redline | cd7d898a13d74fb5d08840c2c49e6ad2b9a0af5e86d8fc96c480dce5797d704a

Analysis

max time kernel
142s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
04/10/2023, 02:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

cd7d898a13d74fb5d08840c2c49e6ad2b9a0af5e86d8fc96c480dce5797d704a.exe
Size

1.5MB
MD5

83a944e4466559fe02adc1fce5ba69c7
SHA1

4b52b8b1ab4c525a9d5fd9ad8127f5ac12d6bb62
SHA256

cd7d898a13d74fb5d08840c2c49e6ad2b9a0af5e86d8fc96c480dce5797d704a
SHA512

325cb8aa7b527288ce9b8a27d79a1dd1e98cfab0ef56233a722d62f733b1f37ddb287e1940dc89716ea7f40bd8920b6399956e6e969cbce3042b63984fcef510
SSDEEP

24576:eyGUpcIUOcCC20KQI5UNH40kiBZpDKxEr0tptyusfVn5r2:tGU6OERKDIY4+e4rgV

Score

10^/10

redline gigant infostealer persistence

Malware Config

Extracted

Family

redline

Botnet

gigant

77.91.124.55:19071

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 3 IoCs

resource	yara_rule
behavioral1/files/0x00070000000231fe-41.dat	family_redline
behavioral1/files/0x00070000000231fe-42.dat	family_redline
behavioral1/memory/1780-43-0x00000000001E0000-0x000000000021E000-memory.dmp	family_redline

Executes dropped EXE 6 IoCs

pid	Process
2804	pM4ts2sy.exe
1328	rK8VL1TD.exe
4048	bA1ug2Uw.exe
1968	Ff2qA2ow.exe
1872	1dq85Fi9.exe
1780	2Dr315SU.exe

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	cd7d898a13d74fb5d08840c2c49e6ad2b9a0af5e86d8fc96c480dce5797d704a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	pM4ts2sy.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	rK8VL1TD.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	bA1ug2Uw.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\""	Ff2qA2ow.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1872 set thread context of 2684	1872	1dq85Fi9.exe	93

Program crash 2 IoCs

pid	pid_target	Process	procid_target
1616	1872	WerFault.exe	91
724	2684	WerFault.exe	93

Suspicious use of WriteProcessMemory 28 IoCs

description	pid	Process	procid_target
PID 3892 wrote to memory of 2804	3892	cd7d898a13d74fb5d08840c2c49e6ad2b9a0af5e86d8fc96c480dce5797d704a.exe	86
PID 3892 wrote to memory of 2804	3892	cd7d898a13d74fb5d08840c2c49e6ad2b9a0af5e86d8fc96c480dce5797d704a.exe	86
PID 3892 wrote to memory of 2804	3892	cd7d898a13d74fb5d08840c2c49e6ad2b9a0af5e86d8fc96c480dce5797d704a.exe	86
PID 2804 wrote to memory of 1328	2804	pM4ts2sy.exe	87
PID 2804 wrote to memory of 1328	2804	pM4ts2sy.exe	87
PID 2804 wrote to memory of 1328	2804	pM4ts2sy.exe	87
PID 1328 wrote to memory of 4048	1328	rK8VL1TD.exe	89
PID 1328 wrote to memory of 4048	1328	rK8VL1TD.exe	89
PID 1328 wrote to memory of 4048	1328	rK8VL1TD.exe	89
PID 4048 wrote to memory of 1968	4048	bA1ug2Uw.exe	90
PID 4048 wrote to memory of 1968	4048	bA1ug2Uw.exe	90
PID 4048 wrote to memory of 1968	4048	bA1ug2Uw.exe	90
PID 1968 wrote to memory of 1872	1968	Ff2qA2ow.exe	91
PID 1968 wrote to memory of 1872	1968	Ff2qA2ow.exe	91
PID 1968 wrote to memory of 1872	1968	Ff2qA2ow.exe	91
PID 1872 wrote to memory of 2684	1872	1dq85Fi9.exe	93
PID 1872 wrote to memory of 2684	1872	1dq85Fi9.exe	93
PID 1872 wrote to memory of 2684	1872	1dq85Fi9.exe	93
PID 1872 wrote to memory of 2684	1872	1dq85Fi9.exe	93
PID 1872 wrote to memory of 2684	1872	1dq85Fi9.exe	93
PID 1872 wrote to memory of 2684	1872	1dq85Fi9.exe	93
PID 1872 wrote to memory of 2684	1872	1dq85Fi9.exe	93
PID 1872 wrote to memory of 2684	1872	1dq85Fi9.exe	93
PID 1872 wrote to memory of 2684	1872	1dq85Fi9.exe	93
PID 1872 wrote to memory of 2684	1872	1dq85Fi9.exe	93
PID 1968 wrote to memory of 1780	1968	Ff2qA2ow.exe	99
PID 1968 wrote to memory of 1780	1968	Ff2qA2ow.exe	99
PID 1968 wrote to memory of 1780	1968	Ff2qA2ow.exe	99

C:\Users\Admin\AppData\Local\Temp\cd7d898a13d74fb5d08840c2c49e6ad2b9a0af5e86d8fc96c480dce5797d704a.exe
"C:\Users\Admin\AppData\Local\Temp\cd7d898a13d74fb5d08840c2c49e6ad2b9a0af5e86d8fc96c480dce5797d704a.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3892
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\pM4ts2sy.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\pM4ts2sy.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:2804
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rK8VL1TD.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rK8VL1TD.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:1328
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\bA1ug2Uw.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\bA1ug2Uw.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:4048
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\Ff2qA2ow.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\Ff2qA2ow.exe
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of WriteProcessMemory
        
        PID:1968
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1dq85Fi9.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1dq85Fi9.exe
        6⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:1872
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        7⤵
        
        PID:2684
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2684 -s 540
        8⤵
        Program crash
        
        PID:724
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1872 -s 560
        7⤵
        Program crash
        
        PID:1616
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2Dr315SU.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2Dr315SU.exe
        6⤵
        Executes dropped EXE
        
        PID:1780

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 1872 -ip 1872
1⤵
PID:3880

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 2684 -ip 2684
1⤵
PID:1384

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\pM4ts2sy.exe

Filesize
1.3MB

MD5
f1ebc75ddc860ce8b144ca93153d689d

SHA1
1d5d19a654317a448d643eb97acf5062d262228e

SHA256
291626bbba8d88a3c19e201068ddc3f5b65052eccd2d744a089408832d0e3472

SHA512
d5a7c2cad607d31057024da5d1a8f0b0678c29f2d6eb8cf31c44620f7de4c6044ccf9d0a4437f34f0feb89906165277ecb97cc78ba6ff37535d4a005250f1c9b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\pM4ts2sy.exe

Filesize
1.3MB

MD5
f1ebc75ddc860ce8b144ca93153d689d

SHA1
1d5d19a654317a448d643eb97acf5062d262228e

SHA256
291626bbba8d88a3c19e201068ddc3f5b65052eccd2d744a089408832d0e3472

SHA512
d5a7c2cad607d31057024da5d1a8f0b0678c29f2d6eb8cf31c44620f7de4c6044ccf9d0a4437f34f0feb89906165277ecb97cc78ba6ff37535d4a005250f1c9b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rK8VL1TD.exe

Filesize
1.1MB

MD5
f70904f1708008b6c021c9c7b1d15a10

SHA1
84dfb907b792d4adc31215a54f63478033166778

SHA256
339ab7eb74bd61646a50d581e141f81da491f24fa1817d3e85442ce9811a0d7d

SHA512
3752f661b0d960095d4b89eaa4033808ade8eea63adfedb0b2bab01c305a231a9228d0f87be7228ebde07707eaebf5ea523a7fa66d3b082e6e2c5900f24e26d6

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rK8VL1TD.exe

Filesize
1.1MB

MD5
f70904f1708008b6c021c9c7b1d15a10

SHA1
84dfb907b792d4adc31215a54f63478033166778

SHA256
339ab7eb74bd61646a50d581e141f81da491f24fa1817d3e85442ce9811a0d7d

SHA512
3752f661b0d960095d4b89eaa4033808ade8eea63adfedb0b2bab01c305a231a9228d0f87be7228ebde07707eaebf5ea523a7fa66d3b082e6e2c5900f24e26d6

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\bA1ug2Uw.exe

Filesize
735KB

MD5
e60baec494f78fc3225e56d9c4e0631e

SHA1
f7ff31d68b114d572eca1ae45218bf8d85350abb

SHA256
811de0aeff1d092397c69992d4aec256c7cf1084cffd1ce8b3362ed021eb2f4e

SHA512
e1962d22fc9a2029273644494653161a558eefc22a8ae45392b3fc51e530ab263b8d55822f7c4972b7e7d97ed455cee3550baf0f7c86d8460ee0abb0fed45143

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\bA1ug2Uw.exe

Filesize
735KB

MD5
e60baec494f78fc3225e56d9c4e0631e

SHA1
f7ff31d68b114d572eca1ae45218bf8d85350abb

SHA256
811de0aeff1d092397c69992d4aec256c7cf1084cffd1ce8b3362ed021eb2f4e

SHA512
e1962d22fc9a2029273644494653161a558eefc22a8ae45392b3fc51e530ab263b8d55822f7c4972b7e7d97ed455cee3550baf0f7c86d8460ee0abb0fed45143

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\Ff2qA2ow.exe

Filesize
562KB

MD5
e23f1c858fcbdac377926d277f39f23b

SHA1
7ad40c9cb6febb9248aea89b20ea817233cf1b8b

SHA256
24f532a77c46f9c4eca741987c6ae9ff178022235472c170bfad4940db74f68d

SHA512
8d6564dfeca2816af9b6a54cf9f01534a1b904b8928d7fcfb077707d2969d4a262c8efc8c39977b13178ddc3a8cbfab902f8f1d6dfa0874fb0ed08b09fbe60d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\Ff2qA2ow.exe

Filesize
562KB

MD5
e23f1c858fcbdac377926d277f39f23b

SHA1
7ad40c9cb6febb9248aea89b20ea817233cf1b8b

SHA256
24f532a77c46f9c4eca741987c6ae9ff178022235472c170bfad4940db74f68d

SHA512
8d6564dfeca2816af9b6a54cf9f01534a1b904b8928d7fcfb077707d2969d4a262c8efc8c39977b13178ddc3a8cbfab902f8f1d6dfa0874fb0ed08b09fbe60d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1dq85Fi9.exe

Filesize
1.4MB

MD5
e1aa8b83a25ed928604938ac437f57fa

SHA1
19ac00a655094976a1f1516aaaa8a4bbd185dea8

SHA256
672190181547c7112701c1365018bfdec75b01466c54603443ba66768e0c32ed

SHA512
69b719ce61dcd95a09c87cf18c046fb53c9e5b35ad7893fd5f868005cac4509fb6bcf3ba759868279b94e5bef4eb39a4fc1ef315d4544661904d49255c957655

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1dq85Fi9.exe

Filesize
1.4MB

MD5
e1aa8b83a25ed928604938ac437f57fa

SHA1
19ac00a655094976a1f1516aaaa8a4bbd185dea8

SHA256
672190181547c7112701c1365018bfdec75b01466c54603443ba66768e0c32ed

SHA512
69b719ce61dcd95a09c87cf18c046fb53c9e5b35ad7893fd5f868005cac4509fb6bcf3ba759868279b94e5bef4eb39a4fc1ef315d4544661904d49255c957655

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2Dr315SU.exe

Filesize
230KB

MD5
db22b7e0de2b9168dc2c57c4bb885912

SHA1
ee8dccfeaa3a15bceb39ac8d314658df6b975b87

SHA256
17a71a8333c097c8869bbbc9ce1854670253abe7ee45023eca28da9d11c75b65

SHA512
61003c7c219b1c7d15e35325ed4d9d5be14c7153cf4ec80eef02002ffb85f2306a54aa79f20a8b807966b241380464a5cd4314709de7900e1d4fcd3bc01f99e5

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2Dr315SU.exe

Filesize
230KB

MD5
db22b7e0de2b9168dc2c57c4bb885912

SHA1
ee8dccfeaa3a15bceb39ac8d314658df6b975b87

SHA256
17a71a8333c097c8869bbbc9ce1854670253abe7ee45023eca28da9d11c75b65

SHA512
61003c7c219b1c7d15e35325ed4d9d5be14c7153cf4ec80eef02002ffb85f2306a54aa79f20a8b807966b241380464a5cd4314709de7900e1d4fcd3bc01f99e5

Download Submit
memory/1780-46-0x0000000006FD0000-0x0000000007062000-memory.dmp

Filesize
584KB

Download
memory/1780-48-0x0000000006FC0000-0x0000000006FCA000-memory.dmp

Filesize
40KB

Download
memory/1780-55-0x0000000007240000-0x0000000007250000-memory.dmp

Filesize
64KB

Download
memory/1780-54-0x00000000742F0000-0x0000000074AA0000-memory.dmp

Filesize
7.7MB

Download
memory/1780-44-0x00000000742F0000-0x0000000074AA0000-memory.dmp

Filesize
7.7MB

Download
memory/1780-43-0x00000000001E0000-0x000000000021E000-memory.dmp

Filesize
248KB

Download
memory/1780-45-0x00000000074E0000-0x0000000007A84000-memory.dmp

Filesize
5.6MB

Download
memory/1780-53-0x0000000007420000-0x000000000746C000-memory.dmp

Filesize
304KB

Download
memory/1780-52-0x00000000073E0000-0x000000000741C000-memory.dmp

Filesize
240KB

Download
memory/1780-49-0x00000000080B0000-0x00000000086C8000-memory.dmp

Filesize
6.1MB

Download
memory/1780-47-0x0000000007240000-0x0000000007250000-memory.dmp

Filesize
64KB

Download
memory/1780-50-0x0000000007A90000-0x0000000007B9A000-memory.dmp

Filesize
1.0MB

Download
memory/1780-51-0x0000000007380000-0x0000000007392000-memory.dmp

Filesize
72KB

Download
memory/2684-39-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/2684-37-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/2684-35-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/2684-36-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads