redline | 1634b65f8e3942bbb06b6c0c3685e42d6cb0f8681f9cf1fba21b78277e3b20ba

Analysis

max time kernel
144s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
30/09/2023, 04:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1634b65f8e3942bbb06b6c0c3685e42d6cb0f8681f9cf1fba21b78277e3b20ba.exe
Size

929KB
MD5

76b3a40fd758959fec86fd5a4c865b50
SHA1

f4f223739a155d32e88b6289a2a6c501e066340a
SHA256

1634b65f8e3942bbb06b6c0c3685e42d6cb0f8681f9cf1fba21b78277e3b20ba
SHA512

3eddf821e0acc072caf7db042db5875081240c2ec3cf520d062ecb2568736d0cbd54c7b93d1cda9f3bba13778e2982f6086e0839a7b3934bc8e8403de85aafcc
SSDEEP

12288:pMrey90iklQJ7PNUZ+wAeUhY2Tsy0VOcxQc41lfeQ83DE1nYeA7s6BrWRYso2VHp:byZkGJG+HluvxQDeQ5us6p5+IE6nEjV

Score

10^/10

redline luska infostealer persistence

Malware Config

Extracted

Family

redline

Botnet

luska

77.91.124.55:19071

Attributes

auth_value
a6797888f51a88afbfd8854a79ac9357

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Executes dropped EXE 5 IoCs

pid	Process
1096	x2432706.exe
3268	x9173000.exe
5088	x7771566.exe
3564	g1649024.exe
496	h6930288.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	x2432706.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	x9173000.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	x7771566.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	1634b65f8e3942bbb06b6c0c3685e42d6cb0f8681f9cf1fba21b78277e3b20ba.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 3564 set thread context of 2828	3564	g1649024.exe	93

Program crash 2 IoCs

pid	pid_target	Process	procid_target
1976	3564	WerFault.exe	90
4516	2828	WerFault.exe	93

Suspicious use of WriteProcessMemory 25 IoCs

description	pid	Process	procid_target
PID 3492 wrote to memory of 1096	3492	1634b65f8e3942bbb06b6c0c3685e42d6cb0f8681f9cf1fba21b78277e3b20ba.exe	86
PID 3492 wrote to memory of 1096	3492	1634b65f8e3942bbb06b6c0c3685e42d6cb0f8681f9cf1fba21b78277e3b20ba.exe	86
PID 3492 wrote to memory of 1096	3492	1634b65f8e3942bbb06b6c0c3685e42d6cb0f8681f9cf1fba21b78277e3b20ba.exe	86
PID 1096 wrote to memory of 3268	1096	x2432706.exe	87
PID 1096 wrote to memory of 3268	1096	x2432706.exe	87
PID 1096 wrote to memory of 3268	1096	x2432706.exe	87
PID 3268 wrote to memory of 5088	3268	x9173000.exe	89
PID 3268 wrote to memory of 5088	3268	x9173000.exe	89
PID 3268 wrote to memory of 5088	3268	x9173000.exe	89
PID 5088 wrote to memory of 3564	5088	x7771566.exe	90
PID 5088 wrote to memory of 3564	5088	x7771566.exe	90
PID 5088 wrote to memory of 3564	5088	x7771566.exe	90
PID 3564 wrote to memory of 2828	3564	g1649024.exe	93
PID 3564 wrote to memory of 2828	3564	g1649024.exe	93
PID 3564 wrote to memory of 2828	3564	g1649024.exe	93
PID 3564 wrote to memory of 2828	3564	g1649024.exe	93
PID 3564 wrote to memory of 2828	3564	g1649024.exe	93
PID 3564 wrote to memory of 2828	3564	g1649024.exe	93
PID 3564 wrote to memory of 2828	3564	g1649024.exe	93
PID 3564 wrote to memory of 2828	3564	g1649024.exe	93
PID 3564 wrote to memory of 2828	3564	g1649024.exe	93
PID 3564 wrote to memory of 2828	3564	g1649024.exe	93
PID 5088 wrote to memory of 496	5088	x7771566.exe	98
PID 5088 wrote to memory of 496	5088	x7771566.exe	98
PID 5088 wrote to memory of 496	5088	x7771566.exe	98

C:\Users\Admin\AppData\Local\Temp\1634b65f8e3942bbb06b6c0c3685e42d6cb0f8681f9cf1fba21b78277e3b20ba.exe
"C:\Users\Admin\AppData\Local\Temp\1634b65f8e3942bbb06b6c0c3685e42d6cb0f8681f9cf1fba21b78277e3b20ba.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3492
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x2432706.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x2432706.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:1096
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x9173000.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x9173000.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:3268
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\x7771566.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\x7771566.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:5088
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\g1649024.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\g1649024.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:3564
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        6⤵
        
        PID:2828
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2828 -s 540
        7⤵
        Program crash
        
        PID:4516
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3564 -s 580
        6⤵
        Program crash
        
        PID:1976
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\h6930288.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\h6930288.exe
        5⤵
        Executes dropped EXE
        
        PID:496

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 2828 -ip 2828
1⤵
PID:1464

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 3564 -ip 3564
1⤵
PID:1196

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x2432706.exe

Filesize
827KB

MD5
a3c742568d8c3404de042ec93a9fde96

SHA1
6cc79755d951e1bb9e16ec1447b95b88c1dca6df

SHA256
a7d00b0b1357cdc2436c52db41056190ff3fba9e5833c2bfe4e00ff79fa19ed0

SHA512
05255d3f453acc8e277c515639a2caa39b6e23bed39f7a74b8132fc683a3c5a4f03ae81d060aa4f1919e3c36cffd967c46231ef011730d04dfcf535ee75264c6

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x2432706.exe

Filesize
827KB

MD5
a3c742568d8c3404de042ec93a9fde96

SHA1
6cc79755d951e1bb9e16ec1447b95b88c1dca6df

SHA256
a7d00b0b1357cdc2436c52db41056190ff3fba9e5833c2bfe4e00ff79fa19ed0

SHA512
05255d3f453acc8e277c515639a2caa39b6e23bed39f7a74b8132fc683a3c5a4f03ae81d060aa4f1919e3c36cffd967c46231ef011730d04dfcf535ee75264c6

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x9173000.exe

Filesize
555KB

MD5
25608f3d2df8f9942ffc22c4934c33c8

SHA1
6ec3088502d2a790075a67dc44e994349595d919

SHA256
7c9553a8bbeee64e0fd4212b02ce74b19fa32db2a4d6af9f102fe29a05f8b58f

SHA512
c5d5b09a8628c6ef1b11250b2a5ca8e1af1df6624a5a27a188d83afc824fa1a0f5bcd6fadbfb121d1a03c0eb48b1d10ae219d615064036df83d592e356a300c9

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x9173000.exe

Filesize
555KB

MD5
25608f3d2df8f9942ffc22c4934c33c8

SHA1
6ec3088502d2a790075a67dc44e994349595d919

SHA256
7c9553a8bbeee64e0fd4212b02ce74b19fa32db2a4d6af9f102fe29a05f8b58f

SHA512
c5d5b09a8628c6ef1b11250b2a5ca8e1af1df6624a5a27a188d83afc824fa1a0f5bcd6fadbfb121d1a03c0eb48b1d10ae219d615064036df83d592e356a300c9

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\x7771566.exe

Filesize
390KB

MD5
39aee690e64063c13009a8fd09334a01

SHA1
f96fecc48400217691851e9901f42f6fad18bd86

SHA256
b90bb13f3e439d6ac567654eae06f10a262ebaf022acf7cba312959e99dca1c8

SHA512
81d11cf7407e5a86a3c1ac34421d50be7bb30add4e78baac2dbdedaf98d20a14f77a270822e571b500783e333778203c0501a11fd3e33a877cfbf54549237c9b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\x7771566.exe

Filesize
390KB

MD5
39aee690e64063c13009a8fd09334a01

SHA1
f96fecc48400217691851e9901f42f6fad18bd86

SHA256
b90bb13f3e439d6ac567654eae06f10a262ebaf022acf7cba312959e99dca1c8

SHA512
81d11cf7407e5a86a3c1ac34421d50be7bb30add4e78baac2dbdedaf98d20a14f77a270822e571b500783e333778203c0501a11fd3e33a877cfbf54549237c9b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\g1649024.exe

Filesize
356KB

MD5
9de172cd2577e406add93bd4196f64b6

SHA1
f0e63406571b25177d94df7e8c8337b96550b7ec

SHA256
7c75a7717cf0b7accee9198e4c0f7f760a2888bcd1ca9436ccbde261ea6e31ca

SHA512
61a3953b4c54700512f8eb8ab8486d6da666167c887f7dd1298f96e72ec5f53b402645d117c038c0eec39d3436f4e495425884bb89488e8dec284a120e06d767

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\g1649024.exe

Filesize
356KB

MD5
9de172cd2577e406add93bd4196f64b6

SHA1
f0e63406571b25177d94df7e8c8337b96550b7ec

SHA256
7c75a7717cf0b7accee9198e4c0f7f760a2888bcd1ca9436ccbde261ea6e31ca

SHA512
61a3953b4c54700512f8eb8ab8486d6da666167c887f7dd1298f96e72ec5f53b402645d117c038c0eec39d3436f4e495425884bb89488e8dec284a120e06d767

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\h6930288.exe

Filesize
174KB

MD5
c89ef065963cffacf8ded780fbd15a2b

SHA1
330d41785cd02c8cf90cdff50d4b39976518f231

SHA256
1805f3bb4986c2b17b7b9d84b59c763844098731236e6c80a8f2f91dafa66b80

SHA512
76af5da09a8ac3235302ecf20620bb32875bfb978e3203e22dd9613701a167d3c6803e51d55af6fed90cc7644e388619511b249f410d9dc66162612fcf4f3a73

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\h6930288.exe

Filesize
174KB

MD5
c89ef065963cffacf8ded780fbd15a2b

SHA1
330d41785cd02c8cf90cdff50d4b39976518f231

SHA256
1805f3bb4986c2b17b7b9d84b59c763844098731236e6c80a8f2f91dafa66b80

SHA512
76af5da09a8ac3235302ecf20620bb32875bfb978e3203e22dd9613701a167d3c6803e51d55af6fed90cc7644e388619511b249f410d9dc66162612fcf4f3a73

Download Submit
memory/496-39-0x000000000AEC0000-0x000000000B4D8000-memory.dmp

Filesize
6.1MB

Download
memory/496-42-0x000000000A950000-0x000000000A962000-memory.dmp

Filesize
72KB

Download
memory/496-46-0x0000000005410000-0x0000000005420000-memory.dmp

Filesize
64KB

Download
memory/496-45-0x0000000073E20000-0x00000000745D0000-memory.dmp

Filesize
7.7MB

Download
memory/496-36-0x0000000073E20000-0x00000000745D0000-memory.dmp

Filesize
7.7MB

Download
memory/496-37-0x0000000000BA0000-0x0000000000BD0000-memory.dmp

Filesize
192KB

Download
memory/496-44-0x000000000AB20000-0x000000000AB6C000-memory.dmp

Filesize
304KB

Download
memory/496-40-0x000000000AA10000-0x000000000AB1A000-memory.dmp

Filesize
1.0MB

Download
memory/496-38-0x0000000002E50000-0x0000000002E56000-memory.dmp

Filesize
24KB

Download
memory/496-41-0x0000000005410000-0x0000000005420000-memory.dmp

Filesize
64KB

Download
memory/496-43-0x000000000A9B0000-0x000000000A9EC000-memory.dmp

Filesize
240KB

Download
memory/2828-29-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/2828-32-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/2828-30-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/2828-28-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads