redline | f09056b42deee674a96cf34a57a8247a1485b559ce5afbffae4942057f5135ab

Analysis

max time kernel
140s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
01-10-2023 12:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f09056b42deee674a96cf34a57a8247a1485b559ce5afbffae4942057f5135ab.exe
Size

1.0MB
MD5

38245a63ed4c5c803fc8bde8967a88ff
SHA1

38b412cde27ec02e05f7eb2d61983b74f50ae289
SHA256

f09056b42deee674a96cf34a57a8247a1485b559ce5afbffae4942057f5135ab
SHA512

e92f5e1a07afbcad8ae829b914ce60edcca7d65128ae1261f1e2715dcd5c30f07aee8263bd2f516205737b52c9178b8d3555a96e7b105fe427a716235b42dcb3
SSDEEP

24576:Oyd4tOcwQiIMa6BdpBFTkIfyJiDWbMzY6LzaP:detOcw0MXB0If6eWSVLO

Score

10^/10

redline luska infostealer persistence

Malware Config

Extracted

Family

redline

Botnet

luska

77.91.124.55:19071

Attributes

auth_value
a6797888f51a88afbfd8854a79ac9357

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Executes dropped EXE 6 IoCs

pid	Process
4032	x9435037.exe
4716	x7886351.exe
1136	x4902647.exe
1932	x4718039.exe
928	g8315913.exe
4932	h8940647.exe

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	f09056b42deee674a96cf34a57a8247a1485b559ce5afbffae4942057f5135ab.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	x9435037.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	x7886351.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	x4902647.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\""	x4718039.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 928 set thread context of 3768	928	g8315913.exe	93

Program crash 2 IoCs

pid	pid_target	Process	procid_target
3892	928	WerFault.exe	89
1204	3768	WerFault.exe	93

Suspicious use of WriteProcessMemory 34 IoCs

description	pid	Process	procid_target
PID 3792 wrote to memory of 4032	3792	f09056b42deee674a96cf34a57a8247a1485b559ce5afbffae4942057f5135ab.exe	85
PID 3792 wrote to memory of 4032	3792	f09056b42deee674a96cf34a57a8247a1485b559ce5afbffae4942057f5135ab.exe	85
PID 3792 wrote to memory of 4032	3792	f09056b42deee674a96cf34a57a8247a1485b559ce5afbffae4942057f5135ab.exe	85
PID 4032 wrote to memory of 4716	4032	x9435037.exe	86
PID 4032 wrote to memory of 4716	4032	x9435037.exe	86
PID 4032 wrote to memory of 4716	4032	x9435037.exe	86
PID 4716 wrote to memory of 1136	4716	x7886351.exe	87
PID 4716 wrote to memory of 1136	4716	x7886351.exe	87
PID 4716 wrote to memory of 1136	4716	x7886351.exe	87
PID 1136 wrote to memory of 1932	1136	x4902647.exe	88
PID 1136 wrote to memory of 1932	1136	x4902647.exe	88
PID 1136 wrote to memory of 1932	1136	x4902647.exe	88
PID 1932 wrote to memory of 928	1932	x4718039.exe	89
PID 1932 wrote to memory of 928	1932	x4718039.exe	89
PID 1932 wrote to memory of 928	1932	x4718039.exe	89
PID 928 wrote to memory of 5112	928	g8315913.exe	91
PID 928 wrote to memory of 5112	928	g8315913.exe	91
PID 928 wrote to memory of 5112	928	g8315913.exe	91
PID 928 wrote to memory of 1420	928	g8315913.exe	92
PID 928 wrote to memory of 1420	928	g8315913.exe	92
PID 928 wrote to memory of 1420	928	g8315913.exe	92
PID 928 wrote to memory of 3768	928	g8315913.exe	93
PID 928 wrote to memory of 3768	928	g8315913.exe	93
PID 928 wrote to memory of 3768	928	g8315913.exe	93
PID 928 wrote to memory of 3768	928	g8315913.exe	93
PID 928 wrote to memory of 3768	928	g8315913.exe	93
PID 928 wrote to memory of 3768	928	g8315913.exe	93
PID 928 wrote to memory of 3768	928	g8315913.exe	93
PID 928 wrote to memory of 3768	928	g8315913.exe	93
PID 928 wrote to memory of 3768	928	g8315913.exe	93
PID 928 wrote to memory of 3768	928	g8315913.exe	93
PID 1932 wrote to memory of 4932	1932	x4718039.exe	100
PID 1932 wrote to memory of 4932	1932	x4718039.exe	100
PID 1932 wrote to memory of 4932	1932	x4718039.exe	100

C:\Users\Admin\AppData\Local\Temp\f09056b42deee674a96cf34a57a8247a1485b559ce5afbffae4942057f5135ab.exe
"C:\Users\Admin\AppData\Local\Temp\f09056b42deee674a96cf34a57a8247a1485b559ce5afbffae4942057f5135ab.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3792
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x9435037.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x9435037.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:4032
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x7886351.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x7886351.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:4716
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\x4902647.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\x4902647.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:1136
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\x4718039.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\x4718039.exe
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of WriteProcessMemory
        
        PID:1932
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\g8315913.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\g8315913.exe
        6⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:928
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        7⤵
        
        PID:5112
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        7⤵
        
        PID:1420
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        7⤵
        
        PID:3768
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3768 -s 540
        8⤵
        Program crash
        
        PID:1204
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 928 -s 560
        7⤵
        Program crash
        
        PID:3892
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\h8940647.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\h8940647.exe
        6⤵
        Executes dropped EXE
        
        PID:4932

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 3768 -ip 3768
1⤵
PID:3332

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 928 -ip 928
1⤵
PID:804

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x9435037.exe

Filesize
974KB

MD5
8b8e02e778b926266ef60ea128fd4246

SHA1
c2fba20814c9a6b00e10ebd7e6617dfad269de85

SHA256
740d0a84b01bd96dd973514f061f71fddcdbbf0da221fd9cdc0738872b5893fa

SHA512
c7b0ebeb8cd51cea6f9c098d9c06ccc178f881a2e77e865fd848a57a85c6271c8038ebe4107ef92f3b1bba719a23b350a4c2b25f7236f3a9b118919e8df17758

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x9435037.exe

Filesize
974KB

MD5
8b8e02e778b926266ef60ea128fd4246

SHA1
c2fba20814c9a6b00e10ebd7e6617dfad269de85

SHA256
740d0a84b01bd96dd973514f061f71fddcdbbf0da221fd9cdc0738872b5893fa

SHA512
c7b0ebeb8cd51cea6f9c098d9c06ccc178f881a2e77e865fd848a57a85c6271c8038ebe4107ef92f3b1bba719a23b350a4c2b25f7236f3a9b118919e8df17758

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x7886351.exe

Filesize
792KB

MD5
918aa4d929aa61a54588a18f72b49c8c

SHA1
7a8ac5c2944b9b4a250b475bd010a15b5cf5ad3a

SHA256
d03d28985143381cd0a1ffe527e7c7a7f6c0d761e4947c6ae60a7d612a3f1a0b

SHA512
5dbf3f616d90d3d2cc0a5702787141413cd6ac04647aa2adff1fba2c22571f6db869369b9773392e644e975cfd652093bc0fcc54cd4b716731323adfbb72188e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x7886351.exe

Filesize
792KB

MD5
918aa4d929aa61a54588a18f72b49c8c

SHA1
7a8ac5c2944b9b4a250b475bd010a15b5cf5ad3a

SHA256
d03d28985143381cd0a1ffe527e7c7a7f6c0d761e4947c6ae60a7d612a3f1a0b

SHA512
5dbf3f616d90d3d2cc0a5702787141413cd6ac04647aa2adff1fba2c22571f6db869369b9773392e644e975cfd652093bc0fcc54cd4b716731323adfbb72188e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\x4902647.exe

Filesize
529KB

MD5
297dd12ccc8eac76a2a9a92dde3807c5

SHA1
022a71fa1156e98be31066f99059335b9d99416c

SHA256
b4168d6ca0886cbd37d7a4415db937f0cd07b569aa812d3166d4d324b9de2a7f

SHA512
1e5629758619fd1ce7628c3175c097ab5ecf88b81d83513d3c7c8e4b7574b951ec0dce04d12975209988bd912417280acdc1d1c9e1b22e2772aedea538d80de4

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\x4902647.exe

Filesize
529KB

MD5
297dd12ccc8eac76a2a9a92dde3807c5

SHA1
022a71fa1156e98be31066f99059335b9d99416c

SHA256
b4168d6ca0886cbd37d7a4415db937f0cd07b569aa812d3166d4d324b9de2a7f

SHA512
1e5629758619fd1ce7628c3175c097ab5ecf88b81d83513d3c7c8e4b7574b951ec0dce04d12975209988bd912417280acdc1d1c9e1b22e2772aedea538d80de4

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\x4718039.exe

Filesize
364KB

MD5
fc08cbb6100631b04e4bc11cd851d71a

SHA1
7c011b471bbfd2a5fab5f7ccf133c69db1261b09

SHA256
c34fb765bd3fb1c98079f29352354a90f43bcf9ea27a31bde6fb45bbee4024d3

SHA512
f758e0598cb1b071a86a2b53cf928038719a7147a4c7abd08818b4548c5fda69c8673559f4910f192037b7f47bc26eb4adbf9d646b9db59641e19856dfa81992

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\x4718039.exe

Filesize
364KB

MD5
fc08cbb6100631b04e4bc11cd851d71a

SHA1
7c011b471bbfd2a5fab5f7ccf133c69db1261b09

SHA256
c34fb765bd3fb1c98079f29352354a90f43bcf9ea27a31bde6fb45bbee4024d3

SHA512
f758e0598cb1b071a86a2b53cf928038719a7147a4c7abd08818b4548c5fda69c8673559f4910f192037b7f47bc26eb4adbf9d646b9db59641e19856dfa81992

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\g8315913.exe

Filesize
304KB

MD5
fcc9fd8995cf85e5dcd90b6181b34dc7

SHA1
359fb769a5f8f4569d1e045e87e3cbc8b92f3f78

SHA256
bae667ab9c4c87e83a2822d1b809ba141f13ea62746c7aa35ca439d77cf66b39

SHA512
5124a405ff3fb97b3715bd75db85c6178a32bcdcd03e4261d98ac05e8caa92434da978bf703282658db61cdd9f5b2d6aded82520faff47cf344e307cb199dd33

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\g8315913.exe

Filesize
304KB

MD5
fcc9fd8995cf85e5dcd90b6181b34dc7

SHA1
359fb769a5f8f4569d1e045e87e3cbc8b92f3f78

SHA256
bae667ab9c4c87e83a2822d1b809ba141f13ea62746c7aa35ca439d77cf66b39

SHA512
5124a405ff3fb97b3715bd75db85c6178a32bcdcd03e4261d98ac05e8caa92434da978bf703282658db61cdd9f5b2d6aded82520faff47cf344e307cb199dd33

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\h8940647.exe

Filesize
174KB

MD5
3deaf33ce806e8572a34310cb933424c

SHA1
db3a2ec27ede5301bb4f0d65d49eb07653c88df2

SHA256
baccc7e8f5788d82e6356f1765bace9718546d50d811cfa865a76edf690f5242

SHA512
7f60d210522951e9b942aefe3438c1490ff88edc1563376682dd11a13cb197f81769ab5c3835139959d1d2620329a3c84d149d264d0643b000369c5301e48a1e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\h8940647.exe

Filesize
174KB

MD5
3deaf33ce806e8572a34310cb933424c

SHA1
db3a2ec27ede5301bb4f0d65d49eb07653c88df2

SHA256
baccc7e8f5788d82e6356f1765bace9718546d50d811cfa865a76edf690f5242

SHA512
7f60d210522951e9b942aefe3438c1490ff88edc1563376682dd11a13cb197f81769ab5c3835139959d1d2620329a3c84d149d264d0643b000369c5301e48a1e

Download Submit
memory/3768-37-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/3768-39-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/3768-36-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/3768-35-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/4932-46-0x0000000005E00000-0x0000000006418000-memory.dmp

Filesize
6.1MB

Download
memory/4932-44-0x0000000074210000-0x00000000749C0000-memory.dmp

Filesize
7.7MB

Download
memory/4932-45-0x0000000003140000-0x0000000003146000-memory.dmp

Filesize
24KB

Download
memory/4932-43-0x0000000000D10000-0x0000000000D40000-memory.dmp

Filesize
192KB

Download
memory/4932-47-0x00000000058F0000-0x00000000059FA000-memory.dmp

Filesize
1.0MB

Download
memory/4932-49-0x00000000057E0000-0x00000000057F2000-memory.dmp

Filesize
72KB

Download
memory/4932-48-0x00000000056D0000-0x00000000056E0000-memory.dmp

Filesize
64KB

Download
memory/4932-50-0x0000000005840000-0x000000000587C000-memory.dmp

Filesize
240KB

Download
memory/4932-51-0x0000000005880000-0x00000000058CC000-memory.dmp

Filesize
304KB

Download
memory/4932-52-0x0000000074210000-0x00000000749C0000-memory.dmp

Filesize
7.7MB

Download
memory/4932-53-0x00000000056D0000-0x00000000056E0000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads