redline | 7f1d00a862354132c7fd1d687127029e2def00fff1c86859d93297e1040744cc

Analysis

max time kernel
145s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
21/09/2023, 13:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7f1d00a862354132c7fd1d687127029e2def00fff1c86859d93297e1040744cc.exe
Size

1.0MB
MD5

2b93b37d76b5c1e2505269178244f698
SHA1

611242a662d48070e35f8a27a3aa064db65b0be4
SHA256

7f1d00a862354132c7fd1d687127029e2def00fff1c86859d93297e1040744cc
SHA512

d030d526eb817dd9151e1e40079f29ea711be7b636b41574cc0034e1211fdc260ec81644d13417c7ccfc1df88668f9e211063521317caa8e3d9f4fc83b2f3b7d
SSDEEP

24576:qy4lQcjbX99MKasX4puRZrpkpSoAcZMn:x4lQcLlasX4CZt0Rr

Score

10^/10

redline tuxiu infostealer persistence

Malware Config

Extracted

Family

redline

Botnet

tuxiu

77.91.124.82:19071

Attributes

auth_value
29610cdad07e7187eec70685a04b89fe

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 3 IoCs

resource	yara_rule
behavioral1/files/0x0006000000023266-33.dat	family_redline
behavioral1/files/0x0006000000023266-35.dat	family_redline
behavioral1/memory/808-36-0x0000000000070000-0x00000000000A0000-memory.dmp	family_redline

Executes dropped EXE 5 IoCs

pid	Process
708	x0034734.exe
4384	x9023988.exe
4200	x7019421.exe
4188	g9434273.exe
808	h3997627.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	x0034734.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	x9023988.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	x7019421.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	7f1d00a862354132c7fd1d687127029e2def00fff1c86859d93297e1040744cc.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4188 set thread context of 1460	4188	g9434273.exe	88

Program crash 2 IoCs

pid	pid_target	Process	procid_target
1452	4188	WerFault.exe	86
4512	1460	WerFault.exe	88

Suspicious use of WriteProcessMemory 25 IoCs

description	pid	Process	procid_target
PID 3516 wrote to memory of 708	3516	7f1d00a862354132c7fd1d687127029e2def00fff1c86859d93297e1040744cc.exe	82
PID 3516 wrote to memory of 708	3516	7f1d00a862354132c7fd1d687127029e2def00fff1c86859d93297e1040744cc.exe	82
PID 3516 wrote to memory of 708	3516	7f1d00a862354132c7fd1d687127029e2def00fff1c86859d93297e1040744cc.exe	82
PID 708 wrote to memory of 4384	708	x0034734.exe	84
PID 708 wrote to memory of 4384	708	x0034734.exe	84
PID 708 wrote to memory of 4384	708	x0034734.exe	84
PID 4384 wrote to memory of 4200	4384	x9023988.exe	85
PID 4384 wrote to memory of 4200	4384	x9023988.exe	85
PID 4384 wrote to memory of 4200	4384	x9023988.exe	85
PID 4200 wrote to memory of 4188	4200	x7019421.exe	86
PID 4200 wrote to memory of 4188	4200	x7019421.exe	86
PID 4200 wrote to memory of 4188	4200	x7019421.exe	86
PID 4188 wrote to memory of 1460	4188	g9434273.exe	88
PID 4188 wrote to memory of 1460	4188	g9434273.exe	88
PID 4188 wrote to memory of 1460	4188	g9434273.exe	88
PID 4188 wrote to memory of 1460	4188	g9434273.exe	88
PID 4188 wrote to memory of 1460	4188	g9434273.exe	88
PID 4188 wrote to memory of 1460	4188	g9434273.exe	88
PID 4188 wrote to memory of 1460	4188	g9434273.exe	88
PID 4188 wrote to memory of 1460	4188	g9434273.exe	88
PID 4188 wrote to memory of 1460	4188	g9434273.exe	88
PID 4188 wrote to memory of 1460	4188	g9434273.exe	88
PID 4200 wrote to memory of 808	4200	x7019421.exe	94
PID 4200 wrote to memory of 808	4200	x7019421.exe	94
PID 4200 wrote to memory of 808	4200	x7019421.exe	94

C:\Users\Admin\AppData\Local\Temp\7f1d00a862354132c7fd1d687127029e2def00fff1c86859d93297e1040744cc.exe
"C:\Users\Admin\AppData\Local\Temp\7f1d00a862354132c7fd1d687127029e2def00fff1c86859d93297e1040744cc.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3516
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x0034734.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x0034734.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:708
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x9023988.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x9023988.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:4384
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\x7019421.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\x7019421.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:4200
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\g9434273.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\g9434273.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:4188
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        6⤵
        
        PID:1460
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1460 -s 200
        7⤵
        Program crash
        
        PID:4512
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4188 -s 556
        6⤵
        Program crash
        
        PID:1452
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\h3997627.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\h3997627.exe
        5⤵
        Executes dropped EXE
        
        PID:808

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 4188 -ip 4188
1⤵
PID:1836

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1460 -ip 1460
1⤵
PID:3356

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x0034734.exe

Filesize
933KB

MD5
d2d49ce8ab4d9c9da068672d2f080f12

SHA1
f731ba50ab39f03b5d647dd64f1a8f4327c5d24f

SHA256
7df7db2dd3b7bde622195590a4823b29a4bca07e549d89427f1e3dbffe01f469

SHA512
04eaf923f7dd881382baf379fa838ad52718766e84b124c47f6fd723a0aad87c2a045b81e8540a24cbcb54db341200c798a227062d1ac031959c8a362fbdcdfb

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x0034734.exe

Filesize
933KB

MD5
d2d49ce8ab4d9c9da068672d2f080f12

SHA1
f731ba50ab39f03b5d647dd64f1a8f4327c5d24f

SHA256
7df7db2dd3b7bde622195590a4823b29a4bca07e549d89427f1e3dbffe01f469

SHA512
04eaf923f7dd881382baf379fa838ad52718766e84b124c47f6fd723a0aad87c2a045b81e8540a24cbcb54db341200c798a227062d1ac031959c8a362fbdcdfb

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x9023988.exe

Filesize
629KB

MD5
5f0c18a1d80569b22766bdf64193e708

SHA1
94cf13ef1c163c2acafd80ab9c20875cb28b9e1c

SHA256
1d66bb529be98d1c8cc5dfdae3384ade01c215a31cd59b050c4062ed830183aa

SHA512
f9e0c53d49c5e0088ecd4427b0f328c6330c8d6bd495cb89d29ddf2f58272c5f01d2d87136ffb7ca6e975ecc73f93df2fba56dc6913de1b0888b1120498c9e74

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x9023988.exe

Filesize
629KB

MD5
5f0c18a1d80569b22766bdf64193e708

SHA1
94cf13ef1c163c2acafd80ab9c20875cb28b9e1c

SHA256
1d66bb529be98d1c8cc5dfdae3384ade01c215a31cd59b050c4062ed830183aa

SHA512
f9e0c53d49c5e0088ecd4427b0f328c6330c8d6bd495cb89d29ddf2f58272c5f01d2d87136ffb7ca6e975ecc73f93df2fba56dc6913de1b0888b1120498c9e74

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\x7019421.exe

Filesize
443KB

MD5
b00ff1d91cf2aa2d12053c03efddc9e0

SHA1
ba57f93a520f718fbd96130553aee1c4f348026a

SHA256
14b900d674f85163139ce4c1440a1ebd331719b4fb7948e5c258e136cc878c8d

SHA512
7d38275b052af5e4c8d0ab1018e8cc883dae5a5f96a50e286290b91aa33fc3ca4e43dd65533024f80990a6c5f0c2f39cd2d08d1ea2567cf171504bd75a10f80e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\x7019421.exe

Filesize
443KB

MD5
b00ff1d91cf2aa2d12053c03efddc9e0

SHA1
ba57f93a520f718fbd96130553aee1c4f348026a

SHA256
14b900d674f85163139ce4c1440a1ebd331719b4fb7948e5c258e136cc878c8d

SHA512
7d38275b052af5e4c8d0ab1018e8cc883dae5a5f96a50e286290b91aa33fc3ca4e43dd65533024f80990a6c5f0c2f39cd2d08d1ea2567cf171504bd75a10f80e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\g9434273.exe

Filesize
700KB

MD5
779ee8c566e614b7215a24f34f138f3f

SHA1
c56bb2d2dbbb2908e7e88028bbe3de903c42e415

SHA256
c0f70df2140dc739191a44e9fb6298825ff57a4a79e541a8ead6c9fca688f698

SHA512
06ffa4a893ee10ec3e1f3c5041357a95c1f5f01671cb83deb5ca02fcc8ab7b516823dec1b1baa278708c92cdaaa8bf89ceb2e958514893836d2eda091cf51265

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\g9434273.exe

Filesize
700KB

MD5
779ee8c566e614b7215a24f34f138f3f

SHA1
c56bb2d2dbbb2908e7e88028bbe3de903c42e415

SHA256
c0f70df2140dc739191a44e9fb6298825ff57a4a79e541a8ead6c9fca688f698

SHA512
06ffa4a893ee10ec3e1f3c5041357a95c1f5f01671cb83deb5ca02fcc8ab7b516823dec1b1baa278708c92cdaaa8bf89ceb2e958514893836d2eda091cf51265

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\h3997627.exe

Filesize
174KB

MD5
8666c247137e6c98c2a17d541521a590

SHA1
463593cb6eaa2719891c22ecb59456ea60ccb347

SHA256
9685ec124e8300775fc939805f7339b372b9d82722df9af250c6a8dcb0c1aa8b

SHA512
797ff05b8ce8c4b711db2a547e04399acba910ce7988202a8293432ba22a179f3dcfee7b1d9ee97bcdcc9cddc26de08084d02296e278410c60ef3e3817fca337

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\h3997627.exe

Filesize
174KB

MD5
8666c247137e6c98c2a17d541521a590

SHA1
463593cb6eaa2719891c22ecb59456ea60ccb347

SHA256
9685ec124e8300775fc939805f7339b372b9d82722df9af250c6a8dcb0c1aa8b

SHA512
797ff05b8ce8c4b711db2a547e04399acba910ce7988202a8293432ba22a179f3dcfee7b1d9ee97bcdcc9cddc26de08084d02296e278410c60ef3e3817fca337

Download Submit
memory/808-39-0x0000000005200000-0x0000000005818000-memory.dmp

Filesize
6.1MB

Download
memory/808-42-0x0000000004AD0000-0x0000000004AE0000-memory.dmp

Filesize
64KB

Download
memory/808-46-0x0000000004AD0000-0x0000000004AE0000-memory.dmp

Filesize
64KB

Download
memory/808-45-0x0000000074160000-0x0000000074910000-memory.dmp

Filesize
7.7MB

Download
memory/808-36-0x0000000000070000-0x00000000000A0000-memory.dmp

Filesize
192KB

Download
memory/808-37-0x0000000074160000-0x0000000074910000-memory.dmp

Filesize
7.7MB

Download
memory/808-44-0x0000000004BE0000-0x0000000004C2C000-memory.dmp

Filesize
304KB

Download
memory/808-40-0x0000000004CF0000-0x0000000004DFA000-memory.dmp

Filesize
1.0MB

Download
memory/808-38-0x0000000000850000-0x0000000000856000-memory.dmp

Filesize
24KB

Download
memory/808-41-0x0000000004A30000-0x0000000004A42000-memory.dmp

Filesize
72KB

Download
memory/808-43-0x0000000004A90000-0x0000000004ACC000-memory.dmp

Filesize
240KB

Download
memory/1460-29-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1460-32-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1460-30-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1460-28-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads