redline | e284c7dce287a6e32d40d7df2352017d7893e150485ea35f3b9c715758779d27

Analysis

max time kernel
147s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
23/09/2023, 20:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e284c7dce287a6e32d40d7df2352017d7893e150485ea35f3b9c715758779d27.exe
Size

928KB
MD5

70cb75d4a40cb285ab95e00e8348acfc
SHA1

8572fa8891ea828493b6c230f04e88c91ccd72c0
SHA256

e284c7dce287a6e32d40d7df2352017d7893e150485ea35f3b9c715758779d27
SHA512

5c0c36c74b64590ec68d1a3394933086668298e1c43594288349a35f278cf95d9973a1c435fd12164d2d2e3df5149354ef45f8db6980220efd26f3bd46dac4fc
SSDEEP

24576:Syp3NfPsrDhJrxA7n/L33PzUqXXhBTJs9WSHF8IqJS1q:5p9fP+dJrxo/LHPzVnDlz

Score

10^/10

redline tuxiu infostealer persistence

Malware Config

Extracted

Family

redline

Botnet

tuxiu

77.91.124.82:19071

Attributes

auth_value
29610cdad07e7187eec70685a04b89fe

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 3 IoCs

resource	yara_rule
behavioral1/files/0x000600000002306d-34.dat	family_redline
behavioral1/files/0x000600000002306d-35.dat	family_redline
behavioral1/memory/2364-37-0x0000000000AE0000-0x0000000000B10000-memory.dmp	family_redline

Executes dropped EXE 5 IoCs

pid	Process
3592	x3209738.exe
4456	x7789539.exe
2836	x1422453.exe
1420	g4500786.exe
2364	h9041638.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	x7789539.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	x1422453.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	e284c7dce287a6e32d40d7df2352017d7893e150485ea35f3b9c715758779d27.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	x3209738.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1420 set thread context of 4656	1420	g4500786.exe	92

Program crash 2 IoCs

pid	pid_target	Process	procid_target
1384	4656	WerFault.exe	92
3872	1420	WerFault.exe	90

Suspicious use of WriteProcessMemory 25 IoCs

description	pid	Process	procid_target
PID 3968 wrote to memory of 3592	3968	e284c7dce287a6e32d40d7df2352017d7893e150485ea35f3b9c715758779d27.exe	87
PID 3968 wrote to memory of 3592	3968	e284c7dce287a6e32d40d7df2352017d7893e150485ea35f3b9c715758779d27.exe	87
PID 3968 wrote to memory of 3592	3968	e284c7dce287a6e32d40d7df2352017d7893e150485ea35f3b9c715758779d27.exe	87
PID 3592 wrote to memory of 4456	3592	x3209738.exe	88
PID 3592 wrote to memory of 4456	3592	x3209738.exe	88
PID 3592 wrote to memory of 4456	3592	x3209738.exe	88
PID 4456 wrote to memory of 2836	4456	x7789539.exe	89
PID 4456 wrote to memory of 2836	4456	x7789539.exe	89
PID 4456 wrote to memory of 2836	4456	x7789539.exe	89
PID 2836 wrote to memory of 1420	2836	x1422453.exe	90
PID 2836 wrote to memory of 1420	2836	x1422453.exe	90
PID 2836 wrote to memory of 1420	2836	x1422453.exe	90
PID 1420 wrote to memory of 4656	1420	g4500786.exe	92
PID 1420 wrote to memory of 4656	1420	g4500786.exe	92
PID 1420 wrote to memory of 4656	1420	g4500786.exe	92
PID 1420 wrote to memory of 4656	1420	g4500786.exe	92
PID 1420 wrote to memory of 4656	1420	g4500786.exe	92
PID 1420 wrote to memory of 4656	1420	g4500786.exe	92
PID 1420 wrote to memory of 4656	1420	g4500786.exe	92
PID 1420 wrote to memory of 4656	1420	g4500786.exe	92
PID 1420 wrote to memory of 4656	1420	g4500786.exe	92
PID 1420 wrote to memory of 4656	1420	g4500786.exe	92
PID 2836 wrote to memory of 2364	2836	x1422453.exe	99
PID 2836 wrote to memory of 2364	2836	x1422453.exe	99
PID 2836 wrote to memory of 2364	2836	x1422453.exe	99

C:\Users\Admin\AppData\Local\Temp\e284c7dce287a6e32d40d7df2352017d7893e150485ea35f3b9c715758779d27.exe
"C:\Users\Admin\AppData\Local\Temp\e284c7dce287a6e32d40d7df2352017d7893e150485ea35f3b9c715758779d27.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3968
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x3209738.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x3209738.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:3592
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x7789539.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x7789539.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:4456
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\x1422453.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\x1422453.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:2836
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\g4500786.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\g4500786.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:1420
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        6⤵
        
        PID:4656
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4656 -s 540
        7⤵
        Program crash
        
        PID:1384
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1420 -s 556
        6⤵
        Program crash
        
        PID:3872
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\h9041638.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\h9041638.exe
        5⤵
        Executes dropped EXE
        
        PID:2364

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 1420 -ip 1420
1⤵
PID:3940

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 4656 -ip 4656
1⤵
PID:3632

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x3209738.exe

Filesize
826KB

MD5
d26e7efa061c106fa1023ae9d161e332

SHA1
ad7c08b368a0b08d55783b15d0599be336efdcb5

SHA256
3ccaa6d24e06b2c0699550b931a4af4a384927bce48aca2f2271a0f43e5bbe7d

SHA512
0bf0abc00c6a937947f56d8b34fdf477070cc9ae32ac3aa64398b16aae6897b391a10b998192a8793c5003adde82219f7508da820c0a487fa61632a268abf855

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x3209738.exe

Filesize
826KB

MD5
d26e7efa061c106fa1023ae9d161e332

SHA1
ad7c08b368a0b08d55783b15d0599be336efdcb5

SHA256
3ccaa6d24e06b2c0699550b931a4af4a384927bce48aca2f2271a0f43e5bbe7d

SHA512
0bf0abc00c6a937947f56d8b34fdf477070cc9ae32ac3aa64398b16aae6897b391a10b998192a8793c5003adde82219f7508da820c0a487fa61632a268abf855

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x7789539.exe

Filesize
566KB

MD5
98b1da815d8a78778cc7445270c85b2a

SHA1
0861446abbb238040836c606e3d976e85ef0dfd2

SHA256
0ceb2bcbe5bc7d6430a89ecdbd2bb34e97bb50f0817d76fd9b6d6d00087a2858

SHA512
f19b174db823d4dc56d7bfa2f0c650f167c3723b597b9ecd37f7970186bd5ac1fb5143cc6c69739879f891a2d7fc1515daaa323da0332846f3664e7ad9040fb3

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x7789539.exe

Filesize
566KB

MD5
98b1da815d8a78778cc7445270c85b2a

SHA1
0861446abbb238040836c606e3d976e85ef0dfd2

SHA256
0ceb2bcbe5bc7d6430a89ecdbd2bb34e97bb50f0817d76fd9b6d6d00087a2858

SHA512
f19b174db823d4dc56d7bfa2f0c650f167c3723b597b9ecd37f7970186bd5ac1fb5143cc6c69739879f891a2d7fc1515daaa323da0332846f3664e7ad9040fb3

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\x1422453.exe

Filesize
389KB

MD5
4fb7e6bd25d3e1bd543b1e32c86f747c

SHA1
74452757ed0667e90b3487401dfa1c9020ae0ea0

SHA256
7d6cd881cd110a441b5876bff5355712fb6fdb70e1a0f92aad2b72dd882cab7a

SHA512
b60e239b169cd8578ab44094ff1d2cbfdceeeacb97631530e85580a952b4976cf913cb26f7ab536660336f9d892b42c1916119a15685df796c8291d80f95a2e4

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\x1422453.exe

Filesize
389KB

MD5
4fb7e6bd25d3e1bd543b1e32c86f747c

SHA1
74452757ed0667e90b3487401dfa1c9020ae0ea0

SHA256
7d6cd881cd110a441b5876bff5355712fb6fdb70e1a0f92aad2b72dd882cab7a

SHA512
b60e239b169cd8578ab44094ff1d2cbfdceeeacb97631530e85580a952b4976cf913cb26f7ab536660336f9d892b42c1916119a15685df796c8291d80f95a2e4

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\g4500786.exe

Filesize
364KB

MD5
cc832662dd3714a9c2adeda81dc99d3c

SHA1
c25c303e8aad37bfa8b0ad5a026c8245acb17516

SHA256
4d4fa84d64d521ef5fcc3fc29674cb96107582feaac452f403957da7ac007483

SHA512
0eea500618192ff3fdc2c23542e314c0c5a458ed0f3a7621cbbec076ed01006236b172d0b38629511650581f1662effe5153f1d13bd85fdb70791e327f4832b1

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\g4500786.exe

Filesize
364KB

MD5
cc832662dd3714a9c2adeda81dc99d3c

SHA1
c25c303e8aad37bfa8b0ad5a026c8245acb17516

SHA256
4d4fa84d64d521ef5fcc3fc29674cb96107582feaac452f403957da7ac007483

SHA512
0eea500618192ff3fdc2c23542e314c0c5a458ed0f3a7621cbbec076ed01006236b172d0b38629511650581f1662effe5153f1d13bd85fdb70791e327f4832b1

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\h9041638.exe

Filesize
174KB

MD5
1405814c600d3766e51209fd2668cfa5

SHA1
7fecea14976fad196d538a6fb5525a1c756f9777

SHA256
9f21589dd05179c8dbacd7bad7c33dc82736c7729565859311fddadb1db34be2

SHA512
b18bd942df347ef9a170596d436c4e56534c67e00c9f73d58b45b5bffcd122269df360b169da0f306088e0ba1888a279185b44bf2736793136468b1a4a2b57de

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\h9041638.exe

Filesize
174KB

MD5
1405814c600d3766e51209fd2668cfa5

SHA1
7fecea14976fad196d538a6fb5525a1c756f9777

SHA256
9f21589dd05179c8dbacd7bad7c33dc82736c7729565859311fddadb1db34be2

SHA512
b18bd942df347ef9a170596d436c4e56534c67e00c9f73d58b45b5bffcd122269df360b169da0f306088e0ba1888a279185b44bf2736793136468b1a4a2b57de

Download Submit
memory/2364-39-0x000000000AEB0000-0x000000000B4C8000-memory.dmp

Filesize
6.1MB

Download
memory/2364-42-0x000000000A890000-0x000000000A8A2000-memory.dmp

Filesize
72KB

Download
memory/2364-46-0x0000000002DA0000-0x0000000002DB0000-memory.dmp

Filesize
64KB

Download
memory/2364-45-0x0000000074410000-0x0000000074BC0000-memory.dmp

Filesize
7.7MB

Download
memory/2364-36-0x0000000074410000-0x0000000074BC0000-memory.dmp

Filesize
7.7MB

Download
memory/2364-37-0x0000000000AE0000-0x0000000000B10000-memory.dmp

Filesize
192KB

Download
memory/2364-44-0x000000000A930000-0x000000000A97C000-memory.dmp

Filesize
304KB

Download
memory/2364-40-0x000000000A9A0000-0x000000000AAAA000-memory.dmp

Filesize
1.0MB

Download
memory/2364-38-0x0000000002D60000-0x0000000002D66000-memory.dmp

Filesize
24KB

Download
memory/2364-41-0x0000000002DA0000-0x0000000002DB0000-memory.dmp

Filesize
64KB

Download
memory/2364-43-0x000000000A8F0000-0x000000000A92C000-memory.dmp

Filesize
240KB

Download
memory/4656-29-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/4656-32-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/4656-30-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/4656-28-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads