redline | bae1435c2568e7d2fd897523f15f55d7a15d62793a26e726acb8ac8df55ba960

Analysis

max time kernel
127s
max time network
146s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
21/10/2023, 16:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

bae1435c2568e7d2fd897523f15f55d7a15d62793a26e726acb8ac8df55ba960.exe
Size

1.2MB
MD5

d725f316f6e11449170743aca1680036
SHA1

e8b15fef1faf90d8a314e499211643d21dae7dc5
SHA256

bae1435c2568e7d2fd897523f15f55d7a15d62793a26e726acb8ac8df55ba960
SHA512

288fbe947afb48c9c9530150de07779b0386649b09af618b77325bdc401c7c65558d81dba8cc32bac8097a994d2b62a64453da0480bc78b39ee6abacc5032231
SSDEEP

24576:WyW4tae1sL27ESWmTajggwwD36TEgfKSsE9kOzHVKtc2W:l7oeea7kNnwwb6Ttc6k0

Score

10^/10

redline kolyan infostealer persistence

Malware Config

Extracted

Family

redline

Botnet

kolyan

77.91.124.82:19071

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 3 IoCs

resource	yara_rule
behavioral1/files/0x000700000002302a-41.dat	family_redline
behavioral1/files/0x000700000002302a-42.dat	family_redline
behavioral1/memory/3012-44-0x0000000000030000-0x000000000006E000-memory.dmp	family_redline

Executes dropped EXE 6 IoCs

pid	Process
3492	AN6TL2ZP.exe
364	Jq0lb8GM.exe
3788	AG7QM6Bs.exe
1852	zE6Hr6LR.exe
1772	1pL35qN7.exe
3012	2kT374UW.exe

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	AG7QM6Bs.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\""	zE6Hr6LR.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	bae1435c2568e7d2fd897523f15f55d7a15d62793a26e726acb8ac8df55ba960.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	AN6TL2ZP.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	Jq0lb8GM.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1772 set thread context of 2792	1772	1pL35qN7.exe	92

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2424	2792	WerFault.exe	92

Suspicious use of WriteProcessMemory 28 IoCs

description	pid	Process	procid_target
PID 5004 wrote to memory of 3492	5004	bae1435c2568e7d2fd897523f15f55d7a15d62793a26e726acb8ac8df55ba960.exe	82
PID 5004 wrote to memory of 3492	5004	bae1435c2568e7d2fd897523f15f55d7a15d62793a26e726acb8ac8df55ba960.exe	82
PID 5004 wrote to memory of 3492	5004	bae1435c2568e7d2fd897523f15f55d7a15d62793a26e726acb8ac8df55ba960.exe	82
PID 3492 wrote to memory of 364	3492	AN6TL2ZP.exe	83
PID 3492 wrote to memory of 364	3492	AN6TL2ZP.exe	83
PID 3492 wrote to memory of 364	3492	AN6TL2ZP.exe	83
PID 364 wrote to memory of 3788	364	Jq0lb8GM.exe	84
PID 364 wrote to memory of 3788	364	Jq0lb8GM.exe	84
PID 364 wrote to memory of 3788	364	Jq0lb8GM.exe	84
PID 3788 wrote to memory of 1852	3788	AG7QM6Bs.exe	85
PID 3788 wrote to memory of 1852	3788	AG7QM6Bs.exe	85
PID 3788 wrote to memory of 1852	3788	AG7QM6Bs.exe	85
PID 1852 wrote to memory of 1772	1852	zE6Hr6LR.exe	86
PID 1852 wrote to memory of 1772	1852	zE6Hr6LR.exe	86
PID 1852 wrote to memory of 1772	1852	zE6Hr6LR.exe	86
PID 1772 wrote to memory of 2792	1772	1pL35qN7.exe	92
PID 1772 wrote to memory of 2792	1772	1pL35qN7.exe	92
PID 1772 wrote to memory of 2792	1772	1pL35qN7.exe	92
PID 1772 wrote to memory of 2792	1772	1pL35qN7.exe	92
PID 1772 wrote to memory of 2792	1772	1pL35qN7.exe	92
PID 1772 wrote to memory of 2792	1772	1pL35qN7.exe	92
PID 1772 wrote to memory of 2792	1772	1pL35qN7.exe	92
PID 1772 wrote to memory of 2792	1772	1pL35qN7.exe	92
PID 1772 wrote to memory of 2792	1772	1pL35qN7.exe	92
PID 1772 wrote to memory of 2792	1772	1pL35qN7.exe	92
PID 1852 wrote to memory of 3012	1852	zE6Hr6LR.exe	93
PID 1852 wrote to memory of 3012	1852	zE6Hr6LR.exe	93
PID 1852 wrote to memory of 3012	1852	zE6Hr6LR.exe	93

C:\Users\Admin\AppData\Local\Temp\bae1435c2568e7d2fd897523f15f55d7a15d62793a26e726acb8ac8df55ba960.exe
"C:\Users\Admin\AppData\Local\Temp\bae1435c2568e7d2fd897523f15f55d7a15d62793a26e726acb8ac8df55ba960.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:5004
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\AN6TL2ZP.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\AN6TL2ZP.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:3492
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Jq0lb8GM.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Jq0lb8GM.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:364
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\AG7QM6Bs.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\AG7QM6Bs.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:3788
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\zE6Hr6LR.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\zE6Hr6LR.exe
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of WriteProcessMemory
        
        PID:1852
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1pL35qN7.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1pL35qN7.exe
        6⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:1772
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        7⤵
        
        PID:2792
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2792 -s 540
        8⤵
        Program crash
        
        PID:2424
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2kT374UW.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2kT374UW.exe
        6⤵
        Executes dropped EXE
        
        PID:3012

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2792 -ip 2792
1⤵
PID:2116

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\AN6TL2ZP.exe

Filesize
1.1MB

MD5
d8a04b5af47706c2f7015bd9d42114e1

SHA1
0f88c17f8bbfdaaedec6f9e370fb72cc2dc404c7

SHA256
2ddc976bcbded54f92b387c15b315165271a70a8a73146dcc4305c9e4b74c134

SHA512
621bf33ae38556a17ab55836decba15f9e6472878432b0fb2fccd594f5e16148452fcfeac31667d0c2c3c61bd07d5bdd4774a085fe11c5f2b23eaf2266a493fe

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\AN6TL2ZP.exe

Filesize
1.1MB

MD5
d8a04b5af47706c2f7015bd9d42114e1

SHA1
0f88c17f8bbfdaaedec6f9e370fb72cc2dc404c7

SHA256
2ddc976bcbded54f92b387c15b315165271a70a8a73146dcc4305c9e4b74c134

SHA512
621bf33ae38556a17ab55836decba15f9e6472878432b0fb2fccd594f5e16148452fcfeac31667d0c2c3c61bd07d5bdd4774a085fe11c5f2b23eaf2266a493fe

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Jq0lb8GM.exe

Filesize
917KB

MD5
5d93888405ce40e4997b2de51bd93ac7

SHA1
f8c3ab9ffeac10a4b10380f09adc19fac2e5622e

SHA256
5e00d3a7ef680aadbf661d6fb205320714ef6ca1b172a59d8bdb17de859b5345

SHA512
46fb9bf0283a613bc03745760905834ab205e1510253cd6d601882282195996362ffd1545a86c9bbe044b6c426fcdf45d0e23a770d23b2fff75be052abad8d2d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Jq0lb8GM.exe

Filesize
917KB

MD5
5d93888405ce40e4997b2de51bd93ac7

SHA1
f8c3ab9ffeac10a4b10380f09adc19fac2e5622e

SHA256
5e00d3a7ef680aadbf661d6fb205320714ef6ca1b172a59d8bdb17de859b5345

SHA512
46fb9bf0283a613bc03745760905834ab205e1510253cd6d601882282195996362ffd1545a86c9bbe044b6c426fcdf45d0e23a770d23b2fff75be052abad8d2d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\AG7QM6Bs.exe

Filesize
630KB

MD5
3b49a144b046ef9ac85ee834d9c1c40a

SHA1
167c45ec3cc831665706b1990e4a44d90317ec87

SHA256
8818cabd5ef226261744fad967f5a073076d7a60acc39c7e2c0376ed3a5927e5

SHA512
16a3e20dd8ccf38145c949eff95abe28c10795f4d65118ee5b4c7cf301517323866a85008aea0a96c061ac019ba6b676296f5e130072ce9beaf5e7f81a78d0b1

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\AG7QM6Bs.exe

Filesize
630KB

MD5
3b49a144b046ef9ac85ee834d9c1c40a

SHA1
167c45ec3cc831665706b1990e4a44d90317ec87

SHA256
8818cabd5ef226261744fad967f5a073076d7a60acc39c7e2c0376ed3a5927e5

SHA512
16a3e20dd8ccf38145c949eff95abe28c10795f4d65118ee5b4c7cf301517323866a85008aea0a96c061ac019ba6b676296f5e130072ce9beaf5e7f81a78d0b1

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\zE6Hr6LR.exe

Filesize
434KB

MD5
21e67d1f92094568f63a488f2090ed5e

SHA1
93aa437034470403164477d216a0ede3aff8c46d

SHA256
dbe78050b607de390bc74bb02c57a79fab265866f70afb1809a825e00308d658

SHA512
fe8c14132c28fe2b6998219dcf4e4ab522d52c1827d8a51c25aca86aef88e26e80a0d885a54c845004cb6f4ade00ef9a349796ecb9ab3b4190e720a45e217a45

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\zE6Hr6LR.exe

Filesize
434KB

MD5
21e67d1f92094568f63a488f2090ed5e

SHA1
93aa437034470403164477d216a0ede3aff8c46d

SHA256
dbe78050b607de390bc74bb02c57a79fab265866f70afb1809a825e00308d658

SHA512
fe8c14132c28fe2b6998219dcf4e4ab522d52c1827d8a51c25aca86aef88e26e80a0d885a54c845004cb6f4ade00ef9a349796ecb9ab3b4190e720a45e217a45

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1pL35qN7.exe

Filesize
418KB

MD5
7de2eeaa17f9efd917c5417abb267a56

SHA1
11685c5f60033603e160b8ff399024ec36424a45

SHA256
6883b05e30132bfa790f2e441a19ded5b9bbaf46d6988c2ca9b35c87b3b84fef

SHA512
70d65e288cdea2e3d77d65748c630f9a674c3741fc394db29e4d23e415de39b4dad432e7974509f8720969b4fbb2e2f8ea1f91dc21674269721f1afbca6b5d91

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1pL35qN7.exe

Filesize
418KB

MD5
7de2eeaa17f9efd917c5417abb267a56

SHA1
11685c5f60033603e160b8ff399024ec36424a45

SHA256
6883b05e30132bfa790f2e441a19ded5b9bbaf46d6988c2ca9b35c87b3b84fef

SHA512
70d65e288cdea2e3d77d65748c630f9a674c3741fc394db29e4d23e415de39b4dad432e7974509f8720969b4fbb2e2f8ea1f91dc21674269721f1afbca6b5d91

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2kT374UW.exe

Filesize
221KB

MD5
f77bb2b09f7851109de877f66e39baae

SHA1
8bbfe47b04fb08aa05f07d9b924fdc4203e59d8d

SHA256
aece250378d680005b85432e93b5974dcd7f40bc559396ea6067e4aaad151390

SHA512
419b288cc4ee6a3debd4717b1f6879318f796c27692fa1a73904b23746df2f30bf71774fba7137cc78808fb7c74ed597bbe42029aa9764a298cb2357269e0593

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2kT374UW.exe

Filesize
221KB

MD5
f77bb2b09f7851109de877f66e39baae

SHA1
8bbfe47b04fb08aa05f07d9b924fdc4203e59d8d

SHA256
aece250378d680005b85432e93b5974dcd7f40bc559396ea6067e4aaad151390

SHA512
419b288cc4ee6a3debd4717b1f6879318f796c27692fa1a73904b23746df2f30bf71774fba7137cc78808fb7c74ed597bbe42029aa9764a298cb2357269e0593

Download Submit
memory/2792-37-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/2792-36-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/2792-39-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/2792-35-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/3012-46-0x0000000006F60000-0x0000000006FF2000-memory.dmp

Filesize
584KB

Download
memory/3012-44-0x0000000000030000-0x000000000006E000-memory.dmp

Filesize
248KB

Download
memory/3012-45-0x0000000007470000-0x0000000007A14000-memory.dmp

Filesize
5.6MB

Download
memory/3012-43-0x00000000747F0000-0x0000000074FA0000-memory.dmp

Filesize
7.7MB

Download
memory/3012-47-0x0000000006F20000-0x0000000006F30000-memory.dmp

Filesize
64KB

Download
memory/3012-48-0x00000000070F0000-0x00000000070FA000-memory.dmp

Filesize
40KB

Download
memory/3012-49-0x0000000008040000-0x0000000008658000-memory.dmp

Filesize
6.1MB

Download
memory/3012-50-0x0000000007310000-0x000000000741A000-memory.dmp

Filesize
1.0MB

Download
memory/3012-51-0x00000000071C0000-0x00000000071D2000-memory.dmp

Filesize
72KB

Download
memory/3012-52-0x0000000007240000-0x000000000727C000-memory.dmp

Filesize
240KB

Download
memory/3012-53-0x0000000007280000-0x00000000072CC000-memory.dmp

Filesize
304KB

Download
memory/3012-54-0x00000000747F0000-0x0000000074FA0000-memory.dmp

Filesize
7.7MB

Download
memory/3012-55-0x0000000006F20000-0x0000000006F30000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads