redline | 7be2d6a309b966ef0ee162834c9077813eeb1c30ad60074766eed4388a17f2a6

Analysis

max time kernel
143s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
22-09-2023 13:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7be2d6a309b966ef0ee162834c9077813eeb1c30ad60074766eed4388a17f2a6.exe
Size

954KB
MD5

d91e53962f8a6e0d7022eaf0122c6e81
SHA1

6abc5b6160b315746b941cbd3399ccad56dd02de
SHA256

7be2d6a309b966ef0ee162834c9077813eeb1c30ad60074766eed4388a17f2a6
SHA512

6d8b48b92fbd195a65d60e7e66a9178c88190338468219004b7a2c39c20ef71c5a8d5884b6fe848d24672a6dc66eca62e573bedfa7dc9e8def4cec99b594ed82
SSDEEP

24576:Dy9mGN2po5JRnXp4oOXajw4HUCnjabrM7ZlBGURV:WsGN9bZuqjn0uaPMtlBGM

Score

10^/10

redline tuxiu infostealer persistence

Malware Config

Extracted

Family

redline

Botnet

tuxiu

77.91.124.82:19071

Attributes

auth_value
29610cdad07e7187eec70685a04b89fe

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 3 IoCs

resource	yara_rule
behavioral1/files/0x0006000000023203-34.dat	family_redline
behavioral1/files/0x0006000000023203-35.dat	family_redline
behavioral1/memory/4504-36-0x0000000000710000-0x0000000000740000-memory.dmp	family_redline

Executes dropped EXE 5 IoCs

pid	Process
3624	x1556320.exe
2776	x4551906.exe
4464	x6564743.exe
4652	g2442774.exe
4504	h5612646.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	x4551906.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	x6564743.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	7be2d6a309b966ef0ee162834c9077813eeb1c30ad60074766eed4388a17f2a6.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	x1556320.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4652 set thread context of 2028	4652	g2442774.exe	93

Program crash 2 IoCs

pid	pid_target	Process	procid_target
2640	4652	WerFault.exe	89
4552	2028	WerFault.exe	93

Suspicious use of WriteProcessMemory 25 IoCs

description	pid	Process	procid_target
PID 3752 wrote to memory of 3624	3752	7be2d6a309b966ef0ee162834c9077813eeb1c30ad60074766eed4388a17f2a6.exe	86
PID 3752 wrote to memory of 3624	3752	7be2d6a309b966ef0ee162834c9077813eeb1c30ad60074766eed4388a17f2a6.exe	86
PID 3752 wrote to memory of 3624	3752	7be2d6a309b966ef0ee162834c9077813eeb1c30ad60074766eed4388a17f2a6.exe	86
PID 3624 wrote to memory of 2776	3624	x1556320.exe	87
PID 3624 wrote to memory of 2776	3624	x1556320.exe	87
PID 3624 wrote to memory of 2776	3624	x1556320.exe	87
PID 2776 wrote to memory of 4464	2776	x4551906.exe	88
PID 2776 wrote to memory of 4464	2776	x4551906.exe	88
PID 2776 wrote to memory of 4464	2776	x4551906.exe	88
PID 4464 wrote to memory of 4652	4464	x6564743.exe	89
PID 4464 wrote to memory of 4652	4464	x6564743.exe	89
PID 4464 wrote to memory of 4652	4464	x6564743.exe	89
PID 4652 wrote to memory of 2028	4652	g2442774.exe	93
PID 4652 wrote to memory of 2028	4652	g2442774.exe	93
PID 4652 wrote to memory of 2028	4652	g2442774.exe	93
PID 4652 wrote to memory of 2028	4652	g2442774.exe	93
PID 4652 wrote to memory of 2028	4652	g2442774.exe	93
PID 4652 wrote to memory of 2028	4652	g2442774.exe	93
PID 4652 wrote to memory of 2028	4652	g2442774.exe	93
PID 4652 wrote to memory of 2028	4652	g2442774.exe	93
PID 4652 wrote to memory of 2028	4652	g2442774.exe	93
PID 4652 wrote to memory of 2028	4652	g2442774.exe	93
PID 4464 wrote to memory of 4504	4464	x6564743.exe	101
PID 4464 wrote to memory of 4504	4464	x6564743.exe	101
PID 4464 wrote to memory of 4504	4464	x6564743.exe	101

C:\Users\Admin\AppData\Local\Temp\7be2d6a309b966ef0ee162834c9077813eeb1c30ad60074766eed4388a17f2a6.exe
"C:\Users\Admin\AppData\Local\Temp\7be2d6a309b966ef0ee162834c9077813eeb1c30ad60074766eed4388a17f2a6.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3752
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x1556320.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x1556320.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:3624
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x4551906.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x4551906.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:2776
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\x6564743.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\x6564743.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:4464
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\g2442774.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\g2442774.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:4652
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        6⤵
        
        PID:2028
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2028 -s 540
        7⤵
        Program crash
        
        PID:4552
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4652 -s 580
        6⤵
        Program crash
        
        PID:2640
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\h5612646.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\h5612646.exe
        5⤵
        Executes dropped EXE
        
        PID:4504

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 2028 -ip 2028
1⤵
PID:1608

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 4652 -ip 4652
1⤵
PID:3448

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x1556320.exe

Filesize
852KB

MD5
ea7db16182f9f05b359712f1b40e9f48

SHA1
8896d670a3aca7776b36dd0be384f4eb74613339

SHA256
a8ac7656c359649b0d082010eebad9bdc3a60693f240866d67acd3f1d7c10046

SHA512
4cf081795605605d14ff2adc9a6a5013e43d2c5469b4ac2d3a4a75eeca5773b0e518acaadb86422464ae84b7bab90577dcad9cf960afd2db6111073836daf958

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x1556320.exe

Filesize
852KB

MD5
ea7db16182f9f05b359712f1b40e9f48

SHA1
8896d670a3aca7776b36dd0be384f4eb74613339

SHA256
a8ac7656c359649b0d082010eebad9bdc3a60693f240866d67acd3f1d7c10046

SHA512
4cf081795605605d14ff2adc9a6a5013e43d2c5469b4ac2d3a4a75eeca5773b0e518acaadb86422464ae84b7bab90577dcad9cf960afd2db6111073836daf958

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x4551906.exe

Filesize
588KB

MD5
9b379cafd681f422bb9c1d010b3189fe

SHA1
27c5465006b24653a6adc18eb20b832307d5992a

SHA256
91d38bff6252bdcd96cc357c692f256b4017fbd6f5d479514c4cb2e6dfb9d350

SHA512
617f4af26b9aa800b58cf9e8c3f3c0088ac890f361d7639806c8c87c98a81a051f50bbb77e9c72903e2ec94c94836d535cafbf7f7246644db485c7120291c78a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x4551906.exe

Filesize
588KB

MD5
9b379cafd681f422bb9c1d010b3189fe

SHA1
27c5465006b24653a6adc18eb20b832307d5992a

SHA256
91d38bff6252bdcd96cc357c692f256b4017fbd6f5d479514c4cb2e6dfb9d350

SHA512
617f4af26b9aa800b58cf9e8c3f3c0088ac890f361d7639806c8c87c98a81a051f50bbb77e9c72903e2ec94c94836d535cafbf7f7246644db485c7120291c78a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\x6564743.exe

Filesize
403KB

MD5
6c08d82d3ff55a5ff9a4a092d155f90f

SHA1
118e8b4a327c54421dec41ef52dffcd3ba4c010f

SHA256
d182959a8902b7b1e0aa6271f2fcb86c909da50178e9a4fe8239c8f62571684f

SHA512
81a5deefbd978d7dccc17df28624f97cdfcba749f2b0e7b3a07156bcbaf839bc19b4f8ca62d78c4db1d3f6a3bec97b906e370fdde60f702fa0083a5bf40a0563

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\x6564743.exe

Filesize
403KB

MD5
6c08d82d3ff55a5ff9a4a092d155f90f

SHA1
118e8b4a327c54421dec41ef52dffcd3ba4c010f

SHA256
d182959a8902b7b1e0aa6271f2fcb86c909da50178e9a4fe8239c8f62571684f

SHA512
81a5deefbd978d7dccc17df28624f97cdfcba749f2b0e7b3a07156bcbaf839bc19b4f8ca62d78c4db1d3f6a3bec97b906e370fdde60f702fa0083a5bf40a0563

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\g2442774.exe

Filesize
378KB

MD5
0b7fa52999393069f73b9f4aea7e0645

SHA1
c38f69566b9d75caaeabe72c8c8706d460aacd41

SHA256
b7bb42ef1535ca0bde9d5f71555dca2f32d79e4721b153f5c450d73bcc64fd31

SHA512
31862456f26382da03f0cf5474c415d50fa136634771f1c6a990deddc644e86be84a3c54df2052df4e334c10dab38db0da7e2c79497c48b1582ed68450658517

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\g2442774.exe

Filesize
378KB

MD5
0b7fa52999393069f73b9f4aea7e0645

SHA1
c38f69566b9d75caaeabe72c8c8706d460aacd41

SHA256
b7bb42ef1535ca0bde9d5f71555dca2f32d79e4721b153f5c450d73bcc64fd31

SHA512
31862456f26382da03f0cf5474c415d50fa136634771f1c6a990deddc644e86be84a3c54df2052df4e334c10dab38db0da7e2c79497c48b1582ed68450658517

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\h5612646.exe

Filesize
174KB

MD5
6f6d81f5999c03f0aeb4550d108f8431

SHA1
b289343dcfc9daec2bf8387d7ca5501ee6d62976

SHA256
d8ac58c10e6351246edb9fdccf2e1016f6696d21a39b3d4dd33b734aa6205efd

SHA512
f1f5d92d5be3865d770e4b5e648fb51031fbab82e339845df6158da9fbf8d2decb188635634f7e5860d8f1a6ec9ab91d6df916a305e3ba1a32d62de4475c5eda

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\h5612646.exe

Filesize
174KB

MD5
6f6d81f5999c03f0aeb4550d108f8431

SHA1
b289343dcfc9daec2bf8387d7ca5501ee6d62976

SHA256
d8ac58c10e6351246edb9fdccf2e1016f6696d21a39b3d4dd33b734aa6205efd

SHA512
f1f5d92d5be3865d770e4b5e648fb51031fbab82e339845df6158da9fbf8d2decb188635634f7e5860d8f1a6ec9ab91d6df916a305e3ba1a32d62de4475c5eda

Download Submit
memory/2028-29-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2028-30-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2028-32-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2028-28-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4504-39-0x0000000005880000-0x0000000005E98000-memory.dmp

Filesize
6.1MB

Download
memory/4504-37-0x0000000074210000-0x00000000749C0000-memory.dmp

Filesize
7.7MB

Download
memory/4504-38-0x0000000002930000-0x0000000002936000-memory.dmp

Filesize
24KB

Download
memory/4504-36-0x0000000000710000-0x0000000000740000-memory.dmp

Filesize
192KB

Download
memory/4504-40-0x0000000005370000-0x000000000547A000-memory.dmp

Filesize
1.0MB

Download
memory/4504-42-0x0000000005150000-0x0000000005160000-memory.dmp

Filesize
64KB

Download
memory/4504-41-0x00000000050F0000-0x0000000005102000-memory.dmp

Filesize
72KB

Download
memory/4504-43-0x0000000005260000-0x000000000529C000-memory.dmp

Filesize
240KB

Download
memory/4504-44-0x00000000052A0000-0x00000000052EC000-memory.dmp

Filesize
304KB

Download
memory/4504-45-0x0000000074210000-0x00000000749C0000-memory.dmp

Filesize
7.7MB

Download
memory/4504-46-0x0000000005150000-0x0000000005160000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads