redline | 4be36b30e26772e5934e8913d87b444720f91c35bb9d8a44728b1b60d8db0a24

Analysis

max time kernel
133s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
12/10/2023, 00:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4be36b30e26772e5934e8913d87b444720f91c35bb9d8a44728b1b60d8db0a24.exe
Size

928KB
MD5

3069208dc66e2ab0646514ddcb0b2fdc
SHA1

8e25137af99717b7b17237b79167a3b927118109
SHA256

4be36b30e26772e5934e8913d87b444720f91c35bb9d8a44728b1b60d8db0a24
SHA512

45c0fb11a4bdbc98b22a1421635d6a0d2ba382a75d7c4163f33f0936a70c3e0ee4b0ff17cb755540f5c9e992035369fbf54a7429f614ac473eb8d16362de4723
SSDEEP

24576:nytmFWFeIw3zj1+9Z3L4XrkR/AaRZrT2sCY:ygFWFeIaFolLeI/VTrT2h

Score

10^/10

redline tuxiu infostealer persistence

Malware Config

Extracted

Family

redline

Botnet

tuxiu

77.91.124.82:19071

Attributes

auth_value
29610cdad07e7187eec70685a04b89fe

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 3 IoCs

resource	yara_rule
behavioral2/files/0x00060000000231cc-34.dat	family_redline
behavioral2/files/0x00060000000231cc-35.dat	family_redline
behavioral2/memory/3140-36-0x00000000008F0000-0x0000000000920000-memory.dmp	family_redline

Executes dropped EXE 5 IoCs

pid	Process
3728	x5655573.exe
4936	x9423058.exe
4480	x1725661.exe
664	g0785750.exe
3140	h5849796.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	4be36b30e26772e5934e8913d87b444720f91c35bb9d8a44728b1b60d8db0a24.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	x5655573.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	x9423058.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	x1725661.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 664 set thread context of 1340	664	g0785750.exe	97

Program crash 2 IoCs

pid	pid_target	Process	procid_target
1712	664	WerFault.exe	90
4988	1340	WerFault.exe	97

Suspicious use of WriteProcessMemory 25 IoCs

description	pid	Process	procid_target
PID 4760 wrote to memory of 3728	4760	4be36b30e26772e5934e8913d87b444720f91c35bb9d8a44728b1b60d8db0a24.exe	86
PID 4760 wrote to memory of 3728	4760	4be36b30e26772e5934e8913d87b444720f91c35bb9d8a44728b1b60d8db0a24.exe	86
PID 4760 wrote to memory of 3728	4760	4be36b30e26772e5934e8913d87b444720f91c35bb9d8a44728b1b60d8db0a24.exe	86
PID 3728 wrote to memory of 4936	3728	x5655573.exe	87
PID 3728 wrote to memory of 4936	3728	x5655573.exe	87
PID 3728 wrote to memory of 4936	3728	x5655573.exe	87
PID 4936 wrote to memory of 4480	4936	x9423058.exe	89
PID 4936 wrote to memory of 4480	4936	x9423058.exe	89
PID 4936 wrote to memory of 4480	4936	x9423058.exe	89
PID 4480 wrote to memory of 664	4480	x1725661.exe	90
PID 4480 wrote to memory of 664	4480	x1725661.exe	90
PID 4480 wrote to memory of 664	4480	x1725661.exe	90
PID 664 wrote to memory of 1340	664	g0785750.exe	97
PID 664 wrote to memory of 1340	664	g0785750.exe	97
PID 664 wrote to memory of 1340	664	g0785750.exe	97
PID 664 wrote to memory of 1340	664	g0785750.exe	97
PID 664 wrote to memory of 1340	664	g0785750.exe	97
PID 664 wrote to memory of 1340	664	g0785750.exe	97
PID 664 wrote to memory of 1340	664	g0785750.exe	97
PID 664 wrote to memory of 1340	664	g0785750.exe	97
PID 664 wrote to memory of 1340	664	g0785750.exe	97
PID 664 wrote to memory of 1340	664	g0785750.exe	97
PID 4480 wrote to memory of 3140	4480	x1725661.exe	102
PID 4480 wrote to memory of 3140	4480	x1725661.exe	102
PID 4480 wrote to memory of 3140	4480	x1725661.exe	102

C:\Users\Admin\AppData\Local\Temp\4be36b30e26772e5934e8913d87b444720f91c35bb9d8a44728b1b60d8db0a24.exe
"C:\Users\Admin\AppData\Local\Temp\4be36b30e26772e5934e8913d87b444720f91c35bb9d8a44728b1b60d8db0a24.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4760
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x5655573.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x5655573.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:3728
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x9423058.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x9423058.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:4936
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\x1725661.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\x1725661.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:4480
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\g0785750.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\g0785750.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:664
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        6⤵
        
        PID:1340
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1340 -s 540
        7⤵
        Program crash
        
        PID:4988
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 664 -s 552
        6⤵
        Program crash
        
        PID:1712
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\h5849796.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\h5849796.exe
        5⤵
        Executes dropped EXE
        
        PID:3140

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 664 -ip 664
1⤵
PID:2264

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 208 -p 1340 -ip 1340
1⤵
PID:232

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x5655573.exe

Filesize
826KB

MD5
6435bf15b74272d75c8ebbc32a28176c

SHA1
f0a7299f65c6bc3109f1938641b2bb543cc28ae7

SHA256
68495b0c8b180c42af118245f69fdc719842d63cf213ea2fc8eb9b9c12cac952

SHA512
7d366f17e92510d55534c0be73ee3cece4dbf474fa75d31a3ff6b2f08a5036106560ca815a16231161c72f29478dd22ffe09ad9d5baf844dec485d80e6c2eae7

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x5655573.exe

Filesize
826KB

MD5
6435bf15b74272d75c8ebbc32a28176c

SHA1
f0a7299f65c6bc3109f1938641b2bb543cc28ae7

SHA256
68495b0c8b180c42af118245f69fdc719842d63cf213ea2fc8eb9b9c12cac952

SHA512
7d366f17e92510d55534c0be73ee3cece4dbf474fa75d31a3ff6b2f08a5036106560ca815a16231161c72f29478dd22ffe09ad9d5baf844dec485d80e6c2eae7

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x9423058.exe

Filesize
566KB

MD5
1ceb02b7a9d2ec2f19a4ca21b63210db

SHA1
c1f78ac5ee8925dcc178760d6a9e11d6e3866792

SHA256
35fd6c1371a8e7917555c534993d80298e44b6408ff7b295d7599eaa161bb689

SHA512
27a4ceb65652fc734b1399aae1196c9336e17435e255a18e9924d2ab01a23abdb551c7ac093ea268f58cbc941f38cdd98ca63b3da5ee36ee289d5407efa8381b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x9423058.exe

Filesize
566KB

MD5
1ceb02b7a9d2ec2f19a4ca21b63210db

SHA1
c1f78ac5ee8925dcc178760d6a9e11d6e3866792

SHA256
35fd6c1371a8e7917555c534993d80298e44b6408ff7b295d7599eaa161bb689

SHA512
27a4ceb65652fc734b1399aae1196c9336e17435e255a18e9924d2ab01a23abdb551c7ac093ea268f58cbc941f38cdd98ca63b3da5ee36ee289d5407efa8381b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\x1725661.exe

Filesize
389KB

MD5
1d3ae247f7e33c2cff246230c666c82a

SHA1
9678884287bfc1effaa5ff40830c93f6196887d3

SHA256
17894777a6db26866f5c0fd03e17f3a95130d0ec11c486d6f559d9e624b7382d

SHA512
87182f18e34aac22ba931189d3555d6a8e6c17cbd51efe839f5434f985de2d22a6e398ead02143b56bfda6cfae92e30dad30eab0c57880bc527f19bb9356c263

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\x1725661.exe

Filesize
389KB

MD5
1d3ae247f7e33c2cff246230c666c82a

SHA1
9678884287bfc1effaa5ff40830c93f6196887d3

SHA256
17894777a6db26866f5c0fd03e17f3a95130d0ec11c486d6f559d9e624b7382d

SHA512
87182f18e34aac22ba931189d3555d6a8e6c17cbd51efe839f5434f985de2d22a6e398ead02143b56bfda6cfae92e30dad30eab0c57880bc527f19bb9356c263

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\g0785750.exe

Filesize
364KB

MD5
3079e97fb7c9b6c85bd1c25b14911bf2

SHA1
e54b9d5298eed2bcdb98d66a39cb23f75ea5a773

SHA256
1d44c831df9c3f33b72c2748a0d699d82ffd4e0fed774aee9f27e309c63e57af

SHA512
a55e18e9f0d2d0420e05fbb0b2c3f84f4d76fd6837d7055fdfdd3baa464435eb8cf49bd22af6d087818fbd9b3633a186dc22124d0ffcd02fd1ac7f8eb9b91aa1

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\g0785750.exe

Filesize
364KB

MD5
3079e97fb7c9b6c85bd1c25b14911bf2

SHA1
e54b9d5298eed2bcdb98d66a39cb23f75ea5a773

SHA256
1d44c831df9c3f33b72c2748a0d699d82ffd4e0fed774aee9f27e309c63e57af

SHA512
a55e18e9f0d2d0420e05fbb0b2c3f84f4d76fd6837d7055fdfdd3baa464435eb8cf49bd22af6d087818fbd9b3633a186dc22124d0ffcd02fd1ac7f8eb9b91aa1

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\h5849796.exe

Filesize
174KB

MD5
9ffd7a70690e6942e6058cae2428f2cb

SHA1
7c8817f179efedc81e75c4ff6aa5e5a3a990df70

SHA256
663c5a3d513aa7cb6ba18912b2335b2f00cd4392eb2559e68a394ecd04e4534d

SHA512
3c705f30fd0542f13624464715a74671f4923da353de0bdf59e26ec55d9d403e98e52039939cbb57fe4fbdb9d03f1bb99a41818ea8ad76ab2a487ddfd07b33b2

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\h5849796.exe

Filesize
174KB

MD5
9ffd7a70690e6942e6058cae2428f2cb

SHA1
7c8817f179efedc81e75c4ff6aa5e5a3a990df70

SHA256
663c5a3d513aa7cb6ba18912b2335b2f00cd4392eb2559e68a394ecd04e4534d

SHA512
3c705f30fd0542f13624464715a74671f4923da353de0bdf59e26ec55d9d403e98e52039939cbb57fe4fbdb9d03f1bb99a41818ea8ad76ab2a487ddfd07b33b2

Download Submit
memory/1340-29-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/1340-30-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/1340-32-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/1340-28-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/3140-39-0x0000000005940000-0x0000000005F58000-memory.dmp

Filesize
6.1MB

Download
memory/3140-37-0x0000000073F80000-0x0000000074730000-memory.dmp

Filesize
7.7MB

Download
memory/3140-38-0x00000000075A0000-0x00000000075A6000-memory.dmp

Filesize
24KB

Download
memory/3140-36-0x00000000008F0000-0x0000000000920000-memory.dmp

Filesize
192KB

Download
memory/3140-40-0x0000000005470000-0x000000000557A000-memory.dmp

Filesize
1.0MB

Download
memory/3140-41-0x00000000053B0000-0x00000000053C2000-memory.dmp

Filesize
72KB

Download
memory/3140-42-0x00000000050D0000-0x00000000050E0000-memory.dmp

Filesize
64KB

Download
memory/3140-43-0x0000000005410000-0x000000000544C000-memory.dmp

Filesize
240KB

Download
memory/3140-44-0x0000000005580000-0x00000000055CC000-memory.dmp

Filesize
304KB

Download
memory/3140-45-0x0000000073F80000-0x0000000074730000-memory.dmp

Filesize
7.7MB

Download
memory/3140-46-0x00000000050D0000-0x00000000050E0000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads