redline | 310fd74e16f6fed06c9824763a2a70884e36ccc86c061df76bd01d2a0480d742

Analysis

max time kernel
171s
max time network
192s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
11/10/2023, 22:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

310fd74e16f6fed06c9824763a2a70884e36ccc86c061df76bd01d2a0480d742.exe
Size

957KB
MD5

3b39f2c6abd924165252890ac7e2fc51
SHA1

d584aebbc558921ee2ca00517fa0ad3bb4351d43
SHA256

310fd74e16f6fed06c9824763a2a70884e36ccc86c061df76bd01d2a0480d742
SHA512

0a88bda1dfdaa5ee43650e409e7e6018cdbd67b8a090a2efb61f036c84a330904f1fdca675e39a88f1f8040ba13c023bd4f5169783dbb94a07bb14514b70bf60
SSDEEP

12288:VMrZy90k04Ni7zT39FS+7eljWXfxJPhliYOO6uihQ8ZZWvdGLb59ij1zkWskGhEc:8yndNozT3i+7m4jht64msvk5Mj1gK+

Score

10^/10

redline tuxiu infostealer persistence

Malware Config

Extracted

Family

redline

Botnet

tuxiu

77.91.124.82:19071

Attributes

auth_value
29610cdad07e7187eec70685a04b89fe

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 3 IoCs

resource	yara_rule
behavioral2/files/0x0006000000023259-33.dat	family_redline
behavioral2/files/0x0006000000023259-35.dat	family_redline
behavioral2/memory/4504-36-0x00000000009B0000-0x00000000009E0000-memory.dmp	family_redline

Executes dropped EXE 5 IoCs

pid	Process
2084	x0640703.exe
4736	x9953633.exe
2608	x5438303.exe
3220	g4867102.exe
4504	h3695331.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	x0640703.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	x9953633.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	x5438303.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	310fd74e16f6fed06c9824763a2a70884e36ccc86c061df76bd01d2a0480d742.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 3220 set thread context of 4936	3220	g4867102.exe	93

Program crash 2 IoCs

pid	pid_target	Process	procid_target
3508	3220	WerFault.exe	89
3008	4936	WerFault.exe	93

Suspicious use of WriteProcessMemory 31 IoCs

description	pid	Process	procid_target
PID 4452 wrote to memory of 2084	4452	310fd74e16f6fed06c9824763a2a70884e36ccc86c061df76bd01d2a0480d742.exe	86
PID 4452 wrote to memory of 2084	4452	310fd74e16f6fed06c9824763a2a70884e36ccc86c061df76bd01d2a0480d742.exe	86
PID 4452 wrote to memory of 2084	4452	310fd74e16f6fed06c9824763a2a70884e36ccc86c061df76bd01d2a0480d742.exe	86
PID 2084 wrote to memory of 4736	2084	x0640703.exe	87
PID 2084 wrote to memory of 4736	2084	x0640703.exe	87
PID 2084 wrote to memory of 4736	2084	x0640703.exe	87
PID 4736 wrote to memory of 2608	4736	x9953633.exe	88
PID 4736 wrote to memory of 2608	4736	x9953633.exe	88
PID 4736 wrote to memory of 2608	4736	x9953633.exe	88
PID 2608 wrote to memory of 3220	2608	x5438303.exe	89
PID 2608 wrote to memory of 3220	2608	x5438303.exe	89
PID 2608 wrote to memory of 3220	2608	x5438303.exe	89
PID 3220 wrote to memory of 2808	3220	g4867102.exe	90
PID 3220 wrote to memory of 2808	3220	g4867102.exe	90
PID 3220 wrote to memory of 2808	3220	g4867102.exe	90
PID 3220 wrote to memory of 4128	3220	g4867102.exe	92
PID 3220 wrote to memory of 4128	3220	g4867102.exe	92
PID 3220 wrote to memory of 4128	3220	g4867102.exe	92
PID 3220 wrote to memory of 4936	3220	g4867102.exe	93
PID 3220 wrote to memory of 4936	3220	g4867102.exe	93
PID 3220 wrote to memory of 4936	3220	g4867102.exe	93
PID 3220 wrote to memory of 4936	3220	g4867102.exe	93
PID 3220 wrote to memory of 4936	3220	g4867102.exe	93
PID 3220 wrote to memory of 4936	3220	g4867102.exe	93
PID 3220 wrote to memory of 4936	3220	g4867102.exe	93
PID 3220 wrote to memory of 4936	3220	g4867102.exe	93
PID 3220 wrote to memory of 4936	3220	g4867102.exe	93
PID 3220 wrote to memory of 4936	3220	g4867102.exe	93
PID 2608 wrote to memory of 4504	2608	x5438303.exe	102
PID 2608 wrote to memory of 4504	2608	x5438303.exe	102
PID 2608 wrote to memory of 4504	2608	x5438303.exe	102

C:\Users\Admin\AppData\Local\Temp\310fd74e16f6fed06c9824763a2a70884e36ccc86c061df76bd01d2a0480d742.exe
"C:\Users\Admin\AppData\Local\Temp\310fd74e16f6fed06c9824763a2a70884e36ccc86c061df76bd01d2a0480d742.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4452
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x0640703.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x0640703.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:2084
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x9953633.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x9953633.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:4736
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\x5438303.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\x5438303.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:2608
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\g4867102.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\g4867102.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:3220
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        6⤵
        
        PID:2808
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        6⤵
        
        PID:4128
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        6⤵
        
        PID:4936
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4936 -s 540
        7⤵
        Program crash
        
        PID:3008
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3220 -s 596
        6⤵
        Program crash
        
        PID:3508
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\h3695331.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\h3695331.exe
        5⤵
        Executes dropped EXE
        
        PID:4504

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 4936 -ip 4936
1⤵
PID:2736

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 3220 -ip 3220
1⤵
PID:5108

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x0640703.exe

Filesize
855KB

MD5
1a32b12421e39e10a60a79d727942144

SHA1
14e18aeacb3dbf305a93589e8752f5d7af984fcf

SHA256
ded68a6b02db81b37c72472a9c7c2a0f134c68b43d95f379db3833cd65b3254b

SHA512
c387c4401781ba6e8f8db519060bf295938d7bb05b00dde0e81fc6a3f21338d4cf18b5858e6df42fe229ada66e40ace68fdf49dbfdb97104be38f65ed41b99c8

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x0640703.exe

Filesize
855KB

MD5
1a32b12421e39e10a60a79d727942144

SHA1
14e18aeacb3dbf305a93589e8752f5d7af984fcf

SHA256
ded68a6b02db81b37c72472a9c7c2a0f134c68b43d95f379db3833cd65b3254b

SHA512
c387c4401781ba6e8f8db519060bf295938d7bb05b00dde0e81fc6a3f21338d4cf18b5858e6df42fe229ada66e40ace68fdf49dbfdb97104be38f65ed41b99c8

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x9953633.exe

Filesize
581KB

MD5
4701b26bd3e2f75b0f42375523275de0

SHA1
05e6b02c2db87e8cedaa4a49fda539517279f45f

SHA256
66515c21bb168877c0a5b979ddcf7a3839c3b8c56ad27113820cf29278524dd5

SHA512
103df3aca7e198ad3ea0adc9ac339a8a722eb99cf536887bd4ba43e11329d26597577eefb12a17b73e00bfddea2ce9e98d827a326a0e73ac1d3dcf52cd4c4d3f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x9953633.exe

Filesize
581KB

MD5
4701b26bd3e2f75b0f42375523275de0

SHA1
05e6b02c2db87e8cedaa4a49fda539517279f45f

SHA256
66515c21bb168877c0a5b979ddcf7a3839c3b8c56ad27113820cf29278524dd5

SHA512
103df3aca7e198ad3ea0adc9ac339a8a722eb99cf536887bd4ba43e11329d26597577eefb12a17b73e00bfddea2ce9e98d827a326a0e73ac1d3dcf52cd4c4d3f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\x5438303.exe

Filesize
404KB

MD5
20b5571c01ff6380ca6abb9dec6b7f82

SHA1
d520671cb23928aff2940ea441c29d5885d76234

SHA256
4142747123a2bda352e40892ca2b3d7eba4b0ef14f843265756bbcb4aa665129

SHA512
184b4ed5bf9dd87b2bfaee33f1f82cc014e841e9a2a9cf2fd3159680f3f13459c538623bad24da00ab4706736c677b9a4b82f4c9bcbb0ceaa17f13ef59b19cae

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\x5438303.exe

Filesize
404KB

MD5
20b5571c01ff6380ca6abb9dec6b7f82

SHA1
d520671cb23928aff2940ea441c29d5885d76234

SHA256
4142747123a2bda352e40892ca2b3d7eba4b0ef14f843265756bbcb4aa665129

SHA512
184b4ed5bf9dd87b2bfaee33f1f82cc014e841e9a2a9cf2fd3159680f3f13459c538623bad24da00ab4706736c677b9a4b82f4c9bcbb0ceaa17f13ef59b19cae

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\g4867102.exe

Filesize
396KB

MD5
e4310b4f423d984f28a44c5893b81a47

SHA1
2914520ea0e0ebc8aefd7b40f0aabf9b3fcaaaa9

SHA256
15b4d9ccc8ab4d7a9cf546bfe73925cc3bcc0248db515b8c70d908ad575d5763

SHA512
30916bcfde7f548b7aae7fdb202bec1a8ba0340251c3d7463fb4c94253f44faedd8bf8d7c9df416d5c993f38e783edd07b1696cf51b1cdcccdb41572e8dc181f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\g4867102.exe

Filesize
396KB

MD5
e4310b4f423d984f28a44c5893b81a47

SHA1
2914520ea0e0ebc8aefd7b40f0aabf9b3fcaaaa9

SHA256
15b4d9ccc8ab4d7a9cf546bfe73925cc3bcc0248db515b8c70d908ad575d5763

SHA512
30916bcfde7f548b7aae7fdb202bec1a8ba0340251c3d7463fb4c94253f44faedd8bf8d7c9df416d5c993f38e783edd07b1696cf51b1cdcccdb41572e8dc181f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\h3695331.exe

Filesize
175KB

MD5
179fb8c85de05e9c93ec12e688bd4c6c

SHA1
936ce16367d130d1a5cf1ffe035fd802aed6e204

SHA256
2e86171db7e3ee49cacd53754befd5d3754c8a59cff3cab7744ae285fa4389e6

SHA512
1b929179a078c330b6485646773b1bae9fb49b11c8af8f0f13594262997d17a8e46652581f9a73321fd9483682a942f768cdd115a8f9c67551df78ec6740c402

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\h3695331.exe

Filesize
175KB

MD5
179fb8c85de05e9c93ec12e688bd4c6c

SHA1
936ce16367d130d1a5cf1ffe035fd802aed6e204

SHA256
2e86171db7e3ee49cacd53754befd5d3754c8a59cff3cab7744ae285fa4389e6

SHA512
1b929179a078c330b6485646773b1bae9fb49b11c8af8f0f13594262997d17a8e46652581f9a73321fd9483682a942f768cdd115a8f9c67551df78ec6740c402

Download Submit
memory/4504-39-0x00000000058F0000-0x0000000005F08000-memory.dmp

Filesize
6.1MB

Download
memory/4504-42-0x0000000005340000-0x0000000005352000-memory.dmp

Filesize
72KB

Download
memory/4504-46-0x0000000002C80000-0x0000000002C90000-memory.dmp

Filesize
64KB

Download
memory/4504-45-0x0000000074650000-0x0000000074E00000-memory.dmp

Filesize
7.7MB

Download
memory/4504-36-0x00000000009B0000-0x00000000009E0000-memory.dmp

Filesize
192KB

Download
memory/4504-37-0x0000000074650000-0x0000000074E00000-memory.dmp

Filesize
7.7MB

Download
memory/4504-44-0x0000000005510000-0x000000000555C000-memory.dmp

Filesize
304KB

Download
memory/4504-40-0x0000000005400000-0x000000000550A000-memory.dmp

Filesize
1.0MB

Download
memory/4504-38-0x0000000002C60000-0x0000000002C66000-memory.dmp

Filesize
24KB

Download
memory/4504-41-0x0000000002C80000-0x0000000002C90000-memory.dmp

Filesize
64KB

Download
memory/4504-43-0x00000000053A0000-0x00000000053DC000-memory.dmp

Filesize
240KB

Download
memory/4936-29-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/4936-32-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/4936-30-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/4936-28-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads