redline | 4cc1a5bcb9079ea4db1d0b60849f0fb0e00e26276c21b521dca65b5280fe8f9c

Analysis

max time kernel
163s
max time network
174s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
12-10-2023 01:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4cc1a5bcb9079ea4db1d0b60849f0fb0e00e26276c21b521dca65b5280fe8f9c.exe
Size

929KB
MD5

2aa38d670ede428c2c4c6f48cb589a72
SHA1

9faf897a3af6f8a416b8354be51080efedb9a04d
SHA256

4cc1a5bcb9079ea4db1d0b60849f0fb0e00e26276c21b521dca65b5280fe8f9c
SHA512

22c5bd4602aa52746b19a863dfc90765ce2052719b63a1ac827506f27efacb94c76d6e2e213f36b7d256eeec507ba25b72221b77325391c5c044f104e28235f3
SSDEEP

12288:pMrPy90wewGpj1zCca6FEDMYGuf/+AuqhPCabnrXvGUEBCCt4UhhuvQJLIB+rLPJ:qyPeBwcMTvpzhPCaf7jCtRhZRI8LwDI

Score

10^/10

redline tuxiu infostealer persistence

Malware Config

Extracted

Family

redline

Botnet

tuxiu

77.91.124.82:19071

Attributes

auth_value
29610cdad07e7187eec70685a04b89fe

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 3 IoCs

resource	yara_rule
behavioral2/files/0x000700000002320b-34.dat	family_redline
behavioral2/files/0x000700000002320b-35.dat	family_redline
behavioral2/memory/1080-37-0x0000000000C70000-0x0000000000CA0000-memory.dmp	family_redline

Executes dropped EXE 5 IoCs

pid	Process
1988	x1244578.exe
4960	x4925281.exe
2276	x2429086.exe
4060	g5626810.exe
1080	h1023363.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	4cc1a5bcb9079ea4db1d0b60849f0fb0e00e26276c21b521dca65b5280fe8f9c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	x1244578.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	x4925281.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	x2429086.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4060 set thread context of 1144	4060	g5626810.exe	97

Program crash 2 IoCs

pid	pid_target	Process	procid_target
992	4060	WerFault.exe	89
704	1144	WerFault.exe	97

Suspicious use of WriteProcessMemory 25 IoCs

description	pid	Process	procid_target
PID 624 wrote to memory of 1988	624	4cc1a5bcb9079ea4db1d0b60849f0fb0e00e26276c21b521dca65b5280fe8f9c.exe	86
PID 624 wrote to memory of 1988	624	4cc1a5bcb9079ea4db1d0b60849f0fb0e00e26276c21b521dca65b5280fe8f9c.exe	86
PID 624 wrote to memory of 1988	624	4cc1a5bcb9079ea4db1d0b60849f0fb0e00e26276c21b521dca65b5280fe8f9c.exe	86
PID 1988 wrote to memory of 4960	1988	x1244578.exe	87
PID 1988 wrote to memory of 4960	1988	x1244578.exe	87
PID 1988 wrote to memory of 4960	1988	x1244578.exe	87
PID 4960 wrote to memory of 2276	4960	x4925281.exe	88
PID 4960 wrote to memory of 2276	4960	x4925281.exe	88
PID 4960 wrote to memory of 2276	4960	x4925281.exe	88
PID 2276 wrote to memory of 4060	2276	x2429086.exe	89
PID 2276 wrote to memory of 4060	2276	x2429086.exe	89
PID 2276 wrote to memory of 4060	2276	x2429086.exe	89
PID 4060 wrote to memory of 1144	4060	g5626810.exe	97
PID 4060 wrote to memory of 1144	4060	g5626810.exe	97
PID 4060 wrote to memory of 1144	4060	g5626810.exe	97
PID 4060 wrote to memory of 1144	4060	g5626810.exe	97
PID 4060 wrote to memory of 1144	4060	g5626810.exe	97
PID 4060 wrote to memory of 1144	4060	g5626810.exe	97
PID 4060 wrote to memory of 1144	4060	g5626810.exe	97
PID 4060 wrote to memory of 1144	4060	g5626810.exe	97
PID 4060 wrote to memory of 1144	4060	g5626810.exe	97
PID 4060 wrote to memory of 1144	4060	g5626810.exe	97
PID 2276 wrote to memory of 1080	2276	x2429086.exe	106
PID 2276 wrote to memory of 1080	2276	x2429086.exe	106
PID 2276 wrote to memory of 1080	2276	x2429086.exe	106

C:\Users\Admin\AppData\Local\Temp\4cc1a5bcb9079ea4db1d0b60849f0fb0e00e26276c21b521dca65b5280fe8f9c.exe
"C:\Users\Admin\AppData\Local\Temp\4cc1a5bcb9079ea4db1d0b60849f0fb0e00e26276c21b521dca65b5280fe8f9c.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:624
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x1244578.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x1244578.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:1988
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x4925281.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x4925281.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:4960
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\x2429086.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\x2429086.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:2276
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\g5626810.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\g5626810.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:4060
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        6⤵
        
        PID:1144
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1144 -s 540
        7⤵
        Program crash
        
        PID:704
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4060 -s 572
        6⤵
        Program crash
        
        PID:992
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\h1023363.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\h1023363.exe
        5⤵
        Executes dropped EXE
        
        PID:1080

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 4060 -ip 4060
1⤵
PID:4292

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 1144 -ip 1144
1⤵
PID:3588

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x1244578.exe

Filesize
827KB

MD5
6a3a555acf47b067720d4c0110ac4529

SHA1
73a0cb84936114f38ad2e651be27c17944f133e9

SHA256
f9423ebd86e480327a8ed3c95a9163a93aee54d92f28656d4f87c5b4c4434e29

SHA512
195afed36f53d008dcce6bca183e1937cb9d1226b59488deb81d1684ef095d687670b0263d5efb527cd61684147ffbd79bbdd33d52b0ceb1769a0e48d4569357

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x1244578.exe

Filesize
827KB

MD5
6a3a555acf47b067720d4c0110ac4529

SHA1
73a0cb84936114f38ad2e651be27c17944f133e9

SHA256
f9423ebd86e480327a8ed3c95a9163a93aee54d92f28656d4f87c5b4c4434e29

SHA512
195afed36f53d008dcce6bca183e1937cb9d1226b59488deb81d1684ef095d687670b0263d5efb527cd61684147ffbd79bbdd33d52b0ceb1769a0e48d4569357

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x4925281.exe

Filesize
567KB

MD5
13bc0af49532a94c3f55fc1ad7cedff5

SHA1
7198bf64df2493a17f3cf246a85ef2b4ac232e73

SHA256
3ec2a5f3365044b148e16133d416475ba16142aabd25cfa215ee3b8bdf1fdd54

SHA512
3bb64e18ab78b75143c53068d61595528ac47e2f13828130ed415f2affd0a13152feb1d43647a520dc4e63659b23f79b81433a2ddcf9f62edde9b107b23aea81

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x4925281.exe

Filesize
567KB

MD5
13bc0af49532a94c3f55fc1ad7cedff5

SHA1
7198bf64df2493a17f3cf246a85ef2b4ac232e73

SHA256
3ec2a5f3365044b148e16133d416475ba16142aabd25cfa215ee3b8bdf1fdd54

SHA512
3bb64e18ab78b75143c53068d61595528ac47e2f13828130ed415f2affd0a13152feb1d43647a520dc4e63659b23f79b81433a2ddcf9f62edde9b107b23aea81

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\x2429086.exe

Filesize
390KB

MD5
793c21710d24416a52bde25ef0c00136

SHA1
b063dce74093b29c34b6e50891d141e055fd39c5

SHA256
a885b563e8a4be5cd393bd423bc9ee9c4157b4393849b7cb77c87a1d08879121

SHA512
c95e5efb3e21c76ce7dc0cb6566bcd9604be289a0706df6b3afb27de69e5f1cb710e7aa0dc3144b936ea203089920e6aaf95db2212770d35841e3b31b96cdaa0

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\x2429086.exe

Filesize
390KB

MD5
793c21710d24416a52bde25ef0c00136

SHA1
b063dce74093b29c34b6e50891d141e055fd39c5

SHA256
a885b563e8a4be5cd393bd423bc9ee9c4157b4393849b7cb77c87a1d08879121

SHA512
c95e5efb3e21c76ce7dc0cb6566bcd9604be289a0706df6b3afb27de69e5f1cb710e7aa0dc3144b936ea203089920e6aaf95db2212770d35841e3b31b96cdaa0

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\g5626810.exe

Filesize
364KB

MD5
1a95866724a31d6299be71fd7118d7a1

SHA1
6836ccd9a56ce67208aff588ddef1c2330369d37

SHA256
1dbb38e6e75b10e9eaa051fcc3d6e4c079e7dd097cca190931199050fa477515

SHA512
ebea9077d12857fb6a8f5e597f992afe7ed59002db4c0fcd9d6a4f63a1292f2bc3d6e09673b20cfa499ac4c675f400370a44155dd45d51f69ec93d2cba7e2664

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\g5626810.exe

Filesize
364KB

MD5
1a95866724a31d6299be71fd7118d7a1

SHA1
6836ccd9a56ce67208aff588ddef1c2330369d37

SHA256
1dbb38e6e75b10e9eaa051fcc3d6e4c079e7dd097cca190931199050fa477515

SHA512
ebea9077d12857fb6a8f5e597f992afe7ed59002db4c0fcd9d6a4f63a1292f2bc3d6e09673b20cfa499ac4c675f400370a44155dd45d51f69ec93d2cba7e2664

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\h1023363.exe

Filesize
174KB

MD5
2589d7e4a9952734c6cbd97c168193bc

SHA1
7d368027a1d7a676916e39e988d5d8544b88f6fa

SHA256
a111b6674e47f939577c7c1a9965ffd4969b26e5b0d8a96426d76819e84cf1c0

SHA512
9645c4297e960d14e40dbe9c24ddf7c5700740c61601028e3ce11f6158c1d33699fe2a7444eb675e73dea4e98462455f935c1ef9de2b824007ae9a53f9b87d83

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\h1023363.exe

Filesize
174KB

MD5
2589d7e4a9952734c6cbd97c168193bc

SHA1
7d368027a1d7a676916e39e988d5d8544b88f6fa

SHA256
a111b6674e47f939577c7c1a9965ffd4969b26e5b0d8a96426d76819e84cf1c0

SHA512
9645c4297e960d14e40dbe9c24ddf7c5700740c61601028e3ce11f6158c1d33699fe2a7444eb675e73dea4e98462455f935c1ef9de2b824007ae9a53f9b87d83

Download Submit
memory/1080-39-0x0000000074A40000-0x00000000751F0000-memory.dmp

Filesize
7.7MB

Download
memory/1080-40-0x000000000B1B0000-0x000000000B7C8000-memory.dmp

Filesize
6.1MB

Download
memory/1080-46-0x0000000005800000-0x0000000005810000-memory.dmp

Filesize
64KB

Download
memory/1080-45-0x000000000AE60000-0x000000000AEAC000-memory.dmp

Filesize
304KB

Download
memory/1080-36-0x0000000074A40000-0x00000000751F0000-memory.dmp

Filesize
7.7MB

Download
memory/1080-37-0x0000000000C70000-0x0000000000CA0000-memory.dmp

Filesize
192KB

Download
memory/1080-44-0x000000000AE20000-0x000000000AE5C000-memory.dmp

Filesize
240KB

Download
memory/1080-43-0x0000000005690000-0x00000000056A2000-memory.dmp

Filesize
72KB

Download
memory/1080-38-0x0000000003050000-0x0000000003056000-memory.dmp

Filesize
24KB

Download
memory/1080-41-0x000000000AB90000-0x000000000AC9A000-memory.dmp

Filesize
1.0MB

Download
memory/1080-42-0x0000000005800000-0x0000000005810000-memory.dmp

Filesize
64KB

Download
memory/1144-29-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/1144-32-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/1144-30-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/1144-28-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads