redline | 511499b1e4570b341ce0d5a69b557acf74f04b0a0593e021c6a99c5320ea8ca2

Analysis

max time kernel
143s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
01-10-2023 01:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

511499b1e4570b341ce0d5a69b557acf74f04b0a0593e021c6a99c5320ea8ca2.exe
Size

1.0MB
MD5

055558f2e8bd64ecb4362d23de17a035
SHA1

43eb99ccace3cbdd2e787068de3611f086290f5c
SHA256

511499b1e4570b341ce0d5a69b557acf74f04b0a0593e021c6a99c5320ea8ca2
SHA512

76f01d6fd75ecaf3461bc1a975f8a2e5793f60b8e1c57f97c19b8549e431fbc6c323122729bb5e84c9bc0b4326d93d6f1228f5aad429aa80f7052655f238e238
SSDEEP

24576:KyClxQucArZuky84jRDOjMNR2aP+tb4kHj0LQJ:RCvQu1rZufLRDOIX/mhHj0L

Score

10^/10

redline luska infostealer persistence

Malware Config

Extracted

Family

redline

Botnet

luska

77.91.124.55:19071

Attributes

auth_value
a6797888f51a88afbfd8854a79ac9357

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Executes dropped EXE 6 IoCs

pid	Process
5076	x6367914.exe
5060	x7367972.exe
4012	x2215522.exe
644	x3314695.exe
3444	g7749811.exe
1432	h3355884.exe

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	511499b1e4570b341ce0d5a69b557acf74f04b0a0593e021c6a99c5320ea8ca2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	x6367914.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	x7367972.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	x2215522.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\""	x3314695.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 3444 set thread context of 472	3444	g7749811.exe	92

Program crash 2 IoCs

pid	pid_target	Process	procid_target
1016	472	WerFault.exe	92
1292	3444	WerFault.exe	91

Suspicious use of WriteProcessMemory 28 IoCs

description	pid	Process	procid_target
PID 3924 wrote to memory of 5076	3924	511499b1e4570b341ce0d5a69b557acf74f04b0a0593e021c6a99c5320ea8ca2.exe	86
PID 3924 wrote to memory of 5076	3924	511499b1e4570b341ce0d5a69b557acf74f04b0a0593e021c6a99c5320ea8ca2.exe	86
PID 3924 wrote to memory of 5076	3924	511499b1e4570b341ce0d5a69b557acf74f04b0a0593e021c6a99c5320ea8ca2.exe	86
PID 5076 wrote to memory of 5060	5076	x6367914.exe	87
PID 5076 wrote to memory of 5060	5076	x6367914.exe	87
PID 5076 wrote to memory of 5060	5076	x6367914.exe	87
PID 5060 wrote to memory of 4012	5060	x7367972.exe	88
PID 5060 wrote to memory of 4012	5060	x7367972.exe	88
PID 5060 wrote to memory of 4012	5060	x7367972.exe	88
PID 4012 wrote to memory of 644	4012	x2215522.exe	89
PID 4012 wrote to memory of 644	4012	x2215522.exe	89
PID 4012 wrote to memory of 644	4012	x2215522.exe	89
PID 644 wrote to memory of 3444	644	x3314695.exe	91
PID 644 wrote to memory of 3444	644	x3314695.exe	91
PID 644 wrote to memory of 3444	644	x3314695.exe	91
PID 3444 wrote to memory of 472	3444	g7749811.exe	92
PID 3444 wrote to memory of 472	3444	g7749811.exe	92
PID 3444 wrote to memory of 472	3444	g7749811.exe	92
PID 3444 wrote to memory of 472	3444	g7749811.exe	92
PID 3444 wrote to memory of 472	3444	g7749811.exe	92
PID 3444 wrote to memory of 472	3444	g7749811.exe	92
PID 3444 wrote to memory of 472	3444	g7749811.exe	92
PID 3444 wrote to memory of 472	3444	g7749811.exe	92
PID 3444 wrote to memory of 472	3444	g7749811.exe	92
PID 3444 wrote to memory of 472	3444	g7749811.exe	92
PID 644 wrote to memory of 1432	644	x3314695.exe	99
PID 644 wrote to memory of 1432	644	x3314695.exe	99
PID 644 wrote to memory of 1432	644	x3314695.exe	99

C:\Users\Admin\AppData\Local\Temp\511499b1e4570b341ce0d5a69b557acf74f04b0a0593e021c6a99c5320ea8ca2.exe
"C:\Users\Admin\AppData\Local\Temp\511499b1e4570b341ce0d5a69b557acf74f04b0a0593e021c6a99c5320ea8ca2.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3924
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x6367914.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x6367914.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:5076
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x7367972.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x7367972.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:5060
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\x2215522.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\x2215522.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:4012
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\x3314695.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\x3314695.exe
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of WriteProcessMemory
        
        PID:644
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\g7749811.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\g7749811.exe
        6⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:3444
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        7⤵
        
        PID:472
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 472 -s 540
        8⤵
        Program crash
        
        PID:1016
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3444 -s 580
        7⤵
        Program crash
        
        PID:1292
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\h3355884.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\h3355884.exe
        6⤵
        Executes dropped EXE
        
        PID:1432

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 80 -p 472 -ip 472
1⤵
PID:968

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 3444 -ip 3444
1⤵
PID:432

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x6367914.exe

Filesize
930KB

MD5
a06c0d0492d84142b9f2c1ce23199139

SHA1
3600f0b654a34748f7a28db6bc82a5b48ff26796

SHA256
7f7474d113be2db8d552b977f8030931deb475617fc06d7ded668fba6cc459b5

SHA512
4be07937af9109a127cda20f82fde1693f3a31d62601ee8b6642cdee5a27c7c3f327dce0d6cd15401d5356d187c9235329d345cfa1cc5614a5dffb8dc7f509ba

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x6367914.exe

Filesize
930KB

MD5
a06c0d0492d84142b9f2c1ce23199139

SHA1
3600f0b654a34748f7a28db6bc82a5b48ff26796

SHA256
7f7474d113be2db8d552b977f8030931deb475617fc06d7ded668fba6cc459b5

SHA512
4be07937af9109a127cda20f82fde1693f3a31d62601ee8b6642cdee5a27c7c3f327dce0d6cd15401d5356d187c9235329d345cfa1cc5614a5dffb8dc7f509ba

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x7367972.exe

Filesize
747KB

MD5
f324cd8a99be84091a1cf65987ac2eb8

SHA1
e5788e4629e35a500f1f317108777dcc6b2a3b37

SHA256
b9c5054cb1b13f8f0dad9872e742d1dd5ea7c6bac277f617c654b3bb2a826f34

SHA512
e28c3e6fdef031f5f4491e90f20b50d1316145fe913b3f97b45300dff9fd5353859c8ae01ddfbe2308ceb6412a2ca69b98645e4324648d36331073d18817f691

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x7367972.exe

Filesize
747KB

MD5
f324cd8a99be84091a1cf65987ac2eb8

SHA1
e5788e4629e35a500f1f317108777dcc6b2a3b37

SHA256
b9c5054cb1b13f8f0dad9872e742d1dd5ea7c6bac277f617c654b3bb2a826f34

SHA512
e28c3e6fdef031f5f4491e90f20b50d1316145fe913b3f97b45300dff9fd5353859c8ae01ddfbe2308ceb6412a2ca69b98645e4324648d36331073d18817f691

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\x2215522.exe

Filesize
517KB

MD5
1f5d7ef74a7cd4d44ac0cb45476654a4

SHA1
59b95ca6fd89c655b9f7feb054fb336b4c8407bf

SHA256
443b033885e89531f9f910c00d6be17ad5ee4c86dd40e82c06a4eabeb26165f9

SHA512
83d620c3acd2c87ce3bd70788a3533a303466b31d7daa60259d7c9063fe1cffaab1b24723b5763b1fb765fb89d71215ba98f35bea45d9b8a027ddd17681979f9

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\x2215522.exe

Filesize
517KB

MD5
1f5d7ef74a7cd4d44ac0cb45476654a4

SHA1
59b95ca6fd89c655b9f7feb054fb336b4c8407bf

SHA256
443b033885e89531f9f910c00d6be17ad5ee4c86dd40e82c06a4eabeb26165f9

SHA512
83d620c3acd2c87ce3bd70788a3533a303466b31d7daa60259d7c9063fe1cffaab1b24723b5763b1fb765fb89d71215ba98f35bea45d9b8a027ddd17681979f9

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\x3314695.exe

Filesize
351KB

MD5
f8ad13db3379b9887947caa7c7c869f2

SHA1
88828c18be3548e440615c5cc1181741af43003f

SHA256
b10a903d16c9c8c08e0573f9906dcda024c78038b4211b2d585275cc78a95357

SHA512
e1368cc1f825efc71d705cfce103138c21518a32d7437b99164160bf6b44a98d7c748cb4229bf3fb4f9b0b3c1ceafca3a64aedc0711c7b9fca08c96391b7c268

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\x3314695.exe

Filesize
351KB

MD5
f8ad13db3379b9887947caa7c7c869f2

SHA1
88828c18be3548e440615c5cc1181741af43003f

SHA256
b10a903d16c9c8c08e0573f9906dcda024c78038b4211b2d585275cc78a95357

SHA512
e1368cc1f825efc71d705cfce103138c21518a32d7437b99164160bf6b44a98d7c748cb4229bf3fb4f9b0b3c1ceafca3a64aedc0711c7b9fca08c96391b7c268

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\g7749811.exe

Filesize
276KB

MD5
7f965f8c82c4b946be2f13a1d2f2b321

SHA1
70adf9a45d3ee7f9357cff96add5da6846362231

SHA256
858c6c476b64080cc0d59fc12463b3556b17e0abdab62a3d5a4f6313bae336d9

SHA512
8d75b6a02b1b467a1b223b6255570438f767a2c6e22240d583dc0bd4a731747f9477638e3e417c86f8ae02a585b10a266a4405f44815c4fd0fa406f2f5abe3a0

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\g7749811.exe

Filesize
276KB

MD5
7f965f8c82c4b946be2f13a1d2f2b321

SHA1
70adf9a45d3ee7f9357cff96add5da6846362231

SHA256
858c6c476b64080cc0d59fc12463b3556b17e0abdab62a3d5a4f6313bae336d9

SHA512
8d75b6a02b1b467a1b223b6255570438f767a2c6e22240d583dc0bd4a731747f9477638e3e417c86f8ae02a585b10a266a4405f44815c4fd0fa406f2f5abe3a0

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\h3355884.exe

Filesize
174KB

MD5
3a580719c68b79b386631e78889fa94d

SHA1
aeed475e099027801d057e6e8530ccf9613064f9

SHA256
0898d058d7814386fb19b56de4082cf2f168cd61dd1332dfd02e0b04f2b8aa18

SHA512
9f171c4b48473b44670c8a7ec9fa5cd38ec356901d9413b1e8bdf1d6738a75da427d5d3f9cff662aeaefbd215b13c1a141db56a0207c8761d2374130ea43eb2c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\h3355884.exe

Filesize
174KB

MD5
3a580719c68b79b386631e78889fa94d

SHA1
aeed475e099027801d057e6e8530ccf9613064f9

SHA256
0898d058d7814386fb19b56de4082cf2f168cd61dd1332dfd02e0b04f2b8aa18

SHA512
9f171c4b48473b44670c8a7ec9fa5cd38ec356901d9413b1e8bdf1d6738a75da427d5d3f9cff662aeaefbd215b13c1a141db56a0207c8761d2374130ea43eb2c

Download Submit
memory/472-37-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/472-39-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/472-36-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/472-35-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/1432-46-0x0000000005450000-0x0000000005A68000-memory.dmp

Filesize
6.1MB

Download
memory/1432-43-0x00000000002F0000-0x0000000000320000-memory.dmp

Filesize
192KB

Download
memory/1432-45-0x00000000027C0000-0x00000000027C6000-memory.dmp

Filesize
24KB

Download
memory/1432-44-0x00000000741F0000-0x00000000749A0000-memory.dmp

Filesize
7.7MB

Download
memory/1432-47-0x0000000004F40000-0x000000000504A000-memory.dmp

Filesize
1.0MB

Download
memory/1432-49-0x0000000004D20000-0x0000000004D30000-memory.dmp

Filesize
64KB

Download
memory/1432-48-0x0000000004CB0000-0x0000000004CC2000-memory.dmp

Filesize
72KB

Download
memory/1432-50-0x0000000004E30000-0x0000000004E6C000-memory.dmp

Filesize
240KB

Download
memory/1432-51-0x0000000004E70000-0x0000000004EBC000-memory.dmp

Filesize
304KB

Download
memory/1432-52-0x00000000741F0000-0x00000000749A0000-memory.dmp

Filesize
7.7MB

Download
memory/1432-53-0x0000000004D20000-0x0000000004D30000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads