redline | b7215d29651d883138e7000f2568418b02cb62350924f78ec75b7c7f0d3a9a72

Analysis

max time kernel
157s
max time network
172s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
12/10/2023, 02:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

file.exe
Size

506KB
MD5

0f724d78d4a65272ac085236c9caf06b
SHA1

9449892f318709e1abfd33dd059dbdd1de8a0392
SHA256

b7215d29651d883138e7000f2568418b02cb62350924f78ec75b7c7f0d3a9a72
SHA512

6c4e203e8de1c30cb4fc417fb55887adb80682f1c24ff7f2a8786a7ca179369cdbe4c16fbbe0efc154eaac741ff62c3d81132fd2a8f8125613ac1df4ba678ba5
SSDEEP

12288:qMriy90OWwCjyUi0kYkqnDIw4M0/2+Vlnw+Q1:0yywmyUigbDIw7AZQ1

Score

10^/10

redline trush infostealer persistence

Malware Config

Extracted

Family

redline

Botnet

trush

77.91.124.82:19071

Attributes

auth_value
c13814867cde8193679cd0cad2d774be

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Executes dropped EXE 4 IoCs

pid	Process
4452	v8951797.exe
4644	b1432077.exe
3056	c9143329.exe
3024	d2056472.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	file.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	v8951797.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 4644 set thread context of 2724	4644	b1432077.exe	90
PID 3056 set thread context of 1316	3056	c9143329.exe	99

Program crash 3 IoCs

pid	pid_target	Process	procid_target
3468	4644	WerFault.exe	88
4656	2724	WerFault.exe	90
768	3056	WerFault.exe	97

Suspicious use of WriteProcessMemory 30 IoCs

description	pid	Process	procid_target
PID 4152 wrote to memory of 4452	4152	file.exe	87
PID 4152 wrote to memory of 4452	4152	file.exe	87
PID 4152 wrote to memory of 4452	4152	file.exe	87
PID 4452 wrote to memory of 4644	4452	v8951797.exe	88
PID 4452 wrote to memory of 4644	4452	v8951797.exe	88
PID 4452 wrote to memory of 4644	4452	v8951797.exe	88
PID 4644 wrote to memory of 2724	4644	b1432077.exe	90
PID 4644 wrote to memory of 2724	4644	b1432077.exe	90
PID 4644 wrote to memory of 2724	4644	b1432077.exe	90
PID 4644 wrote to memory of 2724	4644	b1432077.exe	90
PID 4644 wrote to memory of 2724	4644	b1432077.exe	90
PID 4644 wrote to memory of 2724	4644	b1432077.exe	90
PID 4644 wrote to memory of 2724	4644	b1432077.exe	90
PID 4644 wrote to memory of 2724	4644	b1432077.exe	90
PID 4644 wrote to memory of 2724	4644	b1432077.exe	90
PID 4644 wrote to memory of 2724	4644	b1432077.exe	90
PID 4452 wrote to memory of 3056	4452	v8951797.exe	97
PID 4452 wrote to memory of 3056	4452	v8951797.exe	97
PID 4452 wrote to memory of 3056	4452	v8951797.exe	97
PID 3056 wrote to memory of 1316	3056	c9143329.exe	99
PID 3056 wrote to memory of 1316	3056	c9143329.exe	99
PID 3056 wrote to memory of 1316	3056	c9143329.exe	99
PID 3056 wrote to memory of 1316	3056	c9143329.exe	99
PID 3056 wrote to memory of 1316	3056	c9143329.exe	99
PID 3056 wrote to memory of 1316	3056	c9143329.exe	99
PID 3056 wrote to memory of 1316	3056	c9143329.exe	99
PID 3056 wrote to memory of 1316	3056	c9143329.exe	99
PID 4152 wrote to memory of 3024	4152	file.exe	105
PID 4152 wrote to memory of 3024	4152	file.exe	105
PID 4152 wrote to memory of 3024	4152	file.exe	105

C:\Users\Admin\AppData\Local\Temp\file.exe
"C:\Users\Admin\AppData\Local\Temp\file.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4152
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v8951797.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v8951797.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:4452
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\b1432077.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\b1432077.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:4644
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
      4⤵
      PID:2724
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2724 -s 540
        5⤵
        Program crash
        
        PID:4656
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4644 -s 552
      4⤵
      Program crash
      PID:3468
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\c9143329.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\c9143329.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:3056
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
      4⤵
      PID:1316
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3056 -s 552
      4⤵
      Program crash
      PID:768
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\d2056472.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\d2056472.exe
  2⤵
  - Executes dropped EXE
  PID:3024

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 2724 -ip 2724
1⤵
PID:4688

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 4644 -ip 4644
1⤵
PID:1004

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 188 -p 3056 -ip 3056
1⤵
PID:2120

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\d2056472.exe

Filesize
19KB

MD5
e187daa5150d3c47191e43aaa3f52057

SHA1
b2efe176a8fc4e5c656c78a8bd8c3615a94e06ab

SHA256
065694316980f07d5093a145542832fd17544f7692486232edd40187fd325db7

SHA512
1cc863cd7a3b4f519f530c86763f93080c579234da2b38fbcf754cd501670b9aa3835462ed8929d50553156d6139f9936a3ad131b81bb142beb45836a9fbbbc4

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\d2056472.exe

Filesize
19KB

MD5
e187daa5150d3c47191e43aaa3f52057

SHA1
b2efe176a8fc4e5c656c78a8bd8c3615a94e06ab

SHA256
065694316980f07d5093a145542832fd17544f7692486232edd40187fd325db7

SHA512
1cc863cd7a3b4f519f530c86763f93080c579234da2b38fbcf754cd501670b9aa3835462ed8929d50553156d6139f9936a3ad131b81bb142beb45836a9fbbbc4

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v8951797.exe

Filesize
404KB

MD5
f450161c6fbfb5e27aaab5d37245a5f6

SHA1
1b2fd749a55efcbff0663ae81deaee1e32f49bdb

SHA256
c71853ce7739dcd4eb7fff1d68a55cf69b784a33a42f7bae69fcb75a4402103c

SHA512
804c87aff36dae417f999719d88d2bb89e5eb7632040f3ec24921c132672d46037c67cf88a5c71c71c0482801d2b1bb536d131139da0194849d99f0ca1b0568e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v8951797.exe

Filesize
404KB

MD5
f450161c6fbfb5e27aaab5d37245a5f6

SHA1
1b2fd749a55efcbff0663ae81deaee1e32f49bdb

SHA256
c71853ce7739dcd4eb7fff1d68a55cf69b784a33a42f7bae69fcb75a4402103c

SHA512
804c87aff36dae417f999719d88d2bb89e5eb7632040f3ec24921c132672d46037c67cf88a5c71c71c0482801d2b1bb536d131139da0194849d99f0ca1b0568e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\b1432077.exe

Filesize
365KB

MD5
51bb6acc0f4a12e5c6fba58447b0069a

SHA1
c04e8f4b99395ef575b3fa17aba6cd4a37a5b27f

SHA256
6a93e04395d8460db6c5de3e8d033268737eb3e74cf356d6e647154ef8f12cc6

SHA512
e749bd23481e699884ebdcb9ece28dc181ed1c80a9fe43db5a9518b8d88add2d2f20927d7601d6577563304e613b0ce846e2ffff474251f6100e7e42549a77d1

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\b1432077.exe

Filesize
365KB

MD5
51bb6acc0f4a12e5c6fba58447b0069a

SHA1
c04e8f4b99395ef575b3fa17aba6cd4a37a5b27f

SHA256
6a93e04395d8460db6c5de3e8d033268737eb3e74cf356d6e647154ef8f12cc6

SHA512
e749bd23481e699884ebdcb9ece28dc181ed1c80a9fe43db5a9518b8d88add2d2f20927d7601d6577563304e613b0ce846e2ffff474251f6100e7e42549a77d1

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\c9143329.exe

Filesize
384KB

MD5
8c648236a813795020178f3c6a26f663

SHA1
529c4915583644921f62ee3377bfd55d280e0e0a

SHA256
776d36f05dcb937f5a2f82b18232ff49b90376f8582dac97d7df2175ac23ddb9

SHA512
bc6efb32f199cf80894cb9d196415eae3e233c776d6f1c753bf1bcaff4e4c0642c7678c37184405bf4bbe0587c4e14b66e42c496800fa430e11fc71d9eb1cb5f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\c9143329.exe

Filesize
384KB

MD5
8c648236a813795020178f3c6a26f663

SHA1
529c4915583644921f62ee3377bfd55d280e0e0a

SHA256
776d36f05dcb937f5a2f82b18232ff49b90376f8582dac97d7df2175ac23ddb9

SHA512
bc6efb32f199cf80894cb9d196415eae3e233c776d6f1c753bf1bcaff4e4c0642c7678c37184405bf4bbe0587c4e14b66e42c496800fa430e11fc71d9eb1cb5f

Download Submit
memory/1316-28-0x0000000005D30000-0x0000000006348000-memory.dmp

Filesize
6.1MB

Download
memory/1316-32-0x0000000005730000-0x0000000005742000-memory.dmp

Filesize
72KB

Download
memory/1316-22-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/1316-23-0x00000000731F0000-0x00000000739A0000-memory.dmp

Filesize
7.7MB

Download
memory/1316-35-0x0000000005500000-0x0000000005510000-memory.dmp

Filesize
64KB

Download
memory/1316-34-0x00000000057D0000-0x000000000581C000-memory.dmp

Filesize
304KB

Download
memory/1316-27-0x0000000001600000-0x0000000001606000-memory.dmp

Filesize
24KB

Download
memory/1316-33-0x0000000005790000-0x00000000057CC000-memory.dmp

Filesize
240KB

Download
memory/1316-29-0x0000000005820000-0x000000000592A000-memory.dmp

Filesize
1.0MB

Download
memory/1316-30-0x00000000731F0000-0x00000000739A0000-memory.dmp

Filesize
7.7MB

Download
memory/1316-31-0x0000000005500000-0x0000000005510000-memory.dmp

Filesize
64KB

Download
memory/2724-15-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/2724-14-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/2724-16-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/2724-18-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads