redline | 6bb6c751a7dc254a2de88a09832fd0f5a0d67c1a237a2d3a549bfcb575100ae7

Analysis

max time kernel
142s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
23-09-2023 13:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6bb6c751a7dc254a2de88a09832fd0f5a0d67c1a237a2d3a549bfcb575100ae7.exe
Size

929KB
MD5

3755ec6ff61be24c7f3270251e310201
SHA1

bd8602f8f69de61cc6d0402a19941700e9f87ee8
SHA256

6bb6c751a7dc254a2de88a09832fd0f5a0d67c1a237a2d3a549bfcb575100ae7
SHA512

4e948e4af57b3a9ddff258ff6961819bef240a9d8ec1efc032dbab652f71bae9a898071081f02f5301e07284e89b1fbf4011ab8332194da23aeee82de8d13810
SSDEEP

12288:/MrQy900smtl3kLPvEfte09n9TpRaRPRZXr3o9wZ4bLOVlhrVd8IF+86hUBGE6KH:zyu0leWtfXXYC2VVd6/hUBGEJ+p8HJ

Score

10^/10

redline tuxiu infostealer persistence

Malware Config

Extracted

Family

redline

Botnet

tuxiu

77.91.124.82:19071

Attributes

auth_value
29610cdad07e7187eec70685a04b89fe

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 3 IoCs

resource	yara_rule
behavioral1/files/0x0007000000023215-34.dat	family_redline
behavioral1/files/0x0007000000023215-35.dat	family_redline
behavioral1/memory/2204-36-0x0000000000050000-0x0000000000080000-memory.dmp	family_redline

Executes dropped EXE 5 IoCs

pid	Process
4600	x4137107.exe
2116	x0353427.exe
4816	x0924198.exe
1332	g2832800.exe
2204	h3835555.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	6bb6c751a7dc254a2de88a09832fd0f5a0d67c1a237a2d3a549bfcb575100ae7.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	x4137107.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	x0353427.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	x0924198.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1332 set thread context of 5104	1332	g2832800.exe	96

Program crash 2 IoCs

pid	pid_target	Process	procid_target
3284	5104	WerFault.exe	96
4120	1332	WerFault.exe	89

Suspicious use of WriteProcessMemory 25 IoCs

description	pid	Process	procid_target
PID 2188 wrote to memory of 4600	2188	6bb6c751a7dc254a2de88a09832fd0f5a0d67c1a237a2d3a549bfcb575100ae7.exe	85
PID 2188 wrote to memory of 4600	2188	6bb6c751a7dc254a2de88a09832fd0f5a0d67c1a237a2d3a549bfcb575100ae7.exe	85
PID 2188 wrote to memory of 4600	2188	6bb6c751a7dc254a2de88a09832fd0f5a0d67c1a237a2d3a549bfcb575100ae7.exe	85
PID 4600 wrote to memory of 2116	4600	x4137107.exe	86
PID 4600 wrote to memory of 2116	4600	x4137107.exe	86
PID 4600 wrote to memory of 2116	4600	x4137107.exe	86
PID 2116 wrote to memory of 4816	2116	x0353427.exe	88
PID 2116 wrote to memory of 4816	2116	x0353427.exe	88
PID 2116 wrote to memory of 4816	2116	x0353427.exe	88
PID 4816 wrote to memory of 1332	4816	x0924198.exe	89
PID 4816 wrote to memory of 1332	4816	x0924198.exe	89
PID 4816 wrote to memory of 1332	4816	x0924198.exe	89
PID 1332 wrote to memory of 5104	1332	g2832800.exe	96
PID 1332 wrote to memory of 5104	1332	g2832800.exe	96
PID 1332 wrote to memory of 5104	1332	g2832800.exe	96
PID 1332 wrote to memory of 5104	1332	g2832800.exe	96
PID 1332 wrote to memory of 5104	1332	g2832800.exe	96
PID 1332 wrote to memory of 5104	1332	g2832800.exe	96
PID 1332 wrote to memory of 5104	1332	g2832800.exe	96
PID 1332 wrote to memory of 5104	1332	g2832800.exe	96
PID 1332 wrote to memory of 5104	1332	g2832800.exe	96
PID 1332 wrote to memory of 5104	1332	g2832800.exe	96
PID 4816 wrote to memory of 2204	4816	x0924198.exe	101
PID 4816 wrote to memory of 2204	4816	x0924198.exe	101
PID 4816 wrote to memory of 2204	4816	x0924198.exe	101

C:\Users\Admin\AppData\Local\Temp\6bb6c751a7dc254a2de88a09832fd0f5a0d67c1a237a2d3a549bfcb575100ae7.exe
"C:\Users\Admin\AppData\Local\Temp\6bb6c751a7dc254a2de88a09832fd0f5a0d67c1a237a2d3a549bfcb575100ae7.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2188
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x4137107.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x4137107.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:4600
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x0353427.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x0353427.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:2116
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\x0924198.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\x0924198.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:4816
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\g2832800.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\g2832800.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:1332
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        6⤵
        
        PID:5104
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5104 -s 540
        7⤵
        Program crash
        
        PID:3284
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1332 -s 552
        6⤵
        Program crash
        
        PID:4120
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\h3835555.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\h3835555.exe
        5⤵
        Executes dropped EXE
        
        PID:2204

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 1332 -ip 1332
1⤵
PID:1784

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 5104 -ip 5104
1⤵
PID:876

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x4137107.exe

Filesize
827KB

MD5
177707a4315cf12f52a4974b68b17b4f

SHA1
e3944ca7841894114c9b10200d84527fa78cd3d9

SHA256
e37d1bbebcc8011fe95831bd2a574716fda688d8aa74efcc2d004c4a9cb6df5f

SHA512
18c5006315cee0c265c3aa12b113ea8a7c73fb882cd86c504981d02d94b07b6d769c58524b9f407d3bf90262dafc41fd8b2357f5136bd9fd51f24e3255457357

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x4137107.exe

Filesize
827KB

MD5
177707a4315cf12f52a4974b68b17b4f

SHA1
e3944ca7841894114c9b10200d84527fa78cd3d9

SHA256
e37d1bbebcc8011fe95831bd2a574716fda688d8aa74efcc2d004c4a9cb6df5f

SHA512
18c5006315cee0c265c3aa12b113ea8a7c73fb882cd86c504981d02d94b07b6d769c58524b9f407d3bf90262dafc41fd8b2357f5136bd9fd51f24e3255457357

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x0353427.exe

Filesize
566KB

MD5
24f13206823fa83258f19413ea28f2f8

SHA1
916f95fabd9a33d69fda16bd574c4b43d90b9f37

SHA256
dbf2ca66fa577ba8f35e62b87a797e019538c3bd475c41c3f300abd8bc0abff5

SHA512
9d3b9065cef147783226935059de3f00dd2bfbcc9f24ec5c6f2507999b25ca6f55257f54d3e4d381f1bbbe5666702fc2a4a9ef6975b1fa9b0bf6bcef8dfec13c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x0353427.exe

Filesize
566KB

MD5
24f13206823fa83258f19413ea28f2f8

SHA1
916f95fabd9a33d69fda16bd574c4b43d90b9f37

SHA256
dbf2ca66fa577ba8f35e62b87a797e019538c3bd475c41c3f300abd8bc0abff5

SHA512
9d3b9065cef147783226935059de3f00dd2bfbcc9f24ec5c6f2507999b25ca6f55257f54d3e4d381f1bbbe5666702fc2a4a9ef6975b1fa9b0bf6bcef8dfec13c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\x0924198.exe

Filesize
390KB

MD5
65a3307428cca717b3935a4f75b788b5

SHA1
278c1da1382b0fd055d6738cf57728ccb6f80ab2

SHA256
7af2eb60cdc68a25fff0e1c6b78789f18a9d21f964b8fdc361c9b54bafb05962

SHA512
2cafca93de61c7922f03d226e0cae03aa4193ca06c54862a1f91b078a8168b6ed2841c5071714d118a861de1f0118fbb3a1875b9b542449960e27f21d01f0bca

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\x0924198.exe

Filesize
390KB

MD5
65a3307428cca717b3935a4f75b788b5

SHA1
278c1da1382b0fd055d6738cf57728ccb6f80ab2

SHA256
7af2eb60cdc68a25fff0e1c6b78789f18a9d21f964b8fdc361c9b54bafb05962

SHA512
2cafca93de61c7922f03d226e0cae03aa4193ca06c54862a1f91b078a8168b6ed2841c5071714d118a861de1f0118fbb3a1875b9b542449960e27f21d01f0bca

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\g2832800.exe

Filesize
364KB

MD5
3fa43f5059ef361430a721571a192cc2

SHA1
c7b9e7abec5dea32cbfc650def0a8c2dd2b7ad1c

SHA256
de9b8fd598e75ec8a5a65c0af51bfcb15b36932e96fec11f13f72543e9f10b42

SHA512
e1ae0cb13d0bdb9132ef046d036d1870251cefdd3943b80d596fa855048bd16c6e99e84a3dca81ddf9d0ebc0ebfd95122d13e482ad631824f9d4027bcc317abb

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\g2832800.exe

Filesize
364KB

MD5
3fa43f5059ef361430a721571a192cc2

SHA1
c7b9e7abec5dea32cbfc650def0a8c2dd2b7ad1c

SHA256
de9b8fd598e75ec8a5a65c0af51bfcb15b36932e96fec11f13f72543e9f10b42

SHA512
e1ae0cb13d0bdb9132ef046d036d1870251cefdd3943b80d596fa855048bd16c6e99e84a3dca81ddf9d0ebc0ebfd95122d13e482ad631824f9d4027bcc317abb

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\h3835555.exe

Filesize
174KB

MD5
70a3fe649efc962a34db48bb7117f312

SHA1
43a39015555759e65b811dd93aaccafd7800b22d

SHA256
caec707a790a8ed7e31fc19852916ecb8be04d0eae9d5d2b39981ff04f66cac0

SHA512
674d535cd2ce7dfb33112cbf5f36e9ff9378869a86ca007aad04fbf97a07ff170195c3bb7bb2fe6deaeed41e343da804f1924f81b55c6e458377dce209563ac7

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\h3835555.exe

Filesize
174KB

MD5
70a3fe649efc962a34db48bb7117f312

SHA1
43a39015555759e65b811dd93aaccafd7800b22d

SHA256
caec707a790a8ed7e31fc19852916ecb8be04d0eae9d5d2b39981ff04f66cac0

SHA512
674d535cd2ce7dfb33112cbf5f36e9ff9378869a86ca007aad04fbf97a07ff170195c3bb7bb2fe6deaeed41e343da804f1924f81b55c6e458377dce209563ac7

Download Submit
memory/2204-39-0x000000000A510000-0x000000000AB28000-memory.dmp

Filesize
6.1MB

Download
memory/2204-40-0x000000000A000000-0x000000000A10A000-memory.dmp

Filesize
1.0MB

Download
memory/2204-46-0x0000000004960000-0x0000000004970000-memory.dmp

Filesize
64KB

Download
memory/2204-45-0x00000000746A0000-0x0000000074E50000-memory.dmp

Filesize
7.7MB

Download
memory/2204-36-0x0000000000050000-0x0000000000080000-memory.dmp

Filesize
192KB

Download
memory/2204-37-0x00000000746A0000-0x0000000074E50000-memory.dmp

Filesize
7.7MB

Download
memory/2204-44-0x000000000A110000-0x000000000A15C000-memory.dmp

Filesize
304KB

Download
memory/2204-43-0x0000000009FA0000-0x0000000009FDC000-memory.dmp

Filesize
240KB

Download
memory/2204-38-0x00000000022E0000-0x00000000022E6000-memory.dmp

Filesize
24KB

Download
memory/2204-42-0x0000000009F40000-0x0000000009F52000-memory.dmp

Filesize
72KB

Download
memory/2204-41-0x0000000004960000-0x0000000004970000-memory.dmp

Filesize
64KB

Download
memory/5104-29-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/5104-32-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/5104-30-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/5104-28-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads