redline | dfe828d6dfab1d5e86b633e4abcda02c6d4e9c87b8cf1ab43c239308a4409198

Analysis

max time kernel
146s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
30/09/2023, 13:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

dfe828d6dfab1d5e86b633e4abcda02c6d4e9c87b8cf1ab43c239308a4409198.exe
Size

847KB
MD5

503da9d1629d30c10c5efc25d4328193
SHA1

b94d04f6e6c96d12e7c7695be7ebfb9a1f46f701
SHA256

dfe828d6dfab1d5e86b633e4abcda02c6d4e9c87b8cf1ab43c239308a4409198
SHA512

a28d03ba2911b1b1654b6f06f90b151aa1929286f0c1f6afcfde813b4a178b28be8845080d717870601c85d0730e66adb9b336a12ce67e98e959779489a65b41
SSDEEP

12288:pMr8y90/fEu/uE0IZj5UBup4rHSso2v2R4Dsg0Zra//ZiPWPMi0LsIOIxkYcB8Bf:xyqTuXuRgPwryZ3PTOxkDeQhcP

Score

10^/10

redline luska infostealer persistence

Malware Config

Extracted

Family

redline

Botnet

luska

77.91.124.55:19071

Attributes

auth_value
a6797888f51a88afbfd8854a79ac9357

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Executes dropped EXE 5 IoCs

pid	Process
4436	x2621072.exe
2888	x4044038.exe
4896	x2677167.exe
3872	g0180867.exe
4336	h2497844.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	dfe828d6dfab1d5e86b633e4abcda02c6d4e9c87b8cf1ab43c239308a4409198.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	x2621072.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	x4044038.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	x2677167.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 3872 set thread context of 1980	3872	g0180867.exe	92

Program crash 2 IoCs

pid	pid_target	Process	procid_target
1624	3872	WerFault.exe	89
3672	1980	WerFault.exe	92

Suspicious use of WriteProcessMemory 28 IoCs

description	pid	Process	procid_target
PID 1556 wrote to memory of 4436	1556	dfe828d6dfab1d5e86b633e4abcda02c6d4e9c87b8cf1ab43c239308a4409198.exe	86
PID 1556 wrote to memory of 4436	1556	dfe828d6dfab1d5e86b633e4abcda02c6d4e9c87b8cf1ab43c239308a4409198.exe	86
PID 1556 wrote to memory of 4436	1556	dfe828d6dfab1d5e86b633e4abcda02c6d4e9c87b8cf1ab43c239308a4409198.exe	86
PID 4436 wrote to memory of 2888	4436	x2621072.exe	87
PID 4436 wrote to memory of 2888	4436	x2621072.exe	87
PID 4436 wrote to memory of 2888	4436	x2621072.exe	87
PID 2888 wrote to memory of 4896	2888	x4044038.exe	88
PID 2888 wrote to memory of 4896	2888	x4044038.exe	88
PID 2888 wrote to memory of 4896	2888	x4044038.exe	88
PID 4896 wrote to memory of 3872	4896	x2677167.exe	89
PID 4896 wrote to memory of 3872	4896	x2677167.exe	89
PID 4896 wrote to memory of 3872	4896	x2677167.exe	89
PID 3872 wrote to memory of 656	3872	g0180867.exe	91
PID 3872 wrote to memory of 656	3872	g0180867.exe	91
PID 3872 wrote to memory of 656	3872	g0180867.exe	91
PID 3872 wrote to memory of 1980	3872	g0180867.exe	92
PID 3872 wrote to memory of 1980	3872	g0180867.exe	92
PID 3872 wrote to memory of 1980	3872	g0180867.exe	92
PID 3872 wrote to memory of 1980	3872	g0180867.exe	92
PID 3872 wrote to memory of 1980	3872	g0180867.exe	92
PID 3872 wrote to memory of 1980	3872	g0180867.exe	92
PID 3872 wrote to memory of 1980	3872	g0180867.exe	92
PID 3872 wrote to memory of 1980	3872	g0180867.exe	92
PID 3872 wrote to memory of 1980	3872	g0180867.exe	92
PID 3872 wrote to memory of 1980	3872	g0180867.exe	92
PID 4896 wrote to memory of 4336	4896	x2677167.exe	99
PID 4896 wrote to memory of 4336	4896	x2677167.exe	99
PID 4896 wrote to memory of 4336	4896	x2677167.exe	99

C:\Users\Admin\AppData\Local\Temp\dfe828d6dfab1d5e86b633e4abcda02c6d4e9c87b8cf1ab43c239308a4409198.exe
"C:\Users\Admin\AppData\Local\Temp\dfe828d6dfab1d5e86b633e4abcda02c6d4e9c87b8cf1ab43c239308a4409198.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1556
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x2621072.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x2621072.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:4436
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x4044038.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x4044038.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:2888
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\x2677167.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\x2677167.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:4896
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\g0180867.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\g0180867.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:3872
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        6⤵
        
        PID:656
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        6⤵
        
        PID:1980
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1980 -s 540
        7⤵
        Program crash
        
        PID:3672
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3872 -s 152
        6⤵
        Program crash
        
        PID:1624
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\h2497844.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\h2497844.exe
        5⤵
        Executes dropped EXE
        
        PID:4336

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 1980 -ip 1980
1⤵
PID:4728

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 3872 -ip 3872
1⤵
PID:3712

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x2621072.exe

Filesize
746KB

MD5
e6aa844cf09c3bf56d86c306e40e823b

SHA1
826af94b58ec64701f204b3b1cdb97a8959e0d7c

SHA256
97a9877a0127b0180247622600435a7a4ae70d791c96c69b7cf4ad5b5060a7a4

SHA512
d7fa6903710cddc8c98ac53f96a7860df68d46ee1d7cb9371213f3c278485c763389e7de3e728b47ec9fb0495b4702c432738422f7617836c18316eabc8f7809

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x2621072.exe

Filesize
746KB

MD5
e6aa844cf09c3bf56d86c306e40e823b

SHA1
826af94b58ec64701f204b3b1cdb97a8959e0d7c

SHA256
97a9877a0127b0180247622600435a7a4ae70d791c96c69b7cf4ad5b5060a7a4

SHA512
d7fa6903710cddc8c98ac53f96a7860df68d46ee1d7cb9371213f3c278485c763389e7de3e728b47ec9fb0495b4702c432738422f7617836c18316eabc8f7809

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x4044038.exe

Filesize
515KB

MD5
0df8fda4448c00fb24ce2955c8aec876

SHA1
2665e9df5835c7a16fa827587f10ca034843aba3

SHA256
839a7b15fe955a2cfdaf5b87d1d5f4e190f543385efbb9085f34b440f95be4eb

SHA512
4e22e04ae53c160374c81e29f895b3f385c60f83b444b446c09ae4a1099e074f114639e1be18a0f04c873daa5cb8754f7cc5792ef0c424f3dc0b9ae807254e88

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x4044038.exe

Filesize
515KB

MD5
0df8fda4448c00fb24ce2955c8aec876

SHA1
2665e9df5835c7a16fa827587f10ca034843aba3

SHA256
839a7b15fe955a2cfdaf5b87d1d5f4e190f543385efbb9085f34b440f95be4eb

SHA512
4e22e04ae53c160374c81e29f895b3f385c60f83b444b446c09ae4a1099e074f114639e1be18a0f04c873daa5cb8754f7cc5792ef0c424f3dc0b9ae807254e88

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\x2677167.exe

Filesize
350KB

MD5
fbf8bb7321b2f55917e23d6f877ac37b

SHA1
aac6bcac8e7e2b463bb2d4572c9a73555c1ac352

SHA256
dcc5d4564359cbaf811f138d88441b2119afbc769b29205cf3a0105381472d1a

SHA512
ffb404bbd185bed42beee493d1930de50ce7f092e088f7e3839986df7665a96c498fffb93c729f9196a3bfb0626e3c38748ab46e67c129c6fc8a831111938e88

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\x2677167.exe

Filesize
350KB

MD5
fbf8bb7321b2f55917e23d6f877ac37b

SHA1
aac6bcac8e7e2b463bb2d4572c9a73555c1ac352

SHA256
dcc5d4564359cbaf811f138d88441b2119afbc769b29205cf3a0105381472d1a

SHA512
ffb404bbd185bed42beee493d1930de50ce7f092e088f7e3839986df7665a96c498fffb93c729f9196a3bfb0626e3c38748ab46e67c129c6fc8a831111938e88

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\g0180867.exe

Filesize
276KB

MD5
38bb3a1acba1def231c3cc73aba206c7

SHA1
cec65375e00013034d3be98a17539d52a4df61ef

SHA256
4f6f70f7f4f89a4d606c1407ad3067998114f0b3f93a0b8e1434ee3dac243876

SHA512
737b6ddfcef88abc552ab1e1851ff90f4a737ace1a76594fef80d115342229fe2068f9319f4e092909cd30be5d1f09d863df0f04c91aa4f1e5e1b9c85c1cd8aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\g0180867.exe

Filesize
276KB

MD5
38bb3a1acba1def231c3cc73aba206c7

SHA1
cec65375e00013034d3be98a17539d52a4df61ef

SHA256
4f6f70f7f4f89a4d606c1407ad3067998114f0b3f93a0b8e1434ee3dac243876

SHA512
737b6ddfcef88abc552ab1e1851ff90f4a737ace1a76594fef80d115342229fe2068f9319f4e092909cd30be5d1f09d863df0f04c91aa4f1e5e1b9c85c1cd8aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\h2497844.exe

Filesize
174KB

MD5
e7b9f83fa2fea6471e6bc5f62be60ab9

SHA1
a802cc6ec0477762e2bb108071268ed3be7c841c

SHA256
a1f0acd1161a2ae1b8a35339245fdfdebb2ee1b75b0a4d7c7dbd5028bc8ea0e5

SHA512
f0a71daca233608f0677c152146203ca82f87a25f696de9cd2b49f6a0ec6dc684a5c32c28f39ae1e002f85a8fdc4e84bbc7edb4c8b4f03017e7f3ee4e88f7c2b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\h2497844.exe

Filesize
174KB

MD5
e7b9f83fa2fea6471e6bc5f62be60ab9

SHA1
a802cc6ec0477762e2bb108071268ed3be7c841c

SHA256
a1f0acd1161a2ae1b8a35339245fdfdebb2ee1b75b0a4d7c7dbd5028bc8ea0e5

SHA512
f0a71daca233608f0677c152146203ca82f87a25f696de9cd2b49f6a0ec6dc684a5c32c28f39ae1e002f85a8fdc4e84bbc7edb4c8b4f03017e7f3ee4e88f7c2b

Download Submit
memory/1980-29-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/1980-30-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/1980-32-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/1980-28-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/4336-39-0x0000000005650000-0x0000000005C68000-memory.dmp

Filesize
6.1MB

Download
memory/4336-36-0x0000000073E40000-0x00000000745F0000-memory.dmp

Filesize
7.7MB

Download
memory/4336-38-0x0000000000D60000-0x0000000000D66000-memory.dmp

Filesize
24KB

Download
memory/4336-37-0x0000000000530000-0x0000000000560000-memory.dmp

Filesize
192KB

Download
memory/4336-40-0x0000000005140000-0x000000000524A000-memory.dmp

Filesize
1.0MB

Download
memory/4336-42-0x00000000029B0000-0x00000000029C2000-memory.dmp

Filesize
72KB

Download
memory/4336-41-0x0000000002970000-0x0000000002980000-memory.dmp

Filesize
64KB

Download
memory/4336-43-0x0000000005070000-0x00000000050AC000-memory.dmp

Filesize
240KB

Download
memory/4336-44-0x00000000050B0000-0x00000000050FC000-memory.dmp

Filesize
304KB

Download
memory/4336-45-0x0000000073E40000-0x00000000745F0000-memory.dmp

Filesize
7.7MB

Download
memory/4336-46-0x0000000002970000-0x0000000002980000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads