Download
memory/4932-55-0x0000000073650000-0x0000000073D3E000-memory.dmp

Filesize
6.9MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads