redline | 6c13e45c935dd022c1449da817abd1f066d7a0d530c601b8c7f22cf523d66737

Analysis

max time kernel
144s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
30/09/2023, 06:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6c13e45c935dd022c1449da817abd1f066d7a0d530c601b8c7f22cf523d66737.exe
Size

930KB
MD5

ee3695926729e19ef6e6904d529a1c9a
SHA1

f3f674492bccfbb72ffbd9d9ac4742ff63161600
SHA256

6c13e45c935dd022c1449da817abd1f066d7a0d530c601b8c7f22cf523d66737
SHA512

813741382b6c685ce7d247ce119d41f9b714f0e726116ba4e2490d0d1f6e117896f972dff49c82408e1130154e9aae0f7bc219373d7f4565873fffc1a482a8bf
SSDEEP

24576:bymtBhZP0cCwbOiChNTLJIRU9ioL0/GlcnrU7qJ:OM0cCw6iCbJIRIioL0/G6nrUW

Score

10^/10

redline luska infostealer persistence

Malware Config

Extracted

Family

redline

Botnet

luska

77.91.124.55:19071

Attributes

auth_value
a6797888f51a88afbfd8854a79ac9357

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Executes dropped EXE 5 IoCs

pid	Process
4136	x0558670.exe
3000	x8233305.exe
4232	x4072693.exe
2664	g7145862.exe
624	h7541517.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	6c13e45c935dd022c1449da817abd1f066d7a0d530c601b8c7f22cf523d66737.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	x0558670.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	x8233305.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	x4072693.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2664 set thread context of 3164	2664	g7145862.exe	95

Program crash 2 IoCs

pid	pid_target	Process	procid_target
4928	3164	WerFault.exe	95
3156	2664	WerFault.exe	92

Suspicious use of WriteProcessMemory 25 IoCs

description	pid	Process	procid_target
PID 4392 wrote to memory of 4136	4392	6c13e45c935dd022c1449da817abd1f066d7a0d530c601b8c7f22cf523d66737.exe	88
PID 4392 wrote to memory of 4136	4392	6c13e45c935dd022c1449da817abd1f066d7a0d530c601b8c7f22cf523d66737.exe	88
PID 4392 wrote to memory of 4136	4392	6c13e45c935dd022c1449da817abd1f066d7a0d530c601b8c7f22cf523d66737.exe	88
PID 4136 wrote to memory of 3000	4136	x0558670.exe	89
PID 4136 wrote to memory of 3000	4136	x0558670.exe	89
PID 4136 wrote to memory of 3000	4136	x0558670.exe	89
PID 3000 wrote to memory of 4232	3000	x8233305.exe	90
PID 3000 wrote to memory of 4232	3000	x8233305.exe	90
PID 3000 wrote to memory of 4232	3000	x8233305.exe	90
PID 4232 wrote to memory of 2664	4232	x4072693.exe	92
PID 4232 wrote to memory of 2664	4232	x4072693.exe	92
PID 4232 wrote to memory of 2664	4232	x4072693.exe	92
PID 2664 wrote to memory of 3164	2664	g7145862.exe	95
PID 2664 wrote to memory of 3164	2664	g7145862.exe	95
PID 2664 wrote to memory of 3164	2664	g7145862.exe	95
PID 2664 wrote to memory of 3164	2664	g7145862.exe	95
PID 2664 wrote to memory of 3164	2664	g7145862.exe	95
PID 2664 wrote to memory of 3164	2664	g7145862.exe	95
PID 2664 wrote to memory of 3164	2664	g7145862.exe	95
PID 2664 wrote to memory of 3164	2664	g7145862.exe	95
PID 2664 wrote to memory of 3164	2664	g7145862.exe	95
PID 2664 wrote to memory of 3164	2664	g7145862.exe	95
PID 4232 wrote to memory of 624	4232	x4072693.exe	100
PID 4232 wrote to memory of 624	4232	x4072693.exe	100
PID 4232 wrote to memory of 624	4232	x4072693.exe	100

C:\Users\Admin\AppData\Local\Temp\6c13e45c935dd022c1449da817abd1f066d7a0d530c601b8c7f22cf523d66737.exe
"C:\Users\Admin\AppData\Local\Temp\6c13e45c935dd022c1449da817abd1f066d7a0d530c601b8c7f22cf523d66737.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4392
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x0558670.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x0558670.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:4136
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x8233305.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x8233305.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:3000
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\x4072693.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\x4072693.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:4232
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\g7145862.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\g7145862.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:2664
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        6⤵
        
        PID:3164
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3164 -s 540
        7⤵
        Program crash
        
        PID:4928
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2664 -s 576
        6⤵
        Program crash
        
        PID:3156
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\h7541517.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\h7541517.exe
        5⤵
        Executes dropped EXE
        
        PID:624

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 2664 -ip 2664
1⤵
PID:1368

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 3164 -ip 3164
1⤵
PID:3068

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x0558670.exe

Filesize
828KB

MD5
87a4d1deef8bb18c9838cfb925b6dd3a

SHA1
20a33008163d64e53f78a4576c2696737b851d0e

SHA256
5fdb26c28a1ed973b7d536c4c966efda063d44377c7e518684908b30d3405fe5

SHA512
10d24d36787e0202e9fed3739ea3f4b987078b24ad4689aff8c902a2c8ae10dfb29d4002186e4522f536875c7cff25c0e5d475ab853a4e7ddafce3e120ab2ff1

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x0558670.exe

Filesize
828KB

MD5
87a4d1deef8bb18c9838cfb925b6dd3a

SHA1
20a33008163d64e53f78a4576c2696737b851d0e

SHA256
5fdb26c28a1ed973b7d536c4c966efda063d44377c7e518684908b30d3405fe5

SHA512
10d24d36787e0202e9fed3739ea3f4b987078b24ad4689aff8c902a2c8ae10dfb29d4002186e4522f536875c7cff25c0e5d475ab853a4e7ddafce3e120ab2ff1

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x8233305.exe

Filesize
556KB

MD5
44a176a7417e1a5d895c7facf5c14a74

SHA1
6eb6117abd20991eb997122bc74dc6d170e7634e

SHA256
ddab646f20ff580e3f72b27f59d3d43cd4eec9f31b71a23f90c27bd04ec15807

SHA512
d6469559b0370d4051f4186826680ba253000fff3febb3bd634a5501548cbbff72e80fb4181919fdf0ddb7ea8b4f143eb4392407798a89088d6acd9b94c3cc5c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x8233305.exe

Filesize
556KB

MD5
44a176a7417e1a5d895c7facf5c14a74

SHA1
6eb6117abd20991eb997122bc74dc6d170e7634e

SHA256
ddab646f20ff580e3f72b27f59d3d43cd4eec9f31b71a23f90c27bd04ec15807

SHA512
d6469559b0370d4051f4186826680ba253000fff3febb3bd634a5501548cbbff72e80fb4181919fdf0ddb7ea8b4f143eb4392407798a89088d6acd9b94c3cc5c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\x4072693.exe

Filesize
390KB

MD5
b1a8b28e04bb390c99a15ca32d48e5e7

SHA1
e418633803a2688a7bda607b41c34a9e4ccbfc1a

SHA256
461616b1495eb2edbe55061575192a0eec0e19ee344161be0c98f4fbfda5cbb8

SHA512
eee35f41939fa4ba11926a248bb1a53ba9028b0119c41a1dc99b678069e7893f6256b1b83fc4b581d44b2b2c824ae742ddd2c93ff48208c0076969de956e9a63

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\x4072693.exe

Filesize
390KB

MD5
b1a8b28e04bb390c99a15ca32d48e5e7

SHA1
e418633803a2688a7bda607b41c34a9e4ccbfc1a

SHA256
461616b1495eb2edbe55061575192a0eec0e19ee344161be0c98f4fbfda5cbb8

SHA512
eee35f41939fa4ba11926a248bb1a53ba9028b0119c41a1dc99b678069e7893f6256b1b83fc4b581d44b2b2c824ae742ddd2c93ff48208c0076969de956e9a63

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\g7145862.exe

Filesize
356KB

MD5
7c1a04b4df5174df3a250abf0249d5dc

SHA1
fc3a43ce506821877682e3f525aa6e884c1de6e5

SHA256
68c5bd556db42bbe0e68cc2f5d04167bf982764926a9a78f57405f46a422a995

SHA512
e8f9b46861de05d0d5e6742d61319d36bb185a172d391867a82e370374cd87eb996aff5bf5c4abc9bf98e4c0a6e2d10d4bd4f2583b25d2dd9295c2ae7be9dd50

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\g7145862.exe

Filesize
356KB

MD5
7c1a04b4df5174df3a250abf0249d5dc

SHA1
fc3a43ce506821877682e3f525aa6e884c1de6e5

SHA256
68c5bd556db42bbe0e68cc2f5d04167bf982764926a9a78f57405f46a422a995

SHA512
e8f9b46861de05d0d5e6742d61319d36bb185a172d391867a82e370374cd87eb996aff5bf5c4abc9bf98e4c0a6e2d10d4bd4f2583b25d2dd9295c2ae7be9dd50

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\h7541517.exe

Filesize
174KB

MD5
986fabb3575a877c9b7560d9969cd81c

SHA1
2472e69330b0e963155e26a4e46a28a54972752b

SHA256
ecce2609d70b146fb78497b21a5d1bd92fa433ccab1d834373e04219b20b413f

SHA512
575490b4eee7bb4b522f344b94770446ae15c69738bf70261505050add50e264ac79bc21a5451621c5bf77d3aaebfc4a070af0d026c784725e0d2a456070e456

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\h7541517.exe

Filesize
174KB

MD5
986fabb3575a877c9b7560d9969cd81c

SHA1
2472e69330b0e963155e26a4e46a28a54972752b

SHA256
ecce2609d70b146fb78497b21a5d1bd92fa433ccab1d834373e04219b20b413f

SHA512
575490b4eee7bb4b522f344b94770446ae15c69738bf70261505050add50e264ac79bc21a5451621c5bf77d3aaebfc4a070af0d026c784725e0d2a456070e456

Download Submit
memory/624-39-0x00000000059A0000-0x0000000005FB8000-memory.dmp

Filesize
6.1MB

Download
memory/624-42-0x00000000052E0000-0x00000000052F2000-memory.dmp

Filesize
72KB

Download
memory/624-46-0x0000000005370000-0x0000000005380000-memory.dmp

Filesize
64KB

Download
memory/624-45-0x0000000074300000-0x0000000074AB0000-memory.dmp

Filesize
7.7MB

Download
memory/624-36-0x0000000074300000-0x0000000074AB0000-memory.dmp

Filesize
7.7MB

Download
memory/624-37-0x0000000000820000-0x0000000000850000-memory.dmp

Filesize
192KB

Download
memory/624-44-0x00000000053C0000-0x000000000540C000-memory.dmp

Filesize
304KB

Download
memory/624-40-0x0000000005490000-0x000000000559A000-memory.dmp

Filesize
1.0MB

Download
memory/624-38-0x0000000002CF0000-0x0000000002CF6000-memory.dmp

Filesize
24KB

Download
memory/624-41-0x0000000005370000-0x0000000005380000-memory.dmp

Filesize
64KB

Download
memory/624-43-0x0000000005380000-0x00000000053BC000-memory.dmp

Filesize
240KB

Download
memory/3164-29-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/3164-32-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/3164-30-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/3164-28-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads