redline | d988eb13552e5906b0ba025f74d7e97071faa2db8b333084af8a5a613d494f25

Analysis

max time kernel
150s
max time network
156s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
04/10/2023, 11:43

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

05b47b8ddfbc800b01b50657de1f4afa12f8403ee179ea1c880c9a6760a76fea.exe
Size

1.5MB
MD5

0ea847cec8b85577102a4ebc11930750
SHA1

24a69022d8a31c2c64328f2774e60e10569d8f16
SHA256

05b47b8ddfbc800b01b50657de1f4afa12f8403ee179ea1c880c9a6760a76fea
SHA512

d58c4e092897a89b98e78cd0d9d418f2d38ca3684a854eee29b161db6e018ea255a0532db2e1c56a01e62e522b369cd8fbe2af34e72c3cfc778d5ca0439232c0
SSDEEP

24576:Jyqg4L3o5NRR7qDwrnuqHzSuJR1nejjjGU8voqT8ZGSC3:8xYg7qDAhzSmnEWUmT8ZG

Score

10^/10

redline gigant infostealer persistence

Malware Config

Extracted

Family

redline

Botnet

gigant

77.91.124.55:19071

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 3 IoCs

resource	yara_rule
behavioral2/files/0x00060000000230b5-41.dat	family_redline
behavioral2/files/0x00060000000230b5-42.dat	family_redline
behavioral2/memory/1864-44-0x00000000007C0000-0x00000000007FE000-memory.dmp	family_redline

Executes dropped EXE 6 IoCs

pid	Process
3184	Bt0ak3NX.exe
752	EE3io6gz.exe
1104	pU1yx5zR.exe
5024	tY4iN8LH.exe
4040	1Zi14Iu9.exe
1864	2ER501cr.exe

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	pU1yx5zR.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\""	tY4iN8LH.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	05b47b8ddfbc800b01b50657de1f4afa12f8403ee179ea1c880c9a6760a76fea.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	Bt0ak3NX.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	EE3io6gz.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4040 set thread context of 4640	4040	1Zi14Iu9.exe	91

Program crash 2 IoCs

pid	pid_target	Process	procid_target
1880	4040	WerFault.exe	89
3040	4640	WerFault.exe	91

Suspicious use of WriteProcessMemory 28 IoCs

description	pid	Process	procid_target
PID 3864 wrote to memory of 3184	3864	05b47b8ddfbc800b01b50657de1f4afa12f8403ee179ea1c880c9a6760a76fea.exe	85
PID 3864 wrote to memory of 3184	3864	05b47b8ddfbc800b01b50657de1f4afa12f8403ee179ea1c880c9a6760a76fea.exe	85
PID 3864 wrote to memory of 3184	3864	05b47b8ddfbc800b01b50657de1f4afa12f8403ee179ea1c880c9a6760a76fea.exe	85
PID 3184 wrote to memory of 752	3184	Bt0ak3NX.exe	86
PID 3184 wrote to memory of 752	3184	Bt0ak3NX.exe	86
PID 3184 wrote to memory of 752	3184	Bt0ak3NX.exe	86
PID 752 wrote to memory of 1104	752	EE3io6gz.exe	87
PID 752 wrote to memory of 1104	752	EE3io6gz.exe	87
PID 752 wrote to memory of 1104	752	EE3io6gz.exe	87
PID 1104 wrote to memory of 5024	1104	pU1yx5zR.exe	88
PID 1104 wrote to memory of 5024	1104	pU1yx5zR.exe	88
PID 1104 wrote to memory of 5024	1104	pU1yx5zR.exe	88
PID 5024 wrote to memory of 4040	5024	tY4iN8LH.exe	89
PID 5024 wrote to memory of 4040	5024	tY4iN8LH.exe	89
PID 5024 wrote to memory of 4040	5024	tY4iN8LH.exe	89
PID 4040 wrote to memory of 4640	4040	1Zi14Iu9.exe	91
PID 4040 wrote to memory of 4640	4040	1Zi14Iu9.exe	91
PID 4040 wrote to memory of 4640	4040	1Zi14Iu9.exe	91
PID 4040 wrote to memory of 4640	4040	1Zi14Iu9.exe	91
PID 4040 wrote to memory of 4640	4040	1Zi14Iu9.exe	91
PID 4040 wrote to memory of 4640	4040	1Zi14Iu9.exe	91
PID 4040 wrote to memory of 4640	4040	1Zi14Iu9.exe	91
PID 4040 wrote to memory of 4640	4040	1Zi14Iu9.exe	91
PID 4040 wrote to memory of 4640	4040	1Zi14Iu9.exe	91
PID 4040 wrote to memory of 4640	4040	1Zi14Iu9.exe	91
PID 5024 wrote to memory of 1864	5024	tY4iN8LH.exe	97
PID 5024 wrote to memory of 1864	5024	tY4iN8LH.exe	97
PID 5024 wrote to memory of 1864	5024	tY4iN8LH.exe	97

C:\Users\Admin\AppData\Local\Temp\05b47b8ddfbc800b01b50657de1f4afa12f8403ee179ea1c880c9a6760a76fea.exe
"C:\Users\Admin\AppData\Local\Temp\05b47b8ddfbc800b01b50657de1f4afa12f8403ee179ea1c880c9a6760a76fea.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3864
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Bt0ak3NX.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Bt0ak3NX.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:3184
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\EE3io6gz.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\EE3io6gz.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:752
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pU1yx5zR.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pU1yx5zR.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:1104
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\tY4iN8LH.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\tY4iN8LH.exe
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of WriteProcessMemory
        
        PID:5024
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1Zi14Iu9.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1Zi14Iu9.exe
        6⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:4040
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        7⤵
        
        PID:4640
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4640 -s 548
        8⤵
        Program crash
        
        PID:3040
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4040 -s 152
        7⤵
        Program crash
        
        PID:1880
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2ER501cr.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2ER501cr.exe
        6⤵
        Executes dropped EXE
        
        PID:1864

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 4640 -ip 4640
1⤵
PID:1020

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 4040 -ip 4040
1⤵
PID:4808

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Bt0ak3NX.exe

Filesize
1.3MB

MD5
c51a2d8cc28e7d5d0e2346bfa4b73141

SHA1
a74abafd1a8036c5bcb49822a1e46d55d2c86760

SHA256
fbd776d5228ccc0590a3ddc7e7d0dde99b3697cdffd6609e3f1611c212c8c306

SHA512
7d18f01927b35796eb6986a4f57b237e4ae1deb0a1df07a356fddedf200a1915ae583485ef273d5ef3ada11fa113a14c4709fcf1e4e22735d9b43b750b5d6911

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Bt0ak3NX.exe

Filesize
1.3MB

MD5
c51a2d8cc28e7d5d0e2346bfa4b73141

SHA1
a74abafd1a8036c5bcb49822a1e46d55d2c86760

SHA256
fbd776d5228ccc0590a3ddc7e7d0dde99b3697cdffd6609e3f1611c212c8c306

SHA512
7d18f01927b35796eb6986a4f57b237e4ae1deb0a1df07a356fddedf200a1915ae583485ef273d5ef3ada11fa113a14c4709fcf1e4e22735d9b43b750b5d6911

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\EE3io6gz.exe

Filesize
1.1MB

MD5
86aad21881b34180fb2e012d144b1103

SHA1
a0df2b5c7d48aabab13facd9b7a2e0df5604aba1

SHA256
ba4b8c80c1e4b8179b493186a50e34b109889de6373c1ff89a69d284f1823cfd

SHA512
0f3f3fd5706393d445e0d10a73d7d2ab0adea4145b5a3bfd2eb0fe435ab003bd1fed93f3557cdb1a5a9b9fc4d3f5cfded7f3d7824dae841fd155ccce69dd583a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\EE3io6gz.exe

Filesize
1.1MB

MD5
86aad21881b34180fb2e012d144b1103

SHA1
a0df2b5c7d48aabab13facd9b7a2e0df5604aba1

SHA256
ba4b8c80c1e4b8179b493186a50e34b109889de6373c1ff89a69d284f1823cfd

SHA512
0f3f3fd5706393d445e0d10a73d7d2ab0adea4145b5a3bfd2eb0fe435ab003bd1fed93f3557cdb1a5a9b9fc4d3f5cfded7f3d7824dae841fd155ccce69dd583a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pU1yx5zR.exe

Filesize
735KB

MD5
265065ff3b258c3128ca0e11e678a84b

SHA1
cee2882ca5d8c524f647a9da4f5b85061da82d49

SHA256
f81afeca52e6252aa0f737f2a85e28950759dc9ae15a60f12c6a881060a01e31

SHA512
8ebbcd51daf54c1054a26167e65093124a2785a810e24ed6c4a962eb1945e748bdbb86cf424b3f0554d990921e6472858822004e60ee7fc504642822f4b95622

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pU1yx5zR.exe

Filesize
735KB

MD5
265065ff3b258c3128ca0e11e678a84b

SHA1
cee2882ca5d8c524f647a9da4f5b85061da82d49

SHA256
f81afeca52e6252aa0f737f2a85e28950759dc9ae15a60f12c6a881060a01e31

SHA512
8ebbcd51daf54c1054a26167e65093124a2785a810e24ed6c4a962eb1945e748bdbb86cf424b3f0554d990921e6472858822004e60ee7fc504642822f4b95622

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\tY4iN8LH.exe

Filesize
562KB

MD5
7d41084e9bd3ac43aec4949e8479b8e1

SHA1
52680bc9764a8d55248d097d8c13c30a77c2fe61

SHA256
5f294dda385217aced86785165cf6ddd679ed480ccc99ed014d898304ecdb470

SHA512
a1158d48099e9742cc534df0f18653e664b9c09ee165763e3b0b2802a5e1b4660f92cfdadf604a9d80eb3e35e53cc4713f0759e0588f1f94c29f477b8bed34c9

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\tY4iN8LH.exe

Filesize
562KB

MD5
7d41084e9bd3ac43aec4949e8479b8e1

SHA1
52680bc9764a8d55248d097d8c13c30a77c2fe61

SHA256
5f294dda385217aced86785165cf6ddd679ed480ccc99ed014d898304ecdb470

SHA512
a1158d48099e9742cc534df0f18653e664b9c09ee165763e3b0b2802a5e1b4660f92cfdadf604a9d80eb3e35e53cc4713f0759e0588f1f94c29f477b8bed34c9

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1Zi14Iu9.exe

Filesize
1.4MB

MD5
7518415a722d4df208536a1c8c742b2e

SHA1
04e8e99a7efd74c7338636194b276e6906738ce7

SHA256
8723656c749074f97599acab27d9f46b4cb57a993911a11bb789ac61065f79d3

SHA512
b886c23241eedd8ab93a0e8fec45e101f61a5db7015062c15a215b2a23725aa3a0c2c76f7860b78400e600f7053aa5677e01bc77645572b0e416b035a8fa5c80

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1Zi14Iu9.exe

Filesize
1.4MB

MD5
7518415a722d4df208536a1c8c742b2e

SHA1
04e8e99a7efd74c7338636194b276e6906738ce7

SHA256
8723656c749074f97599acab27d9f46b4cb57a993911a11bb789ac61065f79d3

SHA512
b886c23241eedd8ab93a0e8fec45e101f61a5db7015062c15a215b2a23725aa3a0c2c76f7860b78400e600f7053aa5677e01bc77645572b0e416b035a8fa5c80

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2ER501cr.exe

Filesize
230KB

MD5
3e04bcca8fd87efbb46d29db75c6d732

SHA1
1d4f4898dc8995f0ab19636336137b970e096397

SHA256
ac596aadb5d03a3af6ef37a7ec92fac04ae1bd58c28a550f37787d1ce7222ec8

SHA512
c5c6d5b7d17c7fdea7274767ed2b2aae2cfe8e4029c65bb117912f4901d399a60eca4492f54e28891ae4f02e30a0fc3dd0fcabc3b2c39f279f2bcda384107eef

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2ER501cr.exe

Filesize
230KB

MD5
3e04bcca8fd87efbb46d29db75c6d732

SHA1
1d4f4898dc8995f0ab19636336137b970e096397

SHA256
ac596aadb5d03a3af6ef37a7ec92fac04ae1bd58c28a550f37787d1ce7222ec8

SHA512
c5c6d5b7d17c7fdea7274767ed2b2aae2cfe8e4029c65bb117912f4901d399a60eca4492f54e28891ae4f02e30a0fc3dd0fcabc3b2c39f279f2bcda384107eef

Download Submit
memory/1864-46-0x0000000007580000-0x0000000007612000-memory.dmp

Filesize
584KB

Download
memory/1864-48-0x0000000007640000-0x000000000764A000-memory.dmp

Filesize
40KB

Download
memory/1864-55-0x0000000007700000-0x0000000007710000-memory.dmp

Filesize
64KB

Download
memory/1864-54-0x0000000074060000-0x0000000074810000-memory.dmp

Filesize
7.7MB

Download
memory/1864-43-0x0000000074060000-0x0000000074810000-memory.dmp

Filesize
7.7MB

Download
memory/1864-44-0x00000000007C0000-0x00000000007FE000-memory.dmp

Filesize
248KB

Download
memory/1864-45-0x0000000007A50000-0x0000000007FF4000-memory.dmp

Filesize
5.6MB

Download
memory/1864-53-0x0000000007900000-0x000000000794C000-memory.dmp

Filesize
304KB

Download
memory/1864-52-0x0000000007880000-0x00000000078BC000-memory.dmp

Filesize
240KB

Download
memory/1864-49-0x0000000008620000-0x0000000008C38000-memory.dmp

Filesize
6.1MB

Download
memory/1864-47-0x0000000007700000-0x0000000007710000-memory.dmp

Filesize
64KB

Download
memory/1864-50-0x0000000008000000-0x000000000810A000-memory.dmp

Filesize
1.0MB

Download
memory/1864-51-0x0000000007820000-0x0000000007832000-memory.dmp

Filesize
72KB

Download
memory/4640-39-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/4640-36-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/4640-37-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/4640-35-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads