redline | 8107ec47559ed8c36318a2bfa531e48f3f9080d9319e940c69a705f3ec0622ca

Analysis

max time kernel
140s
max time network
157s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
16-10-2023 14:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

378709e6dfa1907262b83a223469bacd2ab5329c2e900e9862c9395d2aacdfee.exe
Size

1.1MB
MD5

d918302eff427b8528fd85a110d07b8d
SHA1

6deb85ef73bf026ff2c1d66c894bcec64e77f9f1
SHA256

378709e6dfa1907262b83a223469bacd2ab5329c2e900e9862c9395d2aacdfee
SHA512

1e5c24b378548cf3d8c0e4287810894bd4f9f732bb03f9c7d2ff1ba412ef87a7d10f91c13a37d1470f6ed00acf8206b5c8494a4249c4285220af9714bc7f22bb
SSDEEP

24576:lyGtE8WqWdT5Svlhkwvlipc4lrnR/1oejn18s:AGtEzbMlj9iJt1Vy

Score

10^/10

redline kukish infostealer persistence

Malware Config

Extracted

Family

redline

Botnet

kukish

77.91.124.55:19071

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 3 IoCs

resource	yara_rule
behavioral2/files/0x0006000000023254-41.dat	family_redline
behavioral2/files/0x0006000000023254-42.dat	family_redline
behavioral2/memory/3348-43-0x0000000000410000-0x000000000044E000-memory.dmp	family_redline

Executes dropped EXE 6 IoCs

pid	Process
4052	ac8ud5ka.exe
2756	Tw4bJ6ed.exe
5052	Bo9ym0Wo.exe
2608	iT2kf7bs.exe
4844	1Au43wY7.exe
3348	2XZ926Rv.exe

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	Tw4bJ6ed.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	Bo9ym0Wo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\""	iT2kf7bs.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	378709e6dfa1907262b83a223469bacd2ab5329c2e900e9862c9395d2aacdfee.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	ac8ud5ka.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4844 set thread context of 4408	4844	1Au43wY7.exe	87

Program crash 2 IoCs

pid	pid_target	Process	procid_target
232	4844	WerFault.exe	85
2360	4408	WerFault.exe	87

Suspicious use of WriteProcessMemory 28 IoCs

description	pid	Process	procid_target
PID 4264 wrote to memory of 4052	4264	378709e6dfa1907262b83a223469bacd2ab5329c2e900e9862c9395d2aacdfee.exe	81
PID 4264 wrote to memory of 4052	4264	378709e6dfa1907262b83a223469bacd2ab5329c2e900e9862c9395d2aacdfee.exe	81
PID 4264 wrote to memory of 4052	4264	378709e6dfa1907262b83a223469bacd2ab5329c2e900e9862c9395d2aacdfee.exe	81
PID 4052 wrote to memory of 2756	4052	ac8ud5ka.exe	82
PID 4052 wrote to memory of 2756	4052	ac8ud5ka.exe	82
PID 4052 wrote to memory of 2756	4052	ac8ud5ka.exe	82
PID 2756 wrote to memory of 5052	2756	Tw4bJ6ed.exe	83
PID 2756 wrote to memory of 5052	2756	Tw4bJ6ed.exe	83
PID 2756 wrote to memory of 5052	2756	Tw4bJ6ed.exe	83
PID 5052 wrote to memory of 2608	5052	Bo9ym0Wo.exe	84
PID 5052 wrote to memory of 2608	5052	Bo9ym0Wo.exe	84
PID 5052 wrote to memory of 2608	5052	Bo9ym0Wo.exe	84
PID 2608 wrote to memory of 4844	2608	iT2kf7bs.exe	85
PID 2608 wrote to memory of 4844	2608	iT2kf7bs.exe	85
PID 2608 wrote to memory of 4844	2608	iT2kf7bs.exe	85
PID 4844 wrote to memory of 4408	4844	1Au43wY7.exe	87
PID 4844 wrote to memory of 4408	4844	1Au43wY7.exe	87
PID 4844 wrote to memory of 4408	4844	1Au43wY7.exe	87
PID 4844 wrote to memory of 4408	4844	1Au43wY7.exe	87
PID 4844 wrote to memory of 4408	4844	1Au43wY7.exe	87
PID 4844 wrote to memory of 4408	4844	1Au43wY7.exe	87
PID 4844 wrote to memory of 4408	4844	1Au43wY7.exe	87
PID 4844 wrote to memory of 4408	4844	1Au43wY7.exe	87
PID 4844 wrote to memory of 4408	4844	1Au43wY7.exe	87
PID 4844 wrote to memory of 4408	4844	1Au43wY7.exe	87
PID 2608 wrote to memory of 3348	2608	iT2kf7bs.exe	93
PID 2608 wrote to memory of 3348	2608	iT2kf7bs.exe	93
PID 2608 wrote to memory of 3348	2608	iT2kf7bs.exe	93

C:\Users\Admin\AppData\Local\Temp\378709e6dfa1907262b83a223469bacd2ab5329c2e900e9862c9395d2aacdfee.exe
"C:\Users\Admin\AppData\Local\Temp\378709e6dfa1907262b83a223469bacd2ab5329c2e900e9862c9395d2aacdfee.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4264
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ac8ud5ka.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ac8ud5ka.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:4052
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Tw4bJ6ed.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Tw4bJ6ed.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:2756
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Bo9ym0Wo.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Bo9ym0Wo.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:5052
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\iT2kf7bs.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\iT2kf7bs.exe
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of WriteProcessMemory
        
        PID:2608
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1Au43wY7.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1Au43wY7.exe
        6⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:4844
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        7⤵
        
        PID:4408
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4408 -s 540
        8⤵
        Program crash
        
        PID:2360
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4844 -s 140
        7⤵
        Program crash
        
        PID:232
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2XZ926Rv.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2XZ926Rv.exe
        6⤵
        Executes dropped EXE
        
        PID:3348

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 4844 -ip 4844
1⤵
PID:2960

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 4408 -ip 4408
1⤵
PID:5084

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ac8ud5ka.exe

Filesize
1001KB

MD5
cf7b1cc8bb70b061be6514277dfac1bf

SHA1
77350dae7906367bc3552f468fed414366790ded

SHA256
a1d7732ab26d244816cbc06d3e1d737ad826da8f4a4ddd6893f0ee3a6926cb80

SHA512
c7fe00046fef30b42c4b28b5b9a3ee2dbc31a8e6a563d0098082c86fde1ff1e5f8b0c722247291fc2de1bb543e507837dfd7be7d4e59f35e936be0050f389e7b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ac8ud5ka.exe

Filesize
1001KB

MD5
cf7b1cc8bb70b061be6514277dfac1bf

SHA1
77350dae7906367bc3552f468fed414366790ded

SHA256
a1d7732ab26d244816cbc06d3e1d737ad826da8f4a4ddd6893f0ee3a6926cb80

SHA512
c7fe00046fef30b42c4b28b5b9a3ee2dbc31a8e6a563d0098082c86fde1ff1e5f8b0c722247291fc2de1bb543e507837dfd7be7d4e59f35e936be0050f389e7b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Tw4bJ6ed.exe

Filesize
811KB

MD5
7044b4fc850fea4abc517afa7deec8c5

SHA1
171eaf04cae7fbc7ff16558b66f9911576f2dbd5

SHA256
5c0363a864a750df5a00cae1e261e580b08f8e3126a2d15d5c4bba882ed72a19

SHA512
23ca0c72944fdf0d72f0a75f5aedae5134ffc743247c9bfd4b79568eda2ebbdb6b392f9f29264d742e7db6c8acee2e2d6d9a6c75ee77bc128c953d5e642b4c41

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Tw4bJ6ed.exe

Filesize
811KB

MD5
7044b4fc850fea4abc517afa7deec8c5

SHA1
171eaf04cae7fbc7ff16558b66f9911576f2dbd5

SHA256
5c0363a864a750df5a00cae1e261e580b08f8e3126a2d15d5c4bba882ed72a19

SHA512
23ca0c72944fdf0d72f0a75f5aedae5134ffc743247c9bfd4b79568eda2ebbdb6b392f9f29264d742e7db6c8acee2e2d6d9a6c75ee77bc128c953d5e642b4c41

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Bo9ym0Wo.exe

Filesize
577KB

MD5
deecc6d583c6b762fe69b9e7b70ba0d4

SHA1
9dee62365e9c7251d30f769d340e41a2d61390fc

SHA256
7211e6b3b1c4682d642271623a09acd22f95c23550d1a2de8adcb7539d2b3a7b

SHA512
6e204fee2f7ba1fbe416ab7bff08fecf116c7bcaca71d5d0627ce263c4da9cd54c46b8cf60bf7f4b5c182f8f287c26b2fc172d8b9f5617d082ae5936abb42b16

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Bo9ym0Wo.exe

Filesize
577KB

MD5
deecc6d583c6b762fe69b9e7b70ba0d4

SHA1
9dee62365e9c7251d30f769d340e41a2d61390fc

SHA256
7211e6b3b1c4682d642271623a09acd22f95c23550d1a2de8adcb7539d2b3a7b

SHA512
6e204fee2f7ba1fbe416ab7bff08fecf116c7bcaca71d5d0627ce263c4da9cd54c46b8cf60bf7f4b5c182f8f287c26b2fc172d8b9f5617d082ae5936abb42b16

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\iT2kf7bs.exe

Filesize
382KB

MD5
2ee0e57bc9caedea3174d94e058874cf

SHA1
7e20c5c0b7be85fec4c616766d7f43d234c67620

SHA256
45d05dbd7db454815b8b8380b3dfdaed072a2c8a46396755cd98dcb547cf0f16

SHA512
73f4b6cd25c2b8105811d98ee06292d134830794033fd816c2729cc1961d2fcfcceaac6d7ba3c4e65e2e148f903dad039a2bc374671d88d9c7b4fca4eada3a2e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\iT2kf7bs.exe

Filesize
382KB

MD5
2ee0e57bc9caedea3174d94e058874cf

SHA1
7e20c5c0b7be85fec4c616766d7f43d234c67620

SHA256
45d05dbd7db454815b8b8380b3dfdaed072a2c8a46396755cd98dcb547cf0f16

SHA512
73f4b6cd25c2b8105811d98ee06292d134830794033fd816c2729cc1961d2fcfcceaac6d7ba3c4e65e2e148f903dad039a2bc374671d88d9c7b4fca4eada3a2e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1Au43wY7.exe

Filesize
295KB

MD5
1a98df4e0e91c1ef9db3c683bf614bf6

SHA1
1ec6bc54930df4fa3923156e7c26857e702fd050

SHA256
a7e2b3a646568868b4716cdb5efa67162fac8e50604d05183e0284e0dd4b2528

SHA512
9769b8b8836734b8a67df58461f01628552340d2e483dd9425f117c3140c6ddde7a3b6feb1402d474eb05fa53382c9073d1d6b6b4e3cd745df0bece386c0bc66

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1Au43wY7.exe

Filesize
295KB

MD5
1a98df4e0e91c1ef9db3c683bf614bf6

SHA1
1ec6bc54930df4fa3923156e7c26857e702fd050

SHA256
a7e2b3a646568868b4716cdb5efa67162fac8e50604d05183e0284e0dd4b2528

SHA512
9769b8b8836734b8a67df58461f01628552340d2e483dd9425f117c3140c6ddde7a3b6feb1402d474eb05fa53382c9073d1d6b6b4e3cd745df0bece386c0bc66

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2XZ926Rv.exe

Filesize
222KB

MD5
ef6f5a781a56f2887f45f02c0701de31

SHA1
579ac01ba419412fa98510d15ccf54f11b4392e1

SHA256
c5720ef4d3335f86e9e747418342715e6ba07d80fa6c14675c20cf64c45540f3

SHA512
33b8af4cec1f03da42d8baff4115a0f5effdac646fcc4879fdb3eb20774a3b34fc20c306199f7a713238c6d04533c8535f2dfc4c64382a86b4fd8bdecc940b96

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2XZ926Rv.exe

Filesize
222KB

MD5
ef6f5a781a56f2887f45f02c0701de31

SHA1
579ac01ba419412fa98510d15ccf54f11b4392e1

SHA256
c5720ef4d3335f86e9e747418342715e6ba07d80fa6c14675c20cf64c45540f3

SHA512
33b8af4cec1f03da42d8baff4115a0f5effdac646fcc4879fdb3eb20774a3b34fc20c306199f7a713238c6d04533c8535f2dfc4c64382a86b4fd8bdecc940b96

Download Submit
memory/3348-46-0x00000000071D0000-0x0000000007262000-memory.dmp

Filesize
584KB

Download
memory/3348-43-0x0000000000410000-0x000000000044E000-memory.dmp

Filesize
248KB

Download
memory/3348-47-0x0000000007410000-0x0000000007420000-memory.dmp

Filesize
64KB

Download
memory/3348-55-0x0000000007410000-0x0000000007420000-memory.dmp

Filesize
64KB

Download
memory/3348-48-0x0000000007290000-0x000000000729A000-memory.dmp

Filesize
40KB

Download
memory/3348-44-0x0000000073D30000-0x00000000744E0000-memory.dmp

Filesize
7.7MB

Download
memory/3348-45-0x0000000007780000-0x0000000007D24000-memory.dmp

Filesize
5.6MB

Download
memory/3348-49-0x0000000008350000-0x0000000008968000-memory.dmp

Filesize
6.1MB

Download
memory/3348-54-0x0000000073D30000-0x00000000744E0000-memory.dmp

Filesize
7.7MB

Download
memory/3348-53-0x0000000007650000-0x000000000769C000-memory.dmp

Filesize
304KB

Download
memory/3348-52-0x00000000074D0000-0x000000000750C000-memory.dmp

Filesize
240KB

Download
memory/3348-50-0x0000000007540000-0x000000000764A000-memory.dmp

Filesize
1.0MB

Download
memory/3348-51-0x0000000007470000-0x0000000007482000-memory.dmp

Filesize
72KB

Download
memory/4408-36-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/4408-39-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/4408-35-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/4408-37-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads