redline | d7a1b2002766b697c01b6f24f8e6d9e12c9734ccb0e15c7bbcb8d01f9c27f98b

Analysis

max time kernel
146s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
16/10/2023, 18:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d7a1b2002766b697c01b6f24f8e6d9e12c9734ccb0e15c7bbcb8d01f9c27f98b.exe
Size

1.1MB
MD5

899b782a27ea9515dc7f46bd222274f1
SHA1

2f564536627e3d1b25c262b3dc36e0102df9852b
SHA256

d7a1b2002766b697c01b6f24f8e6d9e12c9734ccb0e15c7bbcb8d01f9c27f98b
SHA512

56978c49c17650b628df30e3dc0a24cc6d4799a6625805358652ee809debaae115131b3c80c9f0e7cd655ed04c49f9ad6abce380ddb389eb1e2f439f971228bf
SSDEEP

24576:xysbya7vRxi0GJXkDzY7pi/pNCEjNgLTekdpiaQxoTIIPm+VjTXn+u:ksbya7vRtGlksp/ECTzyvSmGfn

Score

10^/10

redline kukish infostealer persistence

Malware Config

Extracted

Family

redline

Botnet

kukish

77.91.124.55:19071

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 3 IoCs

resource	yara_rule
behavioral1/files/0x000700000002322f-41.dat	family_redline
behavioral1/files/0x000700000002322f-42.dat	family_redline
behavioral1/memory/4396-43-0x00000000002C0000-0x00000000002FE000-memory.dmp	family_redline

Executes dropped EXE 6 IoCs

pid	Process
992	gw4uN2pN.exe
3000	WK9mY4aW.exe
3384	Od3uo6Bo.exe
4480	or0Dr6by.exe
4796	1Xx71pn9.exe
4396	2Sa367iN.exe

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	WK9mY4aW.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	Od3uo6Bo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\""	or0Dr6by.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	d7a1b2002766b697c01b6f24f8e6d9e12c9734ccb0e15c7bbcb8d01f9c27f98b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	gw4uN2pN.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4796 set thread context of 1220	4796	1Xx71pn9.exe	95

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2608	1220	WerFault.exe	95

Suspicious use of WriteProcessMemory 28 IoCs

description	pid	Process	procid_target
PID 2688 wrote to memory of 992	2688	d7a1b2002766b697c01b6f24f8e6d9e12c9734ccb0e15c7bbcb8d01f9c27f98b.exe	83
PID 2688 wrote to memory of 992	2688	d7a1b2002766b697c01b6f24f8e6d9e12c9734ccb0e15c7bbcb8d01f9c27f98b.exe	83
PID 2688 wrote to memory of 992	2688	d7a1b2002766b697c01b6f24f8e6d9e12c9734ccb0e15c7bbcb8d01f9c27f98b.exe	83
PID 992 wrote to memory of 3000	992	gw4uN2pN.exe	84
PID 992 wrote to memory of 3000	992	gw4uN2pN.exe	84
PID 992 wrote to memory of 3000	992	gw4uN2pN.exe	84
PID 3000 wrote to memory of 3384	3000	WK9mY4aW.exe	85
PID 3000 wrote to memory of 3384	3000	WK9mY4aW.exe	85
PID 3000 wrote to memory of 3384	3000	WK9mY4aW.exe	85
PID 3384 wrote to memory of 4480	3384	Od3uo6Bo.exe	86
PID 3384 wrote to memory of 4480	3384	Od3uo6Bo.exe	86
PID 3384 wrote to memory of 4480	3384	Od3uo6Bo.exe	86
PID 4480 wrote to memory of 4796	4480	or0Dr6by.exe	87
PID 4480 wrote to memory of 4796	4480	or0Dr6by.exe	87
PID 4480 wrote to memory of 4796	4480	or0Dr6by.exe	87
PID 4796 wrote to memory of 1220	4796	1Xx71pn9.exe	95
PID 4796 wrote to memory of 1220	4796	1Xx71pn9.exe	95
PID 4796 wrote to memory of 1220	4796	1Xx71pn9.exe	95
PID 4796 wrote to memory of 1220	4796	1Xx71pn9.exe	95
PID 4796 wrote to memory of 1220	4796	1Xx71pn9.exe	95
PID 4796 wrote to memory of 1220	4796	1Xx71pn9.exe	95
PID 4796 wrote to memory of 1220	4796	1Xx71pn9.exe	95
PID 4796 wrote to memory of 1220	4796	1Xx71pn9.exe	95
PID 4796 wrote to memory of 1220	4796	1Xx71pn9.exe	95
PID 4796 wrote to memory of 1220	4796	1Xx71pn9.exe	95
PID 4480 wrote to memory of 4396	4480	or0Dr6by.exe	97
PID 4480 wrote to memory of 4396	4480	or0Dr6by.exe	97
PID 4480 wrote to memory of 4396	4480	or0Dr6by.exe	97

C:\Users\Admin\AppData\Local\Temp\d7a1b2002766b697c01b6f24f8e6d9e12c9734ccb0e15c7bbcb8d01f9c27f98b.exe
"C:\Users\Admin\AppData\Local\Temp\d7a1b2002766b697c01b6f24f8e6d9e12c9734ccb0e15c7bbcb8d01f9c27f98b.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2688
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\gw4uN2pN.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\gw4uN2pN.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:992
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\WK9mY4aW.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\WK9mY4aW.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:3000
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Od3uo6Bo.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Od3uo6Bo.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:3384
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\or0Dr6by.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\or0Dr6by.exe
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of WriteProcessMemory
        
        PID:4480
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1Xx71pn9.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1Xx71pn9.exe
        6⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:4796
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        7⤵
        
        PID:1220
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1220 -s 560
        8⤵
        Program crash
        
        PID:2608
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2Sa367iN.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2Sa367iN.exe
        6⤵
        Executes dropped EXE
        
        PID:4396

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1220 -ip 1220
1⤵
PID:3596

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\gw4uN2pN.exe

Filesize
1.0MB

MD5
fc9a6fc761800a01d4ba216fe7ac977b

SHA1
153921cad9410cc38cda76d015d2452ef837ef14

SHA256
d397b9c58d770173f51d138d482fb3a47fdcf2cf89678ba3b5cd9e91cada12af

SHA512
d1cc7d6c4ff1ba3551667db7c0e55e8109fbc2210dd47af9f647756c788dd82ade4f105e80fa8dcbe186310530166a6c14a9649be9a148c117034a08fe10eba1

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\gw4uN2pN.exe

Filesize
1.0MB

MD5
fc9a6fc761800a01d4ba216fe7ac977b

SHA1
153921cad9410cc38cda76d015d2452ef837ef14

SHA256
d397b9c58d770173f51d138d482fb3a47fdcf2cf89678ba3b5cd9e91cada12af

SHA512
d1cc7d6c4ff1ba3551667db7c0e55e8109fbc2210dd47af9f647756c788dd82ade4f105e80fa8dcbe186310530166a6c14a9649be9a148c117034a08fe10eba1

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\WK9mY4aW.exe

Filesize
843KB

MD5
7b10098b05b93956f36c0eb60278ba52

SHA1
b5632867f17799e73aa41652beb5be2a5a4cca9a

SHA256
803f9efc16fadfd2167f519f5570785a626b6b79a1b9450170b82a838735faaf

SHA512
5a8ee748bc5eb9b08e45e12a117d635b5938165b0df05fd5a5e0a090202d3753877e8dfbde69465006506df272b25045a21aef0cdbfb442a1eba5802d0e795b2

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\WK9mY4aW.exe

Filesize
843KB

MD5
7b10098b05b93956f36c0eb60278ba52

SHA1
b5632867f17799e73aa41652beb5be2a5a4cca9a

SHA256
803f9efc16fadfd2167f519f5570785a626b6b79a1b9450170b82a838735faaf

SHA512
5a8ee748bc5eb9b08e45e12a117d635b5938165b0df05fd5a5e0a090202d3753877e8dfbde69465006506df272b25045a21aef0cdbfb442a1eba5802d0e795b2

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Od3uo6Bo.exe

Filesize
593KB

MD5
f18396e2818cdbebda780bbf178e4205

SHA1
1a10956d3a70d6b0f47e43b2bfe09e52179db254

SHA256
b9166d9469805168a95eb165c1ff321e016bad9a662894412b844caafa3376d4

SHA512
c3f294fc7560f0c96a5d017b1c9efbdfed803d241204a58b81627c3f460ff484488fe9a2e0cc543ebdfbc5890b224b5f8efab2d7ec76c54e66a7df6fd4a460c1

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Od3uo6Bo.exe

Filesize
593KB

MD5
f18396e2818cdbebda780bbf178e4205

SHA1
1a10956d3a70d6b0f47e43b2bfe09e52179db254

SHA256
b9166d9469805168a95eb165c1ff321e016bad9a662894412b844caafa3376d4

SHA512
c3f294fc7560f0c96a5d017b1c9efbdfed803d241204a58b81627c3f460ff484488fe9a2e0cc543ebdfbc5890b224b5f8efab2d7ec76c54e66a7df6fd4a460c1

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\or0Dr6by.exe

Filesize
398KB

MD5
b3334af8816c38e1980ac47ed76e60a7

SHA1
2a6c14925da94331c92b4e051c5ea8f704b6fed2

SHA256
5a44697236d6c8a61b97b2be43d4c0908e9617f05ebcdd771fe119b0719ca556

SHA512
c2076094941b65848e22a4674f450959ed41181decc2b333fcb388eceda103e5eb044499cc6d373d4b3a6ba91cc92f0ed009f281eb67cc93d1a7bc070897cc5c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\or0Dr6by.exe

Filesize
398KB

MD5
b3334af8816c38e1980ac47ed76e60a7

SHA1
2a6c14925da94331c92b4e051c5ea8f704b6fed2

SHA256
5a44697236d6c8a61b97b2be43d4c0908e9617f05ebcdd771fe119b0719ca556

SHA512
c2076094941b65848e22a4674f450959ed41181decc2b333fcb388eceda103e5eb044499cc6d373d4b3a6ba91cc92f0ed009f281eb67cc93d1a7bc070897cc5c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1Xx71pn9.exe

Filesize
320KB

MD5
491e27f8b97ba41c8f75eed6e435bd59

SHA1
bd2f168c5eb8714ba43dbdf2bbe1001fab29ccba

SHA256
ec1d537e74cd8af8a737da6ffc122895eb3ae2a39c98cc9124cbcac7c0cf96a6

SHA512
3f1b6eccea7f36f61fd6024dc8e476e45521249c2d1b1b90ab2651133ce2de3595bc1142555f44b8499cd683e25a8dca1cac9e06948d5daf648fa4b8cf264963

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1Xx71pn9.exe

Filesize
320KB

MD5
491e27f8b97ba41c8f75eed6e435bd59

SHA1
bd2f168c5eb8714ba43dbdf2bbe1001fab29ccba

SHA256
ec1d537e74cd8af8a737da6ffc122895eb3ae2a39c98cc9124cbcac7c0cf96a6

SHA512
3f1b6eccea7f36f61fd6024dc8e476e45521249c2d1b1b90ab2651133ce2de3595bc1142555f44b8499cd683e25a8dca1cac9e06948d5daf648fa4b8cf264963

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2Sa367iN.exe

Filesize
222KB

MD5
c7edd2943005b1d258089293555bda7c

SHA1
1fb0977256759e65efb7e8dd056b7673ef5c6f53

SHA256
f0e1c209f3201db9ac4cc6a281ba94672c5d0e6ff36a0e9c946ce57080fb4958

SHA512
5b411d0bc2fd9c471372e134638ff45e45d3d4cc16f6eb00a2ed15a960e4f387b4c350778fe98cee388823dd635f15fa87aa4d327b66f70b538a47696a8f4a94

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2Sa367iN.exe

Filesize
222KB

MD5
c7edd2943005b1d258089293555bda7c

SHA1
1fb0977256759e65efb7e8dd056b7673ef5c6f53

SHA256
f0e1c209f3201db9ac4cc6a281ba94672c5d0e6ff36a0e9c946ce57080fb4958

SHA512
5b411d0bc2fd9c471372e134638ff45e45d3d4cc16f6eb00a2ed15a960e4f387b4c350778fe98cee388823dd635f15fa87aa4d327b66f70b538a47696a8f4a94

Download Submit
memory/1220-36-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/1220-37-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/1220-39-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/1220-35-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/4396-46-0x00000000071F0000-0x0000000007282000-memory.dmp

Filesize
584KB

Download
memory/4396-44-0x0000000073D00000-0x00000000744B0000-memory.dmp

Filesize
7.7MB

Download
memory/4396-45-0x0000000007700000-0x0000000007CA4000-memory.dmp

Filesize
5.6MB

Download
memory/4396-43-0x00000000002C0000-0x00000000002FE000-memory.dmp

Filesize
248KB

Download
memory/4396-47-0x0000000007330000-0x0000000007340000-memory.dmp

Filesize
64KB

Download
memory/4396-48-0x00000000071E0000-0x00000000071EA000-memory.dmp

Filesize
40KB

Download
memory/4396-49-0x00000000082D0000-0x00000000088E8000-memory.dmp

Filesize
6.1MB

Download
memory/4396-50-0x0000000007CB0000-0x0000000007DBA000-memory.dmp

Filesize
1.0MB

Download
memory/4396-51-0x0000000007450000-0x0000000007462000-memory.dmp

Filesize
72KB

Download
memory/4396-52-0x00000000074B0000-0x00000000074EC000-memory.dmp

Filesize
240KB

Download
memory/4396-53-0x0000000007530000-0x000000000757C000-memory.dmp

Filesize
304KB

Download
memory/4396-54-0x0000000073D00000-0x00000000744B0000-memory.dmp

Filesize
7.7MB

Download
memory/4396-55-0x0000000007330000-0x0000000007340000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads