redline | 230e3b79f172036cc9355a1b63795803a601d9f8d70eed31fcece6b2f7cf3c52

Analysis

max time kernel
149s
max time network
156s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
23-09-2023 13:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

230e3b79f172036cc9355a1b63795803a601d9f8d70eed31fcece6b2f7cf3c52.exe
Size

928KB
MD5

fe805e96b91b7a8ce2495aca1be1431e
SHA1

dc795b154e3c184d122c060997d8cb8ce28df821
SHA256

230e3b79f172036cc9355a1b63795803a601d9f8d70eed31fcece6b2f7cf3c52
SHA512

83eb86e1ef2c611e73cb732099465b248090b9ae3d220491a834101bcf04b4103a29e81d79559b67e8b1f6ed27203a911c2bef3c0fb579ade7054d3620bc0f94
SSDEEP

24576:Oyu8U8jCtGrHKV6vfkHR0CxD7u7dPIDp0Y5:dpjCIHKV7HRhxDE9up0

Score

10^/10

redline tuxiu infostealer persistence

Malware Config

Extracted

Family

redline

Botnet

tuxiu

77.91.124.82:19071

Attributes

auth_value
29610cdad07e7187eec70685a04b89fe

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 3 IoCs

resource	yara_rule
behavioral1/files/0x0006000000023096-34.dat	family_redline
behavioral1/files/0x0006000000023096-35.dat	family_redline
behavioral1/memory/2924-37-0x0000000000080000-0x00000000000B0000-memory.dmp	family_redline

Executes dropped EXE 5 IoCs

pid	Process
4036	x3807497.exe
4188	x0721186.exe
3996	x4483559.exe
5076	g2436100.exe
2924	h0303941.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	x3807497.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	x0721186.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	x4483559.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	230e3b79f172036cc9355a1b63795803a601d9f8d70eed31fcece6b2f7cf3c52.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 5076 set thread context of 3308	5076	g2436100.exe	94

Program crash 2 IoCs

pid	pid_target	Process	procid_target
3780	5076	WerFault.exe	91
4072	3308	WerFault.exe	94

Suspicious use of WriteProcessMemory 25 IoCs

description	pid	Process	procid_target
PID 3136 wrote to memory of 4036	3136	230e3b79f172036cc9355a1b63795803a601d9f8d70eed31fcece6b2f7cf3c52.exe	88
PID 3136 wrote to memory of 4036	3136	230e3b79f172036cc9355a1b63795803a601d9f8d70eed31fcece6b2f7cf3c52.exe	88
PID 3136 wrote to memory of 4036	3136	230e3b79f172036cc9355a1b63795803a601d9f8d70eed31fcece6b2f7cf3c52.exe	88
PID 4036 wrote to memory of 4188	4036	x3807497.exe	89
PID 4036 wrote to memory of 4188	4036	x3807497.exe	89
PID 4036 wrote to memory of 4188	4036	x3807497.exe	89
PID 4188 wrote to memory of 3996	4188	x0721186.exe	90
PID 4188 wrote to memory of 3996	4188	x0721186.exe	90
PID 4188 wrote to memory of 3996	4188	x0721186.exe	90
PID 3996 wrote to memory of 5076	3996	x4483559.exe	91
PID 3996 wrote to memory of 5076	3996	x4483559.exe	91
PID 3996 wrote to memory of 5076	3996	x4483559.exe	91
PID 5076 wrote to memory of 3308	5076	g2436100.exe	94
PID 5076 wrote to memory of 3308	5076	g2436100.exe	94
PID 5076 wrote to memory of 3308	5076	g2436100.exe	94
PID 5076 wrote to memory of 3308	5076	g2436100.exe	94
PID 5076 wrote to memory of 3308	5076	g2436100.exe	94
PID 5076 wrote to memory of 3308	5076	g2436100.exe	94
PID 5076 wrote to memory of 3308	5076	g2436100.exe	94
PID 5076 wrote to memory of 3308	5076	g2436100.exe	94
PID 5076 wrote to memory of 3308	5076	g2436100.exe	94
PID 5076 wrote to memory of 3308	5076	g2436100.exe	94
PID 3996 wrote to memory of 2924	3996	x4483559.exe	101
PID 3996 wrote to memory of 2924	3996	x4483559.exe	101
PID 3996 wrote to memory of 2924	3996	x4483559.exe	101

C:\Users\Admin\AppData\Local\Temp\230e3b79f172036cc9355a1b63795803a601d9f8d70eed31fcece6b2f7cf3c52.exe
"C:\Users\Admin\AppData\Local\Temp\230e3b79f172036cc9355a1b63795803a601d9f8d70eed31fcece6b2f7cf3c52.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3136
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x3807497.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x3807497.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:4036
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x0721186.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x0721186.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:4188
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\x4483559.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\x4483559.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:3996
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\g2436100.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\g2436100.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:5076
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        6⤵
        
        PID:3308
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3308 -s 540
        7⤵
        Program crash
        
        PID:4072
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5076 -s 556
        6⤵
        Program crash
        
        PID:3780
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\h0303941.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\h0303941.exe
        5⤵
        Executes dropped EXE
        
        PID:2924

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 5076 -ip 5076
1⤵
PID:1476

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 3308 -ip 3308
1⤵
PID:1612

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x3807497.exe

Filesize
827KB

MD5
b8b37da618d3382e13918aeace2078bc

SHA1
be92437932d21979ea7506432d0517cc7923e475

SHA256
7690631646ffe99e71af46066af3fa6e294e6c4f0cf98bf64d22cdf0ef74b5e9

SHA512
ee7dcc5197d99b4c2b27d7373f8f2df950995dae47374918d5e32ea2a1426d514e287e051318d8936501ce7fdfa751b23c7cde4fa12677329cf28537772a4858

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x3807497.exe

Filesize
827KB

MD5
b8b37da618d3382e13918aeace2078bc

SHA1
be92437932d21979ea7506432d0517cc7923e475

SHA256
7690631646ffe99e71af46066af3fa6e294e6c4f0cf98bf64d22cdf0ef74b5e9

SHA512
ee7dcc5197d99b4c2b27d7373f8f2df950995dae47374918d5e32ea2a1426d514e287e051318d8936501ce7fdfa751b23c7cde4fa12677329cf28537772a4858

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x0721186.exe

Filesize
567KB

MD5
a5ec00e857d41e702696418f933e9cf6

SHA1
193e3d9d4f8d38ac03fd57509ee3bfbf51aa6b2f

SHA256
874fd1639d9ee38ce25f1cb3d2f3bb164d5c3c862565272fd77cc3e7a76ba18a

SHA512
584f820672131d4ebb0623a5dc1dbe39ae4b356a04a80e77ab51f2349d5762cace72f68cea76f4f194dc930bbdf142463f95f3129bd1fc038edc79046d5a473d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x0721186.exe

Filesize
567KB

MD5
a5ec00e857d41e702696418f933e9cf6

SHA1
193e3d9d4f8d38ac03fd57509ee3bfbf51aa6b2f

SHA256
874fd1639d9ee38ce25f1cb3d2f3bb164d5c3c862565272fd77cc3e7a76ba18a

SHA512
584f820672131d4ebb0623a5dc1dbe39ae4b356a04a80e77ab51f2349d5762cace72f68cea76f4f194dc930bbdf142463f95f3129bd1fc038edc79046d5a473d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\x4483559.exe

Filesize
390KB

MD5
2971af70b955be9bad0a039a840f830b

SHA1
eb9bf71e8bf87af9cbd298e7ba297ee6c71dcb00

SHA256
6c4b8dccd06e49d7dca0b295533d93fc75784ab3f747cffeae4498d97f38ea3e

SHA512
9a8ac869021a1c15b4d426b3df2adec54da11ffd3893b38ba7b271c0d6aafba4a16479ee83627a3cea602181021a1be0b42c57d63135606cda0eff12e236fe1b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\x4483559.exe

Filesize
390KB

MD5
2971af70b955be9bad0a039a840f830b

SHA1
eb9bf71e8bf87af9cbd298e7ba297ee6c71dcb00

SHA256
6c4b8dccd06e49d7dca0b295533d93fc75784ab3f747cffeae4498d97f38ea3e

SHA512
9a8ac869021a1c15b4d426b3df2adec54da11ffd3893b38ba7b271c0d6aafba4a16479ee83627a3cea602181021a1be0b42c57d63135606cda0eff12e236fe1b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\g2436100.exe

Filesize
364KB

MD5
d5b6e62087b791dfadcb9c1af5d93f7a

SHA1
e9c17c19a6c355de10f620baa4048a2ddc879cf0

SHA256
64bec2255a6d05630686dda275f45ea645b3286df4c890a2f01866a97bef4cc6

SHA512
a0bd7b4152077d1dd2513a0d0979292aaaaedb97bedca1b4ad185bc1d96d56c45aa5725c5a1a86d1da6dda327637fa799bc1702ad8e3ff11cdbf17c419fe0b27

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\g2436100.exe

Filesize
364KB

MD5
d5b6e62087b791dfadcb9c1af5d93f7a

SHA1
e9c17c19a6c355de10f620baa4048a2ddc879cf0

SHA256
64bec2255a6d05630686dda275f45ea645b3286df4c890a2f01866a97bef4cc6

SHA512
a0bd7b4152077d1dd2513a0d0979292aaaaedb97bedca1b4ad185bc1d96d56c45aa5725c5a1a86d1da6dda327637fa799bc1702ad8e3ff11cdbf17c419fe0b27

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\h0303941.exe

Filesize
174KB

MD5
d691c813b4bbfeb873b328ed7338a3c0

SHA1
1ac91f1dda2979d40a18f38e6baf039a2e26c4e9

SHA256
39e163ae0f03c7c7640e102e931a6b0e13a8b3d3fd56e90eaa9183e2c8263875

SHA512
1363b0166ca93d7ba97917476505f86f46d107b8ff7084a6bf554e9977f0b50a209182507f6d033cdf72077bbb6cf39416e8aa09bd0559f0478f769d035c8e7a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\h0303941.exe

Filesize
174KB

MD5
d691c813b4bbfeb873b328ed7338a3c0

SHA1
1ac91f1dda2979d40a18f38e6baf039a2e26c4e9

SHA256
39e163ae0f03c7c7640e102e931a6b0e13a8b3d3fd56e90eaa9183e2c8263875

SHA512
1363b0166ca93d7ba97917476505f86f46d107b8ff7084a6bf554e9977f0b50a209182507f6d033cdf72077bbb6cf39416e8aa09bd0559f0478f769d035c8e7a

Download Submit
memory/2924-39-0x000000000A3E0000-0x000000000A9F8000-memory.dmp

Filesize
6.1MB

Download
memory/2924-40-0x0000000009EF0000-0x0000000009FFA000-memory.dmp

Filesize
1.0MB

Download
memory/2924-46-0x0000000004930000-0x0000000004940000-memory.dmp

Filesize
64KB

Download
memory/2924-45-0x0000000074970000-0x0000000075120000-memory.dmp

Filesize
7.7MB

Download
memory/2924-36-0x0000000074970000-0x0000000075120000-memory.dmp

Filesize
7.7MB

Download
memory/2924-37-0x0000000000080000-0x00000000000B0000-memory.dmp

Filesize
192KB

Download
memory/2924-44-0x000000000A000000-0x000000000A04C000-memory.dmp

Filesize
304KB

Download
memory/2924-43-0x0000000009E90000-0x0000000009ECC000-memory.dmp

Filesize
240KB

Download
memory/2924-38-0x0000000004860000-0x0000000004866000-memory.dmp

Filesize
24KB

Download
memory/2924-41-0x0000000004930000-0x0000000004940000-memory.dmp

Filesize
64KB

Download
memory/2924-42-0x0000000009E30000-0x0000000009E42000-memory.dmp

Filesize
72KB

Download
memory/3308-29-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/3308-32-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/3308-30-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/3308-28-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads