redline | 9b126ba245b99b66148a3b92a72a6d97accc96d30c4d066e20d70d7091140575

Analysis

max time kernel
151s
max time network
158s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
11/10/2023, 22:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9b126ba245b99b66148a3b92a72a6d97accc96d30c4d066e20d70d7091140575.exe
Size

957KB
MD5

ea079475cc4cab5c2f17a5633b3504c9
SHA1

ab68d47dd38ba53d9dcd8639077172f2aa20da02
SHA256

9b126ba245b99b66148a3b92a72a6d97accc96d30c4d066e20d70d7091140575
SHA512

244b8241a475682acd10c8bfa65ff2d50334e1e924f6a669b60fcc95bc9ae01729dc3d828d7b8f82d11bf4a113235d684efccaaea3445f3104e2bb64c72f2702
SSDEEP

24576:3ylwFPJal0gvtsuZFzvgVocgxpRsQhs+GM8FfHAqmuz:ClwJJal0gvtsIFzY2/u+4fgv

Score

10^/10

redline tuxiu infostealer persistence

Malware Config

Extracted

Family

redline

Botnet

tuxiu

77.91.124.82:19071

Attributes

auth_value
29610cdad07e7187eec70685a04b89fe

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 3 IoCs

resource	yara_rule
behavioral2/files/0x000600000002320b-34.dat	family_redline
behavioral2/files/0x000600000002320b-35.dat	family_redline
behavioral2/memory/756-36-0x0000000000300000-0x0000000000330000-memory.dmp	family_redline

Executes dropped EXE 5 IoCs

pid	Process
4780	x8087171.exe
368	x7026376.exe
3948	x4289800.exe
4344	g9636074.exe
756	h3652266.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	9b126ba245b99b66148a3b92a72a6d97accc96d30c4d066e20d70d7091140575.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	x8087171.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	x7026376.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	x4289800.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4344 set thread context of 4328	4344	g9636074.exe	93

Program crash 2 IoCs

pid	pid_target	Process	procid_target
3720	4328	WerFault.exe	93
2352	4344	WerFault.exe	90

Suspicious use of WriteProcessMemory 31 IoCs

description	pid	Process	procid_target
PID 4884 wrote to memory of 4780	4884	9b126ba245b99b66148a3b92a72a6d97accc96d30c4d066e20d70d7091140575.exe	86
PID 4884 wrote to memory of 4780	4884	9b126ba245b99b66148a3b92a72a6d97accc96d30c4d066e20d70d7091140575.exe	86
PID 4884 wrote to memory of 4780	4884	9b126ba245b99b66148a3b92a72a6d97accc96d30c4d066e20d70d7091140575.exe	86
PID 4780 wrote to memory of 368	4780	x8087171.exe	87
PID 4780 wrote to memory of 368	4780	x8087171.exe	87
PID 4780 wrote to memory of 368	4780	x8087171.exe	87
PID 368 wrote to memory of 3948	368	x7026376.exe	88
PID 368 wrote to memory of 3948	368	x7026376.exe	88
PID 368 wrote to memory of 3948	368	x7026376.exe	88
PID 3948 wrote to memory of 4344	3948	x4289800.exe	90
PID 3948 wrote to memory of 4344	3948	x4289800.exe	90
PID 3948 wrote to memory of 4344	3948	x4289800.exe	90
PID 4344 wrote to memory of 4832	4344	g9636074.exe	91
PID 4344 wrote to memory of 4832	4344	g9636074.exe	91
PID 4344 wrote to memory of 4832	4344	g9636074.exe	91
PID 4344 wrote to memory of 1028	4344	g9636074.exe	92
PID 4344 wrote to memory of 1028	4344	g9636074.exe	92
PID 4344 wrote to memory of 1028	4344	g9636074.exe	92
PID 4344 wrote to memory of 4328	4344	g9636074.exe	93
PID 4344 wrote to memory of 4328	4344	g9636074.exe	93
PID 4344 wrote to memory of 4328	4344	g9636074.exe	93
PID 4344 wrote to memory of 4328	4344	g9636074.exe	93
PID 4344 wrote to memory of 4328	4344	g9636074.exe	93
PID 4344 wrote to memory of 4328	4344	g9636074.exe	93
PID 4344 wrote to memory of 4328	4344	g9636074.exe	93
PID 4344 wrote to memory of 4328	4344	g9636074.exe	93
PID 4344 wrote to memory of 4328	4344	g9636074.exe	93
PID 4344 wrote to memory of 4328	4344	g9636074.exe	93
PID 3948 wrote to memory of 756	3948	x4289800.exe	103
PID 3948 wrote to memory of 756	3948	x4289800.exe	103
PID 3948 wrote to memory of 756	3948	x4289800.exe	103

C:\Users\Admin\AppData\Local\Temp\9b126ba245b99b66148a3b92a72a6d97accc96d30c4d066e20d70d7091140575.exe
"C:\Users\Admin\AppData\Local\Temp\9b126ba245b99b66148a3b92a72a6d97accc96d30c4d066e20d70d7091140575.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4884
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x8087171.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x8087171.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:4780
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x7026376.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x7026376.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:368
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\x4289800.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\x4289800.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:3948
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\g9636074.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\g9636074.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:4344
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        6⤵
        
        PID:4832
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        6⤵
        
        PID:1028
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        6⤵
        
        PID:4328
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4328 -s 540
        7⤵
        Program crash
        
        PID:3720
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4344 -s 596
        6⤵
        Program crash
        
        PID:2352
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\h3652266.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\h3652266.exe
        5⤵
        Executes dropped EXE
        
        PID:756

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 4328 -ip 4328
1⤵
PID:4228

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 4344 -ip 4344
1⤵
PID:4196

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x8087171.exe

Filesize
855KB

MD5
d8653a2a7c8a9c87875547f091341b9a

SHA1
2d7a604d78efcebe394ffe9999b95c8ed1d87889

SHA256
049ba158f6ec944f9daa61949c17cf42e25b9537519bb64bc416d709d78cedc8

SHA512
e20c000d12a0c99ae00b01320f3865d82cb17b8ad03fa69e6a003007c86f354d6e5310d32424bd6fb7192081c7dcb4c42b57bbaaf2ae18f8e4e67ae8003ec1e7

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x8087171.exe

Filesize
855KB

MD5
d8653a2a7c8a9c87875547f091341b9a

SHA1
2d7a604d78efcebe394ffe9999b95c8ed1d87889

SHA256
049ba158f6ec944f9daa61949c17cf42e25b9537519bb64bc416d709d78cedc8

SHA512
e20c000d12a0c99ae00b01320f3865d82cb17b8ad03fa69e6a003007c86f354d6e5310d32424bd6fb7192081c7dcb4c42b57bbaaf2ae18f8e4e67ae8003ec1e7

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x7026376.exe

Filesize
580KB

MD5
266244ef8757316735112ccf88822402

SHA1
ea5015ca90e517f15bc725a8704b3d3ce9871c15

SHA256
ac9fe7bc5e3f1ac51e925808358058f8b7b93be1f7d44bf8181081882163ac5a

SHA512
3f0cf1088c4f583f63a1c0852075c64922ad46c4bc405451eeba64e8e103df93c8214ea0b9d38f81567aff810f6dd5180344000ae5bb8a381f72638bf85604c2

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x7026376.exe

Filesize
580KB

MD5
266244ef8757316735112ccf88822402

SHA1
ea5015ca90e517f15bc725a8704b3d3ce9871c15

SHA256
ac9fe7bc5e3f1ac51e925808358058f8b7b93be1f7d44bf8181081882163ac5a

SHA512
3f0cf1088c4f583f63a1c0852075c64922ad46c4bc405451eeba64e8e103df93c8214ea0b9d38f81567aff810f6dd5180344000ae5bb8a381f72638bf85604c2

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\x4289800.exe

Filesize
404KB

MD5
c75d33757dabc500a146661f1dabc169

SHA1
de7bd3f6338afa46a4195b48d472f6fdc1250af4

SHA256
3b81006334ec9fbebd595bf12dfa91b366e4a29524da01163ae0b147d969b72a

SHA512
313fd2d6bb1477b4cf94f53033062722b7218c653faeecf4d543217d6c5f08ef0c0c6715b8e8f4235f3d0254b0cae08da4cf8bc69f97a3754dc0f3c0b335f0b7

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\x4289800.exe

Filesize
404KB

MD5
c75d33757dabc500a146661f1dabc169

SHA1
de7bd3f6338afa46a4195b48d472f6fdc1250af4

SHA256
3b81006334ec9fbebd595bf12dfa91b366e4a29524da01163ae0b147d969b72a

SHA512
313fd2d6bb1477b4cf94f53033062722b7218c653faeecf4d543217d6c5f08ef0c0c6715b8e8f4235f3d0254b0cae08da4cf8bc69f97a3754dc0f3c0b335f0b7

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\g9636074.exe

Filesize
396KB

MD5
aaee60480a4b32dc296419d9b6ceed68

SHA1
61d18d2b07fe9d98644d35a91266fbd86968849b

SHA256
b58eeb1f5c32c63a600aff5f7871de46ccc38d01bb5feca6ae186aad4a5486e0

SHA512
99294ef0254802641a950d6b0ba803ae57d4aebd382258dc19d69f2d9600237c8d9334e64097dbbded405bd4c2ca7cd6d2c2d33db07e070395d038d7d91825dd

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\g9636074.exe

Filesize
396KB

MD5
aaee60480a4b32dc296419d9b6ceed68

SHA1
61d18d2b07fe9d98644d35a91266fbd86968849b

SHA256
b58eeb1f5c32c63a600aff5f7871de46ccc38d01bb5feca6ae186aad4a5486e0

SHA512
99294ef0254802641a950d6b0ba803ae57d4aebd382258dc19d69f2d9600237c8d9334e64097dbbded405bd4c2ca7cd6d2c2d33db07e070395d038d7d91825dd

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\h3652266.exe

Filesize
175KB

MD5
b74c2119952884350efd0ee6c6f3d75f

SHA1
c5035bc8b12e89d19ddd74edb470b21ab75fd841

SHA256
105d5445851221b04c223dc269a7c12d1caec8dc87ac3a16ce8ce83932be2910

SHA512
15fc33cf85b2e0d8e8a31df059ba1ee3afb56438ceb90d2d73accfc65b5f7350809471f660ebd648629f34d26979586d965b77c48a06fc37d57a66d14f23ca38

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\h3652266.exe

Filesize
175KB

MD5
b74c2119952884350efd0ee6c6f3d75f

SHA1
c5035bc8b12e89d19ddd74edb470b21ab75fd841

SHA256
105d5445851221b04c223dc269a7c12d1caec8dc87ac3a16ce8ce83932be2910

SHA512
15fc33cf85b2e0d8e8a31df059ba1ee3afb56438ceb90d2d73accfc65b5f7350809471f660ebd648629f34d26979586d965b77c48a06fc37d57a66d14f23ca38

Download Submit
memory/756-39-0x0000000005400000-0x0000000005A18000-memory.dmp

Filesize
6.1MB

Download
memory/756-42-0x0000000004DE0000-0x0000000004DF2000-memory.dmp

Filesize
72KB

Download
memory/756-46-0x0000000004CD0000-0x0000000004CE0000-memory.dmp

Filesize
64KB

Download
memory/756-45-0x0000000074980000-0x0000000075130000-memory.dmp

Filesize
7.7MB

Download
memory/756-36-0x0000000000300000-0x0000000000330000-memory.dmp

Filesize
192KB

Download
memory/756-37-0x0000000074980000-0x0000000075130000-memory.dmp

Filesize
7.7MB

Download
memory/756-44-0x0000000004E80000-0x0000000004ECC000-memory.dmp

Filesize
304KB

Download
memory/756-40-0x0000000004EF0000-0x0000000004FFA000-memory.dmp

Filesize
1.0MB

Download
memory/756-38-0x0000000004C20000-0x0000000004C26000-memory.dmp

Filesize
24KB

Download
memory/756-41-0x0000000004CD0000-0x0000000004CE0000-memory.dmp

Filesize
64KB

Download
memory/756-43-0x0000000004E40000-0x0000000004E7C000-memory.dmp

Filesize
240KB

Download
memory/4328-29-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/4328-32-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/4328-30-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/4328-28-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads