redline | 7fb5107d42b436593be89b4c3be51c057278d5131859654dc4f48b123d5380f6

Analysis

max time kernel
141s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
23/09/2023, 19:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7fb5107d42b436593be89b4c3be51c057278d5131859654dc4f48b123d5380f6.exe
Size

928KB
MD5

0a77358881fd21a86222f462cc7c28f3
SHA1

286d050930f425f8ae08ac49a1aa245e67283e78
SHA256

7fb5107d42b436593be89b4c3be51c057278d5131859654dc4f48b123d5380f6
SHA512

30b9835dfc35e4f11fdbc254f6a2f4ba3d0305edf72ee1312e016b0274aaff2a08dd09a30a8761026accc35deb73850fdb6cb4a35ccb0d456fd03029607b5e9c
SSDEEP

12288:OMrfy90yABu9MbijZmebzTLTof7sf61TEoPBie5ZgM0HWshKDQk0CNKgHXmbD:VyJhbjTof7sfuXBmMgWoQQ5Cg9bD

Score

10^/10

redline tuxiu infostealer persistence

Malware Config

Extracted

Family

redline

Botnet

tuxiu

77.91.124.82:19071

Attributes

auth_value
29610cdad07e7187eec70685a04b89fe

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 3 IoCs

resource	yara_rule
behavioral1/files/0x0006000000023244-34.dat	family_redline
behavioral1/files/0x0006000000023244-35.dat	family_redline
behavioral1/memory/4036-36-0x0000000000060000-0x0000000000090000-memory.dmp	family_redline

Executes dropped EXE 5 IoCs

pid	Process
1132	x7755229.exe
3732	x5113244.exe
772	x9777205.exe
3504	g3398359.exe
4036	h0897387.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	x5113244.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	x9777205.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	7fb5107d42b436593be89b4c3be51c057278d5131859654dc4f48b123d5380f6.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	x7755229.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 3504 set thread context of 2572	3504	g3398359.exe	94

Program crash 2 IoCs

pid	pid_target	Process	procid_target
4060	3504	WerFault.exe	89
4000	2572	WerFault.exe	94

Suspicious use of WriteProcessMemory 25 IoCs

description	pid	Process	procid_target
PID 3964 wrote to memory of 1132	3964	7fb5107d42b436593be89b4c3be51c057278d5131859654dc4f48b123d5380f6.exe	85
PID 3964 wrote to memory of 1132	3964	7fb5107d42b436593be89b4c3be51c057278d5131859654dc4f48b123d5380f6.exe	85
PID 3964 wrote to memory of 1132	3964	7fb5107d42b436593be89b4c3be51c057278d5131859654dc4f48b123d5380f6.exe	85
PID 1132 wrote to memory of 3732	1132	x7755229.exe	87
PID 1132 wrote to memory of 3732	1132	x7755229.exe	87
PID 1132 wrote to memory of 3732	1132	x7755229.exe	87
PID 3732 wrote to memory of 772	3732	x5113244.exe	88
PID 3732 wrote to memory of 772	3732	x5113244.exe	88
PID 3732 wrote to memory of 772	3732	x5113244.exe	88
PID 772 wrote to memory of 3504	772	x9777205.exe	89
PID 772 wrote to memory of 3504	772	x9777205.exe	89
PID 772 wrote to memory of 3504	772	x9777205.exe	89
PID 3504 wrote to memory of 2572	3504	g3398359.exe	94
PID 3504 wrote to memory of 2572	3504	g3398359.exe	94
PID 3504 wrote to memory of 2572	3504	g3398359.exe	94
PID 3504 wrote to memory of 2572	3504	g3398359.exe	94
PID 3504 wrote to memory of 2572	3504	g3398359.exe	94
PID 3504 wrote to memory of 2572	3504	g3398359.exe	94
PID 3504 wrote to memory of 2572	3504	g3398359.exe	94
PID 3504 wrote to memory of 2572	3504	g3398359.exe	94
PID 3504 wrote to memory of 2572	3504	g3398359.exe	94
PID 3504 wrote to memory of 2572	3504	g3398359.exe	94
PID 772 wrote to memory of 4036	772	x9777205.exe	101
PID 772 wrote to memory of 4036	772	x9777205.exe	101
PID 772 wrote to memory of 4036	772	x9777205.exe	101

C:\Users\Admin\AppData\Local\Temp\7fb5107d42b436593be89b4c3be51c057278d5131859654dc4f48b123d5380f6.exe
"C:\Users\Admin\AppData\Local\Temp\7fb5107d42b436593be89b4c3be51c057278d5131859654dc4f48b123d5380f6.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3964
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x7755229.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x7755229.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:1132
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x5113244.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x5113244.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:3732
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\x9777205.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\x9777205.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:772
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\g3398359.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\g3398359.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:3504
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        6⤵
        
        PID:2572
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2572 -s 540
        7⤵
        Program crash
        
        PID:4000
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3504 -s 552
        6⤵
        Program crash
        
        PID:4060
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\h0897387.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\h0897387.exe
        5⤵
        Executes dropped EXE
        
        PID:4036

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 3504 -ip 3504
1⤵
PID:4292

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2572 -ip 2572
1⤵
PID:4116

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x7755229.exe

Filesize
826KB

MD5
287e0145166e1bd07f8d0e0f4612597b

SHA1
056347981baae9437bfa871ae3314b11157d09d2

SHA256
904f58811e2c9ddc496de9ed8c9af598ff787993ed5cf1d4de584bd3305f2b1a

SHA512
6b527056e1b39a5e98cd53a46284bb27e762e6c6c77045134cba1a024f0a12b7ee5b9e76609074911f3254b79035ed738afe116c3d6803041dc1795ebccc8894

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x7755229.exe

Filesize
826KB

MD5
287e0145166e1bd07f8d0e0f4612597b

SHA1
056347981baae9437bfa871ae3314b11157d09d2

SHA256
904f58811e2c9ddc496de9ed8c9af598ff787993ed5cf1d4de584bd3305f2b1a

SHA512
6b527056e1b39a5e98cd53a46284bb27e762e6c6c77045134cba1a024f0a12b7ee5b9e76609074911f3254b79035ed738afe116c3d6803041dc1795ebccc8894

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x5113244.exe

Filesize
566KB

MD5
f656e5051aebbf49ba073a70c58ec21d

SHA1
b2dfa262f6eabb790314df595d4967a8cc491d3f

SHA256
6ab948be3dd48fc67521b64ddd7daebf24e2a0833b5578a7fc9d343f2744a768

SHA512
9634e91b400487d49a3a93268845b4c4510e622543be7600e623ebabce1798a99f3c1eeb9a3469fa87bd0dc41b74c040324589d04ffee3f857fe8c1d119c0ec7

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x5113244.exe

Filesize
566KB

MD5
f656e5051aebbf49ba073a70c58ec21d

SHA1
b2dfa262f6eabb790314df595d4967a8cc491d3f

SHA256
6ab948be3dd48fc67521b64ddd7daebf24e2a0833b5578a7fc9d343f2744a768

SHA512
9634e91b400487d49a3a93268845b4c4510e622543be7600e623ebabce1798a99f3c1eeb9a3469fa87bd0dc41b74c040324589d04ffee3f857fe8c1d119c0ec7

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\x9777205.exe

Filesize
389KB

MD5
5c8377eafba93e6860c3ff8079e72314

SHA1
f027294ded8e693eb6a2b94d98d3d9e961654863

SHA256
eaa4d0d746fe115764a73d3173d1267d3c1a9aadf2b6a118f46c0d87e1a2c603

SHA512
f27d1a8f817ed17b587590e289836c0788f538faa33c28e9bb0295be3400a13f7a5a756cbc1bfeebbd624af4bf3c680738d08c3bcd86794ae6a78ab30f380d47

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\x9777205.exe

Filesize
389KB

MD5
5c8377eafba93e6860c3ff8079e72314

SHA1
f027294ded8e693eb6a2b94d98d3d9e961654863

SHA256
eaa4d0d746fe115764a73d3173d1267d3c1a9aadf2b6a118f46c0d87e1a2c603

SHA512
f27d1a8f817ed17b587590e289836c0788f538faa33c28e9bb0295be3400a13f7a5a756cbc1bfeebbd624af4bf3c680738d08c3bcd86794ae6a78ab30f380d47

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\g3398359.exe

Filesize
364KB

MD5
97016974c32e5d4583a662a7fd54d0fb

SHA1
b687dcb56e9b63d686e270750138bb2681a2b941

SHA256
e85831689d695dda1d2477872b3783ca64d423acf82c8490a81c852c80e10728

SHA512
e29097784f4209470d3d49bf36ff1cf034a857f49447ebd0f8f269589bea460c9ca61a20aaca4b131ec92a6e79f463de1391bc3e1b67085c2a7267293ad1df3b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\g3398359.exe

Filesize
364KB

MD5
97016974c32e5d4583a662a7fd54d0fb

SHA1
b687dcb56e9b63d686e270750138bb2681a2b941

SHA256
e85831689d695dda1d2477872b3783ca64d423acf82c8490a81c852c80e10728

SHA512
e29097784f4209470d3d49bf36ff1cf034a857f49447ebd0f8f269589bea460c9ca61a20aaca4b131ec92a6e79f463de1391bc3e1b67085c2a7267293ad1df3b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\h0897387.exe

Filesize
174KB

MD5
0e2625d2407ac75d73e03999ebe8b265

SHA1
9209214c70138d3f542bb68a657fe0e9f4fa3660

SHA256
a5e711a50c8701629618fd9c320922c66c3b342e755346544518636241a682f2

SHA512
e55681b645b4ad323ca73a80fb6bfb2b6c1b663d9cc15b5cc73e2a82d678943181cd3d44738c1228579057e8a27620aa61235ad0f9aae56d9e447fcba66d1de5

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\h0897387.exe

Filesize
174KB

MD5
0e2625d2407ac75d73e03999ebe8b265

SHA1
9209214c70138d3f542bb68a657fe0e9f4fa3660

SHA256
a5e711a50c8701629618fd9c320922c66c3b342e755346544518636241a682f2

SHA512
e55681b645b4ad323ca73a80fb6bfb2b6c1b663d9cc15b5cc73e2a82d678943181cd3d44738c1228579057e8a27620aa61235ad0f9aae56d9e447fcba66d1de5

Download Submit
memory/2572-29-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/2572-30-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/2572-32-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/2572-28-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/4036-39-0x00000000050A0000-0x00000000056B8000-memory.dmp

Filesize
6.1MB

Download
memory/4036-37-0x0000000074A60000-0x0000000075210000-memory.dmp

Filesize
7.7MB

Download
memory/4036-38-0x0000000000960000-0x0000000000966000-memory.dmp

Filesize
24KB

Download
memory/4036-36-0x0000000000060000-0x0000000000090000-memory.dmp

Filesize
192KB

Download
memory/4036-40-0x0000000004BF0000-0x0000000004CFA000-memory.dmp

Filesize
1.0MB

Download
memory/4036-41-0x0000000000970000-0x0000000000980000-memory.dmp

Filesize
64KB

Download
memory/4036-42-0x0000000004B30000-0x0000000004B42000-memory.dmp

Filesize
72KB

Download
memory/4036-43-0x0000000004B90000-0x0000000004BCC000-memory.dmp

Filesize
240KB

Download
memory/4036-44-0x0000000004D00000-0x0000000004D4C000-memory.dmp

Filesize
304KB

Download
memory/4036-45-0x0000000074A60000-0x0000000075210000-memory.dmp

Filesize
7.7MB

Download
memory/4036-46-0x0000000000970000-0x0000000000980000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads