redline | 41ac177e6b0ec162b944fbd9a4791d4f4c0fc8a0ae99da40ee9bfdce9a93a833

General

Target

x5542963.exe
Size

854KB
MD5

8d31b2b7838b476ab3b0daba486ff72d
SHA1

ab04b9b6646844e7ab747f8a767a1d33b4841e75
SHA256

41ac177e6b0ec162b944fbd9a4791d4f4c0fc8a0ae99da40ee9bfdce9a93a833
SHA512

6cc4160e62c1c63a6b327c98b69987e393e1c36ab1cec356a0ea47e845dca6c9c155947c2e878c65ef0b78d1d36dee20a77e665429c44d95a2ff055156d4722c
SSDEEP

24576:IyEYpyfIt9Y4lxir2chkQceJQYphkSzM:PEYpdp+2ch0ehphkS

Score

10^/10

redline tuxiu infostealer persistence

Malware Config

Extracted

Family

redline

Botnet

tuxiu

C2

77.91.124.82:19071

Attributes

auth_value
29610cdad07e7187eec70685a04b89fe

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 3 IoCs

resource	yara_rule
behavioral2/files/0x00060000000231da-27.dat	family_redline
behavioral2/files/0x00060000000231da-28.dat	family_redline
behavioral2/memory/3064-29-0x0000000000690000-0x00000000006C0000-memory.dmp	family_redline

Executes dropped EXE 4 IoCs

pid	Process
464	x4397530.exe
4464	x0824314.exe
2768	g3960673.exe
3064	h1463265.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	x5542963.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	x4397530.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	x0824314.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2768 set thread context of 4032	2768	g3960673.exe	91

Program crash 2 IoCs

pid	pid_target	Process	procid_target
3096	4032	WerFault.exe	91
1916	2768	WerFault.exe	90

Suspicious use of WriteProcessMemory 22 IoCs

description	pid	Process	procid_target
PID 4616 wrote to memory of 464	4616	x5542963.exe	88
PID 4616 wrote to memory of 464	4616	x5542963.exe	88
PID 4616 wrote to memory of 464	4616	x5542963.exe	88
PID 464 wrote to memory of 4464	464	x4397530.exe	89
PID 464 wrote to memory of 4464	464	x4397530.exe	89
PID 464 wrote to memory of 4464	464	x4397530.exe	89
PID 4464 wrote to memory of 2768	4464	x0824314.exe	90
PID 4464 wrote to memory of 2768	4464	x0824314.exe	90
PID 4464 wrote to memory of 2768	4464	x0824314.exe	90
PID 2768 wrote to memory of 4032	2768	g3960673.exe	91
PID 2768 wrote to memory of 4032	2768	g3960673.exe	91
PID 2768 wrote to memory of 4032	2768	g3960673.exe	91
PID 2768 wrote to memory of 4032	2768	g3960673.exe	91
PID 2768 wrote to memory of 4032	2768	g3960673.exe	91
PID 2768 wrote to memory of 4032	2768	g3960673.exe	91
PID 2768 wrote to memory of 4032	2768	g3960673.exe	91
PID 2768 wrote to memory of 4032	2768	g3960673.exe	91
PID 2768 wrote to memory of 4032	2768	g3960673.exe	91
PID 2768 wrote to memory of 4032	2768	g3960673.exe	91
PID 4464 wrote to memory of 3064	4464	x0824314.exe	105
PID 4464 wrote to memory of 3064	4464	x0824314.exe	105
PID 4464 wrote to memory of 3064	4464	x0824314.exe	105

C:\Users\Admin\AppData\Local\Temp\x5542963.exe
"C:\Users\Admin\AppData\Local\Temp\x5542963.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4616
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x4397530.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x4397530.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:464
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x0824314.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x0824314.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:4464
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\g3960673.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\g3960673.exe
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      Suspicious use of WriteProcessMemory
      PID:2768
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        5⤵
        
        PID:4032
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4032 -s 540
        6⤵
        Program crash
        
        PID:3096
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2768 -s 552
        5⤵
        Program crash
        
        PID:1916
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\h1463265.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\h1463265.exe
      4⤵
      Executes dropped EXE
      PID:3064

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 2768 -ip 2768
1⤵
PID:1328

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 4032 -ip 4032
1⤵
PID:1260

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x4397530.exe

Filesize
580KB

MD5
8128ce02c85a07470c8a908ecf80913f

SHA1
93c85c6af04f00f52b43064e49dbcf31028535c8

SHA256
fa630c4cc2f782e164fc894daadd9d540c9e712856b5991f61bf933787b05af1

SHA512
fa7f0f0cbd7df1074a66c2cd0e2b882a7b0d1fdb9611fd6a965234582cf809dec8c9d493d073c9dc6a7aa689a5fa79256eb0ff6e4320b10c329d0619dd8ad599

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x4397530.exe

Filesize
580KB

MD5
8128ce02c85a07470c8a908ecf80913f

SHA1
93c85c6af04f00f52b43064e49dbcf31028535c8

SHA256
fa630c4cc2f782e164fc894daadd9d540c9e712856b5991f61bf933787b05af1

SHA512
fa7f0f0cbd7df1074a66c2cd0e2b882a7b0d1fdb9611fd6a965234582cf809dec8c9d493d073c9dc6a7aa689a5fa79256eb0ff6e4320b10c329d0619dd8ad599

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x0824314.exe

Filesize
404KB

MD5
ff9e3614bf0d1a63990f7a7abdea5c18

SHA1
a0591661d9d4d51621d97ebf225e8547e6aecf0c

SHA256
b59cb54e4aa80a96570ad22f51be2e218af37c3095c16478bc843cc67a02456e

SHA512
3b4c48a1043541352625b65e32009759c2b6c50eb4bf18f8a7d3881e8e563cc59076104f0af9403bf390aeba83f6c356f824e5834f459b6d53b60db1bf7bed9f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x0824314.exe

Filesize
404KB

MD5
ff9e3614bf0d1a63990f7a7abdea5c18

SHA1
a0591661d9d4d51621d97ebf225e8547e6aecf0c

SHA256
b59cb54e4aa80a96570ad22f51be2e218af37c3095c16478bc843cc67a02456e

SHA512
3b4c48a1043541352625b65e32009759c2b6c50eb4bf18f8a7d3881e8e563cc59076104f0af9403bf390aeba83f6c356f824e5834f459b6d53b60db1bf7bed9f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\g3960673.exe

Filesize
396KB

MD5
41fdc82056f788018f4f654c05239b3f

SHA1
b65c9bd8b8a6d735f23c5f9113ee67512122afad

SHA256
fba9334c93bca942b5ff98c2cfbc392f3b32340a3413688dbdfcdf0ad780691d

SHA512
0549ee279e37a84383f78781e6c3ad8daf191551703d20922c68d62dbbc5c92a15913ab048081646ad7abb374869a746cda627179432bb26b5c59c51a7db3f1a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\g3960673.exe

Filesize
396KB

MD5
41fdc82056f788018f4f654c05239b3f

SHA1
b65c9bd8b8a6d735f23c5f9113ee67512122afad

SHA256
fba9334c93bca942b5ff98c2cfbc392f3b32340a3413688dbdfcdf0ad780691d

SHA512
0549ee279e37a84383f78781e6c3ad8daf191551703d20922c68d62dbbc5c92a15913ab048081646ad7abb374869a746cda627179432bb26b5c59c51a7db3f1a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\h1463265.exe

Filesize
175KB

MD5
0c16ca427a12d39a695a5db90ef809a0

SHA1
0c44d63d8244cfc74a4f62eeef5209aadc1c9f99

SHA256
1f1cadfb4980c394b5a750c8d88878ea5cbc5f52dd21d72183f5c097f03b3a74

SHA512
224858dca3b0c628e6c7eff651081f1211414e9cf4547a3357044d129905aa3bd67bbf070dbf97e4e366c370a5408aff7e8d0f237d710d0592ba3c6fd14eb46e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\h1463265.exe

Filesize
175KB

MD5
0c16ca427a12d39a695a5db90ef809a0

SHA1
0c44d63d8244cfc74a4f62eeef5209aadc1c9f99

SHA256
1f1cadfb4980c394b5a750c8d88878ea5cbc5f52dd21d72183f5c097f03b3a74

SHA512
224858dca3b0c628e6c7eff651081f1211414e9cf4547a3357044d129905aa3bd67bbf070dbf97e4e366c370a5408aff7e8d0f237d710d0592ba3c6fd14eb46e

Download Submit
memory/3064-32-0x00000000029E0000-0x00000000029E6000-memory.dmp

Filesize
24KB

Download
memory/3064-35-0x000000000A580000-0x000000000A592000-memory.dmp

Filesize
72KB

Download
memory/3064-39-0x0000000002A10000-0x0000000002A20000-memory.dmp

Filesize
64KB

Download
memory/3064-38-0x000000000A750000-0x000000000A79C000-memory.dmp

Filesize
304KB

Download
memory/3064-29-0x0000000000690000-0x00000000006C0000-memory.dmp

Filesize
192KB

Download
memory/3064-30-0x00000000740A0000-0x0000000074850000-memory.dmp

Filesize
7.7MB

Download
memory/3064-37-0x000000000A5E0000-0x000000000A61C000-memory.dmp

Filesize
240KB

Download
memory/3064-33-0x000000000AAD0000-0x000000000B0E8000-memory.dmp

Filesize
6.1MB

Download
memory/3064-31-0x00000000740A0000-0x0000000074850000-memory.dmp

Filesize
7.7MB

Download
memory/3064-34-0x000000000A640000-0x000000000A74A000-memory.dmp

Filesize
1.0MB

Download
memory/3064-36-0x0000000002A10000-0x0000000002A20000-memory.dmp

Filesize
64KB

Download
memory/4032-22-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/4032-25-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/4032-23-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/4032-21-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads