redline | c81d64eb6a2db5bc0218d4ddbd88b042422ddae397061a767722a5310b4ebb32

Analysis

max time kernel
162s
max time network
169s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
11/10/2023, 20:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c81d64eb6a2db5bc0218d4ddbd88b042422ddae397061a767722a5310b4ebb32.exe
Size

928KB
MD5

519596ab5b0b18755fbfc8ad73919d22
SHA1

142e5fdc9756125133a02b72ec0258f54caf8188
SHA256

c81d64eb6a2db5bc0218d4ddbd88b042422ddae397061a767722a5310b4ebb32
SHA512

1c5c19a8834f530a7a5328606c2bc4053ae212b0be957774e36f2c32ba451ea48535ad7efb3425232d86483485973f51b90b1f67f6af66091f9904eb9807698d
SSDEEP

12288:xMrmy90sAF/ev7zEVpmHyZDKZ+kgCZ8XudHeW0txAf8ErCyfKUno2gdR7VV2gho0:nyAF/2zEVpNkgC+uMN08Eha3/haE

Score

10^/10

redline tuxiu infostealer persistence

Malware Config

Extracted

Family

redline

Botnet

tuxiu

77.91.124.82:19071

Attributes

auth_value
29610cdad07e7187eec70685a04b89fe

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 3 IoCs

resource	yara_rule
behavioral2/files/0x00060000000231fa-34.dat	family_redline
behavioral2/files/0x00060000000231fa-35.dat	family_redline
behavioral2/memory/3532-36-0x0000000000D00000-0x0000000000D30000-memory.dmp	family_redline

Executes dropped EXE 5 IoCs

pid	Process
4584	x2331666.exe
3556	x8951912.exe
3336	x0201647.exe
4580	g1764452.exe
3532	h4998559.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	x8951912.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	x0201647.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	c81d64eb6a2db5bc0218d4ddbd88b042422ddae397061a767722a5310b4ebb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	x2331666.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4580 set thread context of 2272	4580	g1764452.exe	90

Program crash 2 IoCs

pid	pid_target	Process	procid_target
3872	2272	WerFault.exe	90
1336	4580	WerFault.exe	89

Suspicious use of WriteProcessMemory 25 IoCs

description	pid	Process	procid_target
PID 4520 wrote to memory of 4584	4520	c81d64eb6a2db5bc0218d4ddbd88b042422ddae397061a767722a5310b4ebb32.exe	86
PID 4520 wrote to memory of 4584	4520	c81d64eb6a2db5bc0218d4ddbd88b042422ddae397061a767722a5310b4ebb32.exe	86
PID 4520 wrote to memory of 4584	4520	c81d64eb6a2db5bc0218d4ddbd88b042422ddae397061a767722a5310b4ebb32.exe	86
PID 4584 wrote to memory of 3556	4584	x2331666.exe	87
PID 4584 wrote to memory of 3556	4584	x2331666.exe	87
PID 4584 wrote to memory of 3556	4584	x2331666.exe	87
PID 3556 wrote to memory of 3336	3556	x8951912.exe	88
PID 3556 wrote to memory of 3336	3556	x8951912.exe	88
PID 3556 wrote to memory of 3336	3556	x8951912.exe	88
PID 3336 wrote to memory of 4580	3336	x0201647.exe	89
PID 3336 wrote to memory of 4580	3336	x0201647.exe	89
PID 3336 wrote to memory of 4580	3336	x0201647.exe	89
PID 4580 wrote to memory of 2272	4580	g1764452.exe	90
PID 4580 wrote to memory of 2272	4580	g1764452.exe	90
PID 4580 wrote to memory of 2272	4580	g1764452.exe	90
PID 4580 wrote to memory of 2272	4580	g1764452.exe	90
PID 4580 wrote to memory of 2272	4580	g1764452.exe	90
PID 4580 wrote to memory of 2272	4580	g1764452.exe	90
PID 4580 wrote to memory of 2272	4580	g1764452.exe	90
PID 4580 wrote to memory of 2272	4580	g1764452.exe	90
PID 4580 wrote to memory of 2272	4580	g1764452.exe	90
PID 4580 wrote to memory of 2272	4580	g1764452.exe	90
PID 3336 wrote to memory of 3532	3336	x0201647.exe	97
PID 3336 wrote to memory of 3532	3336	x0201647.exe	97
PID 3336 wrote to memory of 3532	3336	x0201647.exe	97

C:\Users\Admin\AppData\Local\Temp\c81d64eb6a2db5bc0218d4ddbd88b042422ddae397061a767722a5310b4ebb32.exe
"C:\Users\Admin\AppData\Local\Temp\c81d64eb6a2db5bc0218d4ddbd88b042422ddae397061a767722a5310b4ebb32.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4520
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x2331666.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x2331666.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:4584
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x8951912.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x8951912.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:3556
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\x0201647.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\x0201647.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:3336
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\g1764452.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\g1764452.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:4580
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        6⤵
        
        PID:2272
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2272 -s 540
        7⤵
        Program crash
        
        PID:3872
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4580 -s 580
        6⤵
        Program crash
        
        PID:1336
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\h4998559.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\h4998559.exe
        5⤵
        Executes dropped EXE
        
        PID:3532

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 4580 -ip 4580
1⤵
PID:2432

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 2272 -ip 2272
1⤵
PID:3796

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x2331666.exe

Filesize
826KB

MD5
59bd3434155c08ab083cf46e2361fe9e

SHA1
1977cb881c7cb547e853bb76a033cfe4fd2f53a7

SHA256
6ac1b975c1f7ba9a3105f1e4b401bc51d892ac9db8484311c1ba33ee7c0d42d1

SHA512
3fe3bd03b92f30884f712ba75ca493b763f187b6f3fd20d1285a80707120d2861c4154140784e19a24767a9c594c0f7d106dddc476d1f089ce1fd53c31c7c6f7

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x2331666.exe

Filesize
826KB

MD5
59bd3434155c08ab083cf46e2361fe9e

SHA1
1977cb881c7cb547e853bb76a033cfe4fd2f53a7

SHA256
6ac1b975c1f7ba9a3105f1e4b401bc51d892ac9db8484311c1ba33ee7c0d42d1

SHA512
3fe3bd03b92f30884f712ba75ca493b763f187b6f3fd20d1285a80707120d2861c4154140784e19a24767a9c594c0f7d106dddc476d1f089ce1fd53c31c7c6f7

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x8951912.exe

Filesize
567KB

MD5
181641b662437fd99b9e6a7cb57f6dc6

SHA1
89eac573b5fc74ad52649184e05d3621b789171c

SHA256
f10bb6b31be6a4fd8bd917f6ca964e9a893308d6459e0f82786b41518c05aa4a

SHA512
b9502793c9b87e8c859436d0ea9b6ba4f67d3e0de94bc8907800eee8abb2433e1a6f6ab6e762893aee2b750d215eb4f7ec66804a80810e5af608505ec23209ec

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x8951912.exe

Filesize
567KB

MD5
181641b662437fd99b9e6a7cb57f6dc6

SHA1
89eac573b5fc74ad52649184e05d3621b789171c

SHA256
f10bb6b31be6a4fd8bd917f6ca964e9a893308d6459e0f82786b41518c05aa4a

SHA512
b9502793c9b87e8c859436d0ea9b6ba4f67d3e0de94bc8907800eee8abb2433e1a6f6ab6e762893aee2b750d215eb4f7ec66804a80810e5af608505ec23209ec

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\x0201647.exe

Filesize
390KB

MD5
d21abaab99e865e5c8e309a84382a268

SHA1
ab794e2cf17b9469374587ad8d0087973f114e97

SHA256
eea8f7467592f1ead9ec19e814ee54b493038989455f94dbf8924f6239aad904

SHA512
e344b9956e7163398085a450fce72a0e07eab7605e3b4921614626071c56ba2b78009eec66211ab5d5e5e5bab2ed31422f06ee09fd3b34c998c5e1c1d47438a6

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\x0201647.exe

Filesize
390KB

MD5
d21abaab99e865e5c8e309a84382a268

SHA1
ab794e2cf17b9469374587ad8d0087973f114e97

SHA256
eea8f7467592f1ead9ec19e814ee54b493038989455f94dbf8924f6239aad904

SHA512
e344b9956e7163398085a450fce72a0e07eab7605e3b4921614626071c56ba2b78009eec66211ab5d5e5e5bab2ed31422f06ee09fd3b34c998c5e1c1d47438a6

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\g1764452.exe

Filesize
364KB

MD5
30c004d6065691a03a20f9bafaf54d4f

SHA1
d9386769bc8b1158f2a041a2868064200e5ce72e

SHA256
68def0c756c56866bc1e8493c17e7255cc2b3208bdb15d3a578b2eddbd4603b1

SHA512
f5f08aac2cc2be90c76fecfa535e099002c509451bc9ddbd773029254ac74f9a672236a7f8ff50283549f194bf30a0ba554ffa1f31ba788344e681352c1d911c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\g1764452.exe

Filesize
364KB

MD5
30c004d6065691a03a20f9bafaf54d4f

SHA1
d9386769bc8b1158f2a041a2868064200e5ce72e

SHA256
68def0c756c56866bc1e8493c17e7255cc2b3208bdb15d3a578b2eddbd4603b1

SHA512
f5f08aac2cc2be90c76fecfa535e099002c509451bc9ddbd773029254ac74f9a672236a7f8ff50283549f194bf30a0ba554ffa1f31ba788344e681352c1d911c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\h4998559.exe

Filesize
174KB

MD5
5de887bdd300e7ac6174fd6f8ff0e23d

SHA1
f752c273171c3df722dbee219fb16d8d62177811

SHA256
5b1d5fccbd72a6f79b09a18944793ee17b51d07c502de1fdd40557b7c274f248

SHA512
0e24d304feba8527be74cad5f4dbb812898b339f4f43e3312d7c72deb2ce562a2af2f23aec37eff6d316f76d73763a5e8c194417a922b9ecbd4571f029a98527

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\h4998559.exe

Filesize
174KB

MD5
5de887bdd300e7ac6174fd6f8ff0e23d

SHA1
f752c273171c3df722dbee219fb16d8d62177811

SHA256
5b1d5fccbd72a6f79b09a18944793ee17b51d07c502de1fdd40557b7c274f248

SHA512
0e24d304feba8527be74cad5f4dbb812898b339f4f43e3312d7c72deb2ce562a2af2f23aec37eff6d316f76d73763a5e8c194417a922b9ecbd4571f029a98527

Download Submit
memory/2272-29-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/2272-30-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/2272-32-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/2272-28-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/3532-39-0x0000000005E60000-0x0000000006478000-memory.dmp

Filesize
6.1MB

Download
memory/3532-36-0x0000000000D00000-0x0000000000D30000-memory.dmp

Filesize
192KB

Download
memory/3532-38-0x0000000001530000-0x0000000001536000-memory.dmp

Filesize
24KB

Download
memory/3532-37-0x0000000074620000-0x0000000074DD0000-memory.dmp

Filesize
7.7MB

Download
memory/3532-40-0x0000000005950000-0x0000000005A5A000-memory.dmp

Filesize
1.0MB

Download
memory/3532-41-0x0000000005830000-0x0000000005840000-memory.dmp

Filesize
64KB

Download
memory/3532-42-0x00000000057D0000-0x00000000057E2000-memory.dmp

Filesize
72KB

Download
memory/3532-43-0x0000000005840000-0x000000000587C000-memory.dmp

Filesize
240KB

Download
memory/3532-44-0x0000000005880000-0x00000000058CC000-memory.dmp

Filesize
304KB

Download
memory/3532-45-0x0000000074620000-0x0000000074DD0000-memory.dmp

Filesize
7.7MB

Download
memory/3532-46-0x0000000005830000-0x0000000005840000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads