redline | 4eb83e5f4039efe9296d95f59b3a2cd5678c22007cf270b8a65b6b58ac2e0e52

Analysis

max time kernel
152s
max time network
163s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
11/10/2023, 22:32

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

4eb83e5f4039efe9296d95f59b3a2cd5678c22007cf270b8a65b6b58ac2e0e52.exe
Size

956KB
MD5

ad9a050a806ed357ebdaf7645f7d956a
SHA1

60559c8131a5ab066d8681316c0eabd5c292a3d1
SHA256

4eb83e5f4039efe9296d95f59b3a2cd5678c22007cf270b8a65b6b58ac2e0e52
SHA512

a1e96a27e43da3ec87d660293b20cfffc428783c1435729b5c6e923c9ccd8e0af38431d8bcbba0cb2072bda18116caa9c3e406133552981a3a31cd3d11c46a50
SSDEEP

24576:py7fbHnAbhSHhHJhlADjiaKvtcpu/3JDksmw6d/b1Jrf+yKo/hV:c/HAl8hJhlSjMj/XG/LtKo/h

Score

10^/10

redline tuxiu infostealer persistence

Malware Config

Extracted

Family

redline

Botnet

tuxiu

77.91.124.82:19071

Attributes

auth_value
29610cdad07e7187eec70685a04b89fe

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 3 IoCs

resource	yara_rule
behavioral2/files/0x00060000000231f0-34.dat	family_redline
behavioral2/files/0x00060000000231f0-35.dat	family_redline
behavioral2/memory/3084-36-0x0000000000A60000-0x0000000000A90000-memory.dmp	family_redline

Executes dropped EXE 5 IoCs

pid	Process
1032	x1326444.exe
3028	x8711755.exe
4968	x9264755.exe
5108	g9078854.exe
3084	h7328949.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	x1326444.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	x8711755.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	x9264755.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	4eb83e5f4039efe9296d95f59b3a2cd5678c22007cf270b8a65b6b58ac2e0e52.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 5108 set thread context of 1140	5108	g9078854.exe	92

Program crash 2 IoCs

pid	pid_target	Process	procid_target
3244	5108	WerFault.exe	89
2940	1140	WerFault.exe	92

Suspicious use of WriteProcessMemory 28 IoCs

description	pid	Process	procid_target
PID 2272 wrote to memory of 1032	2272	4eb83e5f4039efe9296d95f59b3a2cd5678c22007cf270b8a65b6b58ac2e0e52.exe	86
PID 2272 wrote to memory of 1032	2272	4eb83e5f4039efe9296d95f59b3a2cd5678c22007cf270b8a65b6b58ac2e0e52.exe	86
PID 2272 wrote to memory of 1032	2272	4eb83e5f4039efe9296d95f59b3a2cd5678c22007cf270b8a65b6b58ac2e0e52.exe	86
PID 1032 wrote to memory of 3028	1032	x1326444.exe	87
PID 1032 wrote to memory of 3028	1032	x1326444.exe	87
PID 1032 wrote to memory of 3028	1032	x1326444.exe	87
PID 3028 wrote to memory of 4968	3028	x8711755.exe	88
PID 3028 wrote to memory of 4968	3028	x8711755.exe	88
PID 3028 wrote to memory of 4968	3028	x8711755.exe	88
PID 4968 wrote to memory of 5108	4968	x9264755.exe	89
PID 4968 wrote to memory of 5108	4968	x9264755.exe	89
PID 4968 wrote to memory of 5108	4968	x9264755.exe	89
PID 5108 wrote to memory of 3548	5108	g9078854.exe	90
PID 5108 wrote to memory of 3548	5108	g9078854.exe	90
PID 5108 wrote to memory of 3548	5108	g9078854.exe	90
PID 5108 wrote to memory of 1140	5108	g9078854.exe	92
PID 5108 wrote to memory of 1140	5108	g9078854.exe	92
PID 5108 wrote to memory of 1140	5108	g9078854.exe	92
PID 5108 wrote to memory of 1140	5108	g9078854.exe	92
PID 5108 wrote to memory of 1140	5108	g9078854.exe	92
PID 5108 wrote to memory of 1140	5108	g9078854.exe	92
PID 5108 wrote to memory of 1140	5108	g9078854.exe	92
PID 5108 wrote to memory of 1140	5108	g9078854.exe	92
PID 5108 wrote to memory of 1140	5108	g9078854.exe	92
PID 5108 wrote to memory of 1140	5108	g9078854.exe	92
PID 4968 wrote to memory of 3084	4968	x9264755.exe	100
PID 4968 wrote to memory of 3084	4968	x9264755.exe	100
PID 4968 wrote to memory of 3084	4968	x9264755.exe	100

C:\Users\Admin\AppData\Local\Temp\4eb83e5f4039efe9296d95f59b3a2cd5678c22007cf270b8a65b6b58ac2e0e52.exe
"C:\Users\Admin\AppData\Local\Temp\4eb83e5f4039efe9296d95f59b3a2cd5678c22007cf270b8a65b6b58ac2e0e52.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2272
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x1326444.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x1326444.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:1032
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x8711755.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x8711755.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:3028
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\x9264755.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\x9264755.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:4968
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\g9078854.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\g9078854.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:5108
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        6⤵
        
        PID:3548
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        6⤵
        
        PID:1140
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1140 -s 544
        7⤵
        Program crash
        
        PID:2940
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5108 -s 588
        6⤵
        Program crash
        
        PID:3244
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\h7328949.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\h7328949.exe
        5⤵
        Executes dropped EXE
        
        PID:3084

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 5108 -ip 5108
1⤵
PID:3048

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 1140 -ip 1140
1⤵
PID:4240

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x1326444.exe

Filesize
854KB

MD5
f2eb343ba96f22fe55ecd8c14fc44878

SHA1
f44a1b41dfe9b3428e5bc55ae8e357715c0a5042

SHA256
7087b8192ef8cdca1415f47deb80073b824be58520f0dc3ce588c8c30c329434

SHA512
0aa4b496c3330b701dbbea65b5e198ba89190dbde56e7794115aee45218a589bb9f28e3a30fd17b37407ce0a46b1936f01cb7729ca00e955c2f8d58ff32c30a4

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x1326444.exe

Filesize
854KB

MD5
f2eb343ba96f22fe55ecd8c14fc44878

SHA1
f44a1b41dfe9b3428e5bc55ae8e357715c0a5042

SHA256
7087b8192ef8cdca1415f47deb80073b824be58520f0dc3ce588c8c30c329434

SHA512
0aa4b496c3330b701dbbea65b5e198ba89190dbde56e7794115aee45218a589bb9f28e3a30fd17b37407ce0a46b1936f01cb7729ca00e955c2f8d58ff32c30a4

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x8711755.exe

Filesize
580KB

MD5
e83b22f424f559a05cab5b2d3170e299

SHA1
587ed5dd45619ec512dfbf280d2d13b948a21572

SHA256
c68f03e0e7c3777f7053d3280718522112a03529b85656d8eca5d57530068884

SHA512
bebbd782b8f031501c51ea18cfb6fe0dcd53b7d8c454be9caf998ce5eb985af7bf98a0819054c6ca2bac00bd4b6773b91e9b00a264e2f23f50910f70e02f0c51

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x8711755.exe

Filesize
580KB

MD5
e83b22f424f559a05cab5b2d3170e299

SHA1
587ed5dd45619ec512dfbf280d2d13b948a21572

SHA256
c68f03e0e7c3777f7053d3280718522112a03529b85656d8eca5d57530068884

SHA512
bebbd782b8f031501c51ea18cfb6fe0dcd53b7d8c454be9caf998ce5eb985af7bf98a0819054c6ca2bac00bd4b6773b91e9b00a264e2f23f50910f70e02f0c51

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\x9264755.exe

Filesize
403KB

MD5
1b579e825aa12552e8aff1b6bf79fa3c

SHA1
20486a475a53144a6113cb79ce925687168d1b86

SHA256
cf4d6904d8adf42d9104eb1ae55631c1dd2ae1ec5a7e18885ef189deebe5b800

SHA512
58695e64f1f9b1e9aa405c3b148033e182c1566cccfe22808ded3a8ad47dddec5ab3bb2513822cc0feafe9b1c4510b33a03d44db9ea81e888564119d65fc69ae

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\x9264755.exe

Filesize
403KB

MD5
1b579e825aa12552e8aff1b6bf79fa3c

SHA1
20486a475a53144a6113cb79ce925687168d1b86

SHA256
cf4d6904d8adf42d9104eb1ae55631c1dd2ae1ec5a7e18885ef189deebe5b800

SHA512
58695e64f1f9b1e9aa405c3b148033e182c1566cccfe22808ded3a8ad47dddec5ab3bb2513822cc0feafe9b1c4510b33a03d44db9ea81e888564119d65fc69ae

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\g9078854.exe

Filesize
396KB

MD5
31c50c2c10366e87cb1f23f6b4c706f5

SHA1
0f08dea0757afee0329e50cf073d68346d8ae83e

SHA256
04ae794435371a57fe2ed545c50093bf05058a0bb1bc7180bb8a3331f4f9ba83

SHA512
c19b02e5d01a48b66f366823985a66625ae004445f37609b785ad24766d68e0dd25987db1ed89974436e4e5c0a759c0df4b806b9355d399d58bb911789b4d4c3

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\g9078854.exe

Filesize
396KB

MD5
31c50c2c10366e87cb1f23f6b4c706f5

SHA1
0f08dea0757afee0329e50cf073d68346d8ae83e

SHA256
04ae794435371a57fe2ed545c50093bf05058a0bb1bc7180bb8a3331f4f9ba83

SHA512
c19b02e5d01a48b66f366823985a66625ae004445f37609b785ad24766d68e0dd25987db1ed89974436e4e5c0a759c0df4b806b9355d399d58bb911789b4d4c3

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\h7328949.exe

Filesize
175KB

MD5
c52a0727bd4885e5d0c70c428b54c32a

SHA1
f929e7cab23821e6502a274c431ca2d14eb95609

SHA256
b31fdfca080394a280df39fe025d53ad59309723072b6d1fc7e76fc7fb51a2a7

SHA512
1e023c39a94bdb402a5550f5340c97ab3b8c66fceb64438b8f5c250a01d617c43e9d2a5512d97d0e0e67bf5bbee2f76a45ff75847c451e459f4c0b50a335764a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\h7328949.exe

Filesize
175KB

MD5
c52a0727bd4885e5d0c70c428b54c32a

SHA1
f929e7cab23821e6502a274c431ca2d14eb95609

SHA256
b31fdfca080394a280df39fe025d53ad59309723072b6d1fc7e76fc7fb51a2a7

SHA512
1e023c39a94bdb402a5550f5340c97ab3b8c66fceb64438b8f5c250a01d617c43e9d2a5512d97d0e0e67bf5bbee2f76a45ff75847c451e459f4c0b50a335764a

Download Submit
memory/1140-29-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/1140-30-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/1140-32-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/1140-28-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/3084-39-0x0000000005A90000-0x00000000060A8000-memory.dmp

Filesize
6.1MB

Download
memory/3084-37-0x0000000073F20000-0x00000000746D0000-memory.dmp

Filesize
7.7MB

Download
memory/3084-38-0x0000000002DE0000-0x0000000002DE6000-memory.dmp

Filesize
24KB

Download
memory/3084-36-0x0000000000A60000-0x0000000000A90000-memory.dmp

Filesize
192KB

Download
memory/3084-40-0x0000000005580000-0x000000000568A000-memory.dmp

Filesize
1.0MB

Download
memory/3084-41-0x00000000052E0000-0x00000000052F2000-memory.dmp

Filesize
72KB

Download
memory/3084-42-0x0000000005360000-0x0000000005370000-memory.dmp

Filesize
64KB

Download
memory/3084-43-0x0000000005470000-0x00000000054AC000-memory.dmp

Filesize
240KB

Download
memory/3084-44-0x00000000054B0000-0x00000000054FC000-memory.dmp

Filesize
304KB

Download
memory/3084-45-0x0000000073F20000-0x00000000746D0000-memory.dmp

Filesize
7.7MB

Download
memory/3084-46-0x0000000005360000-0x0000000005370000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads