redline | 5570e3901d5acc58fb38547e39a9784bf614606e68618789df0d7e29da683d81

General

Target

xY1ol9cz.exe
Size

782KB
MD5

40b509736f2336f0ae4798e08093be25
SHA1

aef0b5561edf2078238e0550b1468910c0730d2b
SHA256

5570e3901d5acc58fb38547e39a9784bf614606e68618789df0d7e29da683d81
SHA512

1e42ec6f3e618a4259c5c4b809f3109ff8807e5d83b7f37f541b3eba599f3fe153ea43002eabdfcc2bd4e5e21fc3ece00f95f35ae8c9c4cc09a61e0c07dad22d
SSDEEP

12288:/Mray90a9vSkBkezQqbtzOyWHCqr8pJ+FqGQplIkXEFS1+gz4HRLhQWy:JywckLqdpC8efQDtEFS4gEHVy

Score

10^/10

redline kukish infostealer persistence

Malware Config

Extracted

Family

redline

Botnet

kukish

C2

77.91.124.55:19071

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 3 IoCs

resource	yara_rule
behavioral2/files/0x000600000001abc4-18.dat	family_redline
behavioral2/files/0x000600000001abc4-19.dat	family_redline
behavioral2/memory/1368-24-0x0000000000C30000-0x0000000000C6E000-memory.dmp	family_redline

Executes dropped EXE 3 IoCs

pid	Process
3540	Lv0ai3dz.exe
2604	1pm49Un8.exe
1368	2hp794uB.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	Lv0ai3dz.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	xY1ol9cz.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2604 set thread context of 4804	2604	1pm49Un8.exe	74

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2856	4804	WerFault.exe	74

Suspicious use of WriteProcessMemory 19 IoCs

description	pid	Process	procid_target
PID 2364 wrote to memory of 3540	2364	xY1ol9cz.exe	71
PID 2364 wrote to memory of 3540	2364	xY1ol9cz.exe	71
PID 2364 wrote to memory of 3540	2364	xY1ol9cz.exe	71
PID 3540 wrote to memory of 2604	3540	Lv0ai3dz.exe	72
PID 3540 wrote to memory of 2604	3540	Lv0ai3dz.exe	72
PID 3540 wrote to memory of 2604	3540	Lv0ai3dz.exe	72
PID 2604 wrote to memory of 4804	2604	1pm49Un8.exe	74
PID 2604 wrote to memory of 4804	2604	1pm49Un8.exe	74
PID 2604 wrote to memory of 4804	2604	1pm49Un8.exe	74
PID 2604 wrote to memory of 4804	2604	1pm49Un8.exe	74
PID 2604 wrote to memory of 4804	2604	1pm49Un8.exe	74
PID 2604 wrote to memory of 4804	2604	1pm49Un8.exe	74
PID 2604 wrote to memory of 4804	2604	1pm49Un8.exe	74
PID 2604 wrote to memory of 4804	2604	1pm49Un8.exe	74
PID 2604 wrote to memory of 4804	2604	1pm49Un8.exe	74
PID 2604 wrote to memory of 4804	2604	1pm49Un8.exe	74
PID 3540 wrote to memory of 1368	3540	Lv0ai3dz.exe	75
PID 3540 wrote to memory of 1368	3540	Lv0ai3dz.exe	75
PID 3540 wrote to memory of 1368	3540	Lv0ai3dz.exe	75

C:\Users\Admin\AppData\Local\Temp\xY1ol9cz.exe
"C:\Users\Admin\AppData\Local\Temp\xY1ol9cz.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2364
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Lv0ai3dz.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Lv0ai3dz.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:3540
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1pm49Un8.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1pm49Un8.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:2604
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
      4⤵
      PID:4804
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4804 -s 568
        5⤵
        Program crash
        
        PID:2856
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2hp794uB.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2hp794uB.exe
    3⤵
    - Executes dropped EXE
    PID:1368

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Lv0ai3dz.exe

Filesize
581KB

MD5
47faacabe3e611fee8ca21df0ee60a3a

SHA1
d7ce2a93a642faa7760fa90088472e04dadaa38c

SHA256
bfed9559148c0f2b326d1f171a302f4bde8440ff3a1a4fc1bcba1a3f69a0a5cf

SHA512
5f0429f0da1a4a9ab3d4ea585eaa22666d545d943875e4a7b70b70cfedc4678fed99e9f9296f4d320ca1ad657d5d2da9c8576e177fd7d02e4aa286d98d00fcca

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Lv0ai3dz.exe

Filesize
581KB

MD5
47faacabe3e611fee8ca21df0ee60a3a

SHA1
d7ce2a93a642faa7760fa90088472e04dadaa38c

SHA256
bfed9559148c0f2b326d1f171a302f4bde8440ff3a1a4fc1bcba1a3f69a0a5cf

SHA512
5f0429f0da1a4a9ab3d4ea585eaa22666d545d943875e4a7b70b70cfedc4678fed99e9f9296f4d320ca1ad657d5d2da9c8576e177fd7d02e4aa286d98d00fcca

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1pm49Un8.exe

Filesize
1.1MB

MD5
6ef68ec5b2d91cbc9c66fa0553e527ec

SHA1
8d8ab02a5f2433cf12ba62336e4d774f2bbf21d2

SHA256
8ffa8c6bcf0b38b229ac57e8a8eacfad2d27bd2b6ec971af827609bfb919495f

SHA512
1a02ccdf3d1be279169bc25eb2a4452be337389b78050811ea4367ca624d5d169c7c7e157a73fe3be13378412e8d94606f41c157b5892cc76c4344ee85d204a6

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1pm49Un8.exe

Filesize
1.1MB

MD5
6ef68ec5b2d91cbc9c66fa0553e527ec

SHA1
8d8ab02a5f2433cf12ba62336e4d774f2bbf21d2

SHA256
8ffa8c6bcf0b38b229ac57e8a8eacfad2d27bd2b6ec971af827609bfb919495f

SHA512
1a02ccdf3d1be279169bc25eb2a4452be337389b78050811ea4367ca624d5d169c7c7e157a73fe3be13378412e8d94606f41c157b5892cc76c4344ee85d204a6

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2hp794uB.exe

Filesize
222KB

MD5
d049270ff6e8fdefaafc53820f3ea25a

SHA1
606c65b1c7a3c2400e14f4e97bac91027ce600ea

SHA256
e0914346800baf7dd7a64af17a4cca8def0eb6c5df5da8376299c5ee9a901e6e

SHA512
74d08cc70eb0094dca50553f825fb4f240bbbd9a0e274accde47a0c46c3463ac33575c204757183dbaa09afc8fb2e1bbd6aa8464a3539758982eb9a1ce38d347

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2hp794uB.exe

Filesize
222KB

MD5
d049270ff6e8fdefaafc53820f3ea25a

SHA1
606c65b1c7a3c2400e14f4e97bac91027ce600ea

SHA256
e0914346800baf7dd7a64af17a4cca8def0eb6c5df5da8376299c5ee9a901e6e

SHA512
74d08cc70eb0094dca50553f825fb4f240bbbd9a0e274accde47a0c46c3463ac33575c204757183dbaa09afc8fb2e1bbd6aa8464a3539758982eb9a1ce38d347

Download Submit
memory/1368-25-0x0000000073500000-0x0000000073BEE000-memory.dmp

Filesize
6.9MB

Download
memory/1368-30-0x00000000082B0000-0x00000000083BA000-memory.dmp

Filesize
1.0MB

Download
memory/1368-34-0x0000000073500000-0x0000000073BEE000-memory.dmp

Filesize
6.9MB

Download
memory/1368-33-0x0000000007CB0000-0x0000000007CFB000-memory.dmp

Filesize
300KB

Download
memory/1368-32-0x0000000007C70000-0x0000000007CAE000-memory.dmp

Filesize
248KB

Download
memory/1368-24-0x0000000000C30000-0x0000000000C6E000-memory.dmp

Filesize
248KB

Download
memory/1368-26-0x0000000007DB0000-0x00000000082AE000-memory.dmp

Filesize
5.0MB

Download
memory/1368-27-0x0000000007990000-0x0000000007A22000-memory.dmp

Filesize
584KB

Download
memory/1368-28-0x0000000007A40000-0x0000000007A4A000-memory.dmp

Filesize
40KB

Download
memory/1368-29-0x00000000088C0000-0x0000000008EC6000-memory.dmp

Filesize
6.0MB

Download
memory/1368-31-0x0000000007BF0000-0x0000000007C02000-memory.dmp

Filesize
72KB

Download
memory/4804-20-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/4804-14-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/4804-23-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/4804-21-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads