redline | 1d80a4b8261e6f3ca2860a38fd37d77deb396d6cb84a6cedd36bb9e4c12028e4

Analysis

max time kernel
150s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
24/09/2023, 01:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

efbe6e47229a646410652946a5a792e8c3414bb244061a219aea650d068c7e1c.exe
Size

956KB
MD5

2a1ef00edfe378d2136ad96afa8a46ec
SHA1

6224f1a957ced73577e73f76ae648280ef8f0ba2
SHA256

efbe6e47229a646410652946a5a792e8c3414bb244061a219aea650d068c7e1c
SHA512

8eda290935a6bb4e38219c10593db4512548f6a7654045c03bb5e743efac8aa665d8a48caa2490a9aabd6ee6619c39f951ab7f2d59e516b572b2a36c7b77a26c
SSDEEP

24576:Ly16H9E4xqF5oAmNK4T02sBP/NpvucZb3Q9TN0U0D4uP:+18EvHoAerTVsBPlpWa3QUD

Score

10^/10

redline tuxiu infostealer persistence

Malware Config

Extracted

Family

redline

Botnet

tuxiu

77.91.124.82:19071

Attributes

auth_value
29610cdad07e7187eec70685a04b89fe

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 3 IoCs

resource	yara_rule
behavioral2/files/0x00070000000231b9-33.dat	family_redline
behavioral2/files/0x00070000000231b9-35.dat	family_redline
behavioral2/memory/4848-36-0x0000000000610000-0x0000000000640000-memory.dmp	family_redline

Executes dropped EXE 5 IoCs

pid	Process
4900	x6190423.exe
3656	x8543495.exe
1864	x7941102.exe
3540	g7788597.exe
4848	h8639604.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	efbe6e47229a646410652946a5a792e8c3414bb244061a219aea650d068c7e1c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	x6190423.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	x8543495.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	x7941102.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 3540 set thread context of 796	3540	g7788597.exe	96

Program crash 2 IoCs

pid	pid_target	Process	procid_target
4140	3540	WerFault.exe	89
1940	796	WerFault.exe	96

Suspicious use of WriteProcessMemory 25 IoCs

description	pid	Process	procid_target
PID 1752 wrote to memory of 4900	1752	efbe6e47229a646410652946a5a792e8c3414bb244061a219aea650d068c7e1c.exe	85
PID 1752 wrote to memory of 4900	1752	efbe6e47229a646410652946a5a792e8c3414bb244061a219aea650d068c7e1c.exe	85
PID 1752 wrote to memory of 4900	1752	efbe6e47229a646410652946a5a792e8c3414bb244061a219aea650d068c7e1c.exe	85
PID 4900 wrote to memory of 3656	4900	x6190423.exe	87
PID 4900 wrote to memory of 3656	4900	x6190423.exe	87
PID 4900 wrote to memory of 3656	4900	x6190423.exe	87
PID 3656 wrote to memory of 1864	3656	x8543495.exe	88
PID 3656 wrote to memory of 1864	3656	x8543495.exe	88
PID 3656 wrote to memory of 1864	3656	x8543495.exe	88
PID 1864 wrote to memory of 3540	1864	x7941102.exe	89
PID 1864 wrote to memory of 3540	1864	x7941102.exe	89
PID 1864 wrote to memory of 3540	1864	x7941102.exe	89
PID 3540 wrote to memory of 796	3540	g7788597.exe	96
PID 3540 wrote to memory of 796	3540	g7788597.exe	96
PID 3540 wrote to memory of 796	3540	g7788597.exe	96
PID 3540 wrote to memory of 796	3540	g7788597.exe	96
PID 3540 wrote to memory of 796	3540	g7788597.exe	96
PID 3540 wrote to memory of 796	3540	g7788597.exe	96
PID 3540 wrote to memory of 796	3540	g7788597.exe	96
PID 3540 wrote to memory of 796	3540	g7788597.exe	96
PID 3540 wrote to memory of 796	3540	g7788597.exe	96
PID 3540 wrote to memory of 796	3540	g7788597.exe	96
PID 1864 wrote to memory of 4848	1864	x7941102.exe	101
PID 1864 wrote to memory of 4848	1864	x7941102.exe	101
PID 1864 wrote to memory of 4848	1864	x7941102.exe	101

C:\Users\Admin\AppData\Local\Temp\efbe6e47229a646410652946a5a792e8c3414bb244061a219aea650d068c7e1c.exe
"C:\Users\Admin\AppData\Local\Temp\efbe6e47229a646410652946a5a792e8c3414bb244061a219aea650d068c7e1c.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1752
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x6190423.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x6190423.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:4900
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x8543495.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x8543495.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:3656
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\x7941102.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\x7941102.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:1864
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\g7788597.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\g7788597.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:3540
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        6⤵
        
        PID:796
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 796 -s 540
        7⤵
        Program crash
        
        PID:1940
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3540 -s 552
        6⤵
        Program crash
        
        PID:4140
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\h8639604.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\h8639604.exe
        5⤵
        Executes dropped EXE
        
        PID:4848

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 3540 -ip 3540
1⤵
PID:556

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 492 -p 796 -ip 796
1⤵
PID:3828

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x6190423.exe

Filesize
854KB

MD5
1e3ad421833a4dc86652b692c3182f48

SHA1
b2d2f3f37c585b4ce806c1f6863e90d733e6a302

SHA256
f54f5008a7084449be7ba395fb6a9ea088f11e69df40accc7979b575f37ea82a

SHA512
0c8b919e10c6044e0fd5bc45d1023c1f822ac8de40d75044dd234b03034f480999976c865817586cc18e656f93acd28698f27ec12c080c8348ef54a269582c14

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x6190423.exe

Filesize
854KB

MD5
1e3ad421833a4dc86652b692c3182f48

SHA1
b2d2f3f37c585b4ce806c1f6863e90d733e6a302

SHA256
f54f5008a7084449be7ba395fb6a9ea088f11e69df40accc7979b575f37ea82a

SHA512
0c8b919e10c6044e0fd5bc45d1023c1f822ac8de40d75044dd234b03034f480999976c865817586cc18e656f93acd28698f27ec12c080c8348ef54a269582c14

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x8543495.exe

Filesize
589KB

MD5
eb2285e63b7e0846d35751cc69933500

SHA1
5c95cc8f90a7388125ea8c656f477c02e4480aad

SHA256
3482b16666c3155ea3d5e3d7b649915ad46ab6c19c47364a2a7538d1907511e1

SHA512
4ab1c9726164f1624c3e3d69556a88cf31adddc6991e2c696274703b2305b180234a66e5562df2aee13f458fb4f11c893f170ebf3e8ea0b11609a23e050dacd3

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x8543495.exe

Filesize
589KB

MD5
eb2285e63b7e0846d35751cc69933500

SHA1
5c95cc8f90a7388125ea8c656f477c02e4480aad

SHA256
3482b16666c3155ea3d5e3d7b649915ad46ab6c19c47364a2a7538d1907511e1

SHA512
4ab1c9726164f1624c3e3d69556a88cf31adddc6991e2c696274703b2305b180234a66e5562df2aee13f458fb4f11c893f170ebf3e8ea0b11609a23e050dacd3

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\x7941102.exe

Filesize
403KB

MD5
fe51894671f3158b4b6ae2340019153d

SHA1
57fcd217863dff7d20476d16423cfa9e903c2d89

SHA256
a07eec9b6e6c62cc6114c74ef44e4ea825b0d673d52433f0348fffa8e5456754

SHA512
33714b1bafcdb173c69faeefeb3e328ca16477da96fdda4b0c3714b09fb8509bb07548c87418455c126651d8f64545b0f98d9ceff4d79e6cf5c069256182fd5e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\x7941102.exe

Filesize
403KB

MD5
fe51894671f3158b4b6ae2340019153d

SHA1
57fcd217863dff7d20476d16423cfa9e903c2d89

SHA256
a07eec9b6e6c62cc6114c74ef44e4ea825b0d673d52433f0348fffa8e5456754

SHA512
33714b1bafcdb173c69faeefeb3e328ca16477da96fdda4b0c3714b09fb8509bb07548c87418455c126651d8f64545b0f98d9ceff4d79e6cf5c069256182fd5e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\g7788597.exe

Filesize
378KB

MD5
e2610018194265cf1b14e537f0ff70d5

SHA1
a5b558d0e511c48ae968216d111fc74ba22b2b37

SHA256
94f32b6c819663247619ada1608db85219617a9c859a63356474198289ee2b6d

SHA512
dc9964a9cd729e8506698664a2260d39ce85463e1e57aca843c55ffd74b816e5e3605b77e32ff5a0e533adfe157323d4849f3eb7f825b65fda2b95e004725bd4

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\g7788597.exe

Filesize
378KB

MD5
e2610018194265cf1b14e537f0ff70d5

SHA1
a5b558d0e511c48ae968216d111fc74ba22b2b37

SHA256
94f32b6c819663247619ada1608db85219617a9c859a63356474198289ee2b6d

SHA512
dc9964a9cd729e8506698664a2260d39ce85463e1e57aca843c55ffd74b816e5e3605b77e32ff5a0e533adfe157323d4849f3eb7f825b65fda2b95e004725bd4

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\h8639604.exe

Filesize
174KB

MD5
69eed1a4cf1620166a630ca76e7aa413

SHA1
6ee4a651feba691c41607f81db58f4f11788dcf1

SHA256
a11dd4025a00dc2848ee683dae526a28fa08f3ec67b85cac47dab282da81b37d

SHA512
fc35d12625292373a73ae73d63ced14ce696afcfb9d865987ab6e97cbe6af4cd7e6fe28d7e16e1654f0e16ee3c71769b03ba4fb460e0d9e58d622b3a134b423e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\h8639604.exe

Filesize
174KB

MD5
69eed1a4cf1620166a630ca76e7aa413

SHA1
6ee4a651feba691c41607f81db58f4f11788dcf1

SHA256
a11dd4025a00dc2848ee683dae526a28fa08f3ec67b85cac47dab282da81b37d

SHA512
fc35d12625292373a73ae73d63ced14ce696afcfb9d865987ab6e97cbe6af4cd7e6fe28d7e16e1654f0e16ee3c71769b03ba4fb460e0d9e58d622b3a134b423e

Download Submit
memory/796-29-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/796-30-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/796-32-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/796-28-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4848-39-0x000000000AA40000-0x000000000B058000-memory.dmp

Filesize
6.1MB

Download
memory/4848-37-0x00000000743C0000-0x0000000074B70000-memory.dmp

Filesize
7.7MB

Download
memory/4848-38-0x0000000005030000-0x0000000005036000-memory.dmp

Filesize
24KB

Download
memory/4848-36-0x0000000000610000-0x0000000000640000-memory.dmp

Filesize
192KB

Download
memory/4848-40-0x000000000A5C0000-0x000000000A6CA000-memory.dmp

Filesize
1.0MB

Download
memory/4848-41-0x0000000005080000-0x0000000005090000-memory.dmp

Filesize
64KB

Download
memory/4848-42-0x000000000A500000-0x000000000A512000-memory.dmp

Filesize
72KB

Download
memory/4848-43-0x000000000A560000-0x000000000A59C000-memory.dmp

Filesize
240KB

Download
memory/4848-44-0x000000000A6D0000-0x000000000A71C000-memory.dmp

Filesize
304KB

Download
memory/4848-45-0x00000000743C0000-0x0000000074B70000-memory.dmp

Filesize
7.7MB

Download
memory/4848-46-0x0000000005080000-0x0000000005090000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads