redline | 4350b190efcec9b78992be24f5131c24bfdb0617d1297aa74cdf96692b2ac056

Analysis

max time kernel
300s
max time network
305s
platform
windows10-1703_x64
resource
win10-20231020-en
resource tags

arch:x64arch:x86image:win10-20231020-enlocale:en-usos:windows10-1703-x64system
submitted
24/10/2023, 06:11

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

uJ9LL1Bk.exe
Size

1.0MB
MD5

dbdcdb1cde294de9c8cbddee99e0f8b0
SHA1

5f8ef1045334298376161324e4ecce8cc3d86192
SHA256

4350b190efcec9b78992be24f5131c24bfdb0617d1297aa74cdf96692b2ac056
SHA512

dcea87b7d4bea51cb31a7034cee7244892b41f931302ebfd4c8b8c687950a28ea8d16aa191616bcb06a4a29f30e15410f525f26daf205d0802f86a5a2973ee18
SSDEEP

24576:py6Kqw223NAhePQJRmAj67tEbqFNldBdhjHTDlPF:cRqnnA1Eb6DdJH/h

Score

10^/10

redline kukish infostealer persistence

Malware Config

Extracted

Family

redline

Botnet

kukish

77.91.124.55:19071

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 3 IoCs

resource	yara_rule
behavioral2/files/0x000600000001ac16-31.dat	family_redline
behavioral2/files/0x000600000001ac16-33.dat	family_redline
behavioral2/memory/4568-38-0x00000000009D0000-0x0000000000A0E000-memory.dmp	family_redline

Executes dropped EXE 5 IoCs

pid	Process
4524	ax6WB3TS.exe
1120	jb0Cp7gG.exe
1292	qc0Cb6GH.exe
4660	1LU39YQ5.exe
4568	2Gt192Uj.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	uJ9LL1Bk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	ax6WB3TS.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	jb0Cp7gG.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	qc0Cb6GH.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4660 set thread context of 4684	4660	1LU39YQ5.exe	75

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1000	4684	WerFault.exe	75

Suspicious use of WriteProcessMemory 25 IoCs

description	pid	Process	procid_target
PID 4500 wrote to memory of 4524	4500	uJ9LL1Bk.exe	71
PID 4500 wrote to memory of 4524	4500	uJ9LL1Bk.exe	71
PID 4500 wrote to memory of 4524	4500	uJ9LL1Bk.exe	71
PID 4524 wrote to memory of 1120	4524	ax6WB3TS.exe	72
PID 4524 wrote to memory of 1120	4524	ax6WB3TS.exe	72
PID 4524 wrote to memory of 1120	4524	ax6WB3TS.exe	72
PID 1120 wrote to memory of 1292	1120	jb0Cp7gG.exe	73
PID 1120 wrote to memory of 1292	1120	jb0Cp7gG.exe	73
PID 1120 wrote to memory of 1292	1120	jb0Cp7gG.exe	73
PID 1292 wrote to memory of 4660	1292	qc0Cb6GH.exe	74
PID 1292 wrote to memory of 4660	1292	qc0Cb6GH.exe	74
PID 1292 wrote to memory of 4660	1292	qc0Cb6GH.exe	74
PID 4660 wrote to memory of 4684	4660	1LU39YQ5.exe	75
PID 4660 wrote to memory of 4684	4660	1LU39YQ5.exe	75
PID 4660 wrote to memory of 4684	4660	1LU39YQ5.exe	75
PID 4660 wrote to memory of 4684	4660	1LU39YQ5.exe	75
PID 4660 wrote to memory of 4684	4660	1LU39YQ5.exe	75
PID 4660 wrote to memory of 4684	4660	1LU39YQ5.exe	75
PID 4660 wrote to memory of 4684	4660	1LU39YQ5.exe	75
PID 4660 wrote to memory of 4684	4660	1LU39YQ5.exe	75
PID 4660 wrote to memory of 4684	4660	1LU39YQ5.exe	75
PID 4660 wrote to memory of 4684	4660	1LU39YQ5.exe	75
PID 1292 wrote to memory of 4568	1292	qc0Cb6GH.exe	76
PID 1292 wrote to memory of 4568	1292	qc0Cb6GH.exe	76
PID 1292 wrote to memory of 4568	1292	qc0Cb6GH.exe	76

C:\Users\Admin\AppData\Local\Temp\uJ9LL1Bk.exe
"C:\Users\Admin\AppData\Local\Temp\uJ9LL1Bk.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4500
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ax6WB3TS.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ax6WB3TS.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:4524
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jb0Cp7gG.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jb0Cp7gG.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:1120
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qc0Cb6GH.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qc0Cb6GH.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:1292
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1LU39YQ5.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1LU39YQ5.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:4660
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        6⤵
        
        PID:4684
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4684 -s 568
        7⤵
        Program crash
        
        PID:1000
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2Gt192Uj.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2Gt192Uj.exe
        5⤵
        Executes dropped EXE
        
        PID:4568

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ax6WB3TS.exe

Filesize
843KB

MD5
070848152214a72aec282eee0109a501

SHA1
a90bffb2c8f0de0bba32ef58d8ba26ceff87dc20

SHA256
97205ce5995083bdf5c2369ba7a4c443b583a290383af0cd10b57d799d1c1c77

SHA512
3dd73b492d25fabddc79dfc091b4972e0327ba4cd6029c02045735482bbc4bb578180e12b24f09beb87b0cee45141f1c4201618a7bb2046bf0804c0975723816

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ax6WB3TS.exe

Filesize
843KB

MD5
070848152214a72aec282eee0109a501

SHA1
a90bffb2c8f0de0bba32ef58d8ba26ceff87dc20

SHA256
97205ce5995083bdf5c2369ba7a4c443b583a290383af0cd10b57d799d1c1c77

SHA512
3dd73b492d25fabddc79dfc091b4972e0327ba4cd6029c02045735482bbc4bb578180e12b24f09beb87b0cee45141f1c4201618a7bb2046bf0804c0975723816

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jb0Cp7gG.exe

Filesize
593KB

MD5
7573b4633bff6cf0a548a2c6f05723d1

SHA1
394f6efcae97b60635b20f37385532d822d2602b

SHA256
6f11f090903a948dc44b0a39dc83b0d0698dc1014f61fe1da5b7db23e79c60ea

SHA512
dbd39dce8daa3d703ee9263555260a0166c04bc1d87756a4e2cb49b1dc775b7b1fca1468b7eacb5ccc42b5c28da0cd99144d64d6df49d55a9f10c5167ee54ffe

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jb0Cp7gG.exe

Filesize
593KB

MD5
7573b4633bff6cf0a548a2c6f05723d1

SHA1
394f6efcae97b60635b20f37385532d822d2602b

SHA256
6f11f090903a948dc44b0a39dc83b0d0698dc1014f61fe1da5b7db23e79c60ea

SHA512
dbd39dce8daa3d703ee9263555260a0166c04bc1d87756a4e2cb49b1dc775b7b1fca1468b7eacb5ccc42b5c28da0cd99144d64d6df49d55a9f10c5167ee54ffe

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qc0Cb6GH.exe

Filesize
398KB

MD5
17d4fdc6880b99a20d99038b87fb29a5

SHA1
af015129a2c4a0644f07103adbb9eb1e591216c9

SHA256
1f551bd34e2ca950d297d8ffd748b4c16be555e0a7578b0c1dd502e31cfaf277

SHA512
9e6045af3f6c0bbea82c1fa2e216045478c9dd639d6ffde1606c7d98a44469301341445e8d4ac080f6d41482205c4424fe65324a838d715556c2ffd07e142164

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qc0Cb6GH.exe

Filesize
398KB

MD5
17d4fdc6880b99a20d99038b87fb29a5

SHA1
af015129a2c4a0644f07103adbb9eb1e591216c9

SHA256
1f551bd34e2ca950d297d8ffd748b4c16be555e0a7578b0c1dd502e31cfaf277

SHA512
9e6045af3f6c0bbea82c1fa2e216045478c9dd639d6ffde1606c7d98a44469301341445e8d4ac080f6d41482205c4424fe65324a838d715556c2ffd07e142164

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1LU39YQ5.exe

Filesize
320KB

MD5
9419c3cff65d99855cffd56f94a73c99

SHA1
c36716081f649ce638cedd4f052adacafaa5bafa

SHA256
d82af63a0ed8dee4d59b15a5bc1fab1b544da78f33fb18c862e71bd2698bd24e

SHA512
ad598870ea94b3f3841d67a9bf511d87481b599915d1da2c09857e36d21618675f96975c4d1d3b4828fd66fa20406a83deb59d9a00c2d0eb7eb58f5a5c26ccb1

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1LU39YQ5.exe

Filesize
320KB

MD5
9419c3cff65d99855cffd56f94a73c99

SHA1
c36716081f649ce638cedd4f052adacafaa5bafa

SHA256
d82af63a0ed8dee4d59b15a5bc1fab1b544da78f33fb18c862e71bd2698bd24e

SHA512
ad598870ea94b3f3841d67a9bf511d87481b599915d1da2c09857e36d21618675f96975c4d1d3b4828fd66fa20406a83deb59d9a00c2d0eb7eb58f5a5c26ccb1

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2Gt192Uj.exe

Filesize
222KB

MD5
bf4559ec513ad2dc641ac343fbe748ce

SHA1
c865a0c2cabfe4f9d755203ceb25b6afc53b0709

SHA256
771a7fc4e260da9fd5e4be41cdb42a75742f6a3ece96f319a641fb8e13e7f2dc

SHA512
d9dc11e9c2c656baba7cb8ce24570bf74d432dac49ad2f6293dfa02195dde077c48e36a04fc098432314e99a44a96c5d6c2c5b2c4bd2a75c865a8c9302099854

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2Gt192Uj.exe

Filesize
222KB

MD5
bf4559ec513ad2dc641ac343fbe748ce

SHA1
c865a0c2cabfe4f9d755203ceb25b6afc53b0709

SHA256
771a7fc4e260da9fd5e4be41cdb42a75742f6a3ece96f319a641fb8e13e7f2dc

SHA512
d9dc11e9c2c656baba7cb8ce24570bf74d432dac49ad2f6293dfa02195dde077c48e36a04fc098432314e99a44a96c5d6c2c5b2c4bd2a75c865a8c9302099854

Download Submit
memory/4568-42-0x0000000007740000-0x000000000774A000-memory.dmp

Filesize
40KB

Download
memory/4568-41-0x0000000007760000-0x00000000077F2000-memory.dmp

Filesize
584KB

Download
memory/4568-48-0x00000000735C0000-0x0000000073CAE000-memory.dmp

Filesize
6.9MB

Download
memory/4568-47-0x0000000007B50000-0x0000000007B9B000-memory.dmp

Filesize
300KB

Download
memory/4568-38-0x00000000009D0000-0x0000000000A0E000-memory.dmp

Filesize
248KB

Download
memory/4568-39-0x00000000735C0000-0x0000000073CAE000-memory.dmp

Filesize
6.9MB

Download
memory/4568-40-0x0000000007BC0000-0x00000000080BE000-memory.dmp

Filesize
5.0MB

Download
memory/4568-46-0x0000000007B10000-0x0000000007B4E000-memory.dmp

Filesize
248KB

Download
memory/4568-45-0x0000000007AF0000-0x0000000007B02000-memory.dmp

Filesize
72KB

Download
memory/4568-43-0x00000000086D0000-0x0000000008CD6000-memory.dmp

Filesize
6.0MB

Download
memory/4568-44-0x00000000081D0000-0x00000000082DA000-memory.dmp

Filesize
1.0MB

Download
memory/4684-28-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/4684-34-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/4684-37-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/4684-35-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads