redline | d2fffb4fd8a5fcf0e9d5bc967e1502c7f90fc856fe3bd5132032217d45006922

Analysis

max time kernel
135s
max time network
154s
platform
windows10-1703_x64
resource
win10-20230915-en
resource tags

arch:x64arch:x86image:win10-20230915-enlocale:en-usos:windows10-1703-x64system
submitted
16/10/2023, 09:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d2fffb4fd8a5fcf0e9d5bc967e1502c7f90fc856fe3bd5132032217d45006922.exe
Size

1.1MB
MD5

836a38caaae69ce3f1f5fc23ced607a4
SHA1

15074e86cb042ffcaf2e2bdf4374a2bce8751733
SHA256

d2fffb4fd8a5fcf0e9d5bc967e1502c7f90fc856fe3bd5132032217d45006922
SHA512

821b8df1cb39900f1ee29738352ecd6905f184d50144b80ea315d9374e0a9cd2c044082925a42a31bb33a61ca284284d362e7f476b0064a0bb3d03a2198d8152
SSDEEP

24576:zyZ0ZGQqWbWXLyCUlv8dhy6u57OeOEfrfZK/DOAwyWCSD2hkuPyaNQ2:GCEallv+ru5TOEfzFihv

Score

10^/10

redline kukish infostealer persistence

Malware Config

Extracted

Family

redline

Botnet

kukish

77.91.124.55:19071

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 3 IoCs

resource	yara_rule
behavioral1/files/0x000600000001af61-41.dat	family_redline
behavioral1/files/0x000600000001af61-44.dat	family_redline
behavioral1/memory/4884-45-0x0000000000360000-0x000000000039E000-memory.dmp	family_redline

Executes dropped EXE 6 IoCs

pid	Process
4772	wj2Sc1wu.exe
4708	Vt4Sp5Po.exe
4524	Tp5Er8ax.exe
4824	Fn3zL6nr.exe
2120	1SH39BH0.exe
4884	2Lt723oN.exe

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	d2fffb4fd8a5fcf0e9d5bc967e1502c7f90fc856fe3bd5132032217d45006922.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	wj2Sc1wu.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	Vt4Sp5Po.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	Tp5Er8ax.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\""	Fn3zL6nr.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2120 set thread context of 1892	2120	1SH39BH0.exe	74

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4192	1892	WerFault.exe	74

Suspicious use of WriteProcessMemory 28 IoCs

description	pid	Process	procid_target
PID 2212 wrote to memory of 4772	2212	d2fffb4fd8a5fcf0e9d5bc967e1502c7f90fc856fe3bd5132032217d45006922.exe	69
PID 2212 wrote to memory of 4772	2212	d2fffb4fd8a5fcf0e9d5bc967e1502c7f90fc856fe3bd5132032217d45006922.exe	69
PID 2212 wrote to memory of 4772	2212	d2fffb4fd8a5fcf0e9d5bc967e1502c7f90fc856fe3bd5132032217d45006922.exe	69
PID 4772 wrote to memory of 4708	4772	wj2Sc1wu.exe	70
PID 4772 wrote to memory of 4708	4772	wj2Sc1wu.exe	70
PID 4772 wrote to memory of 4708	4772	wj2Sc1wu.exe	70
PID 4708 wrote to memory of 4524	4708	Vt4Sp5Po.exe	71
PID 4708 wrote to memory of 4524	4708	Vt4Sp5Po.exe	71
PID 4708 wrote to memory of 4524	4708	Vt4Sp5Po.exe	71
PID 4524 wrote to memory of 4824	4524	Tp5Er8ax.exe	72
PID 4524 wrote to memory of 4824	4524	Tp5Er8ax.exe	72
PID 4524 wrote to memory of 4824	4524	Tp5Er8ax.exe	72
PID 4824 wrote to memory of 2120	4824	Fn3zL6nr.exe	73
PID 4824 wrote to memory of 2120	4824	Fn3zL6nr.exe	73
PID 4824 wrote to memory of 2120	4824	Fn3zL6nr.exe	73
PID 2120 wrote to memory of 1892	2120	1SH39BH0.exe	74
PID 2120 wrote to memory of 1892	2120	1SH39BH0.exe	74
PID 2120 wrote to memory of 1892	2120	1SH39BH0.exe	74
PID 2120 wrote to memory of 1892	2120	1SH39BH0.exe	74
PID 2120 wrote to memory of 1892	2120	1SH39BH0.exe	74
PID 2120 wrote to memory of 1892	2120	1SH39BH0.exe	74
PID 2120 wrote to memory of 1892	2120	1SH39BH0.exe	74
PID 2120 wrote to memory of 1892	2120	1SH39BH0.exe	74
PID 2120 wrote to memory of 1892	2120	1SH39BH0.exe	74
PID 2120 wrote to memory of 1892	2120	1SH39BH0.exe	74
PID 4824 wrote to memory of 4884	4824	Fn3zL6nr.exe	75
PID 4824 wrote to memory of 4884	4824	Fn3zL6nr.exe	75
PID 4824 wrote to memory of 4884	4824	Fn3zL6nr.exe	75

C:\Users\Admin\AppData\Local\Temp\d2fffb4fd8a5fcf0e9d5bc967e1502c7f90fc856fe3bd5132032217d45006922.exe
"C:\Users\Admin\AppData\Local\Temp\d2fffb4fd8a5fcf0e9d5bc967e1502c7f90fc856fe3bd5132032217d45006922.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2212
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\wj2Sc1wu.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\wj2Sc1wu.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:4772
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Vt4Sp5Po.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Vt4Sp5Po.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:4708
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Tp5Er8ax.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Tp5Er8ax.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:4524
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\Fn3zL6nr.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\Fn3zL6nr.exe
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of WriteProcessMemory
        
        PID:4824
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1SH39BH0.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1SH39BH0.exe
        6⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:2120
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        7⤵
        
        PID:1892
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1892 -s 568
        8⤵
        Program crash
        
        PID:4192
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2Lt723oN.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2Lt723oN.exe
        6⤵
        Executes dropped EXE
        
        PID:4884

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\wj2Sc1wu.exe

Filesize
1.0MB

MD5
193963f09541048cf035b3504a388c92

SHA1
790b0fd99a4794eb958d166b239204b7f847b293

SHA256
89d92ce9f10e849410fcad3cc1c388647fdbdafc1b3fd56fd0695130613e592e

SHA512
3926e91da58fe6ed9b5e5063365e36e1e2b05ea80bc626002fb9d4aeda50f29d11cf2c58b8c44ef14039aba9b36329a726b4c1ec6129f47922956ae9252ced7d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\wj2Sc1wu.exe

Filesize
1.0MB

MD5
193963f09541048cf035b3504a388c92

SHA1
790b0fd99a4794eb958d166b239204b7f847b293

SHA256
89d92ce9f10e849410fcad3cc1c388647fdbdafc1b3fd56fd0695130613e592e

SHA512
3926e91da58fe6ed9b5e5063365e36e1e2b05ea80bc626002fb9d4aeda50f29d11cf2c58b8c44ef14039aba9b36329a726b4c1ec6129f47922956ae9252ced7d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Vt4Sp5Po.exe

Filesize
839KB

MD5
0be9ec8a4dd67da4d9bf82362b3281bb

SHA1
17c9321ce4e65362d79a5075fae2ffc2e12562fb

SHA256
607b2ae23604ebcf43d12729776d7ce72e7ddb558e37f378a5d31bc87813494b

SHA512
3e834fb3d8af74aa637e99a71d0f04c2bba4d4e9deb3076df9153e7a72214d0c53db7a8297eb211c0b49d10e4c076c0526206a27ff7b8290492bd9e0ec70a646

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Vt4Sp5Po.exe

Filesize
839KB

MD5
0be9ec8a4dd67da4d9bf82362b3281bb

SHA1
17c9321ce4e65362d79a5075fae2ffc2e12562fb

SHA256
607b2ae23604ebcf43d12729776d7ce72e7ddb558e37f378a5d31bc87813494b

SHA512
3e834fb3d8af74aa637e99a71d0f04c2bba4d4e9deb3076df9153e7a72214d0c53db7a8297eb211c0b49d10e4c076c0526206a27ff7b8290492bd9e0ec70a646

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Tp5Er8ax.exe

Filesize
591KB

MD5
369740c6d89d313a48a795e543cb1c8f

SHA1
b6891b018ce0cdd4f0e393f731c572e57dfd4927

SHA256
02b1dae2e41619dfaff3fd2c9c2fcbbb337f26ec519aeda4f5a5daf385d84994

SHA512
1e545a6b89edf21ccf4240431dc9172d71f26af99361c6950dde48016fadd2064b0f65db6a01e807cec017fd03240600869160236c2a8b7d2f5bac4c200d7ee3

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Tp5Er8ax.exe

Filesize
591KB

MD5
369740c6d89d313a48a795e543cb1c8f

SHA1
b6891b018ce0cdd4f0e393f731c572e57dfd4927

SHA256
02b1dae2e41619dfaff3fd2c9c2fcbbb337f26ec519aeda4f5a5daf385d84994

SHA512
1e545a6b89edf21ccf4240431dc9172d71f26af99361c6950dde48016fadd2064b0f65db6a01e807cec017fd03240600869160236c2a8b7d2f5bac4c200d7ee3

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\Fn3zL6nr.exe

Filesize
396KB

MD5
0d0d9be70edd172d9f39f88c5120f2a8

SHA1
6a4b01a94d842f717f0430df6ae0fc2aee427812

SHA256
6846fa28d6a789db18a2bf29811d4b383634e9a848536640f910dec1c709eb75

SHA512
50d6feacd947e33138aefd09e0040e35162b9a9b794c8bc91202d713cc23fe720ca9f51b7313b07f86a4a985e152c752ecc8730dbe6743a0cd4ce821b5d9632b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\Fn3zL6nr.exe

Filesize
396KB

MD5
0d0d9be70edd172d9f39f88c5120f2a8

SHA1
6a4b01a94d842f717f0430df6ae0fc2aee427812

SHA256
6846fa28d6a789db18a2bf29811d4b383634e9a848536640f910dec1c709eb75

SHA512
50d6feacd947e33138aefd09e0040e35162b9a9b794c8bc91202d713cc23fe720ca9f51b7313b07f86a4a985e152c752ecc8730dbe6743a0cd4ce821b5d9632b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1SH39BH0.exe

Filesize
314KB

MD5
8cef6a83ddb511ef699e1bdfdb430d20

SHA1
8839d5d82eef037dad8fa83771748829b3a98583

SHA256
9903c299e98e6a2d5a4b4e6902e26fef536fd639df1a2aeec4ca41499f6df96b

SHA512
e4afa47c46f86dc59d739af1ebfe75898108ff9312b1612e70cdfea51cfd98c72dab62bf0be3a8c8b7f49f6e0626f093fe44c7944cbfcac63908a069afb46ce5

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1SH39BH0.exe

Filesize
314KB

MD5
8cef6a83ddb511ef699e1bdfdb430d20

SHA1
8839d5d82eef037dad8fa83771748829b3a98583

SHA256
9903c299e98e6a2d5a4b4e6902e26fef536fd639df1a2aeec4ca41499f6df96b

SHA512
e4afa47c46f86dc59d739af1ebfe75898108ff9312b1612e70cdfea51cfd98c72dab62bf0be3a8c8b7f49f6e0626f093fe44c7944cbfcac63908a069afb46ce5

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2Lt723oN.exe

Filesize
222KB

MD5
24aaff529d54683757167da84006c817

SHA1
b14ab5da418d25aa6952f9cda70e9893c5aded16

SHA256
a90671a7bccaeed9e32566cee7ca0c2af235df1d819c919c6669d4d117c4fd5a

SHA512
b1c3832091380bf6fd2e6272388cca3abde93e9ec83daea69bb73132261daa3a769da09d3fcffd09cb10157cf15f42cf0a85fc77cf0d50defd3889a3c8777891

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2Lt723oN.exe

Filesize
222KB

MD5
24aaff529d54683757167da84006c817

SHA1
b14ab5da418d25aa6952f9cda70e9893c5aded16

SHA256
a90671a7bccaeed9e32566cee7ca0c2af235df1d819c919c6669d4d117c4fd5a

SHA512
b1c3832091380bf6fd2e6272388cca3abde93e9ec83daea69bb73132261daa3a769da09d3fcffd09cb10157cf15f42cf0a85fc77cf0d50defd3889a3c8777891

Download Submit
memory/1892-38-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/1892-35-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/1892-40-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/1892-43-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/4884-48-0x00000000070C0000-0x0000000007152000-memory.dmp

Filesize
584KB

Download
memory/4884-46-0x0000000073080000-0x000000007376E000-memory.dmp

Filesize
6.9MB

Download
memory/4884-47-0x00000000074D0000-0x00000000079CE000-memory.dmp

Filesize
5.0MB

Download
memory/4884-45-0x0000000000360000-0x000000000039E000-memory.dmp

Filesize
248KB

Download
memory/4884-49-0x0000000007250000-0x000000000725A000-memory.dmp

Filesize
40KB

Download
memory/4884-50-0x0000000007FE0000-0x00000000085E6000-memory.dmp

Filesize
6.0MB

Download
memory/4884-51-0x0000000007AE0000-0x0000000007BEA000-memory.dmp

Filesize
1.0MB

Download
memory/4884-52-0x0000000007470000-0x0000000007482000-memory.dmp

Filesize
72KB

Download
memory/4884-53-0x00000000079D0000-0x0000000007A0E000-memory.dmp

Filesize
248KB

Download
memory/4884-54-0x0000000007A10000-0x0000000007A5B000-memory.dmp

Filesize
300KB

Download
memory/4884-55-0x0000000073080000-0x000000007376E000-memory.dmp

Filesize
6.9MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads