redline | c1150aaaa0b895b14d2c00af74166823c4f33bdd1b015ec90a4ccc4761060c28

Analysis

max time kernel
142s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
22/09/2023, 06:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c1150aaaa0b895b14d2c00af74166823c4f33bdd1b015ec90a4ccc4761060c28.exe
Size

1.0MB
MD5

5ed54ae5c7383a8a419f7e091364ac09
SHA1

54dcc755457727553aac347a9dfcea051b98680f
SHA256

c1150aaaa0b895b14d2c00af74166823c4f33bdd1b015ec90a4ccc4761060c28
SHA512

4339aba596549a84ff98eb871890b0522df61fe60b12956ee2cab9e7bd7f2e000f6208662c8d8fd65d68bd324c9345a73850c7443962819c31aee4b1b1b78b75
SSDEEP

24576:JydeNwpykhf9NYxrSNATaay8gvDIHJLJHV:8de2pFhluoOTVBADG

Score

10^/10

redline tuxiu infostealer persistence

Malware Config

Extracted

Family

redline

Botnet

tuxiu

77.91.124.82:19071

Attributes

auth_value
29610cdad07e7187eec70685a04b89fe

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 3 IoCs

resource	yara_rule
behavioral1/files/0x0006000000023233-34.dat	family_redline
behavioral1/files/0x0006000000023233-35.dat	family_redline
behavioral1/memory/208-36-0x0000000000AF0000-0x0000000000B20000-memory.dmp	family_redline

Executes dropped EXE 5 IoCs

pid	Process
440	x2790130.exe
4716	x5125523.exe
4676	x7161467.exe
1800	g6406241.exe
208	h1630472.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	c1150aaaa0b895b14d2c00af74166823c4f33bdd1b015ec90a4ccc4761060c28.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	x2790130.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	x5125523.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	x7161467.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1800 set thread context of 4408	1800	g6406241.exe	93

Program crash 2 IoCs

pid	pid_target	Process	procid_target
4540	4408	WerFault.exe	93
3400	1800	WerFault.exe	89

Suspicious use of WriteProcessMemory 25 IoCs

description	pid	Process	procid_target
PID 4504 wrote to memory of 440	4504	c1150aaaa0b895b14d2c00af74166823c4f33bdd1b015ec90a4ccc4761060c28.exe	85
PID 4504 wrote to memory of 440	4504	c1150aaaa0b895b14d2c00af74166823c4f33bdd1b015ec90a4ccc4761060c28.exe	85
PID 4504 wrote to memory of 440	4504	c1150aaaa0b895b14d2c00af74166823c4f33bdd1b015ec90a4ccc4761060c28.exe	85
PID 440 wrote to memory of 4716	440	x2790130.exe	87
PID 440 wrote to memory of 4716	440	x2790130.exe	87
PID 440 wrote to memory of 4716	440	x2790130.exe	87
PID 4716 wrote to memory of 4676	4716	x5125523.exe	88
PID 4716 wrote to memory of 4676	4716	x5125523.exe	88
PID 4716 wrote to memory of 4676	4716	x5125523.exe	88
PID 4676 wrote to memory of 1800	4676	x7161467.exe	89
PID 4676 wrote to memory of 1800	4676	x7161467.exe	89
PID 4676 wrote to memory of 1800	4676	x7161467.exe	89
PID 1800 wrote to memory of 4408	1800	g6406241.exe	93
PID 1800 wrote to memory of 4408	1800	g6406241.exe	93
PID 1800 wrote to memory of 4408	1800	g6406241.exe	93
PID 1800 wrote to memory of 4408	1800	g6406241.exe	93
PID 1800 wrote to memory of 4408	1800	g6406241.exe	93
PID 1800 wrote to memory of 4408	1800	g6406241.exe	93
PID 1800 wrote to memory of 4408	1800	g6406241.exe	93
PID 1800 wrote to memory of 4408	1800	g6406241.exe	93
PID 1800 wrote to memory of 4408	1800	g6406241.exe	93
PID 1800 wrote to memory of 4408	1800	g6406241.exe	93
PID 4676 wrote to memory of 208	4676	x7161467.exe	98
PID 4676 wrote to memory of 208	4676	x7161467.exe	98
PID 4676 wrote to memory of 208	4676	x7161467.exe	98

C:\Users\Admin\AppData\Local\Temp\c1150aaaa0b895b14d2c00af74166823c4f33bdd1b015ec90a4ccc4761060c28.exe
"C:\Users\Admin\AppData\Local\Temp\c1150aaaa0b895b14d2c00af74166823c4f33bdd1b015ec90a4ccc4761060c28.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4504
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x2790130.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x2790130.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:440
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x5125523.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x5125523.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:4716
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\x7161467.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\x7161467.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:4676
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\g6406241.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\g6406241.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:1800
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        6⤵
        
        PID:4408
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4408 -s 540
        7⤵
        Program crash
        
        PID:4540
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1800 -s 556
        6⤵
        Program crash
        
        PID:3400
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\h1630472.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\h1630472.exe
        5⤵
        Executes dropped EXE
        
        PID:208

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 1800 -ip 1800
1⤵
PID:4392

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 4408 -ip 4408
1⤵
PID:432

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x2790130.exe

Filesize
932KB

MD5
856a5573ad62fdc52b6896d61184f3a0

SHA1
827e76e2e9e372fc519792f8927edd8bc5092cc6

SHA256
332e94887a0030e06bb9eaedc021f1207a3353b9dae957e5291e22581a890452

SHA512
b3f1eb01dede5a711a61725aa109eec4eec5075fe6b904d51c4b1b4df21294b019b296d00af94a2bf5d9906ebb4871c4440858cd951ba0af62c68b871cabafbd

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x2790130.exe

Filesize
932KB

MD5
856a5573ad62fdc52b6896d61184f3a0

SHA1
827e76e2e9e372fc519792f8927edd8bc5092cc6

SHA256
332e94887a0030e06bb9eaedc021f1207a3353b9dae957e5291e22581a890452

SHA512
b3f1eb01dede5a711a61725aa109eec4eec5075fe6b904d51c4b1b4df21294b019b296d00af94a2bf5d9906ebb4871c4440858cd951ba0af62c68b871cabafbd

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x5125523.exe

Filesize
628KB

MD5
1966740c13a0e3abf57bd22edb646aa0

SHA1
70d9c16dcc67d675a3379e176257fad7f572dd2b

SHA256
10e3888a21605d2b01238f40924f956c43a1a5d59ff109b7136e05a81e123ce8

SHA512
254cc919aa9c37adb6312a4eaa0ddf5db2986fc3101b0d48a520806c3d4ddbc8a3ded5dcaf8c8637bf5a3ceed0588fab4586d97dcc5c86b0f155a20f53b5de98

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x5125523.exe

Filesize
628KB

MD5
1966740c13a0e3abf57bd22edb646aa0

SHA1
70d9c16dcc67d675a3379e176257fad7f572dd2b

SHA256
10e3888a21605d2b01238f40924f956c43a1a5d59ff109b7136e05a81e123ce8

SHA512
254cc919aa9c37adb6312a4eaa0ddf5db2986fc3101b0d48a520806c3d4ddbc8a3ded5dcaf8c8637bf5a3ceed0588fab4586d97dcc5c86b0f155a20f53b5de98

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\x7161467.exe

Filesize
443KB

MD5
02b911d087ef8b2ec3dd8e6e44d3eb6e

SHA1
b4aac4d99816710fe532885cebd9f77fb56ffa67

SHA256
e95b65a11377bdb4681895c7a9c128758616ade34e90e31035f29c20baf26b09

SHA512
20bc9570bb5fbb14361160024eb64ddba14e9d38fd560a3e7b55fb58683f01f8f423091e3c3f49f581617d2e685d1402bd533a4b80843f0a0b590e0425430980

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\x7161467.exe

Filesize
443KB

MD5
02b911d087ef8b2ec3dd8e6e44d3eb6e

SHA1
b4aac4d99816710fe532885cebd9f77fb56ffa67

SHA256
e95b65a11377bdb4681895c7a9c128758616ade34e90e31035f29c20baf26b09

SHA512
20bc9570bb5fbb14361160024eb64ddba14e9d38fd560a3e7b55fb58683f01f8f423091e3c3f49f581617d2e685d1402bd533a4b80843f0a0b590e0425430980

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\g6406241.exe

Filesize
700KB

MD5
2fdd99b05da657570ac62713b9850d7e

SHA1
722328f14606e66793537533e577b63e6973d66a

SHA256
ef812e35ce7e77ac51c452a75861722c147b8bc617668c307592440dce7f6dc3

SHA512
4438c7cabd2699b115618861088b52759cdf2f3e47efec70fbe9119f6f931a31549dc5ce1d7265048da01fd733ba2db7db7e7fb5a573b31340978b12c6f56b08

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\g6406241.exe

Filesize
700KB

MD5
2fdd99b05da657570ac62713b9850d7e

SHA1
722328f14606e66793537533e577b63e6973d66a

SHA256
ef812e35ce7e77ac51c452a75861722c147b8bc617668c307592440dce7f6dc3

SHA512
4438c7cabd2699b115618861088b52759cdf2f3e47efec70fbe9119f6f931a31549dc5ce1d7265048da01fd733ba2db7db7e7fb5a573b31340978b12c6f56b08

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\h1630472.exe

Filesize
174KB

MD5
33bc069b05929faf2f58b243d98e9ca2

SHA1
76bbb50196fe1fc8fb86412da21aa650118c6f61

SHA256
0e46cc19fc1c971c4565a6b49d84a9f28a8d6c7682b877465913e63aa74ee167

SHA512
0c2460556341191f0609af08e08175c2dde939224df2a646f124221a58032fd62e86e0539a23439bf09f3df70353dda83ee84ee192163804e0119a1e681f15aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\h1630472.exe

Filesize
174KB

MD5
33bc069b05929faf2f58b243d98e9ca2

SHA1
76bbb50196fe1fc8fb86412da21aa650118c6f61

SHA256
0e46cc19fc1c971c4565a6b49d84a9f28a8d6c7682b877465913e63aa74ee167

SHA512
0c2460556341191f0609af08e08175c2dde939224df2a646f124221a58032fd62e86e0539a23439bf09f3df70353dda83ee84ee192163804e0119a1e681f15aa

Download Submit
memory/208-39-0x0000000005BD0000-0x00000000061E8000-memory.dmp

Filesize
6.1MB

Download
memory/208-42-0x00000000054A0000-0x00000000054B0000-memory.dmp

Filesize
64KB

Download
memory/208-46-0x00000000054A0000-0x00000000054B0000-memory.dmp

Filesize
64KB

Download
memory/208-45-0x0000000074700000-0x0000000074EB0000-memory.dmp

Filesize
7.7MB

Download
memory/208-37-0x0000000074700000-0x0000000074EB0000-memory.dmp

Filesize
7.7MB

Download
memory/208-36-0x0000000000AF0000-0x0000000000B20000-memory.dmp

Filesize
192KB

Download
memory/208-44-0x0000000005670000-0x00000000056BC000-memory.dmp

Filesize
304KB

Download
memory/208-40-0x00000000056C0000-0x00000000057CA000-memory.dmp

Filesize
1.0MB

Download
memory/208-38-0x0000000002DD0000-0x0000000002DD6000-memory.dmp

Filesize
24KB

Download
memory/208-41-0x00000000055D0000-0x00000000055E2000-memory.dmp

Filesize
72KB

Download
memory/208-43-0x0000000005630000-0x000000000566C000-memory.dmp

Filesize
240KB

Download
memory/4408-29-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4408-32-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4408-30-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4408-28-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads