redline | 2a60f89ef513acc2a95a5fb232a73f0f975df18c483f96cd143e1b9de2257b92

Analysis

max time kernel
142s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
03/10/2023, 11:08

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

2a60f89ef513acc2a95a5fb232a73f0f975df18c483f96cd143e1b9de2257b92.exe
Size

1.1MB
MD5

bcca568b546b63b2fbd1e9df1467edec
SHA1

5477ef78ba289ba19f883a084a055699896b96c7
SHA256

2a60f89ef513acc2a95a5fb232a73f0f975df18c483f96cd143e1b9de2257b92
SHA512

9f046ceacccddf8750203b3b82a6e80664862118702a46356b6a25d000cd5031d7b7fd84d1cb90eea32fc754cf16cdfc24fd9668bc4da7315082a186cd60282f
SSDEEP

24576:LyTfiX0vfBpJPAD6c9Q7I0SnTWo6qccaeBTII7eaWDfF60:+TdBpJVc9Q7I0Sn0qjaexI2WDfF

Score

10^/10

redline gigant infostealer persistence

Malware Config

Extracted

Family

redline

Botnet

gigant

77.91.124.55:19071

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 3 IoCs

resource	yara_rule
behavioral1/files/0x0006000000023220-40.dat	family_redline
behavioral1/files/0x0006000000023220-42.dat	family_redline
behavioral1/memory/1956-43-0x0000000000D70000-0x0000000000DAE000-memory.dmp	family_redline

Executes dropped EXE 6 IoCs

pid	Process
1960	qa1Iy0Dm.exe
1236	Zv7sm4vN.exe
1848	Nz4Xb6eq.exe
608	TQ0KH6Uq.exe
1632	1Ah89hG6.exe
1956	2hu785Kt.exe

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	2a60f89ef513acc2a95a5fb232a73f0f975df18c483f96cd143e1b9de2257b92.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	qa1Iy0Dm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	Zv7sm4vN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	Nz4Xb6eq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\""	TQ0KH6Uq.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1632 set thread context of 1532	1632	1Ah89hG6.exe	93

Program crash 2 IoCs

pid	pid_target	Process	procid_target
60	1532	WerFault.exe	93
2472	1632	WerFault.exe	90

Suspicious use of WriteProcessMemory 28 IoCs

description	pid	Process	procid_target
PID 2872 wrote to memory of 1960	2872	2a60f89ef513acc2a95a5fb232a73f0f975df18c483f96cd143e1b9de2257b92.exe	86
PID 2872 wrote to memory of 1960	2872	2a60f89ef513acc2a95a5fb232a73f0f975df18c483f96cd143e1b9de2257b92.exe	86
PID 2872 wrote to memory of 1960	2872	2a60f89ef513acc2a95a5fb232a73f0f975df18c483f96cd143e1b9de2257b92.exe	86
PID 1960 wrote to memory of 1236	1960	qa1Iy0Dm.exe	87
PID 1960 wrote to memory of 1236	1960	qa1Iy0Dm.exe	87
PID 1960 wrote to memory of 1236	1960	qa1Iy0Dm.exe	87
PID 1236 wrote to memory of 1848	1236	Zv7sm4vN.exe	88
PID 1236 wrote to memory of 1848	1236	Zv7sm4vN.exe	88
PID 1236 wrote to memory of 1848	1236	Zv7sm4vN.exe	88
PID 1848 wrote to memory of 608	1848	Nz4Xb6eq.exe	89
PID 1848 wrote to memory of 608	1848	Nz4Xb6eq.exe	89
PID 1848 wrote to memory of 608	1848	Nz4Xb6eq.exe	89
PID 608 wrote to memory of 1632	608	TQ0KH6Uq.exe	90
PID 608 wrote to memory of 1632	608	TQ0KH6Uq.exe	90
PID 608 wrote to memory of 1632	608	TQ0KH6Uq.exe	90
PID 1632 wrote to memory of 1532	1632	1Ah89hG6.exe	93
PID 1632 wrote to memory of 1532	1632	1Ah89hG6.exe	93
PID 1632 wrote to memory of 1532	1632	1Ah89hG6.exe	93
PID 1632 wrote to memory of 1532	1632	1Ah89hG6.exe	93
PID 1632 wrote to memory of 1532	1632	1Ah89hG6.exe	93
PID 1632 wrote to memory of 1532	1632	1Ah89hG6.exe	93
PID 1632 wrote to memory of 1532	1632	1Ah89hG6.exe	93
PID 1632 wrote to memory of 1532	1632	1Ah89hG6.exe	93
PID 1632 wrote to memory of 1532	1632	1Ah89hG6.exe	93
PID 1632 wrote to memory of 1532	1632	1Ah89hG6.exe	93
PID 608 wrote to memory of 1956	608	TQ0KH6Uq.exe	99
PID 608 wrote to memory of 1956	608	TQ0KH6Uq.exe	99
PID 608 wrote to memory of 1956	608	TQ0KH6Uq.exe	99

C:\Users\Admin\AppData\Local\Temp\2a60f89ef513acc2a95a5fb232a73f0f975df18c483f96cd143e1b9de2257b92.exe
"C:\Users\Admin\AppData\Local\Temp\2a60f89ef513acc2a95a5fb232a73f0f975df18c483f96cd143e1b9de2257b92.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2872
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\qa1Iy0Dm.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\qa1Iy0Dm.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:1960
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Zv7sm4vN.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Zv7sm4vN.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:1236
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Nz4Xb6eq.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Nz4Xb6eq.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:1848
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\TQ0KH6Uq.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\TQ0KH6Uq.exe
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of WriteProcessMemory
        
        PID:608
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1Ah89hG6.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1Ah89hG6.exe
        6⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:1632
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        7⤵
        
        PID:1532
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1532 -s 540
        8⤵
        Program crash
        
        PID:60
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1632 -s 148
        7⤵
        Program crash
        
        PID:2472
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2hu785Kt.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2hu785Kt.exe
        6⤵
        Executes dropped EXE
        
        PID:1956

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 1532 -ip 1532
1⤵
PID:3940

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 1632 -ip 1632
1⤵
PID:4996

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\qa1Iy0Dm.exe

Filesize
960KB

MD5
7b04085b35baf61800de327692345448

SHA1
3e0c4741df6b7d056dc02c4f3ed10ebe3c84d762

SHA256
5e503e96a5caee72a3a7c3dfe559111a818af7a21d4dd35224a587e1ec8900c6

SHA512
d44752abf091f2d56e0136304fe9a28fc0215ea97b9fd706e334f65540468bcb0f9f74542e148d0686bea716812915056198e283070ddf31ed49dc3034745185

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\qa1Iy0Dm.exe

Filesize
960KB

MD5
7b04085b35baf61800de327692345448

SHA1
3e0c4741df6b7d056dc02c4f3ed10ebe3c84d762

SHA256
5e503e96a5caee72a3a7c3dfe559111a818af7a21d4dd35224a587e1ec8900c6

SHA512
d44752abf091f2d56e0136304fe9a28fc0215ea97b9fd706e334f65540468bcb0f9f74542e148d0686bea716812915056198e283070ddf31ed49dc3034745185

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Zv7sm4vN.exe

Filesize
778KB

MD5
7d8d3cb7ba453eb9e736449c8fcc6a03

SHA1
6e4f714b719a496b2cda26eb32207adbd3b80553

SHA256
fd98f86ccd04735118363eadf1b6680a818401b069bd51e6a84a04d17aa64066

SHA512
2692a24b7bdab0cbdefd196db7728679a26a81fdeddac1a4e0364347eb9a00939074b6f93b7b5f3a0a1ac757d372132a6c07cf95953e08db4dd2b6bf0971ccd5

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Zv7sm4vN.exe

Filesize
778KB

MD5
7d8d3cb7ba453eb9e736449c8fcc6a03

SHA1
6e4f714b719a496b2cda26eb32207adbd3b80553

SHA256
fd98f86ccd04735118363eadf1b6680a818401b069bd51e6a84a04d17aa64066

SHA512
2692a24b7bdab0cbdefd196db7728679a26a81fdeddac1a4e0364347eb9a00939074b6f93b7b5f3a0a1ac757d372132a6c07cf95953e08db4dd2b6bf0971ccd5

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Nz4Xb6eq.exe

Filesize
531KB

MD5
5df7ccf4b13fefcb9fa3d538958e5783

SHA1
8a1b493ec42c40d5b1f7debe5a6bbbbcf0e77138

SHA256
2dc2d3e1408f9fad07a6657128f83c80b76bf9f6c8f99c5542bc6fddcf699e21

SHA512
ba1e20f608267124fb181eec50657422f7247787f1b0de610eef0b13726f28159364aa1fc7b011b284a8f0a634c86fd8612c164f895346147d283ca47d16d845

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Nz4Xb6eq.exe

Filesize
531KB

MD5
5df7ccf4b13fefcb9fa3d538958e5783

SHA1
8a1b493ec42c40d5b1f7debe5a6bbbbcf0e77138

SHA256
2dc2d3e1408f9fad07a6657128f83c80b76bf9f6c8f99c5542bc6fddcf699e21

SHA512
ba1e20f608267124fb181eec50657422f7247787f1b0de610eef0b13726f28159364aa1fc7b011b284a8f0a634c86fd8612c164f895346147d283ca47d16d845

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\TQ0KH6Uq.exe

Filesize
366KB

MD5
e66b13ef656f31455b27744299e77e0f

SHA1
a7778b4f7a3e0fb89d08be7117dc7825c9bc449b

SHA256
58d3284af9f464cb3208ec3520dec88ee7c49d17c3306ec6fcb5c9a920702186

SHA512
159a8fefdb0f11d6575328153b2308e942f81366d4563531d0ed0badd605434a2961aa5fbb353f098d6ef5743114d9bab68828decfb8fe38638b20501a0e6d5a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\TQ0KH6Uq.exe

Filesize
366KB

MD5
e66b13ef656f31455b27744299e77e0f

SHA1
a7778b4f7a3e0fb89d08be7117dc7825c9bc449b

SHA256
58d3284af9f464cb3208ec3520dec88ee7c49d17c3306ec6fcb5c9a920702186

SHA512
159a8fefdb0f11d6575328153b2308e942f81366d4563531d0ed0badd605434a2961aa5fbb353f098d6ef5743114d9bab68828decfb8fe38638b20501a0e6d5a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1Ah89hG6.exe

Filesize
285KB

MD5
582f6a5926a67a7df2a20295499f017b

SHA1
3bfe0f78b04d13e997b36b0cb7be721a9acfe7ad

SHA256
366e550295b0c3586210ba6145aec3de113f8cfe711c990e021fb56e60727cba

SHA512
e392a2880d8cd52dc72f397ea0c0623619dbc31861b8db4cfb8b8fd3b12acf2c16013f929859fb43e44df0b40c4bdbe4c9d1e40969b0456baca0f88ff4eb93db

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1Ah89hG6.exe

Filesize
285KB

MD5
582f6a5926a67a7df2a20295499f017b

SHA1
3bfe0f78b04d13e997b36b0cb7be721a9acfe7ad

SHA256
366e550295b0c3586210ba6145aec3de113f8cfe711c990e021fb56e60727cba

SHA512
e392a2880d8cd52dc72f397ea0c0623619dbc31861b8db4cfb8b8fd3b12acf2c16013f929859fb43e44df0b40c4bdbe4c9d1e40969b0456baca0f88ff4eb93db

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2hu785Kt.exe

Filesize
222KB

MD5
d63f247bd1f676e20baf9eb3e4196dec

SHA1
8d6d5914d1c31943ae70312bc4d05bdd88a8aad7

SHA256
2ec7136f2542ed108cb57af33d63aee422d3545c0e2bfff6c728504895581146

SHA512
638196ce3666c3fc4a401d9cbbe2f43197c0bcac670d8e63ba36f034fe6c4b1799ebf9bebcc9e14b406cac27fa9c2156177a92a198520e4537795ee7c9285282

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2hu785Kt.exe

Filesize
222KB

MD5
d63f247bd1f676e20baf9eb3e4196dec

SHA1
8d6d5914d1c31943ae70312bc4d05bdd88a8aad7

SHA256
2ec7136f2542ed108cb57af33d63aee422d3545c0e2bfff6c728504895581146

SHA512
638196ce3666c3fc4a401d9cbbe2f43197c0bcac670d8e63ba36f034fe6c4b1799ebf9bebcc9e14b406cac27fa9c2156177a92a198520e4537795ee7c9285282

Download Submit
memory/1532-36-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/1532-37-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/1532-39-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/1532-35-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/1956-46-0x0000000007B40000-0x0000000007BD2000-memory.dmp

Filesize
584KB

Download
memory/1956-43-0x0000000000D70000-0x0000000000DAE000-memory.dmp

Filesize
248KB

Download
memory/1956-45-0x0000000008010000-0x00000000085B4000-memory.dmp

Filesize
5.6MB

Download
memory/1956-44-0x0000000074720000-0x0000000074ED0000-memory.dmp

Filesize
7.7MB

Download
memory/1956-47-0x0000000007DA0000-0x0000000007DB0000-memory.dmp

Filesize
64KB

Download
memory/1956-48-0x0000000007BF0000-0x0000000007BFA000-memory.dmp

Filesize
40KB

Download
memory/1956-49-0x0000000008BE0000-0x00000000091F8000-memory.dmp

Filesize
6.1MB

Download
memory/1956-50-0x0000000007EC0000-0x0000000007FCA000-memory.dmp

Filesize
1.0MB

Download
memory/1956-51-0x0000000007DD0000-0x0000000007DE2000-memory.dmp

Filesize
72KB

Download
memory/1956-52-0x0000000007E30000-0x0000000007E6C000-memory.dmp

Filesize
240KB

Download
memory/1956-53-0x0000000007E70000-0x0000000007EBC000-memory.dmp

Filesize
304KB

Download
memory/1956-54-0x0000000074720000-0x0000000074ED0000-memory.dmp

Filesize
7.7MB

Download
memory/1956-55-0x0000000007DA0000-0x0000000007DB0000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads