redline | 5bafd7d7720a0e948a75557cdd60abd616147ffbaea4b443030042591a7e38f3

Analysis

max time kernel
143s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
01/10/2023, 01:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5bafd7d7720a0e948a75557cdd60abd616147ffbaea4b443030042591a7e38f3.exe
Size

1.0MB
MD5

b31516afca0f89ba784fd65e9805fdf5
SHA1

5eb5b1160a709bba594571989e8242f9739b15d8
SHA256

5bafd7d7720a0e948a75557cdd60abd616147ffbaea4b443030042591a7e38f3
SHA512

07e329b3aabe1173ee3d4ad84df07688670fce1ae5fc01bdcd437c38ce75bc2963ba54590b0f7fb17ba81e34d0e725dea06fb74329a0282128174084f0b1b1ad
SSDEEP

24576:jyugDeNZB1qu5uXEeB9Zc+0EH0l0dqYz:2ugibB950Ew9ZcHmq

Score

10^/10

redline luska infostealer persistence

Malware Config

Extracted

Family

redline

Botnet

luska

77.91.124.55:19071

Attributes

auth_value
a6797888f51a88afbfd8854a79ac9357

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Executes dropped EXE 6 IoCs

pid	Process
3844	x2226894.exe
400	x7787344.exe
4348	x0969051.exe
4236	x5488794.exe
3236	g7693018.exe
4992	h9891264.exe

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\""	x5488794.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	5bafd7d7720a0e948a75557cdd60abd616147ffbaea4b443030042591a7e38f3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	x2226894.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	x7787344.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	x0969051.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 3236 set thread context of 4744	3236	g7693018.exe	94

Program crash 2 IoCs

pid	pid_target	Process	procid_target
4660	3236	WerFault.exe	91
4784	4744	WerFault.exe	94

Suspicious use of WriteProcessMemory 28 IoCs

description	pid	Process	procid_target
PID 5036 wrote to memory of 3844	5036	5bafd7d7720a0e948a75557cdd60abd616147ffbaea4b443030042591a7e38f3.exe	85
PID 5036 wrote to memory of 3844	5036	5bafd7d7720a0e948a75557cdd60abd616147ffbaea4b443030042591a7e38f3.exe	85
PID 5036 wrote to memory of 3844	5036	5bafd7d7720a0e948a75557cdd60abd616147ffbaea4b443030042591a7e38f3.exe	85
PID 3844 wrote to memory of 400	3844	x2226894.exe	87
PID 3844 wrote to memory of 400	3844	x2226894.exe	87
PID 3844 wrote to memory of 400	3844	x2226894.exe	87
PID 400 wrote to memory of 4348	400	x7787344.exe	89
PID 400 wrote to memory of 4348	400	x7787344.exe	89
PID 400 wrote to memory of 4348	400	x7787344.exe	89
PID 4348 wrote to memory of 4236	4348	x0969051.exe	90
PID 4348 wrote to memory of 4236	4348	x0969051.exe	90
PID 4348 wrote to memory of 4236	4348	x0969051.exe	90
PID 4236 wrote to memory of 3236	4236	x5488794.exe	91
PID 4236 wrote to memory of 3236	4236	x5488794.exe	91
PID 4236 wrote to memory of 3236	4236	x5488794.exe	91
PID 3236 wrote to memory of 4744	3236	g7693018.exe	94
PID 3236 wrote to memory of 4744	3236	g7693018.exe	94
PID 3236 wrote to memory of 4744	3236	g7693018.exe	94
PID 3236 wrote to memory of 4744	3236	g7693018.exe	94
PID 3236 wrote to memory of 4744	3236	g7693018.exe	94
PID 3236 wrote to memory of 4744	3236	g7693018.exe	94
PID 3236 wrote to memory of 4744	3236	g7693018.exe	94
PID 3236 wrote to memory of 4744	3236	g7693018.exe	94
PID 3236 wrote to memory of 4744	3236	g7693018.exe	94
PID 3236 wrote to memory of 4744	3236	g7693018.exe	94
PID 4236 wrote to memory of 4992	4236	x5488794.exe	99
PID 4236 wrote to memory of 4992	4236	x5488794.exe	99
PID 4236 wrote to memory of 4992	4236	x5488794.exe	99

C:\Users\Admin\AppData\Local\Temp\5bafd7d7720a0e948a75557cdd60abd616147ffbaea4b443030042591a7e38f3.exe
"C:\Users\Admin\AppData\Local\Temp\5bafd7d7720a0e948a75557cdd60abd616147ffbaea4b443030042591a7e38f3.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:5036
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x2226894.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x2226894.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:3844
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x7787344.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x7787344.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:400
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\x0969051.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\x0969051.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:4348
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\x5488794.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\x5488794.exe
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of WriteProcessMemory
        
        PID:4236
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\g7693018.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\g7693018.exe
        6⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:3236
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        7⤵
        
        PID:4744
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4744 -s 556
        8⤵
        Program crash
        
        PID:4784
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3236 -s 604
        7⤵
        Program crash
        
        PID:4660
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\h9891264.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\h9891264.exe
        6⤵
        Executes dropped EXE
        
        PID:4992

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 3236 -ip 3236
1⤵
PID:3060

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 4744 -ip 4744
1⤵
PID:2736

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x2226894.exe

Filesize
929KB

MD5
5638402c092a7fb8e1efab2f43f7fc6c

SHA1
050902f725d2df40395f91da0a50b36fba4d8a22

SHA256
51483869742409d2ef54afb1b1ef91a849d90f76db187191664c5bf1e374f98c

SHA512
c422d0ccd76251efcf7d14e3083f9417faa2539a956ecb275dd3a582d9176d440981b540ad03c409de81428e60372586dc035bf3f39a9b9ecc5b93754a5b5b94

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x2226894.exe

Filesize
929KB

MD5
5638402c092a7fb8e1efab2f43f7fc6c

SHA1
050902f725d2df40395f91da0a50b36fba4d8a22

SHA256
51483869742409d2ef54afb1b1ef91a849d90f76db187191664c5bf1e374f98c

SHA512
c422d0ccd76251efcf7d14e3083f9417faa2539a956ecb275dd3a582d9176d440981b540ad03c409de81428e60372586dc035bf3f39a9b9ecc5b93754a5b5b94

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x7787344.exe

Filesize
746KB

MD5
b6b5b97df732df53d4123c0f469170bc

SHA1
5eff3edf4ee7b3c20d80064829409bae1d8c6412

SHA256
85656d664cb42284a9e23d0a35e57f4b3673fa470aa1bfe49f6c6a54b219d5e2

SHA512
217b8414bb9ceaa0bd0b8aabf54a57b8f6e11e4ba8573729771cb0fbe8c10e940a7720bb2dc10c5e18572056564a681ada808d202680959ad0ef36ed0107b124

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x7787344.exe

Filesize
746KB

MD5
b6b5b97df732df53d4123c0f469170bc

SHA1
5eff3edf4ee7b3c20d80064829409bae1d8c6412

SHA256
85656d664cb42284a9e23d0a35e57f4b3673fa470aa1bfe49f6c6a54b219d5e2

SHA512
217b8414bb9ceaa0bd0b8aabf54a57b8f6e11e4ba8573729771cb0fbe8c10e940a7720bb2dc10c5e18572056564a681ada808d202680959ad0ef36ed0107b124

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\x0969051.exe

Filesize
515KB

MD5
12d3ddbd01539889aca198ca953f4417

SHA1
4fc67daf9994f518fcb220e1035bbd1b25ca56cd

SHA256
613640725452a6f932c0cce9f9e247d65a34d89827627ad28b148df0b9e4d218

SHA512
e45f8ed5ea26cbd6cf81b53ea97f9116b17bbff1d6c0d6abed3581e056690a860ae9f112f9bb9f4268dff49dd2f944f8660e7b020d1ae2e56f2693cf1b2d8d18

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\x0969051.exe

Filesize
515KB

MD5
12d3ddbd01539889aca198ca953f4417

SHA1
4fc67daf9994f518fcb220e1035bbd1b25ca56cd

SHA256
613640725452a6f932c0cce9f9e247d65a34d89827627ad28b148df0b9e4d218

SHA512
e45f8ed5ea26cbd6cf81b53ea97f9116b17bbff1d6c0d6abed3581e056690a860ae9f112f9bb9f4268dff49dd2f944f8660e7b020d1ae2e56f2693cf1b2d8d18

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\x5488794.exe

Filesize
349KB

MD5
036d15dd45b5602af0e7d291fdc7391b

SHA1
fb64822bea8d341ff0ebfb603cc3d88559b68d55

SHA256
66fb3094ef479d98cc873e02f4228f99ba5badded7d67fc666b2e240427325ae

SHA512
70eaf5f33beb492aacff84f1a1a1141900e120f728149f535def1cee4cfc5570020f64a0cd6fc76bc31f79e425070869a09a74bc59299bc4b83b8da4ec63ba8f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\x5488794.exe

Filesize
349KB

MD5
036d15dd45b5602af0e7d291fdc7391b

SHA1
fb64822bea8d341ff0ebfb603cc3d88559b68d55

SHA256
66fb3094ef479d98cc873e02f4228f99ba5badded7d67fc666b2e240427325ae

SHA512
70eaf5f33beb492aacff84f1a1a1141900e120f728149f535def1cee4cfc5570020f64a0cd6fc76bc31f79e425070869a09a74bc59299bc4b83b8da4ec63ba8f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\g7693018.exe

Filesize
276KB

MD5
c5e01583bf6dc87101d56c96969c2aed

SHA1
2d4322e870d2d8e460f52e739e3db653fe01d99f

SHA256
d57a08992e53bdcd3f96005ee6287e18ffb1e244e0036802fa166230a3cc4b5c

SHA512
d6cc170713d0f9b2eb840744ef620bca87fd5f6df9314c758a0a37abd2504e2addf7e5cf135bc50e3ab2f0b5edf72b23825882c8aa07ee5727472b2a3d16816b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\g7693018.exe

Filesize
276KB

MD5
c5e01583bf6dc87101d56c96969c2aed

SHA1
2d4322e870d2d8e460f52e739e3db653fe01d99f

SHA256
d57a08992e53bdcd3f96005ee6287e18ffb1e244e0036802fa166230a3cc4b5c

SHA512
d6cc170713d0f9b2eb840744ef620bca87fd5f6df9314c758a0a37abd2504e2addf7e5cf135bc50e3ab2f0b5edf72b23825882c8aa07ee5727472b2a3d16816b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\h9891264.exe

Filesize
174KB

MD5
00b66d8443faddb98749dff227b838a1

SHA1
7b288d1fd47085e058cec556b32002529f2e375a

SHA256
a1f795c5a7340cc8617da557943f6904db1ed99393ba962961a6d86368d6ea59

SHA512
9505f76989967b3a0166ab56e98803088b2f1a0f77fff1d94a458773b54c06071a7d823d3fb7bf17898e1e38dcd3ed0e25948a9cab670decc0bcad0ff69394ae

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\h9891264.exe

Filesize
174KB

MD5
00b66d8443faddb98749dff227b838a1

SHA1
7b288d1fd47085e058cec556b32002529f2e375a

SHA256
a1f795c5a7340cc8617da557943f6904db1ed99393ba962961a6d86368d6ea59

SHA512
9505f76989967b3a0166ab56e98803088b2f1a0f77fff1d94a458773b54c06071a7d823d3fb7bf17898e1e38dcd3ed0e25948a9cab670decc0bcad0ff69394ae

Download Submit
memory/4744-37-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/4744-39-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/4744-36-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/4744-35-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/4992-46-0x0000000006090000-0x00000000066A8000-memory.dmp

Filesize
6.1MB

Download
memory/4992-44-0x0000000000F90000-0x0000000000FC0000-memory.dmp

Filesize
192KB

Download
memory/4992-45-0x0000000001770000-0x0000000001776000-memory.dmp

Filesize
24KB

Download
memory/4992-43-0x0000000074940000-0x00000000750F0000-memory.dmp

Filesize
7.7MB

Download
memory/4992-47-0x0000000005B80000-0x0000000005C8A000-memory.dmp

Filesize
1.0MB

Download
memory/4992-48-0x0000000005A60000-0x0000000005A70000-memory.dmp

Filesize
64KB

Download
memory/4992-49-0x00000000034C0000-0x00000000034D2000-memory.dmp

Filesize
72KB

Download
memory/4992-50-0x0000000005970000-0x00000000059AC000-memory.dmp

Filesize
240KB

Download
memory/4992-51-0x00000000059B0000-0x00000000059FC000-memory.dmp

Filesize
304KB

Download
memory/4992-52-0x0000000074940000-0x00000000750F0000-memory.dmp

Filesize
7.7MB

Download
memory/4992-53-0x0000000005A60000-0x0000000005A70000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads