redline | d8682ab6d31732d201e8314106c3ee1fbb0ce61c300bd0f9bfb9ac08a2c2b284

Analysis

max time kernel
145s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
30/09/2023, 12:27

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

d8682ab6d31732d201e8314106c3ee1fbb0ce61c300bd0f9bfb9ac08a2c2b284.exe
Size

842KB
MD5

a07c28bde965f11b2878133c4bbb7c80
SHA1

cfc37932426514f48bdff5e2570fb67dcfd43468
SHA256

d8682ab6d31732d201e8314106c3ee1fbb0ce61c300bd0f9bfb9ac08a2c2b284
SHA512

4afbb9f9c6f3294f9d8cd6df8765b8e74b5ffbf2557f32102c5d28b21af454c9fc733e7385916bce5ff57ba6c2f24ddac2495f4d9e935f79bba459c62ee0c862
SSDEEP

12288:sMrYy90e2pQeztu003DgcsYdq7OtCFa+wmFRTUmqWyfOUi4M6jX5Hrm/:0yz2pTE0031s+t6hTbiJFj5rK

Score

10^/10

redline luska infostealer persistence

Malware Config

Extracted

Family

redline

Botnet

luska

77.91.124.55:19071

Attributes

auth_value
a6797888f51a88afbfd8854a79ac9357

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Executes dropped EXE 5 IoCs

pid	Process
4332	x2426292.exe
3840	x7708006.exe
1708	x3960767.exe
5080	g4888851.exe
4748	h1794779.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	d8682ab6d31732d201e8314106c3ee1fbb0ce61c300bd0f9bfb9ac08a2c2b284.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	x2426292.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	x7708006.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	x3960767.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 5080 set thread context of 3508	5080	g4888851.exe	94

Program crash 2 IoCs

pid	pid_target	Process	procid_target
2784	3508	WerFault.exe	94
4160	5080	WerFault.exe	92

Suspicious use of WriteProcessMemory 25 IoCs

description	pid	Process	procid_target
PID 2988 wrote to memory of 4332	2988	d8682ab6d31732d201e8314106c3ee1fbb0ce61c300bd0f9bfb9ac08a2c2b284.exe	88
PID 2988 wrote to memory of 4332	2988	d8682ab6d31732d201e8314106c3ee1fbb0ce61c300bd0f9bfb9ac08a2c2b284.exe	88
PID 2988 wrote to memory of 4332	2988	d8682ab6d31732d201e8314106c3ee1fbb0ce61c300bd0f9bfb9ac08a2c2b284.exe	88
PID 4332 wrote to memory of 3840	4332	x2426292.exe	89
PID 4332 wrote to memory of 3840	4332	x2426292.exe	89
PID 4332 wrote to memory of 3840	4332	x2426292.exe	89
PID 3840 wrote to memory of 1708	3840	x7708006.exe	91
PID 3840 wrote to memory of 1708	3840	x7708006.exe	91
PID 3840 wrote to memory of 1708	3840	x7708006.exe	91
PID 1708 wrote to memory of 5080	1708	x3960767.exe	92
PID 1708 wrote to memory of 5080	1708	x3960767.exe	92
PID 1708 wrote to memory of 5080	1708	x3960767.exe	92
PID 5080 wrote to memory of 3508	5080	g4888851.exe	94
PID 5080 wrote to memory of 3508	5080	g4888851.exe	94
PID 5080 wrote to memory of 3508	5080	g4888851.exe	94
PID 5080 wrote to memory of 3508	5080	g4888851.exe	94
PID 5080 wrote to memory of 3508	5080	g4888851.exe	94
PID 5080 wrote to memory of 3508	5080	g4888851.exe	94
PID 5080 wrote to memory of 3508	5080	g4888851.exe	94
PID 5080 wrote to memory of 3508	5080	g4888851.exe	94
PID 5080 wrote to memory of 3508	5080	g4888851.exe	94
PID 5080 wrote to memory of 3508	5080	g4888851.exe	94
PID 1708 wrote to memory of 4748	1708	x3960767.exe	100
PID 1708 wrote to memory of 4748	1708	x3960767.exe	100
PID 1708 wrote to memory of 4748	1708	x3960767.exe	100

C:\Users\Admin\AppData\Local\Temp\d8682ab6d31732d201e8314106c3ee1fbb0ce61c300bd0f9bfb9ac08a2c2b284.exe
"C:\Users\Admin\AppData\Local\Temp\d8682ab6d31732d201e8314106c3ee1fbb0ce61c300bd0f9bfb9ac08a2c2b284.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2988
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x2426292.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x2426292.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:4332
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x7708006.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x7708006.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:3840
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\x3960767.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\x3960767.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:1708
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\g4888851.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\g4888851.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:5080
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        6⤵
        
        PID:3508
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3508 -s 196
        7⤵
        Program crash
        
        PID:2784
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5080 -s 152
        6⤵
        Program crash
        
        PID:4160
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\h1794779.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\h1794779.exe
        5⤵
        Executes dropped EXE
        
        PID:4748

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 3508 -ip 3508
1⤵
PID:4348

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 5080 -ip 5080
1⤵
PID:3148

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x2426292.exe

Filesize
747KB

MD5
ca42c052d5b62daf640d7f58ffa8012b

SHA1
7910389205ac156517b101929946487f9e06e137

SHA256
9644983cb74a03a2aa59287cf392602441351867f8337549ddb22aa7bc0d04de

SHA512
c7654a3a3beeb9ebb11dc24d2d0aa6785375406f0959542c17806f4d6bfac445c58529220dde131aaf50da63da769c1123ae192034b5294524340dfddcde98cd

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x2426292.exe

Filesize
747KB

MD5
ca42c052d5b62daf640d7f58ffa8012b

SHA1
7910389205ac156517b101929946487f9e06e137

SHA256
9644983cb74a03a2aa59287cf392602441351867f8337549ddb22aa7bc0d04de

SHA512
c7654a3a3beeb9ebb11dc24d2d0aa6785375406f0959542c17806f4d6bfac445c58529220dde131aaf50da63da769c1123ae192034b5294524340dfddcde98cd

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x7708006.exe

Filesize
516KB

MD5
2c92ab862f5c2f268ba0b65dbc39833a

SHA1
9d0b1a12706a6d88d2027e04e71c0af00138f2bb

SHA256
cbb32a5ed4ba58bba0fd6339a32ecfd7e9445a6a03290aade0aea334fa398c50

SHA512
9f703eb1f07f13fc34f2fbd30e34bb2fb3450bbc098794638ffae2a3b5b66c1d167899ea4c50c5f8ffc6ad9dd64ca25b583bf50129d7fb6b4a1e6a5fa9a323fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x7708006.exe

Filesize
516KB

MD5
2c92ab862f5c2f268ba0b65dbc39833a

SHA1
9d0b1a12706a6d88d2027e04e71c0af00138f2bb

SHA256
cbb32a5ed4ba58bba0fd6339a32ecfd7e9445a6a03290aade0aea334fa398c50

SHA512
9f703eb1f07f13fc34f2fbd30e34bb2fb3450bbc098794638ffae2a3b5b66c1d167899ea4c50c5f8ffc6ad9dd64ca25b583bf50129d7fb6b4a1e6a5fa9a323fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\x3960767.exe

Filesize
350KB

MD5
95f8d18f7ada4b285644598fe6ad8015

SHA1
a3bb6834b1f6af280f2cbff74aaa59f1d846ac89

SHA256
14c667b102e8a2607aa49f65b626ce1e4b47d3c1eee7aa338c33d346848460fc

SHA512
7c2afdad28cf94d44071e5a7cf669bf8a3fd2366d5c875b0bfc2a36cb78dfda96bb47e7a0180d961e7b830b1c8382e8dd9d7e84b719845b375ba70abdf3af0de

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\x3960767.exe

Filesize
350KB

MD5
95f8d18f7ada4b285644598fe6ad8015

SHA1
a3bb6834b1f6af280f2cbff74aaa59f1d846ac89

SHA256
14c667b102e8a2607aa49f65b626ce1e4b47d3c1eee7aa338c33d346848460fc

SHA512
7c2afdad28cf94d44071e5a7cf669bf8a3fd2366d5c875b0bfc2a36cb78dfda96bb47e7a0180d961e7b830b1c8382e8dd9d7e84b719845b375ba70abdf3af0de

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\g4888851.exe

Filesize
276KB

MD5
10e8671ffe86e59b2fe0b2df12a5e440

SHA1
b3fa7f7dfb6200e4c85897f7bafd7332feb3ecd8

SHA256
2cfe41188ed39d1c3638a7c28234ce554d3454a2148883d5dae4f2c2cd7bf620

SHA512
689c0721e02d1e86e05222ca5cd7bf20d33b8669ffbb7bd45784f9e88f2211ed61fcff8809cfa236c5974372c6f35d436b5fb57c9cb7e37a8bc9ec7dead7a3a7

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\g4888851.exe

Filesize
276KB

MD5
10e8671ffe86e59b2fe0b2df12a5e440

SHA1
b3fa7f7dfb6200e4c85897f7bafd7332feb3ecd8

SHA256
2cfe41188ed39d1c3638a7c28234ce554d3454a2148883d5dae4f2c2cd7bf620

SHA512
689c0721e02d1e86e05222ca5cd7bf20d33b8669ffbb7bd45784f9e88f2211ed61fcff8809cfa236c5974372c6f35d436b5fb57c9cb7e37a8bc9ec7dead7a3a7

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\h1794779.exe

Filesize
174KB

MD5
ee9daf06e494a000acf8c1a0af54e859

SHA1
221a848d92cdf4efd125c422dc0a3d1dbe822561

SHA256
0375d30432cf2075ed6c0fe3d7e244f3a08bcf76e6c13bf195f357db6ca41435

SHA512
1371e464da588620b8c59a2fe7d1f0f0444794d9248340d1703583d565d76eec80f2cd6d660bceec78421f494b2cf7a58692b344dcbc02adc465c2f8289b20de

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\h1794779.exe

Filesize
174KB

MD5
ee9daf06e494a000acf8c1a0af54e859

SHA1
221a848d92cdf4efd125c422dc0a3d1dbe822561

SHA256
0375d30432cf2075ed6c0fe3d7e244f3a08bcf76e6c13bf195f357db6ca41435

SHA512
1371e464da588620b8c59a2fe7d1f0f0444794d9248340d1703583d565d76eec80f2cd6d660bceec78421f494b2cf7a58692b344dcbc02adc465c2f8289b20de

Download Submit
memory/3508-29-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/3508-30-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/3508-32-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/3508-28-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/4748-39-0x000000000AC30000-0x000000000B248000-memory.dmp

Filesize
6.1MB

Download
memory/4748-37-0x00000000008D0000-0x0000000000900000-memory.dmp

Filesize
192KB

Download
memory/4748-38-0x0000000002BA0000-0x0000000002BA6000-memory.dmp

Filesize
24KB

Download
memory/4748-36-0x0000000074130000-0x00000000748E0000-memory.dmp

Filesize
7.7MB

Download
memory/4748-40-0x000000000A740000-0x000000000A84A000-memory.dmp

Filesize
1.0MB

Download
memory/4748-41-0x0000000005280000-0x0000000005290000-memory.dmp

Filesize
64KB

Download
memory/4748-42-0x000000000A680000-0x000000000A692000-memory.dmp

Filesize
72KB

Download
memory/4748-43-0x000000000A6E0000-0x000000000A71C000-memory.dmp

Filesize
240KB

Download
memory/4748-44-0x000000000A850000-0x000000000A89C000-memory.dmp

Filesize
304KB

Download
memory/4748-45-0x0000000074130000-0x00000000748E0000-memory.dmp

Filesize
7.7MB

Download
memory/4748-46-0x0000000005280000-0x0000000005290000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads