redline | 61799398eaa0d8b997b6fa9158074d701b10e120c7cac093e92c6dfbd278f50c

Analysis

max time kernel
142s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
09/10/2023, 16:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

61799398eaa0d8b997b6fa9158074d701b10e120c7cac093e92c6dfbd278f50c.exe
Size

1.2MB
MD5

b98446b0f18286a42da76de220776baa
SHA1

a71b450e1661dcde86def137230b3caa1b55e6a3
SHA256

61799398eaa0d8b997b6fa9158074d701b10e120c7cac093e92c6dfbd278f50c
SHA512

a3880d6f69705178d6847e326d54f30a2bd9f739946426af2125502ee32a494691cf0df1a1e55e34c17a9bd3db4291e98e67f7db8accdf50166e201299532e08
SSDEEP

24576:iyEr/lyO4yJtpTven2JuR98YZ1uIEUs74Vlpu4yNkXPGLJpqYm:JELfVJtpnJuh1uJ374VXu4sEPGLJpqY

Score

10^/10

redline lutyr infostealer persistence

Malware Config

Extracted

Family

redline

Botnet

lutyr

77.91.124.55:19071

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 3 IoCs

resource	yara_rule
behavioral1/files/0x0007000000023240-41.dat	family_redline
behavioral1/files/0x0007000000023240-42.dat	family_redline
behavioral1/memory/4384-43-0x0000000000130000-0x000000000016E000-memory.dmp	family_redline

Executes dropped EXE 6 IoCs

pid	Process
3064	OA7HZ0Ce.exe
948	bb0hH6jn.exe
4576	RQ9Yn7jE.exe
2788	QK5dq7Hg.exe
4888	1ow05AM1.exe
4384	2Ht041VO.exe

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	61799398eaa0d8b997b6fa9158074d701b10e120c7cac093e92c6dfbd278f50c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	OA7HZ0Ce.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	bb0hH6jn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	RQ9Yn7jE.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\""	QK5dq7Hg.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4888 set thread context of 712	4888	1ow05AM1.exe	91

Program crash 2 IoCs

pid	pid_target	Process	procid_target
3684	4888	WerFault.exe	90
3852	712	WerFault.exe	91

Suspicious use of WriteProcessMemory 28 IoCs

description	pid	Process	procid_target
PID 1544 wrote to memory of 3064	1544	61799398eaa0d8b997b6fa9158074d701b10e120c7cac093e92c6dfbd278f50c.exe	85
PID 1544 wrote to memory of 3064	1544	61799398eaa0d8b997b6fa9158074d701b10e120c7cac093e92c6dfbd278f50c.exe	85
PID 1544 wrote to memory of 3064	1544	61799398eaa0d8b997b6fa9158074d701b10e120c7cac093e92c6dfbd278f50c.exe	85
PID 3064 wrote to memory of 948	3064	OA7HZ0Ce.exe	86
PID 3064 wrote to memory of 948	3064	OA7HZ0Ce.exe	86
PID 3064 wrote to memory of 948	3064	OA7HZ0Ce.exe	86
PID 948 wrote to memory of 4576	948	bb0hH6jn.exe	87
PID 948 wrote to memory of 4576	948	bb0hH6jn.exe	87
PID 948 wrote to memory of 4576	948	bb0hH6jn.exe	87
PID 4576 wrote to memory of 2788	4576	RQ9Yn7jE.exe	89
PID 4576 wrote to memory of 2788	4576	RQ9Yn7jE.exe	89
PID 4576 wrote to memory of 2788	4576	RQ9Yn7jE.exe	89
PID 2788 wrote to memory of 4888	2788	QK5dq7Hg.exe	90
PID 2788 wrote to memory of 4888	2788	QK5dq7Hg.exe	90
PID 2788 wrote to memory of 4888	2788	QK5dq7Hg.exe	90
PID 4888 wrote to memory of 712	4888	1ow05AM1.exe	91
PID 4888 wrote to memory of 712	4888	1ow05AM1.exe	91
PID 4888 wrote to memory of 712	4888	1ow05AM1.exe	91
PID 4888 wrote to memory of 712	4888	1ow05AM1.exe	91
PID 4888 wrote to memory of 712	4888	1ow05AM1.exe	91
PID 4888 wrote to memory of 712	4888	1ow05AM1.exe	91
PID 4888 wrote to memory of 712	4888	1ow05AM1.exe	91
PID 4888 wrote to memory of 712	4888	1ow05AM1.exe	91
PID 4888 wrote to memory of 712	4888	1ow05AM1.exe	91
PID 4888 wrote to memory of 712	4888	1ow05AM1.exe	91
PID 2788 wrote to memory of 4384	2788	QK5dq7Hg.exe	97
PID 2788 wrote to memory of 4384	2788	QK5dq7Hg.exe	97
PID 2788 wrote to memory of 4384	2788	QK5dq7Hg.exe	97

C:\Users\Admin\AppData\Local\Temp\61799398eaa0d8b997b6fa9158074d701b10e120c7cac093e92c6dfbd278f50c.exe
"C:\Users\Admin\AppData\Local\Temp\61799398eaa0d8b997b6fa9158074d701b10e120c7cac093e92c6dfbd278f50c.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1544
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\OA7HZ0Ce.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\OA7HZ0Ce.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:3064
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\bb0hH6jn.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\bb0hH6jn.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:948
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\RQ9Yn7jE.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\RQ9Yn7jE.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:4576
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\QK5dq7Hg.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\QK5dq7Hg.exe
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of WriteProcessMemory
        
        PID:2788
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1ow05AM1.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1ow05AM1.exe
        6⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:4888
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        7⤵
        
        PID:712
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 712 -s 204
        8⤵
        Program crash
        
        PID:3852
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4888 -s 248
        7⤵
        Program crash
        
        PID:3684
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2Ht041VO.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2Ht041VO.exe
        6⤵
        Executes dropped EXE
        
        PID:4384

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 4888 -ip 4888
1⤵
PID:4112

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 712 -ip 712
1⤵
PID:1052

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\OA7HZ0Ce.exe

Filesize
1.1MB

MD5
cbcfc7a8078e6008d13cbd3ed62e5149

SHA1
7281fd40a65e85da6cdf0ea31c80a8e90a87abd7

SHA256
18d9453558560c4eb4b2cff1462bb60c98921784ef8c1c28910c7b788338114f

SHA512
1535c9b53e25241774ab6b955fd151abdb239f75fc214a6f8b2a96f34d9ed12b7c1db4dacdae71523695847925b5680e3b8faa8c2a08d444c7c66824eef028b7

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\OA7HZ0Ce.exe

Filesize
1.1MB

MD5
cbcfc7a8078e6008d13cbd3ed62e5149

SHA1
7281fd40a65e85da6cdf0ea31c80a8e90a87abd7

SHA256
18d9453558560c4eb4b2cff1462bb60c98921784ef8c1c28910c7b788338114f

SHA512
1535c9b53e25241774ab6b955fd151abdb239f75fc214a6f8b2a96f34d9ed12b7c1db4dacdae71523695847925b5680e3b8faa8c2a08d444c7c66824eef028b7

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\bb0hH6jn.exe

Filesize
934KB

MD5
cab5e975eb9dd942c301f1f7968694a9

SHA1
b867ae819094b137fa4d6c2c84be466218e0121e

SHA256
180f9f583d79a0222c60b71f1e80b7dcf9e43967b51c79f823d31e78aa0da3ea

SHA512
d00dd58e28cfaae7ef23d8147aa89c9103317147e824c928c60a4a053c762de0935177a42fb55c0909f6dfa402fc4125bb7771e39e8af9eaecf9034adfef1924

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\bb0hH6jn.exe

Filesize
934KB

MD5
cab5e975eb9dd942c301f1f7968694a9

SHA1
b867ae819094b137fa4d6c2c84be466218e0121e

SHA256
180f9f583d79a0222c60b71f1e80b7dcf9e43967b51c79f823d31e78aa0da3ea

SHA512
d00dd58e28cfaae7ef23d8147aa89c9103317147e824c928c60a4a053c762de0935177a42fb55c0909f6dfa402fc4125bb7771e39e8af9eaecf9034adfef1924

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\RQ9Yn7jE.exe

Filesize
639KB

MD5
a9b0e1de237c6b2d8823e6b97e951d48

SHA1
09d901dfaa64656145abe69839418ea55ca50db3

SHA256
84967242c0d34785b778282b54b131abbf60cd183c61f1f3628e0a1168658889

SHA512
7e1eed17dc834cfad6db0172334d83a4216b92466355b0e41124f37497db8e7a205d6862135194c5c799a5b9f5ad500741bcdfcac08d19f5772ea852e0bc83cc

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\RQ9Yn7jE.exe

Filesize
639KB

MD5
a9b0e1de237c6b2d8823e6b97e951d48

SHA1
09d901dfaa64656145abe69839418ea55ca50db3

SHA256
84967242c0d34785b778282b54b131abbf60cd183c61f1f3628e0a1168658889

SHA512
7e1eed17dc834cfad6db0172334d83a4216b92466355b0e41124f37497db8e7a205d6862135194c5c799a5b9f5ad500741bcdfcac08d19f5772ea852e0bc83cc

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\QK5dq7Hg.exe

Filesize
443KB

MD5
2f9ef32f70e4bdfcb59084c179e1c2b4

SHA1
270e89f35f3969cb08c46efffbfb491fdb81758f

SHA256
d9a3fd5af5abd5a5fdba99b0b08c11c1c53bf614729a81caf704e53209a00bc2

SHA512
8c290a715abd128a893aef16bd1ea584453a08fe22d431df3cdbad7f3c8140f69991f830e734962f758604ea5669b978e2f729878b32aafd7196182e4bb7dad0

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\QK5dq7Hg.exe

Filesize
443KB

MD5
2f9ef32f70e4bdfcb59084c179e1c2b4

SHA1
270e89f35f3969cb08c46efffbfb491fdb81758f

SHA256
d9a3fd5af5abd5a5fdba99b0b08c11c1c53bf614729a81caf704e53209a00bc2

SHA512
8c290a715abd128a893aef16bd1ea584453a08fe22d431df3cdbad7f3c8140f69991f830e734962f758604ea5669b978e2f729878b32aafd7196182e4bb7dad0

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1ow05AM1.exe

Filesize
422KB

MD5
4c143d833fb3ab835a2cedba32693e3c

SHA1
1eaa42218cf2fa6e29a7897834bdbef3dfd8c485

SHA256
b5487f674b7895a572bdbf80bfb688c69cca8ec8ea6a5461bac1b8c51cf959f3

SHA512
e5748c4b30f48d6e998d1c9f7edd791be0c196055841d166e6a271180a812557b5f4b32fafc549ef0f6cc496f8a0b125f8a4ba230720f1567b78b644b8d4d58e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1ow05AM1.exe

Filesize
422KB

MD5
4c143d833fb3ab835a2cedba32693e3c

SHA1
1eaa42218cf2fa6e29a7897834bdbef3dfd8c485

SHA256
b5487f674b7895a572bdbf80bfb688c69cca8ec8ea6a5461bac1b8c51cf959f3

SHA512
e5748c4b30f48d6e998d1c9f7edd791be0c196055841d166e6a271180a812557b5f4b32fafc549ef0f6cc496f8a0b125f8a4ba230720f1567b78b644b8d4d58e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2Ht041VO.exe

Filesize
221KB

MD5
0f42c03b65c28ec29a5dea5eb79abbdb

SHA1
b37e052cab05b605cca9aa940466387cb7c58299

SHA256
a7d6c01096fc9729075adb5c5dca17f20062b32c7cbbf68c3e1d4675856bacbe

SHA512
25f68b2a39310aa52077f302dbdff3aba1bf4d5ae5c243c90d5444272cfc75e3fa25ec5afed85f37739688e0c2422c1f32041732c1e738ed07a3f98fcc1d7f7a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2Ht041VO.exe

Filesize
221KB

MD5
0f42c03b65c28ec29a5dea5eb79abbdb

SHA1
b37e052cab05b605cca9aa940466387cb7c58299

SHA256
a7d6c01096fc9729075adb5c5dca17f20062b32c7cbbf68c3e1d4675856bacbe

SHA512
25f68b2a39310aa52077f302dbdff3aba1bf4d5ae5c243c90d5444272cfc75e3fa25ec5afed85f37739688e0c2422c1f32041732c1e738ed07a3f98fcc1d7f7a

Download Submit
memory/712-36-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/712-37-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/712-39-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/712-35-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4384-46-0x0000000007030000-0x00000000070C2000-memory.dmp

Filesize
584KB

Download
memory/4384-44-0x00000000741E0000-0x0000000074990000-memory.dmp

Filesize
7.7MB

Download
memory/4384-45-0x0000000007540000-0x0000000007AE4000-memory.dmp

Filesize
5.6MB

Download
memory/4384-43-0x0000000000130000-0x000000000016E000-memory.dmp

Filesize
248KB

Download
memory/4384-47-0x0000000007140000-0x0000000007150000-memory.dmp

Filesize
64KB

Download
memory/4384-48-0x00000000070F0000-0x00000000070FA000-memory.dmp

Filesize
40KB

Download
memory/4384-49-0x0000000008110000-0x0000000008728000-memory.dmp

Filesize
6.1MB

Download
memory/4384-50-0x0000000007430000-0x000000000753A000-memory.dmp

Filesize
1.0MB

Download
memory/4384-51-0x00000000071D0000-0x00000000071E2000-memory.dmp

Filesize
72KB

Download
memory/4384-52-0x0000000007360000-0x000000000739C000-memory.dmp

Filesize
240KB

Download
memory/4384-53-0x00000000073A0000-0x00000000073EC000-memory.dmp

Filesize
304KB

Download
memory/4384-54-0x00000000741E0000-0x0000000074990000-memory.dmp

Filesize
7.7MB

Download
memory/4384-55-0x0000000007140000-0x0000000007150000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads