redline | f8ad97e73a0c1549e2033862fbacb49f179c7c92e36b19a27bff0c7b275b3504

Analysis

max time kernel
287s
max time network
303s
platform
windows10-1703_x64
resource
win10-20231020-en
resource tags

arch:x64arch:x86image:win10-20231020-enlocale:en-usos:windows10-1703-x64system
submitted
22/10/2023, 22:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f8ad97e73a0c1549e2033862fbacb49f179c7c92e36b19a27bff0c7b275b3504.exe
Size

1.1MB
MD5

d31549c62f36bb6910880a4e621ec890
SHA1

18242b20daf81c2d9fb144c41f782ec7c53028e7
SHA256

f8ad97e73a0c1549e2033862fbacb49f179c7c92e36b19a27bff0c7b275b3504
SHA512

5b1d64b0940efe36e794235d8e4358933a56f1657d7d31a27728a8825963d4952c50e1fce84492055b573ee429b38a8b26ffb73f6d3c69d651cfbdaade571ad0
SSDEEP

24576:ayDqKzQ22INnFuCQJ1mSo6LHEEq7vxsPqhsHEDrEfW6C:hDBzHzDkEEi2qeHqwfW6

Score

10^/10

redline kukish infostealer persistence

Malware Config

Extracted

Family

redline

Botnet

kukish

77.91.124.55:19071

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 3 IoCs

resource	yara_rule
behavioral2/files/0x000600000001ac3a-39.dat	family_redline
behavioral2/files/0x000600000001ac3a-40.dat	family_redline
behavioral2/memory/308-45-0x0000000000310000-0x000000000034E000-memory.dmp	family_redline

Executes dropped EXE 6 IoCs

pid	Process
2472	uJ9LL1Bk.exe
4520	ax6WB3TS.exe
1652	jb0Cp7gG.exe
4448	qc0Cb6GH.exe
2616	1LU39YQ5.exe
308	2Gt192Uj.exe

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	f8ad97e73a0c1549e2033862fbacb49f179c7c92e36b19a27bff0c7b275b3504.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	uJ9LL1Bk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	ax6WB3TS.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	jb0Cp7gG.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\""	qc0Cb6GH.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2616 set thread context of 168	2616	1LU39YQ5.exe	76

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4128	168	WerFault.exe	76

Suspicious use of WriteProcessMemory 28 IoCs

description	pid	Process	procid_target
PID 3648 wrote to memory of 2472	3648	f8ad97e73a0c1549e2033862fbacb49f179c7c92e36b19a27bff0c7b275b3504.exe	71
PID 3648 wrote to memory of 2472	3648	f8ad97e73a0c1549e2033862fbacb49f179c7c92e36b19a27bff0c7b275b3504.exe	71
PID 3648 wrote to memory of 2472	3648	f8ad97e73a0c1549e2033862fbacb49f179c7c92e36b19a27bff0c7b275b3504.exe	71
PID 2472 wrote to memory of 4520	2472	uJ9LL1Bk.exe	72
PID 2472 wrote to memory of 4520	2472	uJ9LL1Bk.exe	72
PID 2472 wrote to memory of 4520	2472	uJ9LL1Bk.exe	72
PID 4520 wrote to memory of 1652	4520	ax6WB3TS.exe	73
PID 4520 wrote to memory of 1652	4520	ax6WB3TS.exe	73
PID 4520 wrote to memory of 1652	4520	ax6WB3TS.exe	73
PID 1652 wrote to memory of 4448	1652	jb0Cp7gG.exe	74
PID 1652 wrote to memory of 4448	1652	jb0Cp7gG.exe	74
PID 1652 wrote to memory of 4448	1652	jb0Cp7gG.exe	74
PID 4448 wrote to memory of 2616	4448	qc0Cb6GH.exe	75
PID 4448 wrote to memory of 2616	4448	qc0Cb6GH.exe	75
PID 4448 wrote to memory of 2616	4448	qc0Cb6GH.exe	75
PID 2616 wrote to memory of 168	2616	1LU39YQ5.exe	76
PID 2616 wrote to memory of 168	2616	1LU39YQ5.exe	76
PID 2616 wrote to memory of 168	2616	1LU39YQ5.exe	76
PID 2616 wrote to memory of 168	2616	1LU39YQ5.exe	76
PID 2616 wrote to memory of 168	2616	1LU39YQ5.exe	76
PID 2616 wrote to memory of 168	2616	1LU39YQ5.exe	76
PID 2616 wrote to memory of 168	2616	1LU39YQ5.exe	76
PID 2616 wrote to memory of 168	2616	1LU39YQ5.exe	76
PID 2616 wrote to memory of 168	2616	1LU39YQ5.exe	76
PID 2616 wrote to memory of 168	2616	1LU39YQ5.exe	76
PID 4448 wrote to memory of 308	4448	qc0Cb6GH.exe	77
PID 4448 wrote to memory of 308	4448	qc0Cb6GH.exe	77
PID 4448 wrote to memory of 308	4448	qc0Cb6GH.exe	77

C:\Users\Admin\AppData\Local\Temp\f8ad97e73a0c1549e2033862fbacb49f179c7c92e36b19a27bff0c7b275b3504.exe
"C:\Users\Admin\AppData\Local\Temp\f8ad97e73a0c1549e2033862fbacb49f179c7c92e36b19a27bff0c7b275b3504.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3648
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\uJ9LL1Bk.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\uJ9LL1Bk.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:2472
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ax6WB3TS.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ax6WB3TS.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:4520
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\jb0Cp7gG.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\jb0Cp7gG.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:1652
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\qc0Cb6GH.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\qc0Cb6GH.exe
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of WriteProcessMemory
        
        PID:4448
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1LU39YQ5.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1LU39YQ5.exe
        6⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:2616
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        7⤵
        
        PID:168
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 168 -s 568
        8⤵
        Program crash
        
        PID:4128
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2Gt192Uj.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2Gt192Uj.exe
        6⤵
        Executes dropped EXE
        
        PID:308

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\uJ9LL1Bk.exe

Filesize
1.0MB

MD5
dbdcdb1cde294de9c8cbddee99e0f8b0

SHA1
5f8ef1045334298376161324e4ecce8cc3d86192

SHA256
4350b190efcec9b78992be24f5131c24bfdb0617d1297aa74cdf96692b2ac056

SHA512
dcea87b7d4bea51cb31a7034cee7244892b41f931302ebfd4c8b8c687950a28ea8d16aa191616bcb06a4a29f30e15410f525f26daf205d0802f86a5a2973ee18

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\uJ9LL1Bk.exe

Filesize
1.0MB

MD5
dbdcdb1cde294de9c8cbddee99e0f8b0

SHA1
5f8ef1045334298376161324e4ecce8cc3d86192

SHA256
4350b190efcec9b78992be24f5131c24bfdb0617d1297aa74cdf96692b2ac056

SHA512
dcea87b7d4bea51cb31a7034cee7244892b41f931302ebfd4c8b8c687950a28ea8d16aa191616bcb06a4a29f30e15410f525f26daf205d0802f86a5a2973ee18

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ax6WB3TS.exe

Filesize
843KB

MD5
070848152214a72aec282eee0109a501

SHA1
a90bffb2c8f0de0bba32ef58d8ba26ceff87dc20

SHA256
97205ce5995083bdf5c2369ba7a4c443b583a290383af0cd10b57d799d1c1c77

SHA512
3dd73b492d25fabddc79dfc091b4972e0327ba4cd6029c02045735482bbc4bb578180e12b24f09beb87b0cee45141f1c4201618a7bb2046bf0804c0975723816

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ax6WB3TS.exe

Filesize
843KB

MD5
070848152214a72aec282eee0109a501

SHA1
a90bffb2c8f0de0bba32ef58d8ba26ceff87dc20

SHA256
97205ce5995083bdf5c2369ba7a4c443b583a290383af0cd10b57d799d1c1c77

SHA512
3dd73b492d25fabddc79dfc091b4972e0327ba4cd6029c02045735482bbc4bb578180e12b24f09beb87b0cee45141f1c4201618a7bb2046bf0804c0975723816

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\jb0Cp7gG.exe

Filesize
593KB

MD5
7573b4633bff6cf0a548a2c6f05723d1

SHA1
394f6efcae97b60635b20f37385532d822d2602b

SHA256
6f11f090903a948dc44b0a39dc83b0d0698dc1014f61fe1da5b7db23e79c60ea

SHA512
dbd39dce8daa3d703ee9263555260a0166c04bc1d87756a4e2cb49b1dc775b7b1fca1468b7eacb5ccc42b5c28da0cd99144d64d6df49d55a9f10c5167ee54ffe

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\jb0Cp7gG.exe

Filesize
593KB

MD5
7573b4633bff6cf0a548a2c6f05723d1

SHA1
394f6efcae97b60635b20f37385532d822d2602b

SHA256
6f11f090903a948dc44b0a39dc83b0d0698dc1014f61fe1da5b7db23e79c60ea

SHA512
dbd39dce8daa3d703ee9263555260a0166c04bc1d87756a4e2cb49b1dc775b7b1fca1468b7eacb5ccc42b5c28da0cd99144d64d6df49d55a9f10c5167ee54ffe

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\qc0Cb6GH.exe

Filesize
398KB

MD5
17d4fdc6880b99a20d99038b87fb29a5

SHA1
af015129a2c4a0644f07103adbb9eb1e591216c9

SHA256
1f551bd34e2ca950d297d8ffd748b4c16be555e0a7578b0c1dd502e31cfaf277

SHA512
9e6045af3f6c0bbea82c1fa2e216045478c9dd639d6ffde1606c7d98a44469301341445e8d4ac080f6d41482205c4424fe65324a838d715556c2ffd07e142164

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\qc0Cb6GH.exe

Filesize
398KB

MD5
17d4fdc6880b99a20d99038b87fb29a5

SHA1
af015129a2c4a0644f07103adbb9eb1e591216c9

SHA256
1f551bd34e2ca950d297d8ffd748b4c16be555e0a7578b0c1dd502e31cfaf277

SHA512
9e6045af3f6c0bbea82c1fa2e216045478c9dd639d6ffde1606c7d98a44469301341445e8d4ac080f6d41482205c4424fe65324a838d715556c2ffd07e142164

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1LU39YQ5.exe

Filesize
320KB

MD5
9419c3cff65d99855cffd56f94a73c99

SHA1
c36716081f649ce638cedd4f052adacafaa5bafa

SHA256
d82af63a0ed8dee4d59b15a5bc1fab1b544da78f33fb18c862e71bd2698bd24e

SHA512
ad598870ea94b3f3841d67a9bf511d87481b599915d1da2c09857e36d21618675f96975c4d1d3b4828fd66fa20406a83deb59d9a00c2d0eb7eb58f5a5c26ccb1

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1LU39YQ5.exe

Filesize
320KB

MD5
9419c3cff65d99855cffd56f94a73c99

SHA1
c36716081f649ce638cedd4f052adacafaa5bafa

SHA256
d82af63a0ed8dee4d59b15a5bc1fab1b544da78f33fb18c862e71bd2698bd24e

SHA512
ad598870ea94b3f3841d67a9bf511d87481b599915d1da2c09857e36d21618675f96975c4d1d3b4828fd66fa20406a83deb59d9a00c2d0eb7eb58f5a5c26ccb1

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2Gt192Uj.exe

Filesize
222KB

MD5
bf4559ec513ad2dc641ac343fbe748ce

SHA1
c865a0c2cabfe4f9d755203ceb25b6afc53b0709

SHA256
771a7fc4e260da9fd5e4be41cdb42a75742f6a3ece96f319a641fb8e13e7f2dc

SHA512
d9dc11e9c2c656baba7cb8ce24570bf74d432dac49ad2f6293dfa02195dde077c48e36a04fc098432314e99a44a96c5d6c2c5b2c4bd2a75c865a8c9302099854

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2Gt192Uj.exe

Filesize
222KB

MD5
bf4559ec513ad2dc641ac343fbe748ce

SHA1
c865a0c2cabfe4f9d755203ceb25b6afc53b0709

SHA256
771a7fc4e260da9fd5e4be41cdb42a75742f6a3ece96f319a641fb8e13e7f2dc

SHA512
d9dc11e9c2c656baba7cb8ce24570bf74d432dac49ad2f6293dfa02195dde077c48e36a04fc098432314e99a44a96c5d6c2c5b2c4bd2a75c865a8c9302099854

Download Submit
memory/168-35-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/168-41-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/168-42-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/168-44-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/308-47-0x00000000074F0000-0x00000000079EE000-memory.dmp

Filesize
5.0MB

Download
memory/308-46-0x0000000073630000-0x0000000073D1E000-memory.dmp

Filesize
6.9MB

Download
memory/308-45-0x0000000000310000-0x000000000034E000-memory.dmp

Filesize
248KB

Download
memory/308-48-0x0000000007090000-0x0000000007122000-memory.dmp

Filesize
584KB

Download
memory/308-49-0x00000000071F0000-0x00000000071FA000-memory.dmp

Filesize
40KB

Download
memory/308-50-0x0000000008000000-0x0000000008606000-memory.dmp

Filesize
6.0MB

Download
memory/308-51-0x00000000073B0000-0x00000000074BA000-memory.dmp

Filesize
1.0MB

Download
memory/308-52-0x00000000072E0000-0x00000000072F2000-memory.dmp

Filesize
72KB

Download
memory/308-53-0x0000000007340000-0x000000000737E000-memory.dmp

Filesize
248KB

Download
memory/308-54-0x00000000079F0000-0x0000000007A3B000-memory.dmp

Filesize
300KB

Download
memory/308-55-0x0000000073630000-0x0000000073D1E000-memory.dmp

Filesize
6.9MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads