redline | 56e3cedd66a710e7249c4601f89bcf4a14539fb5ff74b823e2f671f975716099

Analysis

max time kernel
150s
max time network
156s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
09/10/2023, 21:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

56e3cedd66a710e7249c4601f89bcf4a14539fb5ff74b823e2f671f975716099.exe
Size

1.2MB
MD5

ee19f3134a2d6e8776bd327f2cfe9242
SHA1

c7e6ebd040192d411f883bf7b5695d95785c38e0
SHA256

56e3cedd66a710e7249c4601f89bcf4a14539fb5ff74b823e2f671f975716099
SHA512

9e516a27f64e5ff2853103139a9b2f7b70a15f8f9e5cd73bd134496d9e248a4b85d4812686c58933e79b39f17cee2ae01cf8c97fef7204b4c066edc00ac82989
SSDEEP

24576:vyDHxmo7v4YCq1M+8xo2zX2yuPX5xkn79p+5ZPMAIE3aYDP:6Dn7pz12T2PRxO7LqaY

Score

10^/10

redline lutyr infostealer persistence

Malware Config

Extracted

Family

redline

Botnet

lutyr

77.91.124.55:19071

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 3 IoCs

resource	yara_rule
behavioral1/files/0x000600000002309e-41.dat	family_redline
behavioral1/files/0x000600000002309e-42.dat	family_redline
behavioral1/memory/404-44-0x0000000000630000-0x000000000066E000-memory.dmp	family_redline

Executes dropped EXE 6 IoCs

pid	Process
2808	mn6PT0dV.exe
4132	IF4ev9sG.exe
3148	fJ4Ct3oF.exe
4228	cK1Sd6XA.exe
1288	1fc19JZ8.exe
404	2NS352xt.exe

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	fJ4Ct3oF.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\""	cK1Sd6XA.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	56e3cedd66a710e7249c4601f89bcf4a14539fb5ff74b823e2f671f975716099.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	mn6PT0dV.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	IF4ev9sG.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1288 set thread context of 496	1288	1fc19JZ8.exe	94

Program crash 2 IoCs

pid	pid_target	Process	procid_target
2732	496	WerFault.exe	94
3684	1288	WerFault.exe	92

Suspicious use of WriteProcessMemory 31 IoCs

description	pid	Process	procid_target
PID 1816 wrote to memory of 2808	1816	56e3cedd66a710e7249c4601f89bcf4a14539fb5ff74b823e2f671f975716099.exe	88
PID 1816 wrote to memory of 2808	1816	56e3cedd66a710e7249c4601f89bcf4a14539fb5ff74b823e2f671f975716099.exe	88
PID 1816 wrote to memory of 2808	1816	56e3cedd66a710e7249c4601f89bcf4a14539fb5ff74b823e2f671f975716099.exe	88
PID 2808 wrote to memory of 4132	2808	mn6PT0dV.exe	89
PID 2808 wrote to memory of 4132	2808	mn6PT0dV.exe	89
PID 2808 wrote to memory of 4132	2808	mn6PT0dV.exe	89
PID 4132 wrote to memory of 3148	4132	IF4ev9sG.exe	90
PID 4132 wrote to memory of 3148	4132	IF4ev9sG.exe	90
PID 4132 wrote to memory of 3148	4132	IF4ev9sG.exe	90
PID 3148 wrote to memory of 4228	3148	fJ4Ct3oF.exe	91
PID 3148 wrote to memory of 4228	3148	fJ4Ct3oF.exe	91
PID 3148 wrote to memory of 4228	3148	fJ4Ct3oF.exe	91
PID 4228 wrote to memory of 1288	4228	cK1Sd6XA.exe	92
PID 4228 wrote to memory of 1288	4228	cK1Sd6XA.exe	92
PID 4228 wrote to memory of 1288	4228	cK1Sd6XA.exe	92
PID 1288 wrote to memory of 2696	1288	1fc19JZ8.exe	93
PID 1288 wrote to memory of 2696	1288	1fc19JZ8.exe	93
PID 1288 wrote to memory of 2696	1288	1fc19JZ8.exe	93
PID 1288 wrote to memory of 496	1288	1fc19JZ8.exe	94
PID 1288 wrote to memory of 496	1288	1fc19JZ8.exe	94
PID 1288 wrote to memory of 496	1288	1fc19JZ8.exe	94
PID 1288 wrote to memory of 496	1288	1fc19JZ8.exe	94
PID 1288 wrote to memory of 496	1288	1fc19JZ8.exe	94
PID 1288 wrote to memory of 496	1288	1fc19JZ8.exe	94
PID 1288 wrote to memory of 496	1288	1fc19JZ8.exe	94
PID 1288 wrote to memory of 496	1288	1fc19JZ8.exe	94
PID 1288 wrote to memory of 496	1288	1fc19JZ8.exe	94
PID 1288 wrote to memory of 496	1288	1fc19JZ8.exe	94
PID 4228 wrote to memory of 404	4228	cK1Sd6XA.exe	103
PID 4228 wrote to memory of 404	4228	cK1Sd6XA.exe	103
PID 4228 wrote to memory of 404	4228	cK1Sd6XA.exe	103

C:\Users\Admin\AppData\Local\Temp\56e3cedd66a710e7249c4601f89bcf4a14539fb5ff74b823e2f671f975716099.exe
"C:\Users\Admin\AppData\Local\Temp\56e3cedd66a710e7249c4601f89bcf4a14539fb5ff74b823e2f671f975716099.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1816
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\mn6PT0dV.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\mn6PT0dV.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:2808
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\IF4ev9sG.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\IF4ev9sG.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:4132
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\fJ4Ct3oF.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\fJ4Ct3oF.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:3148
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\cK1Sd6XA.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\cK1Sd6XA.exe
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of WriteProcessMemory
        
        PID:4228
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1fc19JZ8.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1fc19JZ8.exe
        6⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:1288
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        7⤵
        
        PID:2696
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        7⤵
        
        PID:496
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 496 -s 540
        8⤵
        Program crash
        
        PID:2732
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1288 -s 596
        7⤵
        Program crash
        
        PID:3684
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2NS352xt.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2NS352xt.exe
        6⤵
        Executes dropped EXE
        
        PID:404

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 1288 -ip 1288
1⤵
PID:2948

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 496 -ip 496
1⤵
PID:3880

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\mn6PT0dV.exe

Filesize
1.1MB

MD5
4a0cc2dc4ee16ffa5df5d29839d048bf

SHA1
06834286b89b3433a655a1378cfe2df70be511f7

SHA256
24d4cb87138abca63f6d1f19a5229c16e069d29be90a118a5450ed4a022ff5f4

SHA512
8025e748bb5bdf480b3a83d8edbfc3ffdd0eba999f9b540bcf45bbf4e0dde427c9634f589e3399dd8183ddabc4fd6b976f641cdcfd9a099a96844bfdf0aecade

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\mn6PT0dV.exe

Filesize
1.1MB

MD5
4a0cc2dc4ee16ffa5df5d29839d048bf

SHA1
06834286b89b3433a655a1378cfe2df70be511f7

SHA256
24d4cb87138abca63f6d1f19a5229c16e069d29be90a118a5450ed4a022ff5f4

SHA512
8025e748bb5bdf480b3a83d8edbfc3ffdd0eba999f9b540bcf45bbf4e0dde427c9634f589e3399dd8183ddabc4fd6b976f641cdcfd9a099a96844bfdf0aecade

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\IF4ev9sG.exe

Filesize
935KB

MD5
2aa284fdcb773cb5a4e903b767da2684

SHA1
c71007bda800734d2d54d7820eb38acfe4a1db49

SHA256
cf6d8d21017f1cbd81ec7ae41fde5948ca4180e32665322a98109ffff83e4c78

SHA512
45557abf1e1a7ef3237774efce4de50151061c064dee78a86314ecac361d01300cc8c8956d7d504020050dbf566afd7dc426a030ebd74c9a7d929fecdf436290

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\IF4ev9sG.exe

Filesize
935KB

MD5
2aa284fdcb773cb5a4e903b767da2684

SHA1
c71007bda800734d2d54d7820eb38acfe4a1db49

SHA256
cf6d8d21017f1cbd81ec7ae41fde5948ca4180e32665322a98109ffff83e4c78

SHA512
45557abf1e1a7ef3237774efce4de50151061c064dee78a86314ecac361d01300cc8c8956d7d504020050dbf566afd7dc426a030ebd74c9a7d929fecdf436290

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\fJ4Ct3oF.exe

Filesize
639KB

MD5
16e90b7106ae8d3d5a07d839bc1cfa93

SHA1
f3ad207e1d7a24aad5d2706c53e510becccf79a7

SHA256
b1e2af3e0bac8f2b43d49fcbeee0c1d061321b59e3721ac4376d0aa82b367f7c

SHA512
5bce61be2915b6b6c04d1afb6399738b11b1891ad0f67b9cc1616ee85aea421c897fd200ed5d999ef664fd21a2bbff05421607a9e32b38e67f778b93f262297d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\fJ4Ct3oF.exe

Filesize
639KB

MD5
16e90b7106ae8d3d5a07d839bc1cfa93

SHA1
f3ad207e1d7a24aad5d2706c53e510becccf79a7

SHA256
b1e2af3e0bac8f2b43d49fcbeee0c1d061321b59e3721ac4376d0aa82b367f7c

SHA512
5bce61be2915b6b6c04d1afb6399738b11b1891ad0f67b9cc1616ee85aea421c897fd200ed5d999ef664fd21a2bbff05421607a9e32b38e67f778b93f262297d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\cK1Sd6XA.exe

Filesize
443KB

MD5
3bb4910a24d8b126c44bc7bd4b969830

SHA1
b154696d2aa9b89fd6a4e887dceeb971232f7a39

SHA256
3f4d36c5b1fe920d6e537abc7cbf06b5e2a9b8725df02e5e7315dc6a8b6041fa

SHA512
9ce0603fa60985d62fb854684228e2fbaf8b5191b302029f4e3dd007e28c01d3e44350b122c48d3b51b945e6665dd294aa4464c611505c3ddc8e7764dc2a8cc8

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\cK1Sd6XA.exe

Filesize
443KB

MD5
3bb4910a24d8b126c44bc7bd4b969830

SHA1
b154696d2aa9b89fd6a4e887dceeb971232f7a39

SHA256
3f4d36c5b1fe920d6e537abc7cbf06b5e2a9b8725df02e5e7315dc6a8b6041fa

SHA512
9ce0603fa60985d62fb854684228e2fbaf8b5191b302029f4e3dd007e28c01d3e44350b122c48d3b51b945e6665dd294aa4464c611505c3ddc8e7764dc2a8cc8

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1fc19JZ8.exe

Filesize
422KB

MD5
50c106b5d9f3f5cb5883492d92020ac1

SHA1
fbb80ca23679a2e36caba818d9be83441249ba85

SHA256
5f8e1238abd19385631d1e868e2da9b7056b848101ffd2e1b789419f822d6dd5

SHA512
9848fa3659d46d4c52493bedb4fa4653ffdd4ca8bbae515260152dc0bb7387fb37464fd3a90097a0113c3c11997b13dd4bcbbc5242683ca86b3fbd3c62fd23b7

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1fc19JZ8.exe

Filesize
422KB

MD5
50c106b5d9f3f5cb5883492d92020ac1

SHA1
fbb80ca23679a2e36caba818d9be83441249ba85

SHA256
5f8e1238abd19385631d1e868e2da9b7056b848101ffd2e1b789419f822d6dd5

SHA512
9848fa3659d46d4c52493bedb4fa4653ffdd4ca8bbae515260152dc0bb7387fb37464fd3a90097a0113c3c11997b13dd4bcbbc5242683ca86b3fbd3c62fd23b7

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2NS352xt.exe

Filesize
222KB

MD5
42180c6c677d537d6f9186e14565b565

SHA1
3fb8b92cff694581528ba3ca7fe8c57938047d16

SHA256
b96ebb54d28638100fc639d05aebe0a5ac50b889a85ac48b8271acc5a99513c6

SHA512
001a7d0033bdc96a8a6dabcdf07011a2d6dee525e480f5bce8d22f87245b6c3b7d3139d69938192ef431402ddcb8518e0c379162b736939cb2fc311e1e299214

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2NS352xt.exe

Filesize
222KB

MD5
42180c6c677d537d6f9186e14565b565

SHA1
3fb8b92cff694581528ba3ca7fe8c57938047d16

SHA256
b96ebb54d28638100fc639d05aebe0a5ac50b889a85ac48b8271acc5a99513c6

SHA512
001a7d0033bdc96a8a6dabcdf07011a2d6dee525e480f5bce8d22f87245b6c3b7d3139d69938192ef431402ddcb8518e0c379162b736939cb2fc311e1e299214

Download Submit
memory/404-46-0x0000000007430000-0x00000000074C2000-memory.dmp

Filesize
584KB

Download
memory/404-48-0x0000000007420000-0x000000000742A000-memory.dmp

Filesize
40KB

Download
memory/404-55-0x0000000007580000-0x0000000007590000-memory.dmp

Filesize
64KB

Download
memory/404-54-0x0000000073E80000-0x0000000074630000-memory.dmp

Filesize
7.7MB

Download
memory/404-43-0x0000000073E80000-0x0000000074630000-memory.dmp

Filesize
7.7MB

Download
memory/404-44-0x0000000000630000-0x000000000066E000-memory.dmp

Filesize
248KB

Download
memory/404-45-0x0000000007940000-0x0000000007EE4000-memory.dmp

Filesize
5.6MB

Download
memory/404-53-0x0000000007740000-0x000000000778C000-memory.dmp

Filesize
304KB

Download
memory/404-52-0x0000000007700000-0x000000000773C000-memory.dmp

Filesize
240KB

Download
memory/404-49-0x0000000008510000-0x0000000008B28000-memory.dmp

Filesize
6.1MB

Download
memory/404-47-0x0000000007580000-0x0000000007590000-memory.dmp

Filesize
64KB

Download
memory/404-50-0x0000000007790000-0x000000000789A000-memory.dmp

Filesize
1.0MB

Download
memory/404-51-0x00000000076A0000-0x00000000076B2000-memory.dmp

Filesize
72KB

Download
memory/496-39-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/496-36-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/496-37-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/496-35-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads