redline | bbeeb2024b7fb745a13e1ff05b087ac85150cee3382ac05aece41918451d5d48

Analysis

max time kernel
146s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
09/10/2023, 20:34

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

bbeeb2024b7fb745a13e1ff05b087ac85150cee3382ac05aece41918451d5d48.exe
Size

1.2MB
MD5

b9b045ed22ff21d906ab6f2c21220980
SHA1

12a8d69da35b8830cf8724ff2f963397f765d404
SHA256

bbeeb2024b7fb745a13e1ff05b087ac85150cee3382ac05aece41918451d5d48
SHA512

969f830773242bb6798cab393925251475d8f557be3ddb34ebd9f57087774bc9d79fcf3a4730857cbd0ad6417eefd9b32978579cdd8c123d923295b4a5894c9f
SSDEEP

24576:OyX6nyC+IgCvYArGPDMCXtpYVg315d7/mYxMicCMW7WD:dKypjHBPgCXDYVg3E7icY7

Score

10^/10

redline lutyr infostealer persistence

Malware Config

Extracted

Family

redline

Botnet

lutyr

77.91.124.55:19071

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 3 IoCs

resource	yara_rule
behavioral1/files/0x00060000000230b1-41.dat	family_redline
behavioral1/files/0x00060000000230b1-42.dat	family_redline
behavioral1/memory/1916-44-0x0000000000B00000-0x0000000000B3E000-memory.dmp	family_redline

Executes dropped EXE 6 IoCs

pid	Process
456	eO2jF2gn.exe
4292	NQ9Ka0xu.exe
4632	aH2zd3CY.exe
2568	ak7tg5eJ.exe
4296	1HG27RF3.exe
1916	2Tq640PK.exe

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	aH2zd3CY.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\""	ak7tg5eJ.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	bbeeb2024b7fb745a13e1ff05b087ac85150cee3382ac05aece41918451d5d48.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	eO2jF2gn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	NQ9Ka0xu.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4296 set thread context of 3760	4296	1HG27RF3.exe	94

Program crash 2 IoCs

pid	pid_target	Process	procid_target
4768	3760	WerFault.exe	94
4784	4296	WerFault.exe	93

Suspicious use of WriteProcessMemory 28 IoCs

description	pid	Process	procid_target
PID 552 wrote to memory of 456	552	bbeeb2024b7fb745a13e1ff05b087ac85150cee3382ac05aece41918451d5d48.exe	87
PID 552 wrote to memory of 456	552	bbeeb2024b7fb745a13e1ff05b087ac85150cee3382ac05aece41918451d5d48.exe	87
PID 552 wrote to memory of 456	552	bbeeb2024b7fb745a13e1ff05b087ac85150cee3382ac05aece41918451d5d48.exe	87
PID 456 wrote to memory of 4292	456	eO2jF2gn.exe	88
PID 456 wrote to memory of 4292	456	eO2jF2gn.exe	88
PID 456 wrote to memory of 4292	456	eO2jF2gn.exe	88
PID 4292 wrote to memory of 4632	4292	NQ9Ka0xu.exe	90
PID 4292 wrote to memory of 4632	4292	NQ9Ka0xu.exe	90
PID 4292 wrote to memory of 4632	4292	NQ9Ka0xu.exe	90
PID 4632 wrote to memory of 2568	4632	aH2zd3CY.exe	91
PID 4632 wrote to memory of 2568	4632	aH2zd3CY.exe	91
PID 4632 wrote to memory of 2568	4632	aH2zd3CY.exe	91
PID 2568 wrote to memory of 4296	2568	ak7tg5eJ.exe	93
PID 2568 wrote to memory of 4296	2568	ak7tg5eJ.exe	93
PID 2568 wrote to memory of 4296	2568	ak7tg5eJ.exe	93
PID 4296 wrote to memory of 3760	4296	1HG27RF3.exe	94
PID 4296 wrote to memory of 3760	4296	1HG27RF3.exe	94
PID 4296 wrote to memory of 3760	4296	1HG27RF3.exe	94
PID 4296 wrote to memory of 3760	4296	1HG27RF3.exe	94
PID 4296 wrote to memory of 3760	4296	1HG27RF3.exe	94
PID 4296 wrote to memory of 3760	4296	1HG27RF3.exe	94
PID 4296 wrote to memory of 3760	4296	1HG27RF3.exe	94
PID 4296 wrote to memory of 3760	4296	1HG27RF3.exe	94
PID 4296 wrote to memory of 3760	4296	1HG27RF3.exe	94
PID 4296 wrote to memory of 3760	4296	1HG27RF3.exe	94
PID 2568 wrote to memory of 1916	2568	ak7tg5eJ.exe	99
PID 2568 wrote to memory of 1916	2568	ak7tg5eJ.exe	99
PID 2568 wrote to memory of 1916	2568	ak7tg5eJ.exe	99

C:\Users\Admin\AppData\Local\Temp\bbeeb2024b7fb745a13e1ff05b087ac85150cee3382ac05aece41918451d5d48.exe
"C:\Users\Admin\AppData\Local\Temp\bbeeb2024b7fb745a13e1ff05b087ac85150cee3382ac05aece41918451d5d48.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:552
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\eO2jF2gn.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\eO2jF2gn.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:456
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\NQ9Ka0xu.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\NQ9Ka0xu.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:4292
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\aH2zd3CY.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\aH2zd3CY.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:4632
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ak7tg5eJ.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ak7tg5eJ.exe
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of WriteProcessMemory
        
        PID:2568
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1HG27RF3.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1HG27RF3.exe
        6⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:4296
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        7⤵
        
        PID:3760
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3760 -s 540
        8⤵
        Program crash
        
        PID:4768
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4296 -s 592
        7⤵
        Program crash
        
        PID:4784
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2Tq640PK.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2Tq640PK.exe
        6⤵
        Executes dropped EXE
        
        PID:1916

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 4296 -ip 4296
1⤵
PID:4980

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 3760 -ip 3760
1⤵
PID:3060

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\eO2jF2gn.exe

Filesize
1.1MB

MD5
081195992d20f96fd60f6a52fbad1c4f

SHA1
eaa6155aceda0c7ab2458c0587497da014ee3b1d

SHA256
0ea9aa593bb54b557e3f064df8065374d2197b35eabd8110d92fb240a1377d36

SHA512
d4e14ae67160d7eac9c3d62c5dcd5fb090eb1f968792d5e54c5be67b3bb7fc8998a9b8bb2d02b529f5147e955c996d76a206d36c595eb1306025cae9f60cf1b8

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\eO2jF2gn.exe

Filesize
1.1MB

MD5
081195992d20f96fd60f6a52fbad1c4f

SHA1
eaa6155aceda0c7ab2458c0587497da014ee3b1d

SHA256
0ea9aa593bb54b557e3f064df8065374d2197b35eabd8110d92fb240a1377d36

SHA512
d4e14ae67160d7eac9c3d62c5dcd5fb090eb1f968792d5e54c5be67b3bb7fc8998a9b8bb2d02b529f5147e955c996d76a206d36c595eb1306025cae9f60cf1b8

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\NQ9Ka0xu.exe

Filesize
935KB

MD5
fdecb38adbcfe34054d0b5fc16b1fe71

SHA1
37af0369a3d56b6b41b69592056c4810e969f935

SHA256
78b3f02614cb0cac7e068885d7f5f8130e78f63854d3d4374f39abd535e5cd0a

SHA512
2c0618f0b56cd22478b61615322084e51b81b5f0c0609fe2edf37c1b36d94492011fcf8666eb01c1fad26efd083fd8dd243e79889f72b0b438af1121dcbf7cb5

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\NQ9Ka0xu.exe

Filesize
935KB

MD5
fdecb38adbcfe34054d0b5fc16b1fe71

SHA1
37af0369a3d56b6b41b69592056c4810e969f935

SHA256
78b3f02614cb0cac7e068885d7f5f8130e78f63854d3d4374f39abd535e5cd0a

SHA512
2c0618f0b56cd22478b61615322084e51b81b5f0c0609fe2edf37c1b36d94492011fcf8666eb01c1fad26efd083fd8dd243e79889f72b0b438af1121dcbf7cb5

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\aH2zd3CY.exe

Filesize
639KB

MD5
53ebbd456148cb32640456aacf00c2ed

SHA1
f695999d38a4d3e3e193e26adea05ae64e08fa0e

SHA256
06fa47885690093b5b68ce1b0c2ec5bb9e6466255f83a1e125f2dc015e16b63a

SHA512
ae409141ded9366d5801c0ff9c4a20690951b8ebb3990aa656fb0296e13a8e73aeec7800e7eeff6a7d4f57d15bd17a01f40c65532a634557157597ae1ddfd66d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\aH2zd3CY.exe

Filesize
639KB

MD5
53ebbd456148cb32640456aacf00c2ed

SHA1
f695999d38a4d3e3e193e26adea05ae64e08fa0e

SHA256
06fa47885690093b5b68ce1b0c2ec5bb9e6466255f83a1e125f2dc015e16b63a

SHA512
ae409141ded9366d5801c0ff9c4a20690951b8ebb3990aa656fb0296e13a8e73aeec7800e7eeff6a7d4f57d15bd17a01f40c65532a634557157597ae1ddfd66d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ak7tg5eJ.exe

Filesize
443KB

MD5
ab274a0be600ccea4efcc5022d078b0b

SHA1
1f056db47e5ccc82f39edc66b34eb827651a7327

SHA256
370fbbaaf6d63979e2c1cb901cbda049795ec696954f38331eedc112d11cb59f

SHA512
dbaeb1e8128f90bdf628475267e6bde9235915d81827b9b27516213a66f23a899fd0407b5a2c298da752076ff8b8324ac2189e0c38d934b05de159301390ed6d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ak7tg5eJ.exe

Filesize
443KB

MD5
ab274a0be600ccea4efcc5022d078b0b

SHA1
1f056db47e5ccc82f39edc66b34eb827651a7327

SHA256
370fbbaaf6d63979e2c1cb901cbda049795ec696954f38331eedc112d11cb59f

SHA512
dbaeb1e8128f90bdf628475267e6bde9235915d81827b9b27516213a66f23a899fd0407b5a2c298da752076ff8b8324ac2189e0c38d934b05de159301390ed6d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1HG27RF3.exe

Filesize
422KB

MD5
63b112b5a5ee8e663228c217ff85a28b

SHA1
d3b1ca0699470ca031f7a0d77bb1f1f08aaf75fc

SHA256
8b307de78aada36062c3620d62903428a2ae59d6de900f0c2a3d9e9db92f60c2

SHA512
1132bec66ce0cf2dd0a293df13c11339b19542e2f65da7a0bf1cda5bb9c1f1dec77dd40d8515ff818b9b02579ba01925071fb4cbf3fd196b2cc064327ea41dcf

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1HG27RF3.exe

Filesize
422KB

MD5
63b112b5a5ee8e663228c217ff85a28b

SHA1
d3b1ca0699470ca031f7a0d77bb1f1f08aaf75fc

SHA256
8b307de78aada36062c3620d62903428a2ae59d6de900f0c2a3d9e9db92f60c2

SHA512
1132bec66ce0cf2dd0a293df13c11339b19542e2f65da7a0bf1cda5bb9c1f1dec77dd40d8515ff818b9b02579ba01925071fb4cbf3fd196b2cc064327ea41dcf

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2Tq640PK.exe

Filesize
222KB

MD5
7a4a133a69c38f307f495f859cfdfc84

SHA1
b449bd5dcfc3708fe428af8d2e1e4bc8e6ff78f3

SHA256
66603a4f928d8a9bc1f075ac1a64c45b64a42bf4e4c09e8d4fb9e62eaec11030

SHA512
8ad0e6e56d343a98fb58d8e858060e0c98c43e612d1c88b9eb85f40acb85c66a714254e2c24de756dfac7e5763dcd8a6a1eb7f0b25b67bb4518359f106546338

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2Tq640PK.exe

Filesize
222KB

MD5
7a4a133a69c38f307f495f859cfdfc84

SHA1
b449bd5dcfc3708fe428af8d2e1e4bc8e6ff78f3

SHA256
66603a4f928d8a9bc1f075ac1a64c45b64a42bf4e4c09e8d4fb9e62eaec11030

SHA512
8ad0e6e56d343a98fb58d8e858060e0c98c43e612d1c88b9eb85f40acb85c66a714254e2c24de756dfac7e5763dcd8a6a1eb7f0b25b67bb4518359f106546338

Download Submit
memory/1916-46-0x00000000079E0000-0x0000000007A72000-memory.dmp

Filesize
584KB

Download
memory/1916-48-0x0000000007BC0000-0x0000000007BCA000-memory.dmp

Filesize
40KB

Download
memory/1916-55-0x0000000007B80000-0x0000000007B90000-memory.dmp

Filesize
64KB

Download
memory/1916-54-0x0000000074940000-0x00000000750F0000-memory.dmp

Filesize
7.7MB

Download
memory/1916-43-0x0000000074940000-0x00000000750F0000-memory.dmp

Filesize
7.7MB

Download
memory/1916-44-0x0000000000B00000-0x0000000000B3E000-memory.dmp

Filesize
248KB

Download
memory/1916-45-0x0000000007EF0000-0x0000000008494000-memory.dmp

Filesize
5.6MB

Download
memory/1916-53-0x0000000007D40000-0x0000000007D8C000-memory.dmp

Filesize
304KB

Download
memory/1916-52-0x0000000007D00000-0x0000000007D3C000-memory.dmp

Filesize
240KB

Download
memory/1916-49-0x0000000008AC0000-0x00000000090D8000-memory.dmp

Filesize
6.1MB

Download
memory/1916-47-0x0000000007B80000-0x0000000007B90000-memory.dmp

Filesize
64KB

Download
memory/1916-50-0x00000000084A0000-0x00000000085AA000-memory.dmp

Filesize
1.0MB

Download
memory/1916-51-0x0000000007C90000-0x0000000007CA2000-memory.dmp

Filesize
72KB

Download
memory/3760-39-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3760-36-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3760-37-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3760-35-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads