redline | 211c82899570f8a74385d9903991602319ab34ec3ef80fe7e409d41509b864bd

Analysis

max time kernel
142s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
22/09/2023, 02:29

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

211c82899570f8a74385d9903991602319ab34ec3ef80fe7e409d41509b864bd.exe
Size

1.0MB
MD5

06a28aa2e12e49ed7c3e935a050cf856
SHA1

afa4fa6f499c3d5a7e7adc133005d25e5e58ef39
SHA256

211c82899570f8a74385d9903991602319ab34ec3ef80fe7e409d41509b864bd
SHA512

811d3f851aa761b132069b168cd5ee38f73e0f0c0e9df8a80908998faf02f0a36d1eb06b710ef1aad16505a24d95d0b1c9132dd8e6117b28e7652654a6a50252
SSDEEP

24576:5yRhBmCLMYcvaQT8PBI1hzL2QSa5cuChk:spPLEaOz1hz9Saoh

Score

10^/10

redline tuxiu infostealer persistence

Malware Config

Extracted

Family

redline

Botnet

tuxiu

77.91.124.82:19071

Attributes

auth_value
29610cdad07e7187eec70685a04b89fe

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 3 IoCs

resource	yara_rule
behavioral1/files/0x0007000000023202-33.dat	family_redline
behavioral1/files/0x0007000000023202-35.dat	family_redline
behavioral1/memory/5000-36-0x0000000000610000-0x0000000000640000-memory.dmp	family_redline

Executes dropped EXE 5 IoCs

pid	Process
872	x1347276.exe
4592	x0551064.exe
4712	x2092177.exe
2716	g2218876.exe
5000	h2681675.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	x1347276.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	x0551064.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	x2092177.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	211c82899570f8a74385d9903991602319ab34ec3ef80fe7e409d41509b864bd.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2716 set thread context of 4952	2716	g2218876.exe	93

Program crash 2 IoCs

pid	pid_target	Process	procid_target
1308	2716	WerFault.exe	88
1868	4952	WerFault.exe	93

Suspicious use of WriteProcessMemory 28 IoCs

description	pid	Process	procid_target
PID 4452 wrote to memory of 872	4452	211c82899570f8a74385d9903991602319ab34ec3ef80fe7e409d41509b864bd.exe	85
PID 4452 wrote to memory of 872	4452	211c82899570f8a74385d9903991602319ab34ec3ef80fe7e409d41509b864bd.exe	85
PID 4452 wrote to memory of 872	4452	211c82899570f8a74385d9903991602319ab34ec3ef80fe7e409d41509b864bd.exe	85
PID 872 wrote to memory of 4592	872	x1347276.exe	86
PID 872 wrote to memory of 4592	872	x1347276.exe	86
PID 872 wrote to memory of 4592	872	x1347276.exe	86
PID 4592 wrote to memory of 4712	4592	x0551064.exe	87
PID 4592 wrote to memory of 4712	4592	x0551064.exe	87
PID 4592 wrote to memory of 4712	4592	x0551064.exe	87
PID 4712 wrote to memory of 2716	4712	x2092177.exe	88
PID 4712 wrote to memory of 2716	4712	x2092177.exe	88
PID 4712 wrote to memory of 2716	4712	x2092177.exe	88
PID 2716 wrote to memory of 3836	2716	g2218876.exe	92
PID 2716 wrote to memory of 3836	2716	g2218876.exe	92
PID 2716 wrote to memory of 3836	2716	g2218876.exe	92
PID 2716 wrote to memory of 4952	2716	g2218876.exe	93
PID 2716 wrote to memory of 4952	2716	g2218876.exe	93
PID 2716 wrote to memory of 4952	2716	g2218876.exe	93
PID 2716 wrote to memory of 4952	2716	g2218876.exe	93
PID 2716 wrote to memory of 4952	2716	g2218876.exe	93
PID 2716 wrote to memory of 4952	2716	g2218876.exe	93
PID 2716 wrote to memory of 4952	2716	g2218876.exe	93
PID 2716 wrote to memory of 4952	2716	g2218876.exe	93
PID 2716 wrote to memory of 4952	2716	g2218876.exe	93
PID 2716 wrote to memory of 4952	2716	g2218876.exe	93
PID 4712 wrote to memory of 5000	4712	x2092177.exe	98
PID 4712 wrote to memory of 5000	4712	x2092177.exe	98
PID 4712 wrote to memory of 5000	4712	x2092177.exe	98

C:\Users\Admin\AppData\Local\Temp\211c82899570f8a74385d9903991602319ab34ec3ef80fe7e409d41509b864bd.exe
"C:\Users\Admin\AppData\Local\Temp\211c82899570f8a74385d9903991602319ab34ec3ef80fe7e409d41509b864bd.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4452
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x1347276.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x1347276.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:872
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x0551064.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x0551064.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:4592
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\x2092177.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\x2092177.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:4712
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\g2218876.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\g2218876.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:2716
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        6⤵
        
        PID:3836
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        6⤵
        
        PID:4952
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4952 -s 540
        7⤵
        Program crash
        
        PID:1868
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2716 -s 572
        6⤵
        Program crash
        
        PID:1308
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\h2681675.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\h2681675.exe
        5⤵
        Executes dropped EXE
        
        PID:5000

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 2716 -ip 2716
1⤵
PID:464

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 4952 -ip 4952
1⤵
PID:4832

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x1347276.exe

Filesize
933KB

MD5
9c7ee52b364f6267ab0b3ec38be2df9d

SHA1
41688d9fcfa47f094cc32766948b22434b223f06

SHA256
1ffc52f13bbadb2b39bcfc82f1390e8a66d0967f328e60176981366403ecf424

SHA512
df943e16ec45c01349fadbb7030104e04a7004d46f19e6a0de5092a3c0c893ab348996b988bb316d99a91e254762b1ff0e30e7d38079c651e242f90176479324

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x1347276.exe

Filesize
933KB

MD5
9c7ee52b364f6267ab0b3ec38be2df9d

SHA1
41688d9fcfa47f094cc32766948b22434b223f06

SHA256
1ffc52f13bbadb2b39bcfc82f1390e8a66d0967f328e60176981366403ecf424

SHA512
df943e16ec45c01349fadbb7030104e04a7004d46f19e6a0de5092a3c0c893ab348996b988bb316d99a91e254762b1ff0e30e7d38079c651e242f90176479324

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x0551064.exe

Filesize
629KB

MD5
44f52306b944e3301558272d5626b6c7

SHA1
f9fd4e3b2f63883284508d4c62de36061e885a96

SHA256
2eddb34138016e9fd3434b07a2042ae815c33355696e17a5e2a1fb4094ff012a

SHA512
32566e0bee83a09a5982039d86d357b72636719b48f8f3dbfe6426390211bb3fa62d035ad08853bbc83c128f8b5d40b3d9d483c55d36a8ae9cb78e115e973c56

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x0551064.exe

Filesize
629KB

MD5
44f52306b944e3301558272d5626b6c7

SHA1
f9fd4e3b2f63883284508d4c62de36061e885a96

SHA256
2eddb34138016e9fd3434b07a2042ae815c33355696e17a5e2a1fb4094ff012a

SHA512
32566e0bee83a09a5982039d86d357b72636719b48f8f3dbfe6426390211bb3fa62d035ad08853bbc83c128f8b5d40b3d9d483c55d36a8ae9cb78e115e973c56

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\x2092177.exe

Filesize
443KB

MD5
5873c61590f1206e69dd603295bbafaa

SHA1
0fdc2b66279c90feba3a8cd600e47d9451a9682b

SHA256
022109054f1cf5704ddb1fc7093bb56a22770c5a3664011328313ef2c3b407f9

SHA512
e2eceb1e94c3fe1c2c99709946406dc0aad8f52a3c0efbe221c24f37ba0d747b86c7b436c4dc316509bb1cd23c0d5d456589843926ebbb89a092cc6dd18002be

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\x2092177.exe

Filesize
443KB

MD5
5873c61590f1206e69dd603295bbafaa

SHA1
0fdc2b66279c90feba3a8cd600e47d9451a9682b

SHA256
022109054f1cf5704ddb1fc7093bb56a22770c5a3664011328313ef2c3b407f9

SHA512
e2eceb1e94c3fe1c2c99709946406dc0aad8f52a3c0efbe221c24f37ba0d747b86c7b436c4dc316509bb1cd23c0d5d456589843926ebbb89a092cc6dd18002be

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\g2218876.exe

Filesize
700KB

MD5
d3efccccd8fff659f072df9d0eba1d95

SHA1
9c380b1162404ef9bbb615b8e314d4351d854c18

SHA256
2fffa6e689f74b3329bbd7767acae7637ce4d04621a461139de92ef3ea3afc5f

SHA512
71192584a2b28bd48badb20bcac53ea22aaaf3dd62860c49bf4d6be4799fafd1de6aacad12deec09c81d8b95b66babc297f6a267f326b57c4c61ae31a9cf7e9c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\g2218876.exe

Filesize
700KB

MD5
d3efccccd8fff659f072df9d0eba1d95

SHA1
9c380b1162404ef9bbb615b8e314d4351d854c18

SHA256
2fffa6e689f74b3329bbd7767acae7637ce4d04621a461139de92ef3ea3afc5f

SHA512
71192584a2b28bd48badb20bcac53ea22aaaf3dd62860c49bf4d6be4799fafd1de6aacad12deec09c81d8b95b66babc297f6a267f326b57c4c61ae31a9cf7e9c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\h2681675.exe

Filesize
174KB

MD5
eea25241dcf05fe30c4539fa41ba27b5

SHA1
1f285ab4aad4a388f5caf2bd54328ce52c4e304c

SHA256
4d0b55ab749d2ae1c02097c94ca3dd1a57928d87cd5039658c4f3bb358340666

SHA512
23b5fe42f9b09a2889b3d5936cf7db8d6d4bd9d9a08f3f2f289f3a079175dcb3c97ed6da927eec165b236429e41e1863d67b225699e5623e459267ba646d0459

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\h2681675.exe

Filesize
174KB

MD5
eea25241dcf05fe30c4539fa41ba27b5

SHA1
1f285ab4aad4a388f5caf2bd54328ce52c4e304c

SHA256
4d0b55ab749d2ae1c02097c94ca3dd1a57928d87cd5039658c4f3bb358340666

SHA512
23b5fe42f9b09a2889b3d5936cf7db8d6d4bd9d9a08f3f2f289f3a079175dcb3c97ed6da927eec165b236429e41e1863d67b225699e5623e459267ba646d0459

Download Submit
memory/4952-29-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4952-30-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4952-32-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4952-28-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5000-39-0x0000000005680000-0x0000000005C98000-memory.dmp

Filesize
6.1MB

Download
memory/5000-37-0x0000000074090000-0x0000000074840000-memory.dmp

Filesize
7.7MB

Download
memory/5000-38-0x0000000002950000-0x0000000002956000-memory.dmp

Filesize
24KB

Download
memory/5000-36-0x0000000000610000-0x0000000000640000-memory.dmp

Filesize
192KB

Download
memory/5000-40-0x00000000051A0000-0x00000000052AA000-memory.dmp

Filesize
1.0MB

Download
memory/5000-41-0x00000000050E0000-0x00000000050F2000-memory.dmp

Filesize
72KB

Download
memory/5000-42-0x0000000002940000-0x0000000002950000-memory.dmp

Filesize
64KB

Download
memory/5000-43-0x0000000005140000-0x000000000517C000-memory.dmp

Filesize
240KB

Download
memory/5000-44-0x00000000052B0000-0x00000000052FC000-memory.dmp

Filesize
304KB

Download
memory/5000-45-0x0000000074090000-0x0000000074840000-memory.dmp

Filesize
7.7MB

Download
memory/5000-46-0x0000000002940000-0x0000000002950000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads