redline | 04c7412847994129e5af7483ec3d90cd60951413b857190da79fb82ea979b2da

Analysis

max time kernel
137s
max time network
152s
platform
windows10-1703_x64
resource
win10-20230915-en
resource tags

arch:x64arch:x86image:win10-20230915-enlocale:en-usos:windows10-1703-x64system
submitted
20-09-2023 10:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

04c7412847994129e5af7483ec3d90cd60951413b857190da79fb82ea979b2da.exe
Size

1.4MB
MD5

387d1293c9803a0f01d295c618f4abc0
SHA1

d9066f9d18f74c297ccf423b1e7bbdc87dd3fc67
SHA256

04c7412847994129e5af7483ec3d90cd60951413b857190da79fb82ea979b2da
SHA512

40c1d78417adedb7f49018455c2dc1c90d63fcde0b8af3b0df82bddef842dc63990cf7cda71c9b42ab8a54f0851f3c5d8859f7ff981651e3601380952302f079
SSDEEP

24576:EyCO8gce52H6yP9QMSWoDVzTmU1btad01UVLGcO0HyAGrGnlWncV/p2R23:TCO8W2HdCaoVTh1btaFLGcO1rklT/

Score

10^/10

redline trush infostealer persistence

Malware Config

Extracted

Family

redline

Botnet

trush

77.91.124.82:19071

Attributes

auth_value
c13814867cde8193679cd0cad2d774be

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Executes dropped EXE 5 IoCs

pid	Process
3340	z3525941.exe
2704	z0727965.exe
4640	z9934105.exe
380	z7410865.exe
4460	q4859057.exe

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	z0727965.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	z9934105.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\""	z7410865.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	04c7412847994129e5af7483ec3d90cd60951413b857190da79fb82ea979b2da.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	z3525941.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4460 set thread context of 4432	4460	q4859057.exe	74

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2200	4460	WerFault.exe	72

Suspicious use of WriteProcessMemory 23 IoCs

description	pid	Process	procid_target
PID 1792 wrote to memory of 3340	1792	04c7412847994129e5af7483ec3d90cd60951413b857190da79fb82ea979b2da.exe	68
PID 1792 wrote to memory of 3340	1792	04c7412847994129e5af7483ec3d90cd60951413b857190da79fb82ea979b2da.exe	68
PID 1792 wrote to memory of 3340	1792	04c7412847994129e5af7483ec3d90cd60951413b857190da79fb82ea979b2da.exe	68
PID 3340 wrote to memory of 2704	3340	z3525941.exe	69
PID 3340 wrote to memory of 2704	3340	z3525941.exe	69
PID 3340 wrote to memory of 2704	3340	z3525941.exe	69
PID 2704 wrote to memory of 4640	2704	z0727965.exe	70
PID 2704 wrote to memory of 4640	2704	z0727965.exe	70
PID 2704 wrote to memory of 4640	2704	z0727965.exe	70
PID 4640 wrote to memory of 380	4640	z9934105.exe	71
PID 4640 wrote to memory of 380	4640	z9934105.exe	71
PID 4640 wrote to memory of 380	4640	z9934105.exe	71
PID 380 wrote to memory of 4460	380	z7410865.exe	72
PID 380 wrote to memory of 4460	380	z7410865.exe	72
PID 380 wrote to memory of 4460	380	z7410865.exe	72
PID 4460 wrote to memory of 4432	4460	q4859057.exe	74
PID 4460 wrote to memory of 4432	4460	q4859057.exe	74
PID 4460 wrote to memory of 4432	4460	q4859057.exe	74
PID 4460 wrote to memory of 4432	4460	q4859057.exe	74
PID 4460 wrote to memory of 4432	4460	q4859057.exe	74
PID 4460 wrote to memory of 4432	4460	q4859057.exe	74
PID 4460 wrote to memory of 4432	4460	q4859057.exe	74
PID 4460 wrote to memory of 4432	4460	q4859057.exe	74

C:\Users\Admin\AppData\Local\Temp\04c7412847994129e5af7483ec3d90cd60951413b857190da79fb82ea979b2da.exe
"C:\Users\Admin\AppData\Local\Temp\04c7412847994129e5af7483ec3d90cd60951413b857190da79fb82ea979b2da.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1792
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z3525941.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z3525941.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:3340
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z0727965.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z0727965.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:2704
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z9934105.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z9934105.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:4640
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\z7410865.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\z7410865.exe
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of WriteProcessMemory
        
        PID:380
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q4859057.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q4859057.exe
        6⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:4460
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        7⤵
        
        PID:4432
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4460 -s 580
        7⤵
        Program crash
        
        PID:2200

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z3525941.exe

Filesize
1.3MB

MD5
3acc1e50bde18a7d2b86e3ee17b49324

SHA1
04239eba2aa20e6ef580eaf2cff051aef91a5e43

SHA256
32bb4e349d7246da41b928ac18ef305fd472ee241d88fb504a43044a13328be3

SHA512
5af9fcfd363140d64a8e6cc2052120a7b04c4204917cc06273ed0e42d895314b24cf5d160321dc756ea316b7530b60f800ef2273d73c64d526ff8ead5b544f9b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z3525941.exe

Filesize
1.3MB

MD5
3acc1e50bde18a7d2b86e3ee17b49324

SHA1
04239eba2aa20e6ef580eaf2cff051aef91a5e43

SHA256
32bb4e349d7246da41b928ac18ef305fd472ee241d88fb504a43044a13328be3

SHA512
5af9fcfd363140d64a8e6cc2052120a7b04c4204917cc06273ed0e42d895314b24cf5d160321dc756ea316b7530b60f800ef2273d73c64d526ff8ead5b544f9b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z0727965.exe

Filesize
941KB

MD5
e1a18dabdee6f19ad108a8b3773d6041

SHA1
ecc1ddfbeb3d15a9bf942ab26396e179780d644d

SHA256
cb4c6ba61d8068625150b6556ced81a56d8d986f77fa0670d78f77c034252c17

SHA512
1a2804a9fc88b4ed439c3ce1b4f089b3479b71ef4a68c0da265d8d8ab694055583b4c12ceda9277916bde28cc744a03f48202c3320cc0974bd85c8b97f3e18ac

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z0727965.exe

Filesize
941KB

MD5
e1a18dabdee6f19ad108a8b3773d6041

SHA1
ecc1ddfbeb3d15a9bf942ab26396e179780d644d

SHA256
cb4c6ba61d8068625150b6556ced81a56d8d986f77fa0670d78f77c034252c17

SHA512
1a2804a9fc88b4ed439c3ce1b4f089b3479b71ef4a68c0da265d8d8ab694055583b4c12ceda9277916bde28cc744a03f48202c3320cc0974bd85c8b97f3e18ac

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z9934105.exe

Filesize
758KB

MD5
cccada86d46c6aca70964af89d7a79ad

SHA1
51ba9f905d3783344fab894670bcfac46df66a15

SHA256
bdee475393bedfb2dfc2cb50c4675719dbac0f249f9dd38914b3259242614aaa

SHA512
41a99b306fa74c99a00debb23848f5ac637b59aef7a5efaf1dbd4cc3adc58882fa82f9f85a23a4f5a656f3c86ebb6446dc2e5ba5ca3f2ad715e90f1a0022efb8

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z9934105.exe

Filesize
758KB

MD5
cccada86d46c6aca70964af89d7a79ad

SHA1
51ba9f905d3783344fab894670bcfac46df66a15

SHA256
bdee475393bedfb2dfc2cb50c4675719dbac0f249f9dd38914b3259242614aaa

SHA512
41a99b306fa74c99a00debb23848f5ac637b59aef7a5efaf1dbd4cc3adc58882fa82f9f85a23a4f5a656f3c86ebb6446dc2e5ba5ca3f2ad715e90f1a0022efb8

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\z7410865.exe

Filesize
576KB

MD5
5b36d2e94a6feaf316fb8182f149bd1c

SHA1
b7b3311a893e39b35e94a31de1cce6bff88a5693

SHA256
258d29371a2cbcc74f712f4f1c2b8bfc8c449ea4f9867dc4503723e6c1b3b7e9

SHA512
5e8a46d92e6a8f1fa80ff2279d5a9693cc0319c1e12bfc4731e3cffaf3cecf43dee0d5515332ea15f24685e84e42f8f90d3b10569f709a04b705b0a6cfa88c09

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\z7410865.exe

Filesize
576KB

MD5
5b36d2e94a6feaf316fb8182f149bd1c

SHA1
b7b3311a893e39b35e94a31de1cce6bff88a5693

SHA256
258d29371a2cbcc74f712f4f1c2b8bfc8c449ea4f9867dc4503723e6c1b3b7e9

SHA512
5e8a46d92e6a8f1fa80ff2279d5a9693cc0319c1e12bfc4731e3cffaf3cecf43dee0d5515332ea15f24685e84e42f8f90d3b10569f709a04b705b0a6cfa88c09

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q4859057.exe

Filesize
1.1MB

MD5
6ef83b31b0308f9128f57d3b85d5dc99

SHA1
8276cf2c6ae1f30ef8d916f846d4ed06a258cdf8

SHA256
4f606237c7fb96f122f3c633029ba0ef136283ca595dece16cd4cc1156e55990

SHA512
d8a86dd424c53035b2b5a63cc4dc144f4f3e9fbefeeebbfbdee728ad2702aa58aaad253ab4c49323ffa233ec5d7dc9335d058614c158ca6729c6f10a57a717c0

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q4859057.exe

Filesize
1.1MB

MD5
6ef83b31b0308f9128f57d3b85d5dc99

SHA1
8276cf2c6ae1f30ef8d916f846d4ed06a258cdf8

SHA256
4f606237c7fb96f122f3c633029ba0ef136283ca595dece16cd4cc1156e55990

SHA512
d8a86dd424c53035b2b5a63cc4dc144f4f3e9fbefeeebbfbdee728ad2702aa58aaad253ab4c49323ffa233ec5d7dc9335d058614c158ca6729c6f10a57a717c0

Download Submit
memory/4432-35-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/4432-39-0x0000000073510000-0x0000000073BFE000-memory.dmp

Filesize
6.9MB

Download
memory/4432-40-0x0000000000B50000-0x0000000000B56000-memory.dmp

Filesize
24KB

Download
memory/4432-41-0x000000000E810000-0x000000000EE16000-memory.dmp

Filesize
6.0MB

Download
memory/4432-42-0x000000000E310000-0x000000000E41A000-memory.dmp

Filesize
1.0MB

Download
memory/4432-43-0x0000000008D40000-0x0000000008D52000-memory.dmp

Filesize
72KB

Download
memory/4432-44-0x000000000E240000-0x000000000E27E000-memory.dmp

Filesize
248KB

Download
memory/4432-45-0x000000000E280000-0x000000000E2CB000-memory.dmp

Filesize
300KB

Download
memory/4432-50-0x0000000073510000-0x0000000073BFE000-memory.dmp

Filesize
6.9MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads