redline | 68764e4b281b0a6766ddecdef7881560bb75e9c9ff685c5c5841c305d6b026c4

Analysis

max time kernel
144s
max time network
156s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
12/10/2023, 02:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

68764e4b281b0a6766ddecdef7881560bb75e9c9ff685c5c5841c305d6b026c4.exe
Size

939KB
MD5

d3a9d7ee9371601a97e84d5ae410aa01
SHA1

955e83d08036504207500cbbabc45961ca018f2c
SHA256

68764e4b281b0a6766ddecdef7881560bb75e9c9ff685c5c5841c305d6b026c4
SHA512

cdfd01cb70d9063d4aa6570c25e43715c44c9590498fc87a0795ed49bda83ec88ed9e7ecb9773f9eefaf99562fdd0e0c781cea26ea2bb7b39cf8214cc80b8f80
SSDEEP

12288:1Mrsy90xUYR8q0bFS87ajpIyhg/u8Co9pMEr0DG0b8uoPt/2iDY49kEMSjX8cbBN:1y8R8qYS87yi/plPRkiDfjs8Ly/g4k

Score

10^/10

redline tuxiu infostealer persistence

Malware Config

Extracted

Family

redline

Botnet

tuxiu

77.91.124.82:19071

Attributes

auth_value
29610cdad07e7187eec70685a04b89fe

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 3 IoCs

resource	yara_rule
behavioral2/files/0x000600000002327d-34.dat	family_redline
behavioral2/files/0x000600000002327d-35.dat	family_redline
behavioral2/memory/2908-36-0x0000000000D70000-0x0000000000DA0000-memory.dmp	family_redline

Executes dropped EXE 5 IoCs

pid	Process
1196	x9156473.exe
4524	x7886984.exe
2688	x8060868.exe
416	g5504701.exe
2908	h5985697.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	x9156473.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	x7886984.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	x8060868.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	68764e4b281b0a6766ddecdef7881560bb75e9c9ff685c5c5841c305d6b026c4.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 416 set thread context of 4936	416	g5504701.exe	92

Program crash 2 IoCs

pid	pid_target	Process	procid_target
4148	416	WerFault.exe	86
1876	4936	WerFault.exe	92

Suspicious use of WriteProcessMemory 25 IoCs

description	pid	Process	procid_target
PID 3528 wrote to memory of 1196	3528	68764e4b281b0a6766ddecdef7881560bb75e9c9ff685c5c5841c305d6b026c4.exe	82
PID 3528 wrote to memory of 1196	3528	68764e4b281b0a6766ddecdef7881560bb75e9c9ff685c5c5841c305d6b026c4.exe	82
PID 3528 wrote to memory of 1196	3528	68764e4b281b0a6766ddecdef7881560bb75e9c9ff685c5c5841c305d6b026c4.exe	82
PID 1196 wrote to memory of 4524	1196	x9156473.exe	83
PID 1196 wrote to memory of 4524	1196	x9156473.exe	83
PID 1196 wrote to memory of 4524	1196	x9156473.exe	83
PID 4524 wrote to memory of 2688	4524	x7886984.exe	85
PID 4524 wrote to memory of 2688	4524	x7886984.exe	85
PID 4524 wrote to memory of 2688	4524	x7886984.exe	85
PID 2688 wrote to memory of 416	2688	x8060868.exe	86
PID 2688 wrote to memory of 416	2688	x8060868.exe	86
PID 2688 wrote to memory of 416	2688	x8060868.exe	86
PID 416 wrote to memory of 4936	416	g5504701.exe	92
PID 416 wrote to memory of 4936	416	g5504701.exe	92
PID 416 wrote to memory of 4936	416	g5504701.exe	92
PID 416 wrote to memory of 4936	416	g5504701.exe	92
PID 416 wrote to memory of 4936	416	g5504701.exe	92
PID 416 wrote to memory of 4936	416	g5504701.exe	92
PID 416 wrote to memory of 4936	416	g5504701.exe	92
PID 416 wrote to memory of 4936	416	g5504701.exe	92
PID 416 wrote to memory of 4936	416	g5504701.exe	92
PID 416 wrote to memory of 4936	416	g5504701.exe	92
PID 2688 wrote to memory of 2908	2688	x8060868.exe	99
PID 2688 wrote to memory of 2908	2688	x8060868.exe	99
PID 2688 wrote to memory of 2908	2688	x8060868.exe	99

C:\Users\Admin\AppData\Local\Temp\68764e4b281b0a6766ddecdef7881560bb75e9c9ff685c5c5841c305d6b026c4.exe
"C:\Users\Admin\AppData\Local\Temp\68764e4b281b0a6766ddecdef7881560bb75e9c9ff685c5c5841c305d6b026c4.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3528
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x9156473.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x9156473.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:1196
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x7886984.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x7886984.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:4524
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\x8060868.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\x8060868.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:2688
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\g5504701.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\g5504701.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:416
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        6⤵
        
        PID:4936
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4936 -s 540
        7⤵
        Program crash
        
        PID:1876
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 416 -s 552
        6⤵
        Program crash
        
        PID:4148
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\h5985697.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\h5985697.exe
        5⤵
        Executes dropped EXE
        
        PID:2908

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 416 -ip 416
1⤵
PID:3280

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 4936 -ip 4936
1⤵
PID:4652

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x9156473.exe

Filesize
837KB

MD5
79a840e3fbd6a318763a8416a8817ca4

SHA1
bd89c701736b46197038996ad9d5a8af9ac83b4a

SHA256
528f097d0f9cc5f29f5302974455f5ae893e1dbcc3b8176f999b123e4d65a82b

SHA512
3ce66029bc841bb811c96274afbec865fc658881cb5d1c369e78068ed76b67b4e93990b078e2da84161169828c5a642f8cff0df299658e91dafad555e50841f2

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x9156473.exe

Filesize
837KB

MD5
79a840e3fbd6a318763a8416a8817ca4

SHA1
bd89c701736b46197038996ad9d5a8af9ac83b4a

SHA256
528f097d0f9cc5f29f5302974455f5ae893e1dbcc3b8176f999b123e4d65a82b

SHA512
3ce66029bc841bb811c96274afbec865fc658881cb5d1c369e78068ed76b67b4e93990b078e2da84161169828c5a642f8cff0df299658e91dafad555e50841f2

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x7886984.exe

Filesize
571KB

MD5
3144fc9aee95db30e1fc855d2aea4521

SHA1
5ce0a61ae26f26192b5a2fa5f33e3f691b8c00b8

SHA256
ee840c570e18d07781802c15bfed47f46fce59fa3667bc79bd353e7786df037a

SHA512
766773acd939f44ac97c3ef907dacfdaa806de25b00b23635f41fe005c5282356c541abd992b2d48b16dbbce322344cc7217056c096be2bcc695a73782e4925d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x7886984.exe

Filesize
571KB

MD5
3144fc9aee95db30e1fc855d2aea4521

SHA1
5ce0a61ae26f26192b5a2fa5f33e3f691b8c00b8

SHA256
ee840c570e18d07781802c15bfed47f46fce59fa3667bc79bd353e7786df037a

SHA512
766773acd939f44ac97c3ef907dacfdaa806de25b00b23635f41fe005c5282356c541abd992b2d48b16dbbce322344cc7217056c096be2bcc695a73782e4925d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\x8060868.exe

Filesize
394KB

MD5
6b7d53d0d959c1cc7d6c4474932b154b

SHA1
433a85bc64dc073f6cbbd9a9d0abcf64a37064f9

SHA256
1286eab6d84f75b79cdd461b06abb4bcd92cb3dae59185952d9b391b2b29b297

SHA512
a598ffdc3760ade26131237765350ea055d2b9de759e940c3599b50cf999c51884aed9f67480b231a92cc5818f872418436cb725386456e61f4b59c1a7a57208

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\x8060868.exe

Filesize
394KB

MD5
6b7d53d0d959c1cc7d6c4474932b154b

SHA1
433a85bc64dc073f6cbbd9a9d0abcf64a37064f9

SHA256
1286eab6d84f75b79cdd461b06abb4bcd92cb3dae59185952d9b391b2b29b297

SHA512
a598ffdc3760ade26131237765350ea055d2b9de759e940c3599b50cf999c51884aed9f67480b231a92cc5818f872418436cb725386456e61f4b59c1a7a57208

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\g5504701.exe

Filesize
365KB

MD5
6ba05391591230d54821349c8caa22f9

SHA1
4073e6a41d92c94c980a5a8942f2983e0738b80d

SHA256
f7828764de2c2d486b59ac4d88592b21718b0b72c04f06c2a27d0963edd23b71

SHA512
09919bff21cf3b64e707c140e4c2d589b68bef562ef2ab5e928a6282fbe39d49b8b8445e11ddd53d138c9d9cc2bb1f9e69ad0af1abf833bce86d26e04f11f133

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\g5504701.exe

Filesize
365KB

MD5
6ba05391591230d54821349c8caa22f9

SHA1
4073e6a41d92c94c980a5a8942f2983e0738b80d

SHA256
f7828764de2c2d486b59ac4d88592b21718b0b72c04f06c2a27d0963edd23b71

SHA512
09919bff21cf3b64e707c140e4c2d589b68bef562ef2ab5e928a6282fbe39d49b8b8445e11ddd53d138c9d9cc2bb1f9e69ad0af1abf833bce86d26e04f11f133

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\h5985697.exe

Filesize
174KB

MD5
990d38e5b93ff47b340eacfa44016ff6

SHA1
4567bccfb71ed7ab9a52e11f64362b8f48fa97e9

SHA256
7677014b0b6460b660e57b4f0c9f65bf921841ef0bd2dea83217fc0252ffe0e8

SHA512
30a00e48b02e56de17ddfa26cd3de33ed2ec00fe477474ea91bdc4413835403391d0a77b6cb42230e9b16aabd85511f566a5eb02f800e6553779414a73fed7c1

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\h5985697.exe

Filesize
174KB

MD5
990d38e5b93ff47b340eacfa44016ff6

SHA1
4567bccfb71ed7ab9a52e11f64362b8f48fa97e9

SHA256
7677014b0b6460b660e57b4f0c9f65bf921841ef0bd2dea83217fc0252ffe0e8

SHA512
30a00e48b02e56de17ddfa26cd3de33ed2ec00fe477474ea91bdc4413835403391d0a77b6cb42230e9b16aabd85511f566a5eb02f800e6553779414a73fed7c1

Download Submit
memory/2908-39-0x0000000005EB0000-0x00000000064C8000-memory.dmp

Filesize
6.1MB

Download
memory/2908-42-0x0000000005730000-0x0000000005742000-memory.dmp

Filesize
72KB

Download
memory/2908-46-0x0000000005780000-0x0000000005790000-memory.dmp

Filesize
64KB

Download
memory/2908-45-0x0000000074890000-0x0000000075040000-memory.dmp

Filesize
7.7MB

Download
memory/2908-36-0x0000000000D70000-0x0000000000DA0000-memory.dmp

Filesize
192KB

Download
memory/2908-37-0x0000000074890000-0x0000000075040000-memory.dmp

Filesize
7.7MB

Download
memory/2908-44-0x0000000005910000-0x000000000595C000-memory.dmp

Filesize
304KB

Download
memory/2908-40-0x00000000059A0000-0x0000000005AAA000-memory.dmp

Filesize
1.0MB

Download
memory/2908-38-0x00000000030E0000-0x00000000030E6000-memory.dmp

Filesize
24KB

Download
memory/2908-41-0x0000000005780000-0x0000000005790000-memory.dmp

Filesize
64KB

Download
memory/2908-43-0x00000000058D0000-0x000000000590C000-memory.dmp

Filesize
240KB

Download
memory/4936-29-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/4936-32-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/4936-30-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/4936-28-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads