redline | 807b69019bfc072f1be908e269ba322d5cbf67654c62b5eb294c236d56bbca27

Analysis

max time kernel
142s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
22/09/2023, 01:39

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

807b69019bfc072f1be908e269ba322d5cbf67654c62b5eb294c236d56bbca27.exe
Size

1.0MB
MD5

a3f40755c687b9f2bb1559ae88e29e58
SHA1

a0fa2e549298a09c6e57d4ae22edeaf5ff31f3d2
SHA256

807b69019bfc072f1be908e269ba322d5cbf67654c62b5eb294c236d56bbca27
SHA512

f4e416b04a0ac395c87ea7a9392f62e3f506aad0047792f29c53852f80046b3e66b7c6d3586af57806dda7208405ca230adb17c21142340a629aea7d13c79faf
SSDEEP

24576:6y48N7uTh8q2h02IFsHeea21i1Ct5ArPM:BDVuThn2qbFs+i1CCt5Q

Score

10^/10

redline tuxiu infostealer persistence

Malware Config

Extracted

Family

redline

Botnet

tuxiu

77.91.124.82:19071

Attributes

auth_value
29610cdad07e7187eec70685a04b89fe

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 3 IoCs

resource	yara_rule
behavioral1/files/0x0007000000023206-34.dat	family_redline
behavioral1/files/0x0007000000023206-35.dat	family_redline
behavioral1/memory/3172-36-0x0000000000150000-0x0000000000180000-memory.dmp	family_redline

Executes dropped EXE 5 IoCs

pid	Process
4476	x9271751.exe
3808	x1253592.exe
1736	x3075685.exe
4632	g1515049.exe
3172	h2453540.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	x1253592.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	x3075685.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	807b69019bfc072f1be908e269ba322d5cbf67654c62b5eb294c236d56bbca27.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	x9271751.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4632 set thread context of 1600	4632	g1515049.exe	93

Program crash 2 IoCs

pid	pid_target	Process	procid_target
1028	1600	WerFault.exe	93
3524	4632	WerFault.exe	89

Suspicious use of WriteProcessMemory 25 IoCs

description	pid	Process	procid_target
PID 4136 wrote to memory of 4476	4136	807b69019bfc072f1be908e269ba322d5cbf67654c62b5eb294c236d56bbca27.exe	86
PID 4136 wrote to memory of 4476	4136	807b69019bfc072f1be908e269ba322d5cbf67654c62b5eb294c236d56bbca27.exe	86
PID 4136 wrote to memory of 4476	4136	807b69019bfc072f1be908e269ba322d5cbf67654c62b5eb294c236d56bbca27.exe	86
PID 4476 wrote to memory of 3808	4476	x9271751.exe	87
PID 4476 wrote to memory of 3808	4476	x9271751.exe	87
PID 4476 wrote to memory of 3808	4476	x9271751.exe	87
PID 3808 wrote to memory of 1736	3808	x1253592.exe	88
PID 3808 wrote to memory of 1736	3808	x1253592.exe	88
PID 3808 wrote to memory of 1736	3808	x1253592.exe	88
PID 1736 wrote to memory of 4632	1736	x3075685.exe	89
PID 1736 wrote to memory of 4632	1736	x3075685.exe	89
PID 1736 wrote to memory of 4632	1736	x3075685.exe	89
PID 4632 wrote to memory of 1600	4632	g1515049.exe	93
PID 4632 wrote to memory of 1600	4632	g1515049.exe	93
PID 4632 wrote to memory of 1600	4632	g1515049.exe	93
PID 4632 wrote to memory of 1600	4632	g1515049.exe	93
PID 4632 wrote to memory of 1600	4632	g1515049.exe	93
PID 4632 wrote to memory of 1600	4632	g1515049.exe	93
PID 4632 wrote to memory of 1600	4632	g1515049.exe	93
PID 4632 wrote to memory of 1600	4632	g1515049.exe	93
PID 4632 wrote to memory of 1600	4632	g1515049.exe	93
PID 4632 wrote to memory of 1600	4632	g1515049.exe	93
PID 1736 wrote to memory of 3172	1736	x3075685.exe	98
PID 1736 wrote to memory of 3172	1736	x3075685.exe	98
PID 1736 wrote to memory of 3172	1736	x3075685.exe	98

C:\Users\Admin\AppData\Local\Temp\807b69019bfc072f1be908e269ba322d5cbf67654c62b5eb294c236d56bbca27.exe
"C:\Users\Admin\AppData\Local\Temp\807b69019bfc072f1be908e269ba322d5cbf67654c62b5eb294c236d56bbca27.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4136
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x9271751.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x9271751.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:4476
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x1253592.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x1253592.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:3808
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\x3075685.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\x3075685.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:1736
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\g1515049.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\g1515049.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:4632
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        6⤵
        
        PID:1600
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1600 -s 544
        7⤵
        Program crash
        
        PID:1028
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4632 -s 556
        6⤵
        Program crash
        
        PID:3524
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\h2453540.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\h2453540.exe
        5⤵
        Executes dropped EXE
        
        PID:3172

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 4632 -ip 4632
1⤵
PID:4368

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 492 -p 1600 -ip 1600
1⤵
PID:2664

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x9271751.exe

Filesize
932KB

MD5
b18f02aad8b742cff729c3b7cdd2236c

SHA1
61185f34247169558b980857794ebdffad20e065

SHA256
5a66ab6c96575b7d1015e65664eee87f446c1d5cd8eb55a05e5f350ef2ac650d

SHA512
94361c83551c487f95e146ad8a7ba2d1bfd613b417a3cb0ead9f85a696cace3e41f619b0e50884e0a90bcb5318594061221743a3226148568936a2f2d8ce75a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x9271751.exe

Filesize
932KB

MD5
b18f02aad8b742cff729c3b7cdd2236c

SHA1
61185f34247169558b980857794ebdffad20e065

SHA256
5a66ab6c96575b7d1015e65664eee87f446c1d5cd8eb55a05e5f350ef2ac650d

SHA512
94361c83551c487f95e146ad8a7ba2d1bfd613b417a3cb0ead9f85a696cace3e41f619b0e50884e0a90bcb5318594061221743a3226148568936a2f2d8ce75a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x1253592.exe

Filesize
628KB

MD5
8aba613c912eab7a62fc845b70eb1b4c

SHA1
2483a513a46444f0b63e906cb43f0a0adaed6ecd

SHA256
276a49f3b28d4eae4edc41936d179d37b59e1e8fd96361e5b508be311aa902cb

SHA512
28495b9d99d73bd359b8d055d1a5b49dcc93654b9a89066685ddbb7a9285ca7381d23ff87f86ee360ee0e94b857e016c387369a8ae792782c26d5eccd97f3ccb

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x1253592.exe

Filesize
628KB

MD5
8aba613c912eab7a62fc845b70eb1b4c

SHA1
2483a513a46444f0b63e906cb43f0a0adaed6ecd

SHA256
276a49f3b28d4eae4edc41936d179d37b59e1e8fd96361e5b508be311aa902cb

SHA512
28495b9d99d73bd359b8d055d1a5b49dcc93654b9a89066685ddbb7a9285ca7381d23ff87f86ee360ee0e94b857e016c387369a8ae792782c26d5eccd97f3ccb

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\x3075685.exe

Filesize
442KB

MD5
b628baeda1d1f0fd185f04d5ef851bf0

SHA1
21e965409d7494626a31706b91802b9ef74839fe

SHA256
c4c29c523c8dcd8a59e04bf3045ea0b01d58125a746af88cd3c1b2da3c1c31c8

SHA512
47dab2ce64c6266328c77878a817dc7ac9aeb2c6fc10e80d71bf2632190c1fded21a12cbbfecd74260ceb48ce6695cfed6ae14eb21d460f61753678888f4e0fc

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\x3075685.exe

Filesize
442KB

MD5
b628baeda1d1f0fd185f04d5ef851bf0

SHA1
21e965409d7494626a31706b91802b9ef74839fe

SHA256
c4c29c523c8dcd8a59e04bf3045ea0b01d58125a746af88cd3c1b2da3c1c31c8

SHA512
47dab2ce64c6266328c77878a817dc7ac9aeb2c6fc10e80d71bf2632190c1fded21a12cbbfecd74260ceb48ce6695cfed6ae14eb21d460f61753678888f4e0fc

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\g1515049.exe

Filesize
700KB

MD5
fdc1bb50293c37a0696abe5b7d91b384

SHA1
b4cb567f373c8abf1478a3351e665303eb164202

SHA256
65a25d1e6cec27044480e169f20416a513e6068d5fe93b65dfb10dc097017e27

SHA512
8cfe8d121a035fcae13f7716d9f195eec57cb333d9fc8573df9041f60b1f2ae7c2e32ec923149dc308cbf2c36f22f904ee2b3495e75b7832e03ff23bd4231697

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\g1515049.exe

Filesize
700KB

MD5
fdc1bb50293c37a0696abe5b7d91b384

SHA1
b4cb567f373c8abf1478a3351e665303eb164202

SHA256
65a25d1e6cec27044480e169f20416a513e6068d5fe93b65dfb10dc097017e27

SHA512
8cfe8d121a035fcae13f7716d9f195eec57cb333d9fc8573df9041f60b1f2ae7c2e32ec923149dc308cbf2c36f22f904ee2b3495e75b7832e03ff23bd4231697

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\h2453540.exe

Filesize
174KB

MD5
9973bf7db097009554db787b6be2bc3a

SHA1
5d8d49e9a9bf90ad867361a4ac9b3774a2cced0f

SHA256
555670bb513a5c5ae840798395c89363b810e4c2f5acb2ddeb3292f1b9d5d894

SHA512
eb229d9bde8d16421ad5920b7da2c8e13610123b20fa56d0ea8ae293b3e35715b8926964a660de79ea9d30628fb38dc91d479db2d2ff29dfa1edb29fac9007f0

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\h2453540.exe

Filesize
174KB

MD5
9973bf7db097009554db787b6be2bc3a

SHA1
5d8d49e9a9bf90ad867361a4ac9b3774a2cced0f

SHA256
555670bb513a5c5ae840798395c89363b810e4c2f5acb2ddeb3292f1b9d5d894

SHA512
eb229d9bde8d16421ad5920b7da2c8e13610123b20fa56d0ea8ae293b3e35715b8926964a660de79ea9d30628fb38dc91d479db2d2ff29dfa1edb29fac9007f0

Download Submit
memory/1600-29-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1600-30-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1600-32-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1600-28-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3172-39-0x00000000052A0000-0x00000000058B8000-memory.dmp

Filesize
6.1MB

Download
memory/3172-37-0x0000000074650000-0x0000000074E00000-memory.dmp

Filesize
7.7MB

Download
memory/3172-38-0x00000000024C0000-0x00000000024C6000-memory.dmp

Filesize
24KB

Download
memory/3172-36-0x0000000000150000-0x0000000000180000-memory.dmp

Filesize
192KB

Download
memory/3172-40-0x0000000004D90000-0x0000000004E9A000-memory.dmp

Filesize
1.0MB

Download
memory/3172-42-0x0000000004C70000-0x0000000004C80000-memory.dmp

Filesize
64KB

Download
memory/3172-41-0x00000000046D0000-0x00000000046E2000-memory.dmp

Filesize
72KB

Download
memory/3172-43-0x0000000004C80000-0x0000000004CBC000-memory.dmp

Filesize
240KB

Download
memory/3172-44-0x0000000004CC0000-0x0000000004D0C000-memory.dmp

Filesize
304KB

Download
memory/3172-45-0x0000000074650000-0x0000000074E00000-memory.dmp

Filesize
7.7MB

Download
memory/3172-46-0x0000000004C70000-0x0000000004C80000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads