redline | a04115867893708616de6433157a4cef7501e91d07a0ee244a4c59fff1b24556

Analysis

max time kernel
149s
max time network
158s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
12/10/2023, 02:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a04115867893708616de6433157a4cef7501e91d07a0ee244a4c59fff1b24556.exe
Size

938KB
MD5

4f4823b0b396a31f2df180e79cec1512
SHA1

3418182abafec939d395db6e83707b29934f5b50
SHA256

a04115867893708616de6433157a4cef7501e91d07a0ee244a4c59fff1b24556
SHA512

1d7415aad8a474d7a2b2cf4a4895990c52dfe463f7a3ab49f2346949e972e5bf9417c461859d853a60a471a69d156829d18889e857443a5d891e7227ef431866
SSDEEP

24576:VyUIf2kFQ7N92OhtF0JLU55Ue3QZMWEon:wBfwjfhz0NU5ealQ

Score

10^/10

redline tuxiu infostealer persistence

Malware Config

Extracted

Family

redline

Botnet

tuxiu

77.91.124.82:19071

Attributes

auth_value
29610cdad07e7187eec70685a04b89fe

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 3 IoCs

resource	yara_rule
behavioral2/files/0x0006000000023228-34.dat	family_redline
behavioral2/files/0x0006000000023228-35.dat	family_redline
behavioral2/memory/3816-36-0x00000000003E0000-0x0000000000410000-memory.dmp	family_redline

Executes dropped EXE 5 IoCs

pid	Process
4728	x6046725.exe
3944	x1191744.exe
1444	x4264815.exe
1612	g3580526.exe
3816	h9317178.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	x1191744.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	x4264815.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	a04115867893708616de6433157a4cef7501e91d07a0ee244a4c59fff1b24556.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	x6046725.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1612 set thread context of 4388	1612	g3580526.exe	90

Program crash 2 IoCs

pid	pid_target	Process	procid_target
4644	4388	WerFault.exe	90
4924	1612	WerFault.exe	89

Suspicious use of WriteProcessMemory 25 IoCs

description	pid	Process	procid_target
PID 3416 wrote to memory of 4728	3416	a04115867893708616de6433157a4cef7501e91d07a0ee244a4c59fff1b24556.exe	85
PID 3416 wrote to memory of 4728	3416	a04115867893708616de6433157a4cef7501e91d07a0ee244a4c59fff1b24556.exe	85
PID 3416 wrote to memory of 4728	3416	a04115867893708616de6433157a4cef7501e91d07a0ee244a4c59fff1b24556.exe	85
PID 4728 wrote to memory of 3944	4728	x6046725.exe	86
PID 4728 wrote to memory of 3944	4728	x6046725.exe	86
PID 4728 wrote to memory of 3944	4728	x6046725.exe	86
PID 3944 wrote to memory of 1444	3944	x1191744.exe	87
PID 3944 wrote to memory of 1444	3944	x1191744.exe	87
PID 3944 wrote to memory of 1444	3944	x1191744.exe	87
PID 1444 wrote to memory of 1612	1444	x4264815.exe	89
PID 1444 wrote to memory of 1612	1444	x4264815.exe	89
PID 1444 wrote to memory of 1612	1444	x4264815.exe	89
PID 1612 wrote to memory of 4388	1612	g3580526.exe	90
PID 1612 wrote to memory of 4388	1612	g3580526.exe	90
PID 1612 wrote to memory of 4388	1612	g3580526.exe	90
PID 1612 wrote to memory of 4388	1612	g3580526.exe	90
PID 1612 wrote to memory of 4388	1612	g3580526.exe	90
PID 1612 wrote to memory of 4388	1612	g3580526.exe	90
PID 1612 wrote to memory of 4388	1612	g3580526.exe	90
PID 1612 wrote to memory of 4388	1612	g3580526.exe	90
PID 1612 wrote to memory of 4388	1612	g3580526.exe	90
PID 1612 wrote to memory of 4388	1612	g3580526.exe	90
PID 1444 wrote to memory of 3816	1444	x4264815.exe	99
PID 1444 wrote to memory of 3816	1444	x4264815.exe	99
PID 1444 wrote to memory of 3816	1444	x4264815.exe	99

C:\Users\Admin\AppData\Local\Temp\a04115867893708616de6433157a4cef7501e91d07a0ee244a4c59fff1b24556.exe
"C:\Users\Admin\AppData\Local\Temp\a04115867893708616de6433157a4cef7501e91d07a0ee244a4c59fff1b24556.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3416
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x6046725.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x6046725.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:4728
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x1191744.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x1191744.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:3944
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\x4264815.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\x4264815.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:1444
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\g3580526.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\g3580526.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:1612
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        6⤵
        
        PID:4388
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4388 -s 540
        7⤵
        Program crash
        
        PID:4644
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1612 -s 556
        6⤵
        Program crash
        
        PID:4924
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\h9317178.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\h9317178.exe
        5⤵
        Executes dropped EXE
        
        PID:3816

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 4388 -ip 4388
1⤵
PID:1236

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 1612 -ip 1612
1⤵
PID:2464

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x6046725.exe

Filesize
836KB

MD5
57e2682692f6f55b1ea8d88ff0b5861e

SHA1
8f58b28f69047449aa0fb39a93bcbaac9e03abd8

SHA256
4d26fa4b0ff823ce637496bab687077db6a21f8e6eadb93c08feb5a4e8cb74fd

SHA512
7e0ba5bac8881c32c418c3a488f3dea1a21fc5f262c17c658d3139af1b77e4d23240b9ef8b73d5cbb063f661f7dc22c34fba61af23143acd11dd6af86618ba78

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x6046725.exe

Filesize
836KB

MD5
57e2682692f6f55b1ea8d88ff0b5861e

SHA1
8f58b28f69047449aa0fb39a93bcbaac9e03abd8

SHA256
4d26fa4b0ff823ce637496bab687077db6a21f8e6eadb93c08feb5a4e8cb74fd

SHA512
7e0ba5bac8881c32c418c3a488f3dea1a21fc5f262c17c658d3139af1b77e4d23240b9ef8b73d5cbb063f661f7dc22c34fba61af23143acd11dd6af86618ba78

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x1191744.exe

Filesize
571KB

MD5
233d231847eb3c65108b8d09431fa704

SHA1
eef5a6745b96c8261e392fcf982fa0c4e08f54ba

SHA256
67250da371c302e63aee1d6df5b55932d0d0b4cf0773dcbf40134ccc91664fb9

SHA512
7cdeb86aae45b18d2b2b0193ef57df04cc0015f365f8ba0eeed198de0bc51bf1e32a67501327e6c8af36a481ee1c40811ec4f898131875951eeae38f2e4401bb

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x1191744.exe

Filesize
571KB

MD5
233d231847eb3c65108b8d09431fa704

SHA1
eef5a6745b96c8261e392fcf982fa0c4e08f54ba

SHA256
67250da371c302e63aee1d6df5b55932d0d0b4cf0773dcbf40134ccc91664fb9

SHA512
7cdeb86aae45b18d2b2b0193ef57df04cc0015f365f8ba0eeed198de0bc51bf1e32a67501327e6c8af36a481ee1c40811ec4f898131875951eeae38f2e4401bb

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\x4264815.exe

Filesize
394KB

MD5
c01ee32aec5dd7f665cf12feb1795925

SHA1
6791937ebc0d7615bb70349f7cd5fbfc79f79a95

SHA256
844ca0a9626204f2f0d6ec485d439d0ae2f78bd81eee1ec198ece4005dda372e

SHA512
b404efe51184a4c57ee24ef12d5bd3325602e22eea2799955196e7c5791b3ca8a5ab3c49271a04c3e2113653ff7e1f0d804eb102fc7a75e0416bfb1113b108e8

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\x4264815.exe

Filesize
394KB

MD5
c01ee32aec5dd7f665cf12feb1795925

SHA1
6791937ebc0d7615bb70349f7cd5fbfc79f79a95

SHA256
844ca0a9626204f2f0d6ec485d439d0ae2f78bd81eee1ec198ece4005dda372e

SHA512
b404efe51184a4c57ee24ef12d5bd3325602e22eea2799955196e7c5791b3ca8a5ab3c49271a04c3e2113653ff7e1f0d804eb102fc7a75e0416bfb1113b108e8

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\g3580526.exe

Filesize
365KB

MD5
ff55847a3063bdf6bc757c23973c0879

SHA1
db8059ec776c5095d82658d64d529b088a246758

SHA256
22e7b89e24064b80733ed066133324ba82f1739fdedffa4887e465f4d5b4707e

SHA512
0c9d0cc16ea126553fe9640282f25182ec9c729a555eb9e7ad0a8f9a92b44c81c6f46c6b81ab3c21121cda1176e92de5ae3267fe38d40fb045e6136bb25b1c8f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\g3580526.exe

Filesize
365KB

MD5
ff55847a3063bdf6bc757c23973c0879

SHA1
db8059ec776c5095d82658d64d529b088a246758

SHA256
22e7b89e24064b80733ed066133324ba82f1739fdedffa4887e465f4d5b4707e

SHA512
0c9d0cc16ea126553fe9640282f25182ec9c729a555eb9e7ad0a8f9a92b44c81c6f46c6b81ab3c21121cda1176e92de5ae3267fe38d40fb045e6136bb25b1c8f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\h9317178.exe

Filesize
174KB

MD5
cbc13989db8d03461c1329da97511d66

SHA1
89f1cfcb2377ff45c95d1c973a518db7ac1a43f4

SHA256
f80e32beb0bad102f0678669af1dc6fddfaca6143a52dd9e77c77f364a0b6b44

SHA512
c7bd7dc72acd839ac6113a61190cf795b6249e9c51799bc406fc230b2126ed0626009087185639f9a23bc105820e0669c8b55f3095d14f64214a5910cb90adf6

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\h9317178.exe

Filesize
174KB

MD5
cbc13989db8d03461c1329da97511d66

SHA1
89f1cfcb2377ff45c95d1c973a518db7ac1a43f4

SHA256
f80e32beb0bad102f0678669af1dc6fddfaca6143a52dd9e77c77f364a0b6b44

SHA512
c7bd7dc72acd839ac6113a61190cf795b6249e9c51799bc406fc230b2126ed0626009087185639f9a23bc105820e0669c8b55f3095d14f64214a5910cb90adf6

Download Submit
memory/3816-39-0x00000000054E0000-0x0000000005AF8000-memory.dmp

Filesize
6.1MB

Download
memory/3816-42-0x0000000004DB0000-0x0000000004DC0000-memory.dmp

Filesize
64KB

Download
memory/3816-46-0x0000000004DB0000-0x0000000004DC0000-memory.dmp

Filesize
64KB

Download
memory/3816-45-0x0000000074610000-0x0000000074DC0000-memory.dmp

Filesize
7.7MB

Download
memory/3816-36-0x00000000003E0000-0x0000000000410000-memory.dmp

Filesize
192KB

Download
memory/3816-37-0x0000000074610000-0x0000000074DC0000-memory.dmp

Filesize
7.7MB

Download
memory/3816-44-0x0000000004F60000-0x0000000004FAC000-memory.dmp

Filesize
304KB

Download
memory/3816-40-0x0000000004FD0000-0x00000000050DA000-memory.dmp

Filesize
1.0MB

Download
memory/3816-38-0x0000000002690000-0x0000000002696000-memory.dmp

Filesize
24KB

Download
memory/3816-41-0x0000000004EC0000-0x0000000004ED2000-memory.dmp

Filesize
72KB

Download
memory/3816-43-0x0000000004F20000-0x0000000004F5C000-memory.dmp

Filesize
240KB

Download
memory/4388-29-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/4388-32-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/4388-30-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/4388-28-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads