redline | 3767bd9b929fb47ae3b158c424044d32b3c87ffb6efc8eb109dc1df9f3d9b053

Analysis

max time kernel
149s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
24-05-2024 08:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7a8a88b0a15e4a8745bd118e981c6441287f021628c402661c208c01855d8b14.exe
Size

900KB
MD5

4a9648d4eb38e033a991e4a829fb3e93
SHA1

85836d217cb987fe87348137629345e06a2a8993
SHA256

7a8a88b0a15e4a8745bd118e981c6441287f021628c402661c208c01855d8b14
SHA512

55d564f97226b83e81cb888ba0ee310996e200a9f0d455eb454d9f9760b8b361476c04061d59b4e0bce2252bb905058fab40503bf76b8eebd835193ca2858345
SSDEEP

12288:WMr6y90lQmdp8Bbof4EIKdniEMeYP/CynvCNCGGEsqbZZACGKvuMm7hD16RYTlSx:cyvGfXUE5YPq4qRsqbZZAzqaDkR3RHL

Score

10^/10

redline kukish infostealer persistence

Malware Config

Extracted

Family

redline

Botnet

kukish

77.91.124.55:19071

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 2 IoCs

resource	yara_rule
behavioral10/files/0x000800000002344e-27.dat	family_redline
behavioral10/memory/4644-28-0x0000000000900000-0x000000000093E000-memory.dmp	family_redline

Executes dropped EXE 4 IoCs

pid	Process
2988	vu3TL0Hs.exe
1216	zY9dr4eN.exe
2248	lU3px6NV.exe
4644	2jg404Ua.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	lU3px6NV.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	7a8a88b0a15e4a8745bd118e981c6441287f021628c402661c208c01855d8b14.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	vu3TL0Hs.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	zY9dr4eN.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 4724 wrote to memory of 2988	4724	7a8a88b0a15e4a8745bd118e981c6441287f021628c402661c208c01855d8b14.exe	85
PID 4724 wrote to memory of 2988	4724	7a8a88b0a15e4a8745bd118e981c6441287f021628c402661c208c01855d8b14.exe	85
PID 4724 wrote to memory of 2988	4724	7a8a88b0a15e4a8745bd118e981c6441287f021628c402661c208c01855d8b14.exe	85
PID 2988 wrote to memory of 1216	2988	vu3TL0Hs.exe	86
PID 2988 wrote to memory of 1216	2988	vu3TL0Hs.exe	86
PID 2988 wrote to memory of 1216	2988	vu3TL0Hs.exe	86
PID 1216 wrote to memory of 2248	1216	zY9dr4eN.exe	87
PID 1216 wrote to memory of 2248	1216	zY9dr4eN.exe	87
PID 1216 wrote to memory of 2248	1216	zY9dr4eN.exe	87
PID 2248 wrote to memory of 4644	2248	lU3px6NV.exe	88
PID 2248 wrote to memory of 4644	2248	lU3px6NV.exe	88
PID 2248 wrote to memory of 4644	2248	lU3px6NV.exe	88

C:\Users\Admin\AppData\Local\Temp\7a8a88b0a15e4a8745bd118e981c6441287f021628c402661c208c01855d8b14.exe
"C:\Users\Admin\AppData\Local\Temp\7a8a88b0a15e4a8745bd118e981c6441287f021628c402661c208c01855d8b14.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4724
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vu3TL0Hs.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vu3TL0Hs.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:2988
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\zY9dr4eN.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\zY9dr4eN.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:1216
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\lU3px6NV.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\lU3px6NV.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:2248
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2jg404Ua.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2jg404Ua.exe
        5⤵
        Executes dropped EXE
        
        PID:4644

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vu3TL0Hs.exe

Filesize
762KB

MD5
1ad30cef5c76b81a9d82dd67b0227903

SHA1
98ab551662b38a0b9b69573bdc5a4f3000a0456b

SHA256
e1fe1de92ff0d6209d577e1a66bcd7114f8abaf693e238486a5ebb3791b5a2ae

SHA512
1073205310b43371d4ceb144b5546597504bed134ccf08c198ccdacc0a2367277addc33c81a32e517143488e8d650b1b67f3e175405b5578b303bca8f72e59b5

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\zY9dr4eN.exe

Filesize
572KB

MD5
4d75e6a141f9c4e73b17ce94218ce811

SHA1
b52f6f6b4216406034070e037e5086106819d8e7

SHA256
4399506548e854c876d5d7d94b3e573d233e9817cb400394f3e140ec764ee129

SHA512
d6747ab945a4b07ba8faca5f8dcc50a4f30b6425133bca87e93b2a8c5c41d7760294999f9e5521518d645912c26d719b6b79bae841e9d02115f9ecf192364fbb

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\lU3px6NV.exe

Filesize
319KB

MD5
2d429496d81a18af4360c8efc51a945a

SHA1
e85dd3a0c052ae719a0888b28af83c77a847bff8

SHA256
ac5f7f06b7a73d51ce886c2da418d2cb033cf3450dc6090550a4f1a2521579aa

SHA512
1ea65ab5e763e85c5dbf4bd9b9462968a8f9752e7ad1572c200235b3b4862b2f64fafa87f008173d36731d168ccfa3df5c5e82e65fbee9508cb5a0ee46f7adcd

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2jg404Ua.exe

Filesize
222KB

MD5
049ae0ce153eb5d6319ae68484daa191

SHA1
7651770111521e43181c748da3cddf96046ec12f

SHA256
0ae87eb661e0191c2fe16b40dac6ee5f3a8deaecafdddca0e5bd62362d4b9db6

SHA512
6307a7448c416cd7c5d4e9420becde2166a297c26d6a5a535f663cf5843d59b572680888fbe2a9d262dbbc130d1f0c584cf4927dd59820130bbeccb4df914101

Download Submit
memory/4644-28-0x0000000000900000-0x000000000093E000-memory.dmp

Filesize
248KB

Download
memory/4644-30-0x00000000077E0000-0x0000000007872000-memory.dmp

Filesize
584KB

Download
memory/4644-29-0x0000000007CB0000-0x0000000008254000-memory.dmp

Filesize
5.6MB

Download
memory/4644-31-0x0000000004D90000-0x0000000004D9A000-memory.dmp

Filesize
40KB

Download
memory/4644-32-0x0000000008880000-0x0000000008E98000-memory.dmp

Filesize
6.1MB

Download
memory/4644-33-0x0000000007B30000-0x0000000007C3A000-memory.dmp

Filesize
1.0MB

Download
memory/4644-34-0x00000000079F0000-0x0000000007A02000-memory.dmp

Filesize
72KB

Download
memory/4644-35-0x0000000007A60000-0x0000000007A9C000-memory.dmp

Filesize
240KB

Download
memory/4644-36-0x0000000007AA0000-0x0000000007AEC000-memory.dmp

Filesize
304KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads