redline | bae95ea0ebe16f3f32e9632637af56124e8b3f785f62240acea9516b4a036bed

Analysis

max time kernel
149s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
22-09-2023 12:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

bae95ea0ebe16f3f32e9632637af56124e8b3f785f62240acea9516b4a036bed.exe
Size

1.0MB
MD5

436d44532ff198258bbc0b93292dd66c
SHA1

1297812fb8fe2bb4827f8e6f0dba83fac87988d4
SHA256

bae95ea0ebe16f3f32e9632637af56124e8b3f785f62240acea9516b4a036bed
SHA512

13735ea25226f6ed904797a4888e344f13af185f6982b1fcb858441c4c5599f438ae22875f14614e8cf48c8ca760f39b6cad7a5a7eaf56b10d5d9769bb63933a
SSDEEP

24576:FyDLoyfhL3eCRwJ0eyEZNg9o2DVXr8AUefH3r:gXoYwCi07CMoaT3

Score

10^/10

redline tuxiu infostealer persistence

Malware Config

Extracted

Family

redline

Botnet

tuxiu

77.91.124.82:19071

Attributes

auth_value
29610cdad07e7187eec70685a04b89fe

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 3 IoCs

resource	yara_rule
behavioral1/files/0x0006000000023070-34.dat	family_redline
behavioral1/files/0x0006000000023070-35.dat	family_redline
behavioral1/memory/1524-37-0x00000000000D0000-0x0000000000100000-memory.dmp	family_redline

Executes dropped EXE 5 IoCs

pid	Process
484	x8141581.exe
4188	x3536999.exe
5112	x7289024.exe
1360	g0736413.exe
1524	h6324609.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	bae95ea0ebe16f3f32e9632637af56124e8b3f785f62240acea9516b4a036bed.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	x8141581.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	x3536999.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	x7289024.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1360 set thread context of 1420	1360	g0736413.exe	94

Program crash 2 IoCs

pid	pid_target	Process	procid_target
3464	1420	WerFault.exe	94
4224	1360	WerFault.exe	89

Suspicious use of WriteProcessMemory 31 IoCs

description	pid	Process	procid_target
PID 2840 wrote to memory of 484	2840	bae95ea0ebe16f3f32e9632637af56124e8b3f785f62240acea9516b4a036bed.exe	85
PID 2840 wrote to memory of 484	2840	bae95ea0ebe16f3f32e9632637af56124e8b3f785f62240acea9516b4a036bed.exe	85
PID 2840 wrote to memory of 484	2840	bae95ea0ebe16f3f32e9632637af56124e8b3f785f62240acea9516b4a036bed.exe	85
PID 484 wrote to memory of 4188	484	x8141581.exe	86
PID 484 wrote to memory of 4188	484	x8141581.exe	86
PID 484 wrote to memory of 4188	484	x8141581.exe	86
PID 4188 wrote to memory of 5112	4188	x3536999.exe	88
PID 4188 wrote to memory of 5112	4188	x3536999.exe	88
PID 4188 wrote to memory of 5112	4188	x3536999.exe	88
PID 5112 wrote to memory of 1360	5112	x7289024.exe	89
PID 5112 wrote to memory of 1360	5112	x7289024.exe	89
PID 5112 wrote to memory of 1360	5112	x7289024.exe	89
PID 1360 wrote to memory of 4128	1360	g0736413.exe	92
PID 1360 wrote to memory of 4128	1360	g0736413.exe	92
PID 1360 wrote to memory of 4128	1360	g0736413.exe	92
PID 1360 wrote to memory of 4552	1360	g0736413.exe	93
PID 1360 wrote to memory of 4552	1360	g0736413.exe	93
PID 1360 wrote to memory of 4552	1360	g0736413.exe	93
PID 1360 wrote to memory of 1420	1360	g0736413.exe	94
PID 1360 wrote to memory of 1420	1360	g0736413.exe	94
PID 1360 wrote to memory of 1420	1360	g0736413.exe	94
PID 1360 wrote to memory of 1420	1360	g0736413.exe	94
PID 1360 wrote to memory of 1420	1360	g0736413.exe	94
PID 1360 wrote to memory of 1420	1360	g0736413.exe	94
PID 1360 wrote to memory of 1420	1360	g0736413.exe	94
PID 1360 wrote to memory of 1420	1360	g0736413.exe	94
PID 1360 wrote to memory of 1420	1360	g0736413.exe	94
PID 1360 wrote to memory of 1420	1360	g0736413.exe	94
PID 5112 wrote to memory of 1524	5112	x7289024.exe	99
PID 5112 wrote to memory of 1524	5112	x7289024.exe	99
PID 5112 wrote to memory of 1524	5112	x7289024.exe	99

C:\Users\Admin\AppData\Local\Temp\bae95ea0ebe16f3f32e9632637af56124e8b3f785f62240acea9516b4a036bed.exe
"C:\Users\Admin\AppData\Local\Temp\bae95ea0ebe16f3f32e9632637af56124e8b3f785f62240acea9516b4a036bed.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2840
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x8141581.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x8141581.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:484
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x3536999.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x3536999.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:4188
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\x7289024.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\x7289024.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:5112
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\g0736413.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\g0736413.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:1360
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        6⤵
        
        PID:4128
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        6⤵
        
        PID:4552
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        6⤵
        
        PID:1420
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1420 -s 540
        7⤵
        Program crash
        
        PID:3464
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1360 -s 592
        6⤵
        Program crash
        
        PID:4224
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\h6324609.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\h6324609.exe
        5⤵
        Executes dropped EXE
        
        PID:1524

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 1360 -ip 1360
1⤵
PID:2852

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 1420 -ip 1420
1⤵
PID:3720

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x8141581.exe

Filesize
932KB

MD5
754ce1cd4bdf6fd22a1bcd179c9820b0

SHA1
ad26f437c00aea7408ed9bc3fa39bcd8358e412d

SHA256
3de0d7972cd98c0089b776f3bb40a1f10f168c3af065bf33c1acca028267209e

SHA512
b3b7f7392b357d1c834dcd548b7ad84f2d9532b47264284ede417d00b640b0ed3ede72c10b5cedde448149d3e012ea094cb8036b5a38a5c976f3a6a65cb097ea

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x8141581.exe

Filesize
932KB

MD5
754ce1cd4bdf6fd22a1bcd179c9820b0

SHA1
ad26f437c00aea7408ed9bc3fa39bcd8358e412d

SHA256
3de0d7972cd98c0089b776f3bb40a1f10f168c3af065bf33c1acca028267209e

SHA512
b3b7f7392b357d1c834dcd548b7ad84f2d9532b47264284ede417d00b640b0ed3ede72c10b5cedde448149d3e012ea094cb8036b5a38a5c976f3a6a65cb097ea

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x3536999.exe

Filesize
628KB

MD5
db4e0cd5965599caddf8394eb8d9917c

SHA1
78e07c3fa4ab97fcace27a8ffa164e5c71d691e4

SHA256
f770040f62de14f1a437e6b6745902371244b3d121fdb8339d3f340a953d1ebc

SHA512
e1875805304a6996c260e6daa7a0c2b0dae0f1f4a273b96debd41cad3d3a1142bdff6a6942bbd618b1dace675c20589649091fde73fec89bcde29a5540c20833

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x3536999.exe

Filesize
628KB

MD5
db4e0cd5965599caddf8394eb8d9917c

SHA1
78e07c3fa4ab97fcace27a8ffa164e5c71d691e4

SHA256
f770040f62de14f1a437e6b6745902371244b3d121fdb8339d3f340a953d1ebc

SHA512
e1875805304a6996c260e6daa7a0c2b0dae0f1f4a273b96debd41cad3d3a1142bdff6a6942bbd618b1dace675c20589649091fde73fec89bcde29a5540c20833

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\x7289024.exe

Filesize
443KB

MD5
1da31a7858678ef768bc47917326d4cd

SHA1
a83cd4ef94c2660b29ef3c06722c27f57dd4c7bf

SHA256
dccf6c37485cb6ba863e3e97c30988480e617142dec42f5051a577429c9f59cd

SHA512
22a83a5f8c45a7871c79bc58289c6eaa25cfcdf14331c19df12946770218299cf5229b8616f9bbd98729dab414f98e517d2915270e5ca1c7b0af91a3bc746d6a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\x7289024.exe

Filesize
443KB

MD5
1da31a7858678ef768bc47917326d4cd

SHA1
a83cd4ef94c2660b29ef3c06722c27f57dd4c7bf

SHA256
dccf6c37485cb6ba863e3e97c30988480e617142dec42f5051a577429c9f59cd

SHA512
22a83a5f8c45a7871c79bc58289c6eaa25cfcdf14331c19df12946770218299cf5229b8616f9bbd98729dab414f98e517d2915270e5ca1c7b0af91a3bc746d6a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\g0736413.exe

Filesize
700KB

MD5
7dcbecfb6b744ea9852a7c2513603779

SHA1
68e080de697600a1a4f1b5c7532c0ebc3a99b546

SHA256
efc145bead174df09ecfe6496b3212f29abd6498ce8ed3137febffb9a65ab762

SHA512
e1f55acb1de4cab3a6b72021355ae19aad876baf2cde172e790d1279cc69331b24603e3e56a19c7a7774ab7c51b307130285b8fac74c4eba437779e5a6b6989b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\g0736413.exe

Filesize
700KB

MD5
7dcbecfb6b744ea9852a7c2513603779

SHA1
68e080de697600a1a4f1b5c7532c0ebc3a99b546

SHA256
efc145bead174df09ecfe6496b3212f29abd6498ce8ed3137febffb9a65ab762

SHA512
e1f55acb1de4cab3a6b72021355ae19aad876baf2cde172e790d1279cc69331b24603e3e56a19c7a7774ab7c51b307130285b8fac74c4eba437779e5a6b6989b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\h6324609.exe

Filesize
174KB

MD5
68d1e5e1c7cc0c7a060f8b243e240f78

SHA1
4277464f8135b7d644ac37df25297dadf2c2161e

SHA256
fe328aaf7ce111be3877f2349df84e254e98a73f0be49e0432b699d9ff886f2b

SHA512
56db6598f8ae3f09de17efcd4b3126777bd0c8f7532177746956c3794dc12fb06fe7e6a1c489429ecb8c2f661aa2356749980b95fb56662da5f9e346e70b843a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\h6324609.exe

Filesize
174KB

MD5
68d1e5e1c7cc0c7a060f8b243e240f78

SHA1
4277464f8135b7d644ac37df25297dadf2c2161e

SHA256
fe328aaf7ce111be3877f2349df84e254e98a73f0be49e0432b699d9ff886f2b

SHA512
56db6598f8ae3f09de17efcd4b3126777bd0c8f7532177746956c3794dc12fb06fe7e6a1c489429ecb8c2f661aa2356749980b95fb56662da5f9e346e70b843a

Download Submit
memory/1420-29-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1420-30-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1420-32-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1420-28-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1524-39-0x000000000A580000-0x000000000AB98000-memory.dmp

Filesize
6.1MB

Download
memory/1524-37-0x00000000000D0000-0x0000000000100000-memory.dmp

Filesize
192KB

Download
memory/1524-38-0x00000000023F0000-0x00000000023F6000-memory.dmp

Filesize
24KB

Download
memory/1524-36-0x00000000742A0000-0x0000000074A50000-memory.dmp

Filesize
7.7MB

Download
memory/1524-40-0x000000000A080000-0x000000000A18A000-memory.dmp

Filesize
1.0MB

Download
memory/1524-41-0x0000000004AD0000-0x0000000004AE0000-memory.dmp

Filesize
64KB

Download
memory/1524-42-0x0000000009FC0000-0x0000000009FD2000-memory.dmp

Filesize
72KB

Download
memory/1524-43-0x000000000A020000-0x000000000A05C000-memory.dmp

Filesize
240KB

Download
memory/1524-44-0x000000000A190000-0x000000000A1DC000-memory.dmp

Filesize
304KB

Download
memory/1524-45-0x00000000742A0000-0x0000000074A50000-memory.dmp

Filesize
7.7MB

Download
memory/1524-46-0x0000000004AD0000-0x0000000004AE0000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads