redline | 525a6876f08934e8ec0a09c7a3ea608c13ded25820af2e8849e0e6ee5623e2f5

Analysis

max time kernel
147s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
01-10-2023 11:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

525a6876f08934e8ec0a09c7a3ea608c13ded25820af2e8849e0e6ee5623e2f5.exe
Size

786KB
MD5

e1a1a356b31e7ef5ab91c2a8269e35fd
SHA1

a5b8a521c5cfed82ec12a5d050c753fb7eb1daa0
SHA256

525a6876f08934e8ec0a09c7a3ea608c13ded25820af2e8849e0e6ee5623e2f5
SHA512

3009ad1f0f9db168cc752c3396c0dba655dc97f908319882f548f15059d1e41a84d98963c8ce7e57640b4ca33afcd0d0e84ce560d55eedd449b7249aa5ab7727
SSDEEP

12288:pMrcy90B9ZCmXOx0KRE0m/njIyg/u9OBKxThgKGSmE2WdIw2jhwf:RyMOa0m8yg/uMBNg2WdIP1wf

Score

10^/10

redline gruha luska infostealer persistence

Malware Config

Extracted

Family

redline

Botnet

gruha

77.91.124.55:19071

Attributes

auth_value
2f4cf2e668a540e64775b27535cc6892

Extracted

Family

redline

Botnet

luska

77.91.124.55:19071

Attributes

auth_value
a6797888f51a88afbfd8854a79ac9357

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline
Executes dropped EXE 5 IoCs

Processes:

x7918905.exex6868208.exex5059616.exeg9823996.exeh6099075.exe

pid process

4192 x7918905.exe
5080 x6868208.exe
4500 x5059616.exe
812 g9823996.exe
1388 h6099075.exe

pid	process
4192	x7918905.exe
5080	x6868208.exe
4500	x5059616.exe
812	g9823996.exe
1388	h6099075.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

x7918905.exex6868208.exex5059616.exe525a6876f08934e8ec0a09c7a3ea608c13ded25820af2e8849e0e6ee5623e2f5.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	x7918905.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	x6868208.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	x5059616.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	525a6876f08934e8ec0a09c7a3ea608c13ded25820af2e8849e0e6ee5623e2f5.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

g9823996.exe

description pid process target process

PID 812 set thread context of 1152 812 g9823996.exe AppLaunch.exe
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

4592 812 WerFault.exe g9823996.exe

description	pid	process	target process
PID 812 set thread context of 1152	812	g9823996.exe	AppLaunch.exe

pid	pid_target	process	target process
4592	812	WerFault.exe	g9823996.exe

Suspicious use of WriteProcessMemory 23 IoCs

Processes:

525a6876f08934e8ec0a09c7a3ea608c13ded25820af2e8849e0e6ee5623e2f5.exex7918905.exex6868208.exex5059616.exeg9823996.exe

description	pid	process	target process
PID 3628 wrote to memory of 4192	3628	525a6876f08934e8ec0a09c7a3ea608c13ded25820af2e8849e0e6ee5623e2f5.exe	x7918905.exe
PID 3628 wrote to memory of 4192	3628	525a6876f08934e8ec0a09c7a3ea608c13ded25820af2e8849e0e6ee5623e2f5.exe	x7918905.exe
PID 3628 wrote to memory of 4192	3628	525a6876f08934e8ec0a09c7a3ea608c13ded25820af2e8849e0e6ee5623e2f5.exe	x7918905.exe
PID 4192 wrote to memory of 5080	4192	x7918905.exe	x6868208.exe
PID 4192 wrote to memory of 5080	4192	x7918905.exe	x6868208.exe
PID 4192 wrote to memory of 5080	4192	x7918905.exe	x6868208.exe
PID 5080 wrote to memory of 4500	5080	x6868208.exe	x5059616.exe
PID 5080 wrote to memory of 4500	5080	x6868208.exe	x5059616.exe
PID 5080 wrote to memory of 4500	5080	x6868208.exe	x5059616.exe
PID 4500 wrote to memory of 812	4500	x5059616.exe	g9823996.exe
PID 4500 wrote to memory of 812	4500	x5059616.exe	g9823996.exe
PID 4500 wrote to memory of 812	4500	x5059616.exe	g9823996.exe
PID 812 wrote to memory of 1152	812	g9823996.exe	AppLaunch.exe
PID 812 wrote to memory of 1152	812	g9823996.exe	AppLaunch.exe
PID 812 wrote to memory of 1152	812	g9823996.exe	AppLaunch.exe
PID 812 wrote to memory of 1152	812	g9823996.exe	AppLaunch.exe
PID 812 wrote to memory of 1152	812	g9823996.exe	AppLaunch.exe
PID 812 wrote to memory of 1152	812	g9823996.exe	AppLaunch.exe
PID 812 wrote to memory of 1152	812	g9823996.exe	AppLaunch.exe
PID 812 wrote to memory of 1152	812	g9823996.exe	AppLaunch.exe
PID 4500 wrote to memory of 1388	4500	x5059616.exe	h6099075.exe
PID 4500 wrote to memory of 1388	4500	x5059616.exe	h6099075.exe
PID 4500 wrote to memory of 1388	4500	x5059616.exe	h6099075.exe

C:\Users\Admin\AppData\Local\Temp\525a6876f08934e8ec0a09c7a3ea608c13ded25820af2e8849e0e6ee5623e2f5.exe
"C:\Users\Admin\AppData\Local\Temp\525a6876f08934e8ec0a09c7a3ea608c13ded25820af2e8849e0e6ee5623e2f5.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3628

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x7918905.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x7918905.exe
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4192

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x6868208.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x6868208.exe
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:5080

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\x5059616.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\x5059616.exe
4⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4500

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\g9823996.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\g9823996.exe
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:812

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
6⤵
PID:1152

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 812 -s 152
6⤵
- Program crash
PID:4592

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\h6099075.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\h6099075.exe
5⤵
- Executes dropped EXE
PID:1388

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 812 -ip 812
1⤵
PID:3352

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x7918905.exe
Filesize
684KB

MD5
4c93e81aa272366e57e32543697b7de2

SHA1
13d680fdef0680950f97e3d1a55ca57f14b4c45d

SHA256
fd2f0cbca258bf3ce55add26c92b96ba1e46d371d820ae463a6af80c15352ee1

SHA512
6b67693a5e34661001a32451248d73eec70cbf410d3ec3583c2c96ce51c4d1b32a9fc6dfbfa17f28c798ad0f9a81fe92c5497232466d5eed66c02e8e62c78fd3

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x7918905.exe
Filesize
684KB

MD5
4c93e81aa272366e57e32543697b7de2

SHA1
13d680fdef0680950f97e3d1a55ca57f14b4c45d

SHA256
fd2f0cbca258bf3ce55add26c92b96ba1e46d371d820ae463a6af80c15352ee1

SHA512
6b67693a5e34661001a32451248d73eec70cbf410d3ec3583c2c96ce51c4d1b32a9fc6dfbfa17f28c798ad0f9a81fe92c5497232466d5eed66c02e8e62c78fd3

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x6868208.exe
Filesize
502KB

MD5
1f3cfbfc9fa61cb52ce81bdfb45dc094

SHA1
83b1370a967eecafaf45708b1f86bdb0e226376b

SHA256
73aa96e2d709624df27d2e5e93947e66d84063eba64eb8af1d196844b76eba12

SHA512
9a6abdc84fb1ac1454eecf30d43e6260cb5126257ba569ffd28459ab496a77dcccf34576d57cb7f29253210c089190a5ab9258a881feb6353288d59d199b1e3b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x6868208.exe
Filesize
502KB

MD5
1f3cfbfc9fa61cb52ce81bdfb45dc094

SHA1
83b1370a967eecafaf45708b1f86bdb0e226376b

SHA256
73aa96e2d709624df27d2e5e93947e66d84063eba64eb8af1d196844b76eba12

SHA512
9a6abdc84fb1ac1454eecf30d43e6260cb5126257ba569ffd28459ab496a77dcccf34576d57cb7f29253210c089190a5ab9258a881feb6353288d59d199b1e3b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\x5059616.exe
Filesize
337KB

MD5
c224fdc6f20634d4b46c8166e8128dcc

SHA1
bcd9ff6e93674bcb3fd5b2ba9c8ca0cc39f341b7

SHA256
b4c98cc1596d0053d310b3f9394b8f035fbf44141cfaea31588dab95997e5b85

SHA512
b55a9fadf537618e2edefd2d5ea374d3ea961ad517b6345d3898e53c56b58275208800309579057aed18ecdb91a2a4d9b64863ec160134a4e7f52944724edbdd

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\x5059616.exe
Filesize
337KB

MD5
c224fdc6f20634d4b46c8166e8128dcc

SHA1
bcd9ff6e93674bcb3fd5b2ba9c8ca0cc39f341b7

SHA256
b4c98cc1596d0053d310b3f9394b8f035fbf44141cfaea31588dab95997e5b85

SHA512
b55a9fadf537618e2edefd2d5ea374d3ea961ad517b6345d3898e53c56b58275208800309579057aed18ecdb91a2a4d9b64863ec160134a4e7f52944724edbdd

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\g9823996.exe
Filesize
310KB

MD5
828227633c779572a6ed27d07440aa1b

SHA1
d03eddffc08fa26ecbfa08c3785131f1e46e22ca

SHA256
a02e134a7c93e5490b5b014149013563a1a3519d7c02430ff106c3d7324ee079

SHA512
3f4a0f192b796a9cc9183ca2327028a4c0cd107ed58763e0a3254a569b546c7b8242fcc266eb84a77e97834d5574c7cedf1d48885a0afb99a5992a1531c88f62

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\g9823996.exe
Filesize
310KB

MD5
828227633c779572a6ed27d07440aa1b

SHA1
d03eddffc08fa26ecbfa08c3785131f1e46e22ca

SHA256
a02e134a7c93e5490b5b014149013563a1a3519d7c02430ff106c3d7324ee079

SHA512
3f4a0f192b796a9cc9183ca2327028a4c0cd107ed58763e0a3254a569b546c7b8242fcc266eb84a77e97834d5574c7cedf1d48885a0afb99a5992a1531c88f62

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\h6099075.exe
Filesize
174KB

MD5
ea8da2d9585d5f4d5d578d06b84f8358

SHA1
9749bbd9fd7ad08fdfae8cbcf28362f6a1c8fd56

SHA256
eda63e38389cad4a6bbf59852763dcf3525cbe2693fc301522a8bb6d219e639f

SHA512
dbcf7c701af603d33b6d1c776e911aa663e947b89cdcdb90716b932b7e04c9da71ca9f8631955d6f073de594302a99a418dcb6db780a31778db9bd8de320327d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\h6099075.exe
Filesize
174KB

MD5
ea8da2d9585d5f4d5d578d06b84f8358

SHA1
9749bbd9fd7ad08fdfae8cbcf28362f6a1c8fd56

SHA256
eda63e38389cad4a6bbf59852763dcf3525cbe2693fc301522a8bb6d219e639f

SHA512
dbcf7c701af603d33b6d1c776e911aa663e947b89cdcdb90716b932b7e04c9da71ca9f8631955d6f073de594302a99a418dcb6db780a31778db9bd8de320327d

Download Submit
memory/1152-32-0x0000000005190000-0x000000000529A000-memory.dmp

Filesize
1.0MB

Download
memory/1152-44-0x0000000074950000-0x0000000075100000-memory.dmp

Filesize
7.7MB

Download
memory/1152-30-0x0000000002890000-0x0000000002896000-memory.dmp

Filesize
24KB

Download
memory/1152-34-0x00000000050C0000-0x00000000050D2000-memory.dmp

Filesize
72KB

Download
memory/1152-33-0x0000000004F50000-0x0000000004F60000-memory.dmp

Filesize
64KB

Download
memory/1152-29-0x0000000074950000-0x0000000075100000-memory.dmp

Filesize
7.7MB

Download
memory/1152-28-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/1152-45-0x0000000004F50000-0x0000000004F60000-memory.dmp

Filesize
64KB

Download
memory/1152-31-0x0000000005680000-0x0000000005C98000-memory.dmp

Filesize
6.1MB

Download
memory/1152-43-0x00000000052A0000-0x00000000052EC000-memory.dmp

Filesize
304KB

Download
memory/1152-39-0x0000000005120000-0x000000000515C000-memory.dmp

Filesize
240KB

Download
memory/1388-42-0x0000000005150000-0x0000000005160000-memory.dmp

Filesize
64KB

Download
memory/1388-41-0x0000000074950000-0x0000000075100000-memory.dmp

Filesize
7.7MB

Download
memory/1388-40-0x0000000000F10000-0x0000000000F16000-memory.dmp

Filesize
24KB

Download
memory/1388-38-0x00000000008A0000-0x00000000008D0000-memory.dmp

Filesize
192KB

Download
memory/1388-46-0x0000000074950000-0x0000000075100000-memory.dmp

Filesize
7.7MB

Download
memory/1388-47-0x0000000005150000-0x0000000005160000-memory.dmp

Filesize
64KB

Download