redline | 742c77f5470b4bd9191e8617b62a99f4f66e6c3436c36bc812542d5d2051d143

Analysis

max time kernel
142s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
21/09/2023, 11:58

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

742c77f5470b4bd9191e8617b62a99f4f66e6c3436c36bc812542d5d2051d143.exe
Size

1.0MB
MD5

9885d72406191d15b6bcdd007be1aafa
SHA1

0bfdeeaf72f6cb55fb6925bacf460a0ada4833be
SHA256

742c77f5470b4bd9191e8617b62a99f4f66e6c3436c36bc812542d5d2051d143
SHA512

d403d1ca467e96b1a7afaa6fd35fb5df39241198630ff942daad8a337d3e29d72ffbe137a68295bf20f2ba992745d6b68b3b2e878f975a91a945c79d5aae9c6c
SSDEEP

24576:PybrdEOLWcCDBWS8KUrCStbGZVTkQcjBJdjq7HX0RckaYS:aJLW/KKUGobwTUZjq7HERK

Score

10^/10

redline buben infostealer persistence

Malware Config

Extracted

Family

redline

Botnet

buben

77.91.124.82:19071

Attributes

auth_value
c62fa04aa45f5b78f62d2c21fcbefdec

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Executes dropped EXE 5 IoCs

pid	Process
1756	x5756850.exe
4784	x7726917.exe
1144	x2019301.exe
496	g4314176.exe
3204	h9626184.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	742c77f5470b4bd9191e8617b62a99f4f66e6c3436c36bc812542d5d2051d143.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	x5756850.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	x7726917.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	x2019301.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 496 set thread context of 896	496	g4314176.exe	94

Program crash 2 IoCs

pid	pid_target	Process	procid_target
1784	496	WerFault.exe	90
3744	896	WerFault.exe	94

Suspicious use of WriteProcessMemory 25 IoCs

description	pid	Process	procid_target
PID 1888 wrote to memory of 1756	1888	742c77f5470b4bd9191e8617b62a99f4f66e6c3436c36bc812542d5d2051d143.exe	86
PID 1888 wrote to memory of 1756	1888	742c77f5470b4bd9191e8617b62a99f4f66e6c3436c36bc812542d5d2051d143.exe	86
PID 1888 wrote to memory of 1756	1888	742c77f5470b4bd9191e8617b62a99f4f66e6c3436c36bc812542d5d2051d143.exe	86
PID 1756 wrote to memory of 4784	1756	x5756850.exe	87
PID 1756 wrote to memory of 4784	1756	x5756850.exe	87
PID 1756 wrote to memory of 4784	1756	x5756850.exe	87
PID 4784 wrote to memory of 1144	4784	x7726917.exe	89
PID 4784 wrote to memory of 1144	4784	x7726917.exe	89
PID 4784 wrote to memory of 1144	4784	x7726917.exe	89
PID 1144 wrote to memory of 496	1144	x2019301.exe	90
PID 1144 wrote to memory of 496	1144	x2019301.exe	90
PID 1144 wrote to memory of 496	1144	x2019301.exe	90
PID 496 wrote to memory of 896	496	g4314176.exe	94
PID 496 wrote to memory of 896	496	g4314176.exe	94
PID 496 wrote to memory of 896	496	g4314176.exe	94
PID 496 wrote to memory of 896	496	g4314176.exe	94
PID 496 wrote to memory of 896	496	g4314176.exe	94
PID 496 wrote to memory of 896	496	g4314176.exe	94
PID 496 wrote to memory of 896	496	g4314176.exe	94
PID 496 wrote to memory of 896	496	g4314176.exe	94
PID 496 wrote to memory of 896	496	g4314176.exe	94
PID 496 wrote to memory of 896	496	g4314176.exe	94
PID 1144 wrote to memory of 3204	1144	x2019301.exe	99
PID 1144 wrote to memory of 3204	1144	x2019301.exe	99
PID 1144 wrote to memory of 3204	1144	x2019301.exe	99

C:\Users\Admin\AppData\Local\Temp\742c77f5470b4bd9191e8617b62a99f4f66e6c3436c36bc812542d5d2051d143.exe
"C:\Users\Admin\AppData\Local\Temp\742c77f5470b4bd9191e8617b62a99f4f66e6c3436c36bc812542d5d2051d143.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1888
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x5756850.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x5756850.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:1756
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x7726917.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x7726917.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:4784
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\x2019301.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\x2019301.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:1144
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\g4314176.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\g4314176.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:496
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        6⤵
        
        PID:896
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 896 -s 540
        7⤵
        Program crash
        
        PID:3744
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 496 -s 136
        6⤵
        Program crash
        
        PID:1784
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\h9626184.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\h9626184.exe
        5⤵
        Executes dropped EXE
        
        PID:3204

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 496 -ip 496
1⤵
PID:1960

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 896 -ip 896
1⤵
PID:4052

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x5756850.exe

Filesize
932KB

MD5
df626d2df9c044958f8bd6f4afd4adbc

SHA1
5915d5826155d2f363a60c4ee2b92ef9c2816cf7

SHA256
c09ad771e345fb5c58b056572914f006f58aa30d3a872834015a68ff327ccc91

SHA512
f99440baf2d2632b0ab1c61e2c39248b7f51d7d145dc7952a6585025b9cfc725bc93f0a04e3030ba03bc2a18e41eb82d05d297119bc6e49d13aec2cc13c6b421

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x5756850.exe

Filesize
932KB

MD5
df626d2df9c044958f8bd6f4afd4adbc

SHA1
5915d5826155d2f363a60c4ee2b92ef9c2816cf7

SHA256
c09ad771e345fb5c58b056572914f006f58aa30d3a872834015a68ff327ccc91

SHA512
f99440baf2d2632b0ab1c61e2c39248b7f51d7d145dc7952a6585025b9cfc725bc93f0a04e3030ba03bc2a18e41eb82d05d297119bc6e49d13aec2cc13c6b421

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x7726917.exe

Filesize
628KB

MD5
63e388b7b68846f00d7a75d249d2b57e

SHA1
ccc0a264011bf937186c19beeafb47961dbd3141

SHA256
15fed4ce3d025479cbd1e32388a78edb7b6baf87f0c886d35b5596d95d383dc6

SHA512
a55fd463b5b63eb56ed08faed4b443ad77a4e2ad7cb8bb1019b92d75b2a0ee2acca0288ffb8f94f12f526ff718452db4daa21e1874da788996b8ef4f6427c47a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x7726917.exe

Filesize
628KB

MD5
63e388b7b68846f00d7a75d249d2b57e

SHA1
ccc0a264011bf937186c19beeafb47961dbd3141

SHA256
15fed4ce3d025479cbd1e32388a78edb7b6baf87f0c886d35b5596d95d383dc6

SHA512
a55fd463b5b63eb56ed08faed4b443ad77a4e2ad7cb8bb1019b92d75b2a0ee2acca0288ffb8f94f12f526ff718452db4daa21e1874da788996b8ef4f6427c47a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\x2019301.exe

Filesize
443KB

MD5
e308a4a869a8b68482c57d48cdefe8be

SHA1
51ff06052fc0f3c5c51e38421de9efd90d44bbaa

SHA256
a969b421b78cb7a2f4b444d17f83bb1b68fb9c120165a9e56cc96cac6d400e8c

SHA512
4a78c76edf8e5e3c509cde960cb1def98a8ebb5ec1e4143850169f6231452cf51909c4832a950f189dac5d2d77b715529662f507a6707e578908e43ac5a89bbb

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\x2019301.exe

Filesize
443KB

MD5
e308a4a869a8b68482c57d48cdefe8be

SHA1
51ff06052fc0f3c5c51e38421de9efd90d44bbaa

SHA256
a969b421b78cb7a2f4b444d17f83bb1b68fb9c120165a9e56cc96cac6d400e8c

SHA512
4a78c76edf8e5e3c509cde960cb1def98a8ebb5ec1e4143850169f6231452cf51909c4832a950f189dac5d2d77b715529662f507a6707e578908e43ac5a89bbb

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\g4314176.exe

Filesize
700KB

MD5
7a6bc785e31017ff12856b3dac96dc5f

SHA1
fba63f6a5abfb11623f56b84f91203221868dbf6

SHA256
5d63e3ede9679266e1fdeaacda5ab6b928e6fbee302d2b8932ffd94056cb862c

SHA512
0bacb2574ed832ff643f59ae63cc357aabee968161b3749cc59e8607c9b6957168a9611dbf2e31728fada1a6cd1445c99d254271815594367ef9abfb3f7fdea6

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\g4314176.exe

Filesize
700KB

MD5
7a6bc785e31017ff12856b3dac96dc5f

SHA1
fba63f6a5abfb11623f56b84f91203221868dbf6

SHA256
5d63e3ede9679266e1fdeaacda5ab6b928e6fbee302d2b8932ffd94056cb862c

SHA512
0bacb2574ed832ff643f59ae63cc357aabee968161b3749cc59e8607c9b6957168a9611dbf2e31728fada1a6cd1445c99d254271815594367ef9abfb3f7fdea6

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\h9626184.exe

Filesize
174KB

MD5
c194fe3fa8531d7a0777ecd1bd860e22

SHA1
7f22ba8975ec4784f435a402583af411bf7b711a

SHA256
49b2d48dd3b2ad0d38ffe9df487d78a676f045fae143774a5c1a3a0b043f5c42

SHA512
de30bee6a553dfc4f783b88831a765fa33962e11f7d9c1b731a775c533408af1ba14fe891d3a92aa4e20f8308895132b5aaa45fd9bc07a53bc9db7dc7dd2c17d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\h9626184.exe

Filesize
174KB

MD5
c194fe3fa8531d7a0777ecd1bd860e22

SHA1
7f22ba8975ec4784f435a402583af411bf7b711a

SHA256
49b2d48dd3b2ad0d38ffe9df487d78a676f045fae143774a5c1a3a0b043f5c42

SHA512
de30bee6a553dfc4f783b88831a765fa33962e11f7d9c1b731a775c533408af1ba14fe891d3a92aa4e20f8308895132b5aaa45fd9bc07a53bc9db7dc7dd2c17d

Download Submit
memory/896-29-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/896-30-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/896-32-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/896-28-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3204-39-0x0000000005E60000-0x0000000006478000-memory.dmp

Filesize
6.1MB

Download
memory/3204-37-0x0000000073E80000-0x0000000074630000-memory.dmp

Filesize
7.7MB

Download
memory/3204-38-0x00000000055F0000-0x00000000055F6000-memory.dmp

Filesize
24KB

Download
memory/3204-36-0x0000000000DD0000-0x0000000000E00000-memory.dmp

Filesize
192KB

Download
memory/3204-40-0x0000000005960000-0x0000000005A6A000-memory.dmp

Filesize
1.0MB

Download
memory/3204-41-0x0000000005630000-0x0000000005640000-memory.dmp

Filesize
64KB

Download
memory/3204-42-0x00000000058A0000-0x00000000058B2000-memory.dmp

Filesize
72KB

Download
memory/3204-43-0x0000000005900000-0x000000000593C000-memory.dmp

Filesize
240KB

Download
memory/3204-44-0x0000000005A70000-0x0000000005ABC000-memory.dmp

Filesize
304KB

Download
memory/3204-45-0x0000000073E80000-0x0000000074630000-memory.dmp

Filesize
7.7MB

Download
memory/3204-46-0x0000000005630000-0x0000000005640000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads