redline | 8e729676586171ff474ce8ea524400d6aa99607ce7c9ab3efc5db20a6f910fdd

General

Target

8e729676586171ff474ce8ea524400d6aa99607ce7c9ab3efc5db20a6f910fdd.exe
Size

696KB
MD5

afded750051093d03a74fff5eebc9b39
SHA1

5c57d9acdf477021372111cbc096da0030217b6f
SHA256

8e729676586171ff474ce8ea524400d6aa99607ce7c9ab3efc5db20a6f910fdd
SHA512

dba3be98195ba4f0b62e3cffa4d25bda8f2ad34ccc61325e3deb324e265f67a136e7bcb1f3ab9142a998b1ae52ddb9b9ff3af5839fe92f7fd85a33e4d2d2a3f0
SSDEEP

12288:/Mr5y90UroYxj48HVRDdsdAlusZ+WARAjIvWpWILs+S:uygSj48V8euUOKIvWpG+S

Score

10^/10

redline tuxiu infostealer persistence

Malware Config

Extracted

Family

redline

Botnet

tuxiu

C2

77.91.124.82:19071

Attributes

auth_value
29610cdad07e7187eec70685a04b89fe

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 3 IoCs

resource	yara_rule
behavioral1/files/0x00080000000231c7-19.dat	family_redline
behavioral1/files/0x00080000000231c7-20.dat	family_redline
behavioral1/memory/4276-21-0x00000000006B0000-0x00000000006E0000-memory.dmp	family_redline

Executes dropped EXE 3 IoCs

pid	Process
620	x9112948.exe
4660	x3104237.exe
4276	h7649751.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	8e729676586171ff474ce8ea524400d6aa99607ce7c9ab3efc5db20a6f910fdd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	x9112948.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	x3104237.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 3992 wrote to memory of 620	3992	8e729676586171ff474ce8ea524400d6aa99607ce7c9ab3efc5db20a6f910fdd.exe	85
PID 3992 wrote to memory of 620	3992	8e729676586171ff474ce8ea524400d6aa99607ce7c9ab3efc5db20a6f910fdd.exe	85
PID 3992 wrote to memory of 620	3992	8e729676586171ff474ce8ea524400d6aa99607ce7c9ab3efc5db20a6f910fdd.exe	85
PID 620 wrote to memory of 4660	620	x9112948.exe	86
PID 620 wrote to memory of 4660	620	x9112948.exe	86
PID 620 wrote to memory of 4660	620	x9112948.exe	86
PID 4660 wrote to memory of 4276	4660	x3104237.exe	87
PID 4660 wrote to memory of 4276	4660	x3104237.exe	87
PID 4660 wrote to memory of 4276	4660	x3104237.exe	87

C:\Users\Admin\AppData\Local\Temp\8e729676586171ff474ce8ea524400d6aa99607ce7c9ab3efc5db20a6f910fdd.exe
"C:\Users\Admin\AppData\Local\Temp\8e729676586171ff474ce8ea524400d6aa99607ce7c9ab3efc5db20a6f910fdd.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3992
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x9112948.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x9112948.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:620
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x3104237.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x3104237.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:4660
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\h7649751.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\h7649751.exe
      4⤵
      Executes dropped EXE
      PID:4276

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x9112948.exe

Filesize
594KB

MD5
297859ea1fbd9a58222bde2f1f32547a

SHA1
ab94a5543650c601a41ef7df7750fbf6b87d8bdc

SHA256
6989363a6ac6dd65c45dc2fbc133498804856c5495aca2c15386521ae008638e

SHA512
0c9189e339019713b79568134741b2205d838211d311769dd2e69fd0126a1caceef240b6f8edff4818c979f5b0475e702cfdefd394b0e18cb145ffbd0f42a508

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x9112948.exe

Filesize
594KB

MD5
297859ea1fbd9a58222bde2f1f32547a

SHA1
ab94a5543650c601a41ef7df7750fbf6b87d8bdc

SHA256
6989363a6ac6dd65c45dc2fbc133498804856c5495aca2c15386521ae008638e

SHA512
0c9189e339019713b79568134741b2205d838211d311769dd2e69fd0126a1caceef240b6f8edff4818c979f5b0475e702cfdefd394b0e18cb145ffbd0f42a508

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x3104237.exe

Filesize
292KB

MD5
401c6db8360670caf05694ded218903d

SHA1
35b78a0c50af53c72c945bfe681c80a95110f53a

SHA256
b8b6a39990ce25cc87d1863df794c33594cce595b72ec7037bce94c2c1efa1e5

SHA512
337d46779744c4de5083d5eeb093ec8e24aa2204809afd66de0ffa2682615a1c8c845d1bc3974817d262e88226883d2ac6336ba45f3caaba53861550b18c0811

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x3104237.exe

Filesize
292KB

MD5
401c6db8360670caf05694ded218903d

SHA1
35b78a0c50af53c72c945bfe681c80a95110f53a

SHA256
b8b6a39990ce25cc87d1863df794c33594cce595b72ec7037bce94c2c1efa1e5

SHA512
337d46779744c4de5083d5eeb093ec8e24aa2204809afd66de0ffa2682615a1c8c845d1bc3974817d262e88226883d2ac6336ba45f3caaba53861550b18c0811

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\h7649751.exe

Filesize
174KB

MD5
1d910d29389e4b66f3740548d1f8100b

SHA1
ce29121ec934dee543d0c87efb064c0fdb469b1f

SHA256
c1bca7b9b8c3e10235b0cd654fee478e16d1d037fe3e88d9c714e35a7419d2a4

SHA512
8b2405c792e46089106a0763e88b70b508baf124c68341946fcdfc107a062b3ddc15f76408fede99509ba5ef404bfb53709a9413f2b1dc348695ba9b8b56f6e9

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\h7649751.exe

Filesize
174KB

MD5
1d910d29389e4b66f3740548d1f8100b

SHA1
ce29121ec934dee543d0c87efb064c0fdb469b1f

SHA256
c1bca7b9b8c3e10235b0cd654fee478e16d1d037fe3e88d9c714e35a7419d2a4

SHA512
8b2405c792e46089106a0763e88b70b508baf124c68341946fcdfc107a062b3ddc15f76408fede99509ba5ef404bfb53709a9413f2b1dc348695ba9b8b56f6e9

Download Submit
memory/4276-21-0x00000000006B0000-0x00000000006E0000-memory.dmp

Filesize
192KB

Download
memory/4276-22-0x0000000074840000-0x0000000074FF0000-memory.dmp

Filesize
7.7MB

Download
memory/4276-23-0x0000000004FD0000-0x0000000004FD6000-memory.dmp

Filesize
24KB

Download
memory/4276-24-0x0000000005710000-0x0000000005D28000-memory.dmp

Filesize
6.1MB

Download
memory/4276-25-0x0000000005240000-0x000000000534A000-memory.dmp

Filesize
1.0MB

Download
memory/4276-26-0x0000000005180000-0x0000000005192000-memory.dmp

Filesize
72KB

Download
memory/4276-27-0x0000000004FE0000-0x0000000004FF0000-memory.dmp

Filesize
64KB

Download
memory/4276-28-0x00000000051E0000-0x000000000521C000-memory.dmp

Filesize
240KB

Download
memory/4276-29-0x0000000005350000-0x000000000539C000-memory.dmp

Filesize
304KB

Download
memory/4276-30-0x0000000074840000-0x0000000074FF0000-memory.dmp

Filesize
7.7MB

Download
memory/4276-31-0x0000000004FE0000-0x0000000004FF0000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads