redline | e5d89d247eaf052187a418439a1f1a6b1bc713b5e1937bcd9f730a9b0e7b99e9

Analysis

max time kernel
156s
max time network
165s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
11-10-2023 20:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

664d34a421900283c0f9c9a099ce80cd4774df50979888fe711be51b878c84f4.exe
Size

957KB
MD5

da23352a594c97e931832f1ece7e3b1e
SHA1

8eeb6854088d07502578b467ad716c39d985f7b6
SHA256

664d34a421900283c0f9c9a099ce80cd4774df50979888fe711be51b878c84f4
SHA512

77de8c75004aae778baf63f83b6d54ae1772d80139653ae79ed67d828319589c8b73a7ade7e255356635701ffbaaf9f17df4900864df17ac94b945400ac9e901
SSDEEP

24576:ey1Fu2uC2q1c8V5tHIGvLk/y2FI/IjC9RS4lvbG9bi2:t1BfX1v5tHfv462uFqLi

Score

10^/10

redline tuxiu infostealer persistence

Malware Config

Extracted

Family

redline

Botnet

tuxiu

77.91.124.82:19071

Attributes

auth_value
29610cdad07e7187eec70685a04b89fe

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 3 IoCs

resource	yara_rule
behavioral2/files/0x00060000000230d5-34.dat	family_redline
behavioral2/files/0x00060000000230d5-35.dat	family_redline
behavioral2/memory/4860-37-0x0000000000CA0000-0x0000000000CD0000-memory.dmp	family_redline

Executes dropped EXE 5 IoCs

pid	Process
3476	x1357206.exe
3720	x6653951.exe
3608	x8082293.exe
1236	g2267800.exe
4860	h0187404.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	x6653951.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	x8082293.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	664d34a421900283c0f9c9a099ce80cd4774df50979888fe711be51b878c84f4.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	x1357206.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1236 set thread context of 4608	1236	g2267800.exe	92

Program crash 2 IoCs

pid	pid_target	Process	procid_target
4812	1236	WerFault.exe	91
4780	4608	WerFault.exe	92

Suspicious use of WriteProcessMemory 25 IoCs

description	pid	Process	procid_target
PID 1748 wrote to memory of 3476	1748	664d34a421900283c0f9c9a099ce80cd4774df50979888fe711be51b878c84f4.exe	88
PID 1748 wrote to memory of 3476	1748	664d34a421900283c0f9c9a099ce80cd4774df50979888fe711be51b878c84f4.exe	88
PID 1748 wrote to memory of 3476	1748	664d34a421900283c0f9c9a099ce80cd4774df50979888fe711be51b878c84f4.exe	88
PID 3476 wrote to memory of 3720	3476	x1357206.exe	89
PID 3476 wrote to memory of 3720	3476	x1357206.exe	89
PID 3476 wrote to memory of 3720	3476	x1357206.exe	89
PID 3720 wrote to memory of 3608	3720	x6653951.exe	90
PID 3720 wrote to memory of 3608	3720	x6653951.exe	90
PID 3720 wrote to memory of 3608	3720	x6653951.exe	90
PID 3608 wrote to memory of 1236	3608	x8082293.exe	91
PID 3608 wrote to memory of 1236	3608	x8082293.exe	91
PID 3608 wrote to memory of 1236	3608	x8082293.exe	91
PID 1236 wrote to memory of 4608	1236	g2267800.exe	92
PID 1236 wrote to memory of 4608	1236	g2267800.exe	92
PID 1236 wrote to memory of 4608	1236	g2267800.exe	92
PID 1236 wrote to memory of 4608	1236	g2267800.exe	92
PID 1236 wrote to memory of 4608	1236	g2267800.exe	92
PID 1236 wrote to memory of 4608	1236	g2267800.exe	92
PID 1236 wrote to memory of 4608	1236	g2267800.exe	92
PID 1236 wrote to memory of 4608	1236	g2267800.exe	92
PID 1236 wrote to memory of 4608	1236	g2267800.exe	92
PID 1236 wrote to memory of 4608	1236	g2267800.exe	92
PID 3608 wrote to memory of 4860	3608	x8082293.exe	99
PID 3608 wrote to memory of 4860	3608	x8082293.exe	99
PID 3608 wrote to memory of 4860	3608	x8082293.exe	99

C:\Users\Admin\AppData\Local\Temp\664d34a421900283c0f9c9a099ce80cd4774df50979888fe711be51b878c84f4.exe
"C:\Users\Admin\AppData\Local\Temp\664d34a421900283c0f9c9a099ce80cd4774df50979888fe711be51b878c84f4.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1748
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x1357206.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x1357206.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:3476
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x6653951.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x6653951.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:3720
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\x8082293.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\x8082293.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:3608
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\g2267800.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\g2267800.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:1236
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        6⤵
        
        PID:4608
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4608 -s 200
        7⤵
        Program crash
        
        PID:4780
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1236 -s 556
        6⤵
        Program crash
        
        PID:4812
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\h0187404.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\h0187404.exe
        5⤵
        Executes dropped EXE
        
        PID:4860

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 1236 -ip 1236
1⤵
PID:2812

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 496 -p 4608 -ip 4608
1⤵
PID:5088

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x1357206.exe

Filesize
855KB

MD5
b2ae320a7af8a505b20d79308d8dcf7a

SHA1
10f3deb279abd75e13a072c9a4f044344fc78828

SHA256
845b627d6647f896f4cc4e6b7dd1b9c1bb6fa795692f6a35dfd9c191b2e5491e

SHA512
48be35a1c3048a9cb766496bd7872ed1b2317376bf3d7ced4e88955f2a95ef189d7ec793e4060afed6075f9c0edae27a076c46418125724d2f1e77f9d2845236

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x1357206.exe

Filesize
855KB

MD5
b2ae320a7af8a505b20d79308d8dcf7a

SHA1
10f3deb279abd75e13a072c9a4f044344fc78828

SHA256
845b627d6647f896f4cc4e6b7dd1b9c1bb6fa795692f6a35dfd9c191b2e5491e

SHA512
48be35a1c3048a9cb766496bd7872ed1b2317376bf3d7ced4e88955f2a95ef189d7ec793e4060afed6075f9c0edae27a076c46418125724d2f1e77f9d2845236

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x6653951.exe

Filesize
581KB

MD5
86739bb8edd55281ab0f027d59b60035

SHA1
facb1a5e17a1a29a56e0a828ca3b57af5bfa9476

SHA256
00d91f79dd4685a0936b59082d467c742cb647004aff1b7e71fad59aaa47a406

SHA512
0bdb49ce02514707a9da47adb33b4252a8f44641e08ced15d813e6ea606abdeeedd34e4e23927685eca5b98b6d9b90ca894c39be502f7dbfec8208cd10311f5e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x6653951.exe

Filesize
581KB

MD5
86739bb8edd55281ab0f027d59b60035

SHA1
facb1a5e17a1a29a56e0a828ca3b57af5bfa9476

SHA256
00d91f79dd4685a0936b59082d467c742cb647004aff1b7e71fad59aaa47a406

SHA512
0bdb49ce02514707a9da47adb33b4252a8f44641e08ced15d813e6ea606abdeeedd34e4e23927685eca5b98b6d9b90ca894c39be502f7dbfec8208cd10311f5e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\x8082293.exe

Filesize
404KB

MD5
836cb0c5835876a80cb5de835e85538c

SHA1
2e7c3d8c421ffaf74b9b02b372f60da44e742790

SHA256
edd0b30dec5361c2407e1b038afd51330bb4e2080fde30a42b0ce115710f47cc

SHA512
9eafdd0d718a1dfc89cb686a83c2ca09624b832d9a1c5fef039955eaf6f692eaac432c2b8fe367c8253e6599b13e95490010e055ba760076f4577a1ee836ecc3

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\x8082293.exe

Filesize
404KB

MD5
836cb0c5835876a80cb5de835e85538c

SHA1
2e7c3d8c421ffaf74b9b02b372f60da44e742790

SHA256
edd0b30dec5361c2407e1b038afd51330bb4e2080fde30a42b0ce115710f47cc

SHA512
9eafdd0d718a1dfc89cb686a83c2ca09624b832d9a1c5fef039955eaf6f692eaac432c2b8fe367c8253e6599b13e95490010e055ba760076f4577a1ee836ecc3

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\g2267800.exe

Filesize
396KB

MD5
9258e8dc2792027ac93e44fb5514ddb5

SHA1
b8d174874ef836316919c60873036c8573220295

SHA256
23a488b12bc35647b6a06427a01d7587215060173be329dd3196044f343fe081

SHA512
574d0ba014a68e11b29a1c2f60c7ef4a5b3597c12adcef26f901e275791422d0a948997a05d62ae61e80f0969eb76908442e13e19755882fc3d428c23519d6ae

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\g2267800.exe

Filesize
396KB

MD5
9258e8dc2792027ac93e44fb5514ddb5

SHA1
b8d174874ef836316919c60873036c8573220295

SHA256
23a488b12bc35647b6a06427a01d7587215060173be329dd3196044f343fe081

SHA512
574d0ba014a68e11b29a1c2f60c7ef4a5b3597c12adcef26f901e275791422d0a948997a05d62ae61e80f0969eb76908442e13e19755882fc3d428c23519d6ae

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\h0187404.exe

Filesize
175KB

MD5
68d08f44510b81c15c1d6218df68f3e9

SHA1
1c05078a836c9d8666a61e87c3d2c149a35143f1

SHA256
3fd0d4939fa5cf64e3a242ff434091260c32695f3e3478cb94b7f54749ce8428

SHA512
c5bd417a5ac8c1999c82fb93943b3335761b3e9f2785b04829183da8c881171c86647052535ecb765fb9e1845cb2c1a61ddc30cae3075c06934b2b5dfb1a0b76

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\h0187404.exe

Filesize
175KB

MD5
68d08f44510b81c15c1d6218df68f3e9

SHA1
1c05078a836c9d8666a61e87c3d2c149a35143f1

SHA256
3fd0d4939fa5cf64e3a242ff434091260c32695f3e3478cb94b7f54749ce8428

SHA512
c5bd417a5ac8c1999c82fb93943b3335761b3e9f2785b04829183da8c881171c86647052535ecb765fb9e1845cb2c1a61ddc30cae3075c06934b2b5dfb1a0b76

Download Submit
memory/4608-29-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/4608-30-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/4608-32-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/4608-28-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/4860-39-0x0000000074130000-0x00000000748E0000-memory.dmp

Filesize
7.7MB

Download
memory/4860-37-0x0000000000CA0000-0x0000000000CD0000-memory.dmp

Filesize
192KB

Download
memory/4860-38-0x0000000007950000-0x0000000007956000-memory.dmp

Filesize
24KB

Download
memory/4860-36-0x0000000074130000-0x00000000748E0000-memory.dmp

Filesize
7.7MB

Download
memory/4860-40-0x000000000B0D0000-0x000000000B6E8000-memory.dmp

Filesize
6.1MB

Download
memory/4860-41-0x000000000AC50000-0x000000000AD5A000-memory.dmp

Filesize
1.0MB

Download
memory/4860-42-0x0000000002F70000-0x0000000002F80000-memory.dmp

Filesize
64KB

Download
memory/4860-43-0x000000000AB90000-0x000000000ABA2000-memory.dmp

Filesize
72KB

Download
memory/4860-44-0x000000000ABF0000-0x000000000AC2C000-memory.dmp

Filesize
240KB

Download
memory/4860-45-0x000000000AD60000-0x000000000ADAC000-memory.dmp

Filesize
304KB

Download
memory/4860-46-0x0000000002F70000-0x0000000002F80000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads