redline | 610c77f13bc967ea9cc11e01757663e8be33dc88dfba864978af667ac398441e

Analysis

max time kernel
157s
max time network
164s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
16/10/2023, 18:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6fc4b0bf2f4993eabf50d89c33b2ee075e50a5f31f5c8a27442dd5e3280486fc.exe
Size

1.1MB
MD5

9219da8bbd497ea8e7ad5c28023d5249
SHA1

0e1444a4f5aae79482b5da1437f741db7a3d9bab
SHA256

6fc4b0bf2f4993eabf50d89c33b2ee075e50a5f31f5c8a27442dd5e3280486fc
SHA512

9118c800ad0791baef0465c0bc96affba37adfbcc0a493213aa01c979f1fb92d68d9266a0d29c9abd62707bfd3a95b87f8053d7e8aaac47ea8da557362ee36eb
SSDEEP

24576:fyRQyXHhwto7XCXYfz2y7DEUuoqdTIaQA:qDXcXYlA6

Score

10^/10

redline kukish infostealer persistence

Malware Config

Extracted

Family

redline

Botnet

kukish

77.91.124.55:19071

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 3 IoCs

resource	yara_rule
behavioral2/files/0x00060000000231de-41.dat	family_redline
behavioral2/files/0x00060000000231de-42.dat	family_redline
behavioral2/memory/1392-43-0x0000000000510000-0x000000000054E000-memory.dmp	family_redline

Executes dropped EXE 6 IoCs

pid	Process
3176	Tn1Gk7kr.exe
3240	Yb8gy3tn.exe
844	ne7gg2YR.exe
4036	jA3cZ6zt.exe
1084	1bL57VJ4.exe
1392	2nr301EZ.exe

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	ne7gg2YR.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\""	jA3cZ6zt.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	6fc4b0bf2f4993eabf50d89c33b2ee075e50a5f31f5c8a27442dd5e3280486fc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	Tn1Gk7kr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	Yb8gy3tn.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1084 set thread context of 4680	1084	1bL57VJ4.exe	88

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1636	4680	WerFault.exe	88

Suspicious use of WriteProcessMemory 28 IoCs

description	pid	Process	procid_target
PID 1560 wrote to memory of 3176	1560	6fc4b0bf2f4993eabf50d89c33b2ee075e50a5f31f5c8a27442dd5e3280486fc.exe	83
PID 1560 wrote to memory of 3176	1560	6fc4b0bf2f4993eabf50d89c33b2ee075e50a5f31f5c8a27442dd5e3280486fc.exe	83
PID 1560 wrote to memory of 3176	1560	6fc4b0bf2f4993eabf50d89c33b2ee075e50a5f31f5c8a27442dd5e3280486fc.exe	83
PID 3176 wrote to memory of 3240	3176	Tn1Gk7kr.exe	84
PID 3176 wrote to memory of 3240	3176	Tn1Gk7kr.exe	84
PID 3176 wrote to memory of 3240	3176	Tn1Gk7kr.exe	84
PID 3240 wrote to memory of 844	3240	Yb8gy3tn.exe	85
PID 3240 wrote to memory of 844	3240	Yb8gy3tn.exe	85
PID 3240 wrote to memory of 844	3240	Yb8gy3tn.exe	85
PID 844 wrote to memory of 4036	844	ne7gg2YR.exe	86
PID 844 wrote to memory of 4036	844	ne7gg2YR.exe	86
PID 844 wrote to memory of 4036	844	ne7gg2YR.exe	86
PID 4036 wrote to memory of 1084	4036	jA3cZ6zt.exe	87
PID 4036 wrote to memory of 1084	4036	jA3cZ6zt.exe	87
PID 4036 wrote to memory of 1084	4036	jA3cZ6zt.exe	87
PID 1084 wrote to memory of 4680	1084	1bL57VJ4.exe	88
PID 1084 wrote to memory of 4680	1084	1bL57VJ4.exe	88
PID 1084 wrote to memory of 4680	1084	1bL57VJ4.exe	88
PID 1084 wrote to memory of 4680	1084	1bL57VJ4.exe	88
PID 1084 wrote to memory of 4680	1084	1bL57VJ4.exe	88
PID 1084 wrote to memory of 4680	1084	1bL57VJ4.exe	88
PID 1084 wrote to memory of 4680	1084	1bL57VJ4.exe	88
PID 1084 wrote to memory of 4680	1084	1bL57VJ4.exe	88
PID 1084 wrote to memory of 4680	1084	1bL57VJ4.exe	88
PID 1084 wrote to memory of 4680	1084	1bL57VJ4.exe	88
PID 4036 wrote to memory of 1392	4036	jA3cZ6zt.exe	90
PID 4036 wrote to memory of 1392	4036	jA3cZ6zt.exe	90
PID 4036 wrote to memory of 1392	4036	jA3cZ6zt.exe	90

C:\Users\Admin\AppData\Local\Temp\6fc4b0bf2f4993eabf50d89c33b2ee075e50a5f31f5c8a27442dd5e3280486fc.exe
"C:\Users\Admin\AppData\Local\Temp\6fc4b0bf2f4993eabf50d89c33b2ee075e50a5f31f5c8a27442dd5e3280486fc.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1560
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Tn1Gk7kr.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Tn1Gk7kr.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:3176
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Yb8gy3tn.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Yb8gy3tn.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:3240
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\ne7gg2YR.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\ne7gg2YR.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:844
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\jA3cZ6zt.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\jA3cZ6zt.exe
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of WriteProcessMemory
        
        PID:4036
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1bL57VJ4.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1bL57VJ4.exe
        6⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:1084
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        7⤵
        
        PID:4680
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4680 -s 540
        8⤵
        Program crash
        
        PID:1636
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2nr301EZ.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2nr301EZ.exe
        6⤵
        Executes dropped EXE
        
        PID:1392

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4680 -ip 4680
1⤵
PID:2892

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Tn1Gk7kr.exe

Filesize
1.0MB

MD5
e91d4b9fffc13d5ad06aee6390374539

SHA1
6eda11eb614423e69c2a42be1838c0115ee8e9fa

SHA256
39710a69def697a32364405489ade84b859862ca000018871b20b3922037e09b

SHA512
98dce59a0fb18be659d94ea01d634b57608203b738b63267d2108d32948cc4ec8754e1e661e69d042510f1eb98aacb8cf5995b2111d43f795fadc15eaec4f013

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Tn1Gk7kr.exe

Filesize
1.0MB

MD5
e91d4b9fffc13d5ad06aee6390374539

SHA1
6eda11eb614423e69c2a42be1838c0115ee8e9fa

SHA256
39710a69def697a32364405489ade84b859862ca000018871b20b3922037e09b

SHA512
98dce59a0fb18be659d94ea01d634b57608203b738b63267d2108d32948cc4ec8754e1e661e69d042510f1eb98aacb8cf5995b2111d43f795fadc15eaec4f013

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Yb8gy3tn.exe

Filesize
848KB

MD5
361f0e8ad662fc5518befebffd0a4073

SHA1
b2bea918f16424c93ca0a06eae96a300b1d5728d

SHA256
c295d8721454d33c187d1323ae0b728ffb1baa4a562a8ae77b0deb8720cc9d74

SHA512
4cc41257d584d291cd4561c50d9b2379e84e648f2c1fa30109f8b72f0e1885e6232b669adac75ca4244a2ca991418990baa9a23faf3be427d9cb9311d6abba6e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Yb8gy3tn.exe

Filesize
848KB

MD5
361f0e8ad662fc5518befebffd0a4073

SHA1
b2bea918f16424c93ca0a06eae96a300b1d5728d

SHA256
c295d8721454d33c187d1323ae0b728ffb1baa4a562a8ae77b0deb8720cc9d74

SHA512
4cc41257d584d291cd4561c50d9b2379e84e648f2c1fa30109f8b72f0e1885e6232b669adac75ca4244a2ca991418990baa9a23faf3be427d9cb9311d6abba6e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\ne7gg2YR.exe

Filesize
595KB

MD5
f9ee19bebfd3323dfaa0a05bceed60b5

SHA1
9bb74c10af9e5c3f03952e60642fde9990200812

SHA256
f318c9e7dab599c9d5cb21fa3ad1badc5a4247a4b6169c1669b61d71a05422fb

SHA512
a66a7b0bde1cc1eaae1137a5b961365e0a87e97b4f8a6957d83e009927a31e7053fa1382a8c20acee9425f75c1feacc3c8294df35a923aec1c1e58d92ba1558c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\ne7gg2YR.exe

Filesize
595KB

MD5
f9ee19bebfd3323dfaa0a05bceed60b5

SHA1
9bb74c10af9e5c3f03952e60642fde9990200812

SHA256
f318c9e7dab599c9d5cb21fa3ad1badc5a4247a4b6169c1669b61d71a05422fb

SHA512
a66a7b0bde1cc1eaae1137a5b961365e0a87e97b4f8a6957d83e009927a31e7053fa1382a8c20acee9425f75c1feacc3c8294df35a923aec1c1e58d92ba1558c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\jA3cZ6zt.exe

Filesize
401KB

MD5
e8fc60b823761bf55e26cb669693eb5e

SHA1
cd8194c39da1ae0830bae711be3ff998752b767c

SHA256
73d938fa634cb8b600542f5ffa745f8ead8434d29cc0e95c8be09afb3b61213f

SHA512
ce019b11a59339dca98fbec31b88c016e9016c670f4c0950c983cb14ee1b0a5f9f4ad7250732df0bebcf51fb23cd4ef536d48a16dbcfc6cab2d561ccc98b4314

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\jA3cZ6zt.exe

Filesize
401KB

MD5
e8fc60b823761bf55e26cb669693eb5e

SHA1
cd8194c39da1ae0830bae711be3ff998752b767c

SHA256
73d938fa634cb8b600542f5ffa745f8ead8434d29cc0e95c8be09afb3b61213f

SHA512
ce019b11a59339dca98fbec31b88c016e9016c670f4c0950c983cb14ee1b0a5f9f4ad7250732df0bebcf51fb23cd4ef536d48a16dbcfc6cab2d561ccc98b4314

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1bL57VJ4.exe

Filesize
328KB

MD5
5893d002e1dd791a83024a655b436fed

SHA1
24e84abf2b990b4f73b7aba138df9a190bb1718c

SHA256
4a4e0f429d26bb75d850e9e40f28d507d80ca6f945d65f5cbdedb242d3bbbc47

SHA512
8e395394bc0bacdf078b9d0dbdc3a75541734264e015737872477bd0f8941038f2a5e8f1141783fd986c6148de579aecac0d89e1cdcd7f7ee98fc8c86fcd38af

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1bL57VJ4.exe

Filesize
328KB

MD5
5893d002e1dd791a83024a655b436fed

SHA1
24e84abf2b990b4f73b7aba138df9a190bb1718c

SHA256
4a4e0f429d26bb75d850e9e40f28d507d80ca6f945d65f5cbdedb242d3bbbc47

SHA512
8e395394bc0bacdf078b9d0dbdc3a75541734264e015737872477bd0f8941038f2a5e8f1141783fd986c6148de579aecac0d89e1cdcd7f7ee98fc8c86fcd38af

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2nr301EZ.exe

Filesize
222KB

MD5
6efa05ecd81517fceeb47f123f12a9b4

SHA1
57149ada98523a3fced6782699a04e0bd25b4ddf

SHA256
2bb47fcaceac0a59ba9e2d927c46d0076c48d2e5e10818b048517206d5eaca9a

SHA512
02985e3879ecbed0bc0ebd2131b522f1424c1b8e3237887ddce70c5dfd4a3d1d2657cf140c02d64da3fb584a2197757e7645fefb41a22a3fc9fb40235a4f0a3a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2nr301EZ.exe

Filesize
222KB

MD5
6efa05ecd81517fceeb47f123f12a9b4

SHA1
57149ada98523a3fced6782699a04e0bd25b4ddf

SHA256
2bb47fcaceac0a59ba9e2d927c46d0076c48d2e5e10818b048517206d5eaca9a

SHA512
02985e3879ecbed0bc0ebd2131b522f1424c1b8e3237887ddce70c5dfd4a3d1d2657cf140c02d64da3fb584a2197757e7645fefb41a22a3fc9fb40235a4f0a3a

Download Submit
memory/1392-46-0x00000000072C0000-0x0000000007352000-memory.dmp

Filesize
584KB

Download
memory/1392-48-0x0000000007480000-0x000000000748A000-memory.dmp

Filesize
40KB

Download
memory/1392-55-0x00000000074A0000-0x00000000074B0000-memory.dmp

Filesize
64KB

Download
memory/1392-54-0x0000000073BF0000-0x00000000743A0000-memory.dmp

Filesize
7.7MB

Download
memory/1392-43-0x0000000000510000-0x000000000054E000-memory.dmp

Filesize
248KB

Download
memory/1392-44-0x0000000073BF0000-0x00000000743A0000-memory.dmp

Filesize
7.7MB

Download
memory/1392-45-0x00000000077D0000-0x0000000007D74000-memory.dmp

Filesize
5.6MB

Download
memory/1392-53-0x0000000007750000-0x000000000779C000-memory.dmp

Filesize
304KB

Download
memory/1392-52-0x0000000007710000-0x000000000774C000-memory.dmp

Filesize
240KB

Download
memory/1392-49-0x00000000083A0000-0x00000000089B8000-memory.dmp

Filesize
6.1MB

Download
memory/1392-47-0x00000000074A0000-0x00000000074B0000-memory.dmp

Filesize
64KB

Download
memory/1392-50-0x0000000007D80000-0x0000000007E8A000-memory.dmp

Filesize
1.0MB

Download
memory/1392-51-0x00000000076B0000-0x00000000076C2000-memory.dmp

Filesize
72KB

Download
memory/4680-39-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/4680-35-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/4680-37-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/4680-36-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads