redline | 5570e3901d5acc58fb38547e39a9784bf614606e68618789df0d7e29da683d81

Analysis

max time kernel
295s
max time network
306s
platform
windows7_x64
resource
win7-20231023-en
resource tags

arch:x64arch:x86image:win7-20231023-enlocale:en-usos:windows7-x64system
submitted
24/10/2023, 06:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

xY1ol9cz.exe
Size

782KB
MD5

40b509736f2336f0ae4798e08093be25
SHA1

aef0b5561edf2078238e0550b1468910c0730d2b
SHA256

5570e3901d5acc58fb38547e39a9784bf614606e68618789df0d7e29da683d81
SHA512

1e42ec6f3e618a4259c5c4b809f3109ff8807e5d83b7f37f541b3eba599f3fe153ea43002eabdfcc2bd4e5e21fc3ece00f95f35ae8c9c4cc09a61e0c07dad22d
SSDEEP

12288:/Mray90a9vSkBkezQqbtzOyWHCqr8pJ+FqGQplIkXEFS1+gz4HRLhQWy:JywckLqdpC8efQDtEFS4gEHVy

Score

10^/10

redline kukish infostealer persistence

Malware Config

Extracted

Family

redline

Botnet

kukish

77.91.124.55:19071

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 5 IoCs

resource	yara_rule
behavioral1/files/0x0007000000015c9d-38.dat	family_redline
behavioral1/files/0x0007000000015c9d-35.dat	family_redline
behavioral1/files/0x0007000000015c9d-40.dat	family_redline
behavioral1/files/0x0007000000015c9d-39.dat	family_redline
behavioral1/memory/824-41-0x0000000000220000-0x000000000025E000-memory.dmp	family_redline

Executes dropped EXE 3 IoCs

pid	Process
2420	Lv0ai3dz.exe
2140	1pm49Un8.exe
824	2hp794uB.exe

Loads dropped DLL 7 IoCs

pid	Process
1736	xY1ol9cz.exe
2420	Lv0ai3dz.exe
2420	Lv0ai3dz.exe
2420	Lv0ai3dz.exe
2140	1pm49Un8.exe
2420	Lv0ai3dz.exe
824	2hp794uB.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	xY1ol9cz.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	Lv0ai3dz.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2140 set thread context of 2748	2140	1pm49Un8.exe	31

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2656	2748	WerFault.exe	31

Suspicious use of WriteProcessMemory 42 IoCs

description	pid	Process	procid_target
PID 1736 wrote to memory of 2420	1736	xY1ol9cz.exe	28
PID 1736 wrote to memory of 2420	1736	xY1ol9cz.exe	28
PID 1736 wrote to memory of 2420	1736	xY1ol9cz.exe	28
PID 1736 wrote to memory of 2420	1736	xY1ol9cz.exe	28
PID 1736 wrote to memory of 2420	1736	xY1ol9cz.exe	28
PID 1736 wrote to memory of 2420	1736	xY1ol9cz.exe	28
PID 1736 wrote to memory of 2420	1736	xY1ol9cz.exe	28
PID 2420 wrote to memory of 2140	2420	Lv0ai3dz.exe	29
PID 2420 wrote to memory of 2140	2420	Lv0ai3dz.exe	29
PID 2420 wrote to memory of 2140	2420	Lv0ai3dz.exe	29
PID 2420 wrote to memory of 2140	2420	Lv0ai3dz.exe	29
PID 2420 wrote to memory of 2140	2420	Lv0ai3dz.exe	29
PID 2420 wrote to memory of 2140	2420	Lv0ai3dz.exe	29
PID 2420 wrote to memory of 2140	2420	Lv0ai3dz.exe	29
PID 2140 wrote to memory of 2748	2140	1pm49Un8.exe	31
PID 2140 wrote to memory of 2748	2140	1pm49Un8.exe	31
PID 2140 wrote to memory of 2748	2140	1pm49Un8.exe	31
PID 2140 wrote to memory of 2748	2140	1pm49Un8.exe	31
PID 2140 wrote to memory of 2748	2140	1pm49Un8.exe	31
PID 2140 wrote to memory of 2748	2140	1pm49Un8.exe	31
PID 2140 wrote to memory of 2748	2140	1pm49Un8.exe	31
PID 2140 wrote to memory of 2748	2140	1pm49Un8.exe	31
PID 2140 wrote to memory of 2748	2140	1pm49Un8.exe	31
PID 2140 wrote to memory of 2748	2140	1pm49Un8.exe	31
PID 2140 wrote to memory of 2748	2140	1pm49Un8.exe	31
PID 2140 wrote to memory of 2748	2140	1pm49Un8.exe	31
PID 2140 wrote to memory of 2748	2140	1pm49Un8.exe	31
PID 2140 wrote to memory of 2748	2140	1pm49Un8.exe	31
PID 2420 wrote to memory of 824	2420	Lv0ai3dz.exe	32
PID 2420 wrote to memory of 824	2420	Lv0ai3dz.exe	32
PID 2420 wrote to memory of 824	2420	Lv0ai3dz.exe	32
PID 2420 wrote to memory of 824	2420	Lv0ai3dz.exe	32
PID 2420 wrote to memory of 824	2420	Lv0ai3dz.exe	32
PID 2420 wrote to memory of 824	2420	Lv0ai3dz.exe	32
PID 2420 wrote to memory of 824	2420	Lv0ai3dz.exe	32
PID 2748 wrote to memory of 2656	2748	AppLaunch.exe	33
PID 2748 wrote to memory of 2656	2748	AppLaunch.exe	33
PID 2748 wrote to memory of 2656	2748	AppLaunch.exe	33
PID 2748 wrote to memory of 2656	2748	AppLaunch.exe	33
PID 2748 wrote to memory of 2656	2748	AppLaunch.exe	33
PID 2748 wrote to memory of 2656	2748	AppLaunch.exe	33
PID 2748 wrote to memory of 2656	2748	AppLaunch.exe	33

C:\Users\Admin\AppData\Local\Temp\xY1ol9cz.exe
"C:\Users\Admin\AppData\Local\Temp\xY1ol9cz.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1736
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Lv0ai3dz.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Lv0ai3dz.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:2420
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1pm49Un8.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1pm49Un8.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:2140
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2748
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2748 -s 268
        5⤵
        Program crash
        
        PID:2656
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2hp794uB.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2hp794uB.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:824

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Lv0ai3dz.exe

Filesize
581KB

MD5
47faacabe3e611fee8ca21df0ee60a3a

SHA1
d7ce2a93a642faa7760fa90088472e04dadaa38c

SHA256
bfed9559148c0f2b326d1f171a302f4bde8440ff3a1a4fc1bcba1a3f69a0a5cf

SHA512
5f0429f0da1a4a9ab3d4ea585eaa22666d545d943875e4a7b70b70cfedc4678fed99e9f9296f4d320ca1ad657d5d2da9c8576e177fd7d02e4aa286d98d00fcca

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Lv0ai3dz.exe

Filesize
581KB

MD5
47faacabe3e611fee8ca21df0ee60a3a

SHA1
d7ce2a93a642faa7760fa90088472e04dadaa38c

SHA256
bfed9559148c0f2b326d1f171a302f4bde8440ff3a1a4fc1bcba1a3f69a0a5cf

SHA512
5f0429f0da1a4a9ab3d4ea585eaa22666d545d943875e4a7b70b70cfedc4678fed99e9f9296f4d320ca1ad657d5d2da9c8576e177fd7d02e4aa286d98d00fcca

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1pm49Un8.exe

Filesize
1.1MB

MD5
6ef68ec5b2d91cbc9c66fa0553e527ec

SHA1
8d8ab02a5f2433cf12ba62336e4d774f2bbf21d2

SHA256
8ffa8c6bcf0b38b229ac57e8a8eacfad2d27bd2b6ec971af827609bfb919495f

SHA512
1a02ccdf3d1be279169bc25eb2a4452be337389b78050811ea4367ca624d5d169c7c7e157a73fe3be13378412e8d94606f41c157b5892cc76c4344ee85d204a6

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1pm49Un8.exe

Filesize
1.1MB

MD5
6ef68ec5b2d91cbc9c66fa0553e527ec

SHA1
8d8ab02a5f2433cf12ba62336e4d774f2bbf21d2

SHA256
8ffa8c6bcf0b38b229ac57e8a8eacfad2d27bd2b6ec971af827609bfb919495f

SHA512
1a02ccdf3d1be279169bc25eb2a4452be337389b78050811ea4367ca624d5d169c7c7e157a73fe3be13378412e8d94606f41c157b5892cc76c4344ee85d204a6

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1pm49Un8.exe

Filesize
1.1MB

MD5
6ef68ec5b2d91cbc9c66fa0553e527ec

SHA1
8d8ab02a5f2433cf12ba62336e4d774f2bbf21d2

SHA256
8ffa8c6bcf0b38b229ac57e8a8eacfad2d27bd2b6ec971af827609bfb919495f

SHA512
1a02ccdf3d1be279169bc25eb2a4452be337389b78050811ea4367ca624d5d169c7c7e157a73fe3be13378412e8d94606f41c157b5892cc76c4344ee85d204a6

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2hp794uB.exe

Filesize
222KB

MD5
d049270ff6e8fdefaafc53820f3ea25a

SHA1
606c65b1c7a3c2400e14f4e97bac91027ce600ea

SHA256
e0914346800baf7dd7a64af17a4cca8def0eb6c5df5da8376299c5ee9a901e6e

SHA512
74d08cc70eb0094dca50553f825fb4f240bbbd9a0e274accde47a0c46c3463ac33575c204757183dbaa09afc8fb2e1bbd6aa8464a3539758982eb9a1ce38d347

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2hp794uB.exe

Filesize
222KB

MD5
d049270ff6e8fdefaafc53820f3ea25a

SHA1
606c65b1c7a3c2400e14f4e97bac91027ce600ea

SHA256
e0914346800baf7dd7a64af17a4cca8def0eb6c5df5da8376299c5ee9a901e6e

SHA512
74d08cc70eb0094dca50553f825fb4f240bbbd9a0e274accde47a0c46c3463ac33575c204757183dbaa09afc8fb2e1bbd6aa8464a3539758982eb9a1ce38d347

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\Lv0ai3dz.exe

Filesize
581KB

MD5
47faacabe3e611fee8ca21df0ee60a3a

SHA1
d7ce2a93a642faa7760fa90088472e04dadaa38c

SHA256
bfed9559148c0f2b326d1f171a302f4bde8440ff3a1a4fc1bcba1a3f69a0a5cf

SHA512
5f0429f0da1a4a9ab3d4ea585eaa22666d545d943875e4a7b70b70cfedc4678fed99e9f9296f4d320ca1ad657d5d2da9c8576e177fd7d02e4aa286d98d00fcca

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\Lv0ai3dz.exe

Filesize
581KB

MD5
47faacabe3e611fee8ca21df0ee60a3a

SHA1
d7ce2a93a642faa7760fa90088472e04dadaa38c

SHA256
bfed9559148c0f2b326d1f171a302f4bde8440ff3a1a4fc1bcba1a3f69a0a5cf

SHA512
5f0429f0da1a4a9ab3d4ea585eaa22666d545d943875e4a7b70b70cfedc4678fed99e9f9296f4d320ca1ad657d5d2da9c8576e177fd7d02e4aa286d98d00fcca

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\1pm49Un8.exe

Filesize
1.1MB

MD5
6ef68ec5b2d91cbc9c66fa0553e527ec

SHA1
8d8ab02a5f2433cf12ba62336e4d774f2bbf21d2

SHA256
8ffa8c6bcf0b38b229ac57e8a8eacfad2d27bd2b6ec971af827609bfb919495f

SHA512
1a02ccdf3d1be279169bc25eb2a4452be337389b78050811ea4367ca624d5d169c7c7e157a73fe3be13378412e8d94606f41c157b5892cc76c4344ee85d204a6

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\1pm49Un8.exe

Filesize
1.1MB

MD5
6ef68ec5b2d91cbc9c66fa0553e527ec

SHA1
8d8ab02a5f2433cf12ba62336e4d774f2bbf21d2

SHA256
8ffa8c6bcf0b38b229ac57e8a8eacfad2d27bd2b6ec971af827609bfb919495f

SHA512
1a02ccdf3d1be279169bc25eb2a4452be337389b78050811ea4367ca624d5d169c7c7e157a73fe3be13378412e8d94606f41c157b5892cc76c4344ee85d204a6

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\1pm49Un8.exe

Filesize
1.1MB

MD5
6ef68ec5b2d91cbc9c66fa0553e527ec

SHA1
8d8ab02a5f2433cf12ba62336e4d774f2bbf21d2

SHA256
8ffa8c6bcf0b38b229ac57e8a8eacfad2d27bd2b6ec971af827609bfb919495f

SHA512
1a02ccdf3d1be279169bc25eb2a4452be337389b78050811ea4367ca624d5d169c7c7e157a73fe3be13378412e8d94606f41c157b5892cc76c4344ee85d204a6

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\2hp794uB.exe

Filesize
222KB

MD5
d049270ff6e8fdefaafc53820f3ea25a

SHA1
606c65b1c7a3c2400e14f4e97bac91027ce600ea

SHA256
e0914346800baf7dd7a64af17a4cca8def0eb6c5df5da8376299c5ee9a901e6e

SHA512
74d08cc70eb0094dca50553f825fb4f240bbbd9a0e274accde47a0c46c3463ac33575c204757183dbaa09afc8fb2e1bbd6aa8464a3539758982eb9a1ce38d347

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\2hp794uB.exe

Filesize
222KB

MD5
d049270ff6e8fdefaafc53820f3ea25a

SHA1
606c65b1c7a3c2400e14f4e97bac91027ce600ea

SHA256
e0914346800baf7dd7a64af17a4cca8def0eb6c5df5da8376299c5ee9a901e6e

SHA512
74d08cc70eb0094dca50553f825fb4f240bbbd9a0e274accde47a0c46c3463ac33575c204757183dbaa09afc8fb2e1bbd6aa8464a3539758982eb9a1ce38d347

Download Submit
memory/824-41-0x0000000000220000-0x000000000025E000-memory.dmp

Filesize
248KB

Download
memory/2748-25-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/2748-29-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

Filesize
4KB

Download
memory/2748-30-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/2748-32-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/2748-34-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/2748-28-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/2748-26-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/2748-27-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/2748-24-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/2748-23-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads