redline | 1b3965a832f82cd3387c49ff87394ce8bceb3ac922ecbbb20155cac9aae014b4

Analysis

max time kernel
275s
max time network
291s
platform
windows10-1703_x64
resource
win10-20231020-en
resource tags

arch:x64arch:x86image:win10-20231020-enlocale:en-usos:windows10-1703-x64system
submitted
22/10/2023, 22:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1b3965a832f82cd3387c49ff87394ce8bceb3ac922ecbbb20155cac9aae014b4.exe
Size

1.1MB
MD5

726211d761490028db412b94f41560cd
SHA1

35e2eaa4aef889f7ed15ba77c7a06790e983a507
SHA256

1b3965a832f82cd3387c49ff87394ce8bceb3ac922ecbbb20155cac9aae014b4
SHA512

290d47a1f42171474266fb2626ee9b0b02a81d337ccdbfd74355fe86c089fe4d8b63f7b804fe16ed0fed5ac27dcec2460ca13e91b252a399509d04bdd5da8abc
SSDEEP

24576:ey95/7BePPX9rVOgu6sz8O2K8UZhPfZnrwdidLlhl+2fYe:t9VEP1xOLP6SPWEHlTf

Score

10^/10

redline kukish infostealer persistence

Malware Config

Extracted

Family

redline

Botnet

kukish

77.91.124.55:19071

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 3 IoCs

resource	yara_rule
behavioral2/files/0x000600000001abf0-39.dat	family_redline
behavioral2/files/0x000600000001abf0-40.dat	family_redline
behavioral2/memory/4008-45-0x00000000006D0000-0x000000000070E000-memory.dmp	family_redline

Executes dropped EXE 6 IoCs

pid	Process
2536	Rs9Pc2fH.exe
2292	eR5fv0Ub.exe
3252	oG1hS0CJ.exe
3700	Go0AG3VT.exe
5020	1AE46Yf6.exe
4008	2ns475Vf.exe

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	1b3965a832f82cd3387c49ff87394ce8bceb3ac922ecbbb20155cac9aae014b4.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	Rs9Pc2fH.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	eR5fv0Ub.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	oG1hS0CJ.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\""	Go0AG3VT.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 5020 set thread context of 4940	5020	1AE46Yf6.exe	76

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4084	4940	WerFault.exe	76

Suspicious use of WriteProcessMemory 28 IoCs

description	pid	Process	procid_target
PID 4420 wrote to memory of 2536	4420	1b3965a832f82cd3387c49ff87394ce8bceb3ac922ecbbb20155cac9aae014b4.exe	71
PID 4420 wrote to memory of 2536	4420	1b3965a832f82cd3387c49ff87394ce8bceb3ac922ecbbb20155cac9aae014b4.exe	71
PID 4420 wrote to memory of 2536	4420	1b3965a832f82cd3387c49ff87394ce8bceb3ac922ecbbb20155cac9aae014b4.exe	71
PID 2536 wrote to memory of 2292	2536	Rs9Pc2fH.exe	72
PID 2536 wrote to memory of 2292	2536	Rs9Pc2fH.exe	72
PID 2536 wrote to memory of 2292	2536	Rs9Pc2fH.exe	72
PID 2292 wrote to memory of 3252	2292	eR5fv0Ub.exe	73
PID 2292 wrote to memory of 3252	2292	eR5fv0Ub.exe	73
PID 2292 wrote to memory of 3252	2292	eR5fv0Ub.exe	73
PID 3252 wrote to memory of 3700	3252	oG1hS0CJ.exe	74
PID 3252 wrote to memory of 3700	3252	oG1hS0CJ.exe	74
PID 3252 wrote to memory of 3700	3252	oG1hS0CJ.exe	74
PID 3700 wrote to memory of 5020	3700	Go0AG3VT.exe	75
PID 3700 wrote to memory of 5020	3700	Go0AG3VT.exe	75
PID 3700 wrote to memory of 5020	3700	Go0AG3VT.exe	75
PID 5020 wrote to memory of 4940	5020	1AE46Yf6.exe	76
PID 5020 wrote to memory of 4940	5020	1AE46Yf6.exe	76
PID 5020 wrote to memory of 4940	5020	1AE46Yf6.exe	76
PID 5020 wrote to memory of 4940	5020	1AE46Yf6.exe	76
PID 5020 wrote to memory of 4940	5020	1AE46Yf6.exe	76
PID 5020 wrote to memory of 4940	5020	1AE46Yf6.exe	76
PID 5020 wrote to memory of 4940	5020	1AE46Yf6.exe	76
PID 5020 wrote to memory of 4940	5020	1AE46Yf6.exe	76
PID 5020 wrote to memory of 4940	5020	1AE46Yf6.exe	76
PID 5020 wrote to memory of 4940	5020	1AE46Yf6.exe	76
PID 3700 wrote to memory of 4008	3700	Go0AG3VT.exe	77
PID 3700 wrote to memory of 4008	3700	Go0AG3VT.exe	77
PID 3700 wrote to memory of 4008	3700	Go0AG3VT.exe	77

C:\Users\Admin\AppData\Local\Temp\1b3965a832f82cd3387c49ff87394ce8bceb3ac922ecbbb20155cac9aae014b4.exe
"C:\Users\Admin\AppData\Local\Temp\1b3965a832f82cd3387c49ff87394ce8bceb3ac922ecbbb20155cac9aae014b4.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4420
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Rs9Pc2fH.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Rs9Pc2fH.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:2536
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\eR5fv0Ub.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\eR5fv0Ub.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:2292
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\oG1hS0CJ.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\oG1hS0CJ.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:3252
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\Go0AG3VT.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\Go0AG3VT.exe
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of WriteProcessMemory
        
        PID:3700
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1AE46Yf6.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1AE46Yf6.exe
        6⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:5020
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        7⤵
        
        PID:4940
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4940 -s 568
        8⤵
        Program crash
        
        PID:4084
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2ns475Vf.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2ns475Vf.exe
        6⤵
        Executes dropped EXE
        
        PID:4008

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Rs9Pc2fH.exe

Filesize
1.0MB

MD5
3ffce82243bf0fa7a1cb87b066e33f2f

SHA1
9f19000b6406bc3a27f382bf643d5c40333c2828

SHA256
95781c67818a759372fb2e8544fd6bbef027c8577b3aab2775ebd7dc5aa997da

SHA512
7952f20c0c3f63db738c79c17c280dbe95c0c46b072b043b5320e89344c99332ca05aa0ea6064d6fb5965998541c215412748aaec25beb19ff28f774c6bae6b3

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Rs9Pc2fH.exe

Filesize
1.0MB

MD5
3ffce82243bf0fa7a1cb87b066e33f2f

SHA1
9f19000b6406bc3a27f382bf643d5c40333c2828

SHA256
95781c67818a759372fb2e8544fd6bbef027c8577b3aab2775ebd7dc5aa997da

SHA512
7952f20c0c3f63db738c79c17c280dbe95c0c46b072b043b5320e89344c99332ca05aa0ea6064d6fb5965998541c215412748aaec25beb19ff28f774c6bae6b3

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\eR5fv0Ub.exe

Filesize
843KB

MD5
05469b49b0091b2b9ef6330c14f152b1

SHA1
fa66d88036b3e1b2435af9569be4f6ef862edac8

SHA256
66d8ae38cfd8313488b09350fb8d3ef264afe4fad378d114e9f2895a7057cbfc

SHA512
225ad4cf527d947e200023710f02360ffc3d1b4582c97c4a3aef1ddd45513822a4d56b1ddace639535d9301b7ebf6ba3c570dc01436feaf71b79e2e1a7d75c1f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\eR5fv0Ub.exe

Filesize
843KB

MD5
05469b49b0091b2b9ef6330c14f152b1

SHA1
fa66d88036b3e1b2435af9569be4f6ef862edac8

SHA256
66d8ae38cfd8313488b09350fb8d3ef264afe4fad378d114e9f2895a7057cbfc

SHA512
225ad4cf527d947e200023710f02360ffc3d1b4582c97c4a3aef1ddd45513822a4d56b1ddace639535d9301b7ebf6ba3c570dc01436feaf71b79e2e1a7d75c1f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\oG1hS0CJ.exe

Filesize
593KB

MD5
5fcf4905afd88c3331bdeef226bcf1e3

SHA1
526c7c6c4f03098e64668218c36232f357555a36

SHA256
f4e71298168165ee46550537696fb2618c82fe702591c1a78fd0c320c397e853

SHA512
92fed6a808f8917f5015227aa411d7ee72be1a63120d06465b8b7a8535e74769799f128959a64c937b70e727c38e1566f4d5e54aed8d7c115d14f1b51765e4a8

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\oG1hS0CJ.exe

Filesize
593KB

MD5
5fcf4905afd88c3331bdeef226bcf1e3

SHA1
526c7c6c4f03098e64668218c36232f357555a36

SHA256
f4e71298168165ee46550537696fb2618c82fe702591c1a78fd0c320c397e853

SHA512
92fed6a808f8917f5015227aa411d7ee72be1a63120d06465b8b7a8535e74769799f128959a64c937b70e727c38e1566f4d5e54aed8d7c115d14f1b51765e4a8

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\Go0AG3VT.exe

Filesize
398KB

MD5
82b8ef7dc3016639519f61dab53fd45c

SHA1
72a48d09ddf862aa9fe876d999df45973c994ac1

SHA256
602ba5059b5ab005f43b419684ae2ebdde93abca409fb458a0fdb8675fbeb050

SHA512
5b30476707bdc657c4a2c36a8f098c143a8cea9250b6faff4d5495d726111ae4bbcac46f992e55b8cd1fdb690972dbad8df37655ba58eb29ca380d728e1defcf

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\Go0AG3VT.exe

Filesize
398KB

MD5
82b8ef7dc3016639519f61dab53fd45c

SHA1
72a48d09ddf862aa9fe876d999df45973c994ac1

SHA256
602ba5059b5ab005f43b419684ae2ebdde93abca409fb458a0fdb8675fbeb050

SHA512
5b30476707bdc657c4a2c36a8f098c143a8cea9250b6faff4d5495d726111ae4bbcac46f992e55b8cd1fdb690972dbad8df37655ba58eb29ca380d728e1defcf

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1AE46Yf6.exe

Filesize
320KB

MD5
e941da6fe6a36a6e4c84d19a15d99743

SHA1
d557bd482ed220d9f1f6b06ec3791ad9d41af036

SHA256
6f955c6d0db18df11a8c1797208beb949eb30b5bd0443f7adb9731615b368aa8

SHA512
45a973c191368cc56f6ff79a235ad7103f54df6a5d32ee7d11d4e3346af1cc60996caa1c6e94a4fa21789ad9f7ee57a82dde607455ca8fb48407c60cbd023920

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1AE46Yf6.exe

Filesize
320KB

MD5
e941da6fe6a36a6e4c84d19a15d99743

SHA1
d557bd482ed220d9f1f6b06ec3791ad9d41af036

SHA256
6f955c6d0db18df11a8c1797208beb949eb30b5bd0443f7adb9731615b368aa8

SHA512
45a973c191368cc56f6ff79a235ad7103f54df6a5d32ee7d11d4e3346af1cc60996caa1c6e94a4fa21789ad9f7ee57a82dde607455ca8fb48407c60cbd023920

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2ns475Vf.exe

Filesize
222KB

MD5
d630dd384dd7df38ecaf9e878432343b

SHA1
9f39065c4cc8e7d7c0890011e1b8a059551e8236

SHA256
2946cf3bff46d9cd413962bf01d5d440bfc5624bfef33b626349d8e3751c4f02

SHA512
d207b77d2c24f958a87948c9b24f000e86adff94b6c526ba3813661eb85fa8e75ff867602e0106c807770efd93a764f35a0a604bac05fb5000683dc2e213c4ba

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2ns475Vf.exe

Filesize
222KB

MD5
d630dd384dd7df38ecaf9e878432343b

SHA1
9f39065c4cc8e7d7c0890011e1b8a059551e8236

SHA256
2946cf3bff46d9cd413962bf01d5d440bfc5624bfef33b626349d8e3751c4f02

SHA512
d207b77d2c24f958a87948c9b24f000e86adff94b6c526ba3813661eb85fa8e75ff867602e0106c807770efd93a764f35a0a604bac05fb5000683dc2e213c4ba

Download Submit
memory/4008-50-0x00000000083B0000-0x00000000089B6000-memory.dmp

Filesize
6.0MB

Download
memory/4008-51-0x0000000007DA0000-0x0000000007EAA000-memory.dmp

Filesize
1.0MB

Download
memory/4008-55-0x0000000072D30000-0x000000007341E000-memory.dmp

Filesize
6.9MB

Download
memory/4008-54-0x0000000007730000-0x000000000777B000-memory.dmp

Filesize
300KB

Download
memory/4008-45-0x00000000006D0000-0x000000000070E000-memory.dmp

Filesize
248KB

Download
memory/4008-46-0x0000000072D30000-0x000000007341E000-memory.dmp

Filesize
6.9MB

Download
memory/4008-53-0x00000000076F0000-0x000000000772E000-memory.dmp

Filesize
248KB

Download
memory/4008-49-0x00000000075A0000-0x00000000075AA000-memory.dmp

Filesize
40KB

Download
memory/4008-47-0x00000000078A0000-0x0000000007D9E000-memory.dmp

Filesize
5.0MB

Download
memory/4008-52-0x0000000007690000-0x00000000076A2000-memory.dmp

Filesize
72KB

Download
memory/4008-48-0x0000000007440000-0x00000000074D2000-memory.dmp

Filesize
584KB

Download
memory/4940-35-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/4940-41-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/4940-44-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/4940-42-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads