redline | 7f167b0c6bc901b0c1b227685fc6a4c75abfc899a5d0927598121d3dfee9793a

Analysis

max time kernel
195s
max time network
204s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
11-10-2023 21:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7f167b0c6bc901b0c1b227685fc6a4c75abfc899a5d0927598121d3dfee9793a.exe
Size

949KB
MD5

b3059f4b1ddf16a09c5da31ea0484e78
SHA1

7fcf28cfbdc6d04eaf24c1df158a624239edc33b
SHA256

7f167b0c6bc901b0c1b227685fc6a4c75abfc899a5d0927598121d3dfee9793a
SHA512

8d7238c813b7ff0455e696807c89a435a279f6161b95b1e721da11299d6dccef64a3892bdac32b26be885925376f6228770191fd7f55118febaa3ae0d06df747
SSDEEP

24576:6y1ZXdqL88x5NSGGVeDmHlCb4ljfFQX3gX:B1+jNTDmHgbgQX

Score

10^/10

redline tuxiu infostealer persistence

Malware Config

Extracted

Family

redline

Botnet

tuxiu

77.91.124.82:19071

Attributes

auth_value
29610cdad07e7187eec70685a04b89fe

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 3 IoCs

resource	yara_rule
behavioral2/files/0x00060000000231dd-34.dat	family_redline
behavioral2/files/0x00060000000231dd-35.dat	family_redline
behavioral2/memory/2908-36-0x00000000004B0000-0x00000000004E0000-memory.dmp	family_redline

Executes dropped EXE 5 IoCs

pid	Process
2784	x5927813.exe
3084	x1431807.exe
1312	x0840961.exe
952	g5832761.exe
2908	h0491623.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	x1431807.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	x0840961.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	7f167b0c6bc901b0c1b227685fc6a4c75abfc899a5d0927598121d3dfee9793a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	x5927813.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 952 set thread context of 3584	952	g5832761.exe	94

Program crash 2 IoCs

pid	pid_target	Process	procid_target
4460	952	WerFault.exe	93
5096	3584	WerFault.exe	94

Suspicious use of WriteProcessMemory 25 IoCs

description	pid	Process	procid_target
PID 5016 wrote to memory of 2784	5016	7f167b0c6bc901b0c1b227685fc6a4c75abfc899a5d0927598121d3dfee9793a.exe	90
PID 5016 wrote to memory of 2784	5016	7f167b0c6bc901b0c1b227685fc6a4c75abfc899a5d0927598121d3dfee9793a.exe	90
PID 5016 wrote to memory of 2784	5016	7f167b0c6bc901b0c1b227685fc6a4c75abfc899a5d0927598121d3dfee9793a.exe	90
PID 2784 wrote to memory of 3084	2784	x5927813.exe	91
PID 2784 wrote to memory of 3084	2784	x5927813.exe	91
PID 2784 wrote to memory of 3084	2784	x5927813.exe	91
PID 3084 wrote to memory of 1312	3084	x1431807.exe	92
PID 3084 wrote to memory of 1312	3084	x1431807.exe	92
PID 3084 wrote to memory of 1312	3084	x1431807.exe	92
PID 1312 wrote to memory of 952	1312	x0840961.exe	93
PID 1312 wrote to memory of 952	1312	x0840961.exe	93
PID 1312 wrote to memory of 952	1312	x0840961.exe	93
PID 952 wrote to memory of 3584	952	g5832761.exe	94
PID 952 wrote to memory of 3584	952	g5832761.exe	94
PID 952 wrote to memory of 3584	952	g5832761.exe	94
PID 952 wrote to memory of 3584	952	g5832761.exe	94
PID 952 wrote to memory of 3584	952	g5832761.exe	94
PID 952 wrote to memory of 3584	952	g5832761.exe	94
PID 952 wrote to memory of 3584	952	g5832761.exe	94
PID 952 wrote to memory of 3584	952	g5832761.exe	94
PID 952 wrote to memory of 3584	952	g5832761.exe	94
PID 952 wrote to memory of 3584	952	g5832761.exe	94
PID 1312 wrote to memory of 2908	1312	x0840961.exe	102
PID 1312 wrote to memory of 2908	1312	x0840961.exe	102
PID 1312 wrote to memory of 2908	1312	x0840961.exe	102

C:\Users\Admin\AppData\Local\Temp\7f167b0c6bc901b0c1b227685fc6a4c75abfc899a5d0927598121d3dfee9793a.exe
"C:\Users\Admin\AppData\Local\Temp\7f167b0c6bc901b0c1b227685fc6a4c75abfc899a5d0927598121d3dfee9793a.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:5016
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x5927813.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x5927813.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:2784
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x1431807.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x1431807.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:3084
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\x0840961.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\x0840961.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:1312
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\g5832761.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\g5832761.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:952
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        6⤵
        
        PID:3584
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3584 -s 540
        7⤵
        Program crash
        
        PID:5096
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 952 -s 552
        6⤵
        Program crash
        
        PID:4460
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\h0491623.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\h0491623.exe
        5⤵
        Executes dropped EXE
        
        PID:2908

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3584 -ip 3584
1⤵
PID:2780

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 952 -ip 952
1⤵
PID:3624

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x5927813.exe

Filesize
854KB

MD5
5545f7bcf7b1c28573e34251b0647a24

SHA1
cd4e8743de01d6887db510068df8b823b4abfdd4

SHA256
859a644f0ac6bae7ab278254a3f265109b8dd9f3d5547737ba23270cc82daa20

SHA512
96175fcdd21ed006f51479464b72a6a35e36d4c241c00528b3f066070356d33987c0b8560a43c96fda5703df898b27e11be5f39df66c0dad4637e28cf2d07151

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x5927813.exe

Filesize
854KB

MD5
5545f7bcf7b1c28573e34251b0647a24

SHA1
cd4e8743de01d6887db510068df8b823b4abfdd4

SHA256
859a644f0ac6bae7ab278254a3f265109b8dd9f3d5547737ba23270cc82daa20

SHA512
96175fcdd21ed006f51479464b72a6a35e36d4c241c00528b3f066070356d33987c0b8560a43c96fda5703df898b27e11be5f39df66c0dad4637e28cf2d07151

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x1431807.exe

Filesize
580KB

MD5
376eb623ba20f4cd8f18f29be0ac6e3e

SHA1
8c5a6003d7abc15cd5becefd63bfc3a4e108385f

SHA256
f0993ea4546a2c859b1efe4896f56877352224e345bdb699460f2a346a3d4112

SHA512
ec703d99e73e4b3171024005934d3756b5e2b451767434467711481a363ad3661ef9782a54adba2a4168a76794e3735aa61e12e50d909f4451e68ddace3dfee4

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x1431807.exe

Filesize
580KB

MD5
376eb623ba20f4cd8f18f29be0ac6e3e

SHA1
8c5a6003d7abc15cd5becefd63bfc3a4e108385f

SHA256
f0993ea4546a2c859b1efe4896f56877352224e345bdb699460f2a346a3d4112

SHA512
ec703d99e73e4b3171024005934d3756b5e2b451767434467711481a363ad3661ef9782a54adba2a4168a76794e3735aa61e12e50d909f4451e68ddace3dfee4

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\x0840961.exe

Filesize
404KB

MD5
ad2becb5d67f423a730760ab558322ce

SHA1
4ae04b3013f692d32dd4ec3f767a0a7a6c274527

SHA256
15222d9a77ef32951d54a5d878f9716fe246f32c44af7982e93524c44349331d

SHA512
8c9fbb36f2023556c4ab5cb9bda3c16ccf72ba099356ec137f7a6004ff5e21c1fc895f267ce6422fa2ca3ba7728c3e902c35565794307dbd0376c042ea984a2a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\x0840961.exe

Filesize
404KB

MD5
ad2becb5d67f423a730760ab558322ce

SHA1
4ae04b3013f692d32dd4ec3f767a0a7a6c274527

SHA256
15222d9a77ef32951d54a5d878f9716fe246f32c44af7982e93524c44349331d

SHA512
8c9fbb36f2023556c4ab5cb9bda3c16ccf72ba099356ec137f7a6004ff5e21c1fc895f267ce6422fa2ca3ba7728c3e902c35565794307dbd0376c042ea984a2a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\g5832761.exe

Filesize
396KB

MD5
a5a1dd4d742b1bf72098cfbcca7ca0b5

SHA1
662b9adb8079cb995fc170a639d028214eb78a0e

SHA256
437262ac47396684e200f1a5cfdb9d3e8176b8aab1834b8dd639c60323d8b71d

SHA512
87c7f903dd1dfc93ed3007f00a99c5d7edd29fd7f76da3ac03bfd528d549b385dd3945fd767f1e38a0b981aeeb83e7b7091ba1ac3ce3cd1fb154ae695b39e2f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\g5832761.exe

Filesize
396KB

MD5
a5a1dd4d742b1bf72098cfbcca7ca0b5

SHA1
662b9adb8079cb995fc170a639d028214eb78a0e

SHA256
437262ac47396684e200f1a5cfdb9d3e8176b8aab1834b8dd639c60323d8b71d

SHA512
87c7f903dd1dfc93ed3007f00a99c5d7edd29fd7f76da3ac03bfd528d549b385dd3945fd767f1e38a0b981aeeb83e7b7091ba1ac3ce3cd1fb154ae695b39e2f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\h0491623.exe

Filesize
175KB

MD5
60c4478c9f611a717e3fd4b183d83cf0

SHA1
8495f40874cb03c330ca596d8c11ee1491dc9a40

SHA256
c66c67b27c470b4eb74f5b1db06a4d414798cea30d47370ae6fb08df03b824f6

SHA512
17e332f05abda0e58551b22b09be212918cf0172c4e6f7469cca4a11fc1c8a229f9028805200ad07915cde103644ef473a096fef2c7e5bde1745d8454afe6e0a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\h0491623.exe

Filesize
175KB

MD5
60c4478c9f611a717e3fd4b183d83cf0

SHA1
8495f40874cb03c330ca596d8c11ee1491dc9a40

SHA256
c66c67b27c470b4eb74f5b1db06a4d414798cea30d47370ae6fb08df03b824f6

SHA512
17e332f05abda0e58551b22b09be212918cf0172c4e6f7469cca4a11fc1c8a229f9028805200ad07915cde103644ef473a096fef2c7e5bde1745d8454afe6e0a

Download Submit
memory/2908-39-0x0000000005570000-0x0000000005B88000-memory.dmp

Filesize
6.1MB

Download
memory/2908-40-0x0000000005060000-0x000000000516A000-memory.dmp

Filesize
1.0MB

Download
memory/2908-46-0x0000000004F40000-0x0000000004F50000-memory.dmp

Filesize
64KB

Download
memory/2908-45-0x00000000742B0000-0x0000000074A60000-memory.dmp

Filesize
7.7MB

Download
memory/2908-37-0x00000000742B0000-0x0000000074A60000-memory.dmp

Filesize
7.7MB

Download
memory/2908-36-0x00000000004B0000-0x00000000004E0000-memory.dmp

Filesize
192KB

Download
memory/2908-44-0x0000000005170000-0x00000000051BC000-memory.dmp

Filesize
304KB

Download
memory/2908-43-0x0000000004FE0000-0x000000000501C000-memory.dmp

Filesize
240KB

Download
memory/2908-38-0x0000000002790000-0x0000000002796000-memory.dmp

Filesize
24KB

Download
memory/2908-41-0x0000000004F40000-0x0000000004F50000-memory.dmp

Filesize
64KB

Download
memory/2908-42-0x0000000004F80000-0x0000000004F92000-memory.dmp

Filesize
72KB

Download
memory/3584-29-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/3584-32-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/3584-30-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/3584-28-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads