redline | 0b50ae0e27e98ee450eecb0335a2569decde56be720550f3a0f9d619d54f3a07

Analysis

max time kernel
140s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
04/10/2023, 09:23

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

e7fc97af7c226c5c24f24ed503a451d8f993d664e2a325652e8fd371946e9fa3.exe
Size

1.5MB
MD5

abba55efd32b6631bd77fec98c415e6d
SHA1

8cc5ca395523595b774fb5415fc5e2358238153f
SHA256

e7fc97af7c226c5c24f24ed503a451d8f993d664e2a325652e8fd371946e9fa3
SHA512

15ab1df5d515da52e15d8528b40bb971930b37a7ed2511c9c8c1d84cf6c73378219a7d73f2757838aecad073af0b8e992dafaee6a6b27751fae019f4377d7cc6
SSDEEP

24576:AyG1UPiDh5owC8I15OXTIccknZi+7A8gbQlG2IEZEZ5aMSj0SZDF:HRP4U38Icckn9EbIIsw59KD

Score

10^/10

redline gigant infostealer persistence

Malware Config

Extracted

Family

redline

Botnet

gigant

77.91.124.55:19071

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 3 IoCs

resource	yara_rule
behavioral2/files/0x0007000000023214-41.dat	family_redline
behavioral2/files/0x0007000000023214-42.dat	family_redline
behavioral2/memory/3480-43-0x0000000000750000-0x000000000078E000-memory.dmp	family_redline

Executes dropped EXE 6 IoCs

pid	Process
1528	JX9NZ9sY.exe
1272	If1II7ly.exe
4884	ur4mI9Wq.exe
4992	XY5Ya5MP.exe
4780	1ZB14TQ1.exe
3480	2le006wi.exe

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	JX9NZ9sY.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	If1II7ly.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	ur4mI9Wq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\""	XY5Ya5MP.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	e7fc97af7c226c5c24f24ed503a451d8f993d664e2a325652e8fd371946e9fa3.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4780 set thread context of 4564	4780	1ZB14TQ1.exe	96

Program crash 2 IoCs

pid	pid_target	Process	procid_target
3380	4564	WerFault.exe	96
644	4780	WerFault.exe	92

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeManageVolumePrivilege	1468	svchost.exe

Suspicious use of WriteProcessMemory 34 IoCs

description	pid	Process	procid_target
PID 1316 wrote to memory of 1528	1316	e7fc97af7c226c5c24f24ed503a451d8f993d664e2a325652e8fd371946e9fa3.exe	87
PID 1316 wrote to memory of 1528	1316	e7fc97af7c226c5c24f24ed503a451d8f993d664e2a325652e8fd371946e9fa3.exe	87
PID 1316 wrote to memory of 1528	1316	e7fc97af7c226c5c24f24ed503a451d8f993d664e2a325652e8fd371946e9fa3.exe	87
PID 1528 wrote to memory of 1272	1528	JX9NZ9sY.exe	88
PID 1528 wrote to memory of 1272	1528	JX9NZ9sY.exe	88
PID 1528 wrote to memory of 1272	1528	JX9NZ9sY.exe	88
PID 1272 wrote to memory of 4884	1272	If1II7ly.exe	89
PID 1272 wrote to memory of 4884	1272	If1II7ly.exe	89
PID 1272 wrote to memory of 4884	1272	If1II7ly.exe	89
PID 4884 wrote to memory of 4992	4884	ur4mI9Wq.exe	91
PID 4884 wrote to memory of 4992	4884	ur4mI9Wq.exe	91
PID 4884 wrote to memory of 4992	4884	ur4mI9Wq.exe	91
PID 4992 wrote to memory of 4780	4992	XY5Ya5MP.exe	92
PID 4992 wrote to memory of 4780	4992	XY5Ya5MP.exe	92
PID 4992 wrote to memory of 4780	4992	XY5Ya5MP.exe	92
PID 4780 wrote to memory of 4908	4780	1ZB14TQ1.exe	94
PID 4780 wrote to memory of 4908	4780	1ZB14TQ1.exe	94
PID 4780 wrote to memory of 4908	4780	1ZB14TQ1.exe	94
PID 4780 wrote to memory of 224	4780	1ZB14TQ1.exe	95
PID 4780 wrote to memory of 224	4780	1ZB14TQ1.exe	95
PID 4780 wrote to memory of 224	4780	1ZB14TQ1.exe	95
PID 4780 wrote to memory of 4564	4780	1ZB14TQ1.exe	96
PID 4780 wrote to memory of 4564	4780	1ZB14TQ1.exe	96
PID 4780 wrote to memory of 4564	4780	1ZB14TQ1.exe	96
PID 4780 wrote to memory of 4564	4780	1ZB14TQ1.exe	96
PID 4780 wrote to memory of 4564	4780	1ZB14TQ1.exe	96
PID 4780 wrote to memory of 4564	4780	1ZB14TQ1.exe	96
PID 4780 wrote to memory of 4564	4780	1ZB14TQ1.exe	96
PID 4780 wrote to memory of 4564	4780	1ZB14TQ1.exe	96
PID 4780 wrote to memory of 4564	4780	1ZB14TQ1.exe	96
PID 4780 wrote to memory of 4564	4780	1ZB14TQ1.exe	96
PID 4992 wrote to memory of 3480	4992	XY5Ya5MP.exe	102
PID 4992 wrote to memory of 3480	4992	XY5Ya5MP.exe	102
PID 4992 wrote to memory of 3480	4992	XY5Ya5MP.exe	102

C:\Users\Admin\AppData\Local\Temp\e7fc97af7c226c5c24f24ed503a451d8f993d664e2a325652e8fd371946e9fa3.exe
"C:\Users\Admin\AppData\Local\Temp\e7fc97af7c226c5c24f24ed503a451d8f993d664e2a325652e8fd371946e9fa3.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1316
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\JX9NZ9sY.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\JX9NZ9sY.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:1528
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\If1II7ly.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\If1II7ly.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:1272
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\ur4mI9Wq.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\ur4mI9Wq.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:4884
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\XY5Ya5MP.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\XY5Ya5MP.exe
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of WriteProcessMemory
        
        PID:4992
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1ZB14TQ1.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1ZB14TQ1.exe
        6⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:4780
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        7⤵
        
        PID:4908
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        7⤵
        
        PID:224
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        7⤵
        
        PID:4564
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4564 -s 196
        8⤵
        Program crash
        
        PID:3380
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4780 -s 600
        7⤵
        Program crash
        
        PID:644
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2le006wi.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2le006wi.exe
        6⤵
        Executes dropped EXE
        
        PID:3480

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4564 -ip 4564
1⤵
PID:2192

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 4780 -ip 4780
1⤵
PID:4540

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" "C:\Windows\SYSTEM32\EDGEHTML.dll",#141 Microsoft.VCLibs.140.00_8wekyb3d8bbwe
1⤵
PID:1436

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k UnistackSvcGroup
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1468

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\JX9NZ9sY.exe

Filesize
1.3MB

MD5
a07d9ad865bdac60d7f8cbcb3934ba8a

SHA1
b42301105d850fb0cade6a543fc91f49ab1518d9

SHA256
80801f151109102aa7daeedc0d41329c9ce3ffbe37f9560a5313529d924cdb33

SHA512
5e3b1dc94a0bdf61716838c1a5de69f4722f5e05be6e58a0117da1f92dd201cabc5d02053d07639cd5e65b3314554cb9511916939b03a8ea575612ee0b270056

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\JX9NZ9sY.exe

Filesize
1.3MB

MD5
a07d9ad865bdac60d7f8cbcb3934ba8a

SHA1
b42301105d850fb0cade6a543fc91f49ab1518d9

SHA256
80801f151109102aa7daeedc0d41329c9ce3ffbe37f9560a5313529d924cdb33

SHA512
5e3b1dc94a0bdf61716838c1a5de69f4722f5e05be6e58a0117da1f92dd201cabc5d02053d07639cd5e65b3314554cb9511916939b03a8ea575612ee0b270056

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\If1II7ly.exe

Filesize
1.1MB

MD5
4a1f322dfde4f37fc5d5f717dcd141bc

SHA1
2f78f98c4f5749120b1552a6dda9c245c9c3e2a3

SHA256
bbd96237332c723a98ce6a1942881023864b491b24a888e85b36e8c46a58b028

SHA512
ddc5ede85c226457e9e6ec638c832add16802f3d0a294f29c2264e93e0bd39882968d788391a4e37a9fb768a64b9d3a2abc25971d7306f92560f4cfe0947b2e6

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\If1II7ly.exe

Filesize
1.1MB

MD5
4a1f322dfde4f37fc5d5f717dcd141bc

SHA1
2f78f98c4f5749120b1552a6dda9c245c9c3e2a3

SHA256
bbd96237332c723a98ce6a1942881023864b491b24a888e85b36e8c46a58b028

SHA512
ddc5ede85c226457e9e6ec638c832add16802f3d0a294f29c2264e93e0bd39882968d788391a4e37a9fb768a64b9d3a2abc25971d7306f92560f4cfe0947b2e6

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\ur4mI9Wq.exe

Filesize
736KB

MD5
e3511942850c06172da852f9ce3d0885

SHA1
4208e25cf01c6396559a2cc8176d8b74a93cb367

SHA256
ecfe189250471adee463d2420fcd5ea8230303f427c12347ced6acc3e96be318

SHA512
b132c536bba44c6ca8e84d4aee1a88ac1c06b9fb6f03e06fcb78c5d8d7cc220def1f507b75d39e04b57ac7eca9b0ac706795be67e4fd29ef7980e090b7065d20

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\ur4mI9Wq.exe

Filesize
736KB

MD5
e3511942850c06172da852f9ce3d0885

SHA1
4208e25cf01c6396559a2cc8176d8b74a93cb367

SHA256
ecfe189250471adee463d2420fcd5ea8230303f427c12347ced6acc3e96be318

SHA512
b132c536bba44c6ca8e84d4aee1a88ac1c06b9fb6f03e06fcb78c5d8d7cc220def1f507b75d39e04b57ac7eca9b0ac706795be67e4fd29ef7980e090b7065d20

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\XY5Ya5MP.exe

Filesize
563KB

MD5
51d1cd2f216993ca808f988d2d2a851c

SHA1
21be8d77fb2a9bdbc25a3f0bc133c9e7b3da948b

SHA256
e6aa39bd11b9c8579e726035543c9c7ccad73547866e804365410a1fff3ddf8e

SHA512
76fe99a1462baf192a6914f300a6937c566e3259042953b8d29ef2d49321099c48c9321fc0502a16c5cf9b21dddea6051b8bab7c8ccbdca8d8e647fdaa2fb8de

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\XY5Ya5MP.exe

Filesize
563KB

MD5
51d1cd2f216993ca808f988d2d2a851c

SHA1
21be8d77fb2a9bdbc25a3f0bc133c9e7b3da948b

SHA256
e6aa39bd11b9c8579e726035543c9c7ccad73547866e804365410a1fff3ddf8e

SHA512
76fe99a1462baf192a6914f300a6937c566e3259042953b8d29ef2d49321099c48c9321fc0502a16c5cf9b21dddea6051b8bab7c8ccbdca8d8e647fdaa2fb8de

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1ZB14TQ1.exe

Filesize
1.4MB

MD5
5d1de9091cf85f1462e2395bad904e0a

SHA1
9c31d73a8418c75432e7b2a265be7a2f323c505d

SHA256
f8574f7afabe626d2b83b67d0078bcc76d40f109cc0b6502de784d9c082c9d1f

SHA512
73bfabfcaab0c4ec0ffb95d756bfebe891a17c671b4e2090fb4f36c3150cf3d815181f27a3ca2c63cc58d20f195987cf997a21ba8b866a51f5fbb32d83b990e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1ZB14TQ1.exe

Filesize
1.4MB

MD5
5d1de9091cf85f1462e2395bad904e0a

SHA1
9c31d73a8418c75432e7b2a265be7a2f323c505d

SHA256
f8574f7afabe626d2b83b67d0078bcc76d40f109cc0b6502de784d9c082c9d1f

SHA512
73bfabfcaab0c4ec0ffb95d756bfebe891a17c671b4e2090fb4f36c3150cf3d815181f27a3ca2c63cc58d20f195987cf997a21ba8b866a51f5fbb32d83b990e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2le006wi.exe

Filesize
230KB

MD5
36b23fed86913aaf87116288aaf8ef42

SHA1
50dc21029815087eaaac6d9ccbfd0506e49091a4

SHA256
b50cb058258c30355c27249d00c3e000caea444940971ba3dc55f1aa40b79098

SHA512
6ea9abacefcdc435bc4c4732ee1b33bb4cc30819635a9bd3fc71d943b134366b7c0d7f08acefff4da10e964eddd0c2b73e57c7cfe582e5675f3ea0acc005b971

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2le006wi.exe

Filesize
230KB

MD5
36b23fed86913aaf87116288aaf8ef42

SHA1
50dc21029815087eaaac6d9ccbfd0506e49091a4

SHA256
b50cb058258c30355c27249d00c3e000caea444940971ba3dc55f1aa40b79098

SHA512
6ea9abacefcdc435bc4c4732ee1b33bb4cc30819635a9bd3fc71d943b134366b7c0d7f08acefff4da10e964eddd0c2b73e57c7cfe582e5675f3ea0acc005b971

Download Submit
memory/1468-92-0x000001582B8E0000-0x000001582B8E1000-memory.dmp

Filesize
4KB

Download
memory/1468-91-0x000001582B7D0000-0x000001582B7D1000-memory.dmp

Filesize
4KB

Download
memory/1468-90-0x000001582B7D0000-0x000001582B7D1000-memory.dmp

Filesize
4KB

Download
memory/1468-88-0x000001582B7A0000-0x000001582B7A1000-memory.dmp

Filesize
4KB

Download
memory/1468-56-0x0000015823340000-0x0000015823350000-memory.dmp

Filesize
64KB

Download
memory/1468-72-0x0000015823440000-0x0000015823450000-memory.dmp

Filesize
64KB

Download
memory/3480-43-0x0000000000750000-0x000000000078E000-memory.dmp

Filesize
248KB

Download
memory/3480-46-0x0000000007650000-0x00000000076E2000-memory.dmp

Filesize
584KB

Download
memory/3480-47-0x0000000007860000-0x0000000007870000-memory.dmp

Filesize
64KB

Download
memory/3480-48-0x0000000007800000-0x000000000780A000-memory.dmp

Filesize
40KB

Download
memory/3480-49-0x00000000086D0000-0x0000000008CE8000-memory.dmp

Filesize
6.1MB

Download
memory/3480-50-0x00000000080B0000-0x00000000081BA000-memory.dmp

Filesize
1.0MB

Download
memory/3480-51-0x00000000078E0000-0x00000000078F2000-memory.dmp

Filesize
72KB

Download
memory/3480-52-0x0000000007940000-0x000000000797C000-memory.dmp

Filesize
240KB

Download
memory/3480-53-0x0000000007980000-0x00000000079CC000-memory.dmp

Filesize
304KB

Download
memory/3480-54-0x0000000073FC0000-0x0000000074770000-memory.dmp

Filesize
7.7MB

Download
memory/3480-55-0x0000000007860000-0x0000000007870000-memory.dmp

Filesize
64KB

Download
memory/3480-45-0x0000000007B00000-0x00000000080A4000-memory.dmp

Filesize
5.6MB

Download
memory/3480-44-0x0000000073FC0000-0x0000000074770000-memory.dmp

Filesize
7.7MB

Download
memory/4564-39-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/4564-37-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/4564-36-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/4564-35-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads