redline | 181932d74de0449ae379c936cff8b71e1d7d0088375368420a8597f9156b8224

Analysis

max time kernel
143s
max time network
153s
platform
windows7_x64
resource
win7-20230831-en
resource tags

arch:x64arch:x86image:win7-20230831-enlocale:en-usos:windows7-x64system
submitted
12-10-2023 04:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

181932d74de0449ae379c936cff8b71e1d7d0088375368420a8597f9156b8224.exe
Size

514KB
MD5

0992fa8612af49d53e65a0a26507865a
SHA1

ef8fbd69b318a9e4214fffc35043a2a185ec284a
SHA256

181932d74de0449ae379c936cff8b71e1d7d0088375368420a8597f9156b8224
SHA512

36b6a7488c0e95c0b768139ccf16d98ac132ca64b0d0b30c676307eba81193b4e0239f19d1f33c5ec60e041bfce855b7ff37ab8e1323124dc4f5e05ee5de0976
SSDEEP

12288:aMrIy90/ckiJ4Gr3tfZQ3bnYjl0lSqqEF:2yh5JJtfZEjYql9D

Score

10^/10

redline trush infostealer persistence

Malware Config

Extracted

Family

redline

Botnet

trush

77.91.124.82:19071

Attributes

auth_value
c13814867cde8193679cd0cad2d774be

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Executes dropped EXE 2 IoCs

pid	Process
1444	v6024092.exe
2292	a0742606.exe

Loads dropped DLL 8 IoCs

pid	Process
1448	181932d74de0449ae379c936cff8b71e1d7d0088375368420a8597f9156b8224.exe
1444	v6024092.exe
1444	v6024092.exe
2292	a0742606.exe
2640	WerFault.exe
2640	WerFault.exe
2640	WerFault.exe
2640	WerFault.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	181932d74de0449ae379c936cff8b71e1d7d0088375368420a8597f9156b8224.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	v6024092.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2292 set thread context of 2704	2292	a0742606.exe	30

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2640	2292	WerFault.exe	29

Suspicious use of WriteProcessMemory 33 IoCs

description	pid	Process	procid_target
PID 1448 wrote to memory of 1444	1448	181932d74de0449ae379c936cff8b71e1d7d0088375368420a8597f9156b8224.exe	28
PID 1448 wrote to memory of 1444	1448	181932d74de0449ae379c936cff8b71e1d7d0088375368420a8597f9156b8224.exe	28
PID 1448 wrote to memory of 1444	1448	181932d74de0449ae379c936cff8b71e1d7d0088375368420a8597f9156b8224.exe	28
PID 1448 wrote to memory of 1444	1448	181932d74de0449ae379c936cff8b71e1d7d0088375368420a8597f9156b8224.exe	28
PID 1448 wrote to memory of 1444	1448	181932d74de0449ae379c936cff8b71e1d7d0088375368420a8597f9156b8224.exe	28
PID 1448 wrote to memory of 1444	1448	181932d74de0449ae379c936cff8b71e1d7d0088375368420a8597f9156b8224.exe	28
PID 1448 wrote to memory of 1444	1448	181932d74de0449ae379c936cff8b71e1d7d0088375368420a8597f9156b8224.exe	28
PID 1444 wrote to memory of 2292	1444	v6024092.exe	29
PID 1444 wrote to memory of 2292	1444	v6024092.exe	29
PID 1444 wrote to memory of 2292	1444	v6024092.exe	29
PID 1444 wrote to memory of 2292	1444	v6024092.exe	29
PID 1444 wrote to memory of 2292	1444	v6024092.exe	29
PID 1444 wrote to memory of 2292	1444	v6024092.exe	29
PID 1444 wrote to memory of 2292	1444	v6024092.exe	29
PID 2292 wrote to memory of 2704	2292	a0742606.exe	30
PID 2292 wrote to memory of 2704	2292	a0742606.exe	30
PID 2292 wrote to memory of 2704	2292	a0742606.exe	30
PID 2292 wrote to memory of 2704	2292	a0742606.exe	30
PID 2292 wrote to memory of 2704	2292	a0742606.exe	30
PID 2292 wrote to memory of 2704	2292	a0742606.exe	30
PID 2292 wrote to memory of 2704	2292	a0742606.exe	30
PID 2292 wrote to memory of 2704	2292	a0742606.exe	30
PID 2292 wrote to memory of 2704	2292	a0742606.exe	30
PID 2292 wrote to memory of 2704	2292	a0742606.exe	30
PID 2292 wrote to memory of 2704	2292	a0742606.exe	30
PID 2292 wrote to memory of 2704	2292	a0742606.exe	30
PID 2292 wrote to memory of 2640	2292	a0742606.exe	31
PID 2292 wrote to memory of 2640	2292	a0742606.exe	31
PID 2292 wrote to memory of 2640	2292	a0742606.exe	31
PID 2292 wrote to memory of 2640	2292	a0742606.exe	31
PID 2292 wrote to memory of 2640	2292	a0742606.exe	31
PID 2292 wrote to memory of 2640	2292	a0742606.exe	31
PID 2292 wrote to memory of 2640	2292	a0742606.exe	31

C:\Users\Admin\AppData\Local\Temp\181932d74de0449ae379c936cff8b71e1d7d0088375368420a8597f9156b8224.exe
"C:\Users\Admin\AppData\Local\Temp\181932d74de0449ae379c936cff8b71e1d7d0088375368420a8597f9156b8224.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1448
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v6024092.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v6024092.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:1444
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a0742606.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a0742606.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:2292
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
      4⤵
      PID:2704
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2292 -s 272
      4⤵
      Loads dropped DLL
      Program crash
      PID:2640

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v6024092.exe

Filesize
413KB

MD5
409eb0b9118e2550d1f5972df8e881c5

SHA1
0071797ad5ec31ed37b16aabc397746d5f075b7a

SHA256
aac9f1759c3dca327221fc5897375e8ea62a450742ee1e2584462a0158741eef

SHA512
6d9e113735e23676e0707c9d1f308c009f31ebef32d4ea233fede06dd5c13d9087dcef6f9b73b4a31626fa4b7fea08bbcc3ebecaf535acf1de1819cc1c3585a1

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v6024092.exe

Filesize
413KB

MD5
409eb0b9118e2550d1f5972df8e881c5

SHA1
0071797ad5ec31ed37b16aabc397746d5f075b7a

SHA256
aac9f1759c3dca327221fc5897375e8ea62a450742ee1e2584462a0158741eef

SHA512
6d9e113735e23676e0707c9d1f308c009f31ebef32d4ea233fede06dd5c13d9087dcef6f9b73b4a31626fa4b7fea08bbcc3ebecaf535acf1de1819cc1c3585a1

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a0742606.exe

Filesize
384KB

MD5
4a5afd50c7da36a093394877e8ef52b8

SHA1
7f1fb3946d6375e1dbbf1dcc2151655aefdf5563

SHA256
8698efdc9f77179c862ba36fa8a6cb06c8692f31d79cb2fba86579dd0e46d7d9

SHA512
cf6f7b4c5ad3cb6f95b55012bd6fd37135e3b21c13c4667fa7dec38a01a1f2ec4efd77431939492677b1e64609aa4db6266a533818c2ba63f411b550677cf255

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a0742606.exe

Filesize
384KB

MD5
4a5afd50c7da36a093394877e8ef52b8

SHA1
7f1fb3946d6375e1dbbf1dcc2151655aefdf5563

SHA256
8698efdc9f77179c862ba36fa8a6cb06c8692f31d79cb2fba86579dd0e46d7d9

SHA512
cf6f7b4c5ad3cb6f95b55012bd6fd37135e3b21c13c4667fa7dec38a01a1f2ec4efd77431939492677b1e64609aa4db6266a533818c2ba63f411b550677cf255

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\v6024092.exe

Filesize
413KB

MD5
409eb0b9118e2550d1f5972df8e881c5

SHA1
0071797ad5ec31ed37b16aabc397746d5f075b7a

SHA256
aac9f1759c3dca327221fc5897375e8ea62a450742ee1e2584462a0158741eef

SHA512
6d9e113735e23676e0707c9d1f308c009f31ebef32d4ea233fede06dd5c13d9087dcef6f9b73b4a31626fa4b7fea08bbcc3ebecaf535acf1de1819cc1c3585a1

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\v6024092.exe

Filesize
413KB

MD5
409eb0b9118e2550d1f5972df8e881c5

SHA1
0071797ad5ec31ed37b16aabc397746d5f075b7a

SHA256
aac9f1759c3dca327221fc5897375e8ea62a450742ee1e2584462a0158741eef

SHA512
6d9e113735e23676e0707c9d1f308c009f31ebef32d4ea233fede06dd5c13d9087dcef6f9b73b4a31626fa4b7fea08bbcc3ebecaf535acf1de1819cc1c3585a1

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\a0742606.exe

Filesize
384KB

MD5
4a5afd50c7da36a093394877e8ef52b8

SHA1
7f1fb3946d6375e1dbbf1dcc2151655aefdf5563

SHA256
8698efdc9f77179c862ba36fa8a6cb06c8692f31d79cb2fba86579dd0e46d7d9

SHA512
cf6f7b4c5ad3cb6f95b55012bd6fd37135e3b21c13c4667fa7dec38a01a1f2ec4efd77431939492677b1e64609aa4db6266a533818c2ba63f411b550677cf255

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\a0742606.exe

Filesize
384KB

MD5
4a5afd50c7da36a093394877e8ef52b8

SHA1
7f1fb3946d6375e1dbbf1dcc2151655aefdf5563

SHA256
8698efdc9f77179c862ba36fa8a6cb06c8692f31d79cb2fba86579dd0e46d7d9

SHA512
cf6f7b4c5ad3cb6f95b55012bd6fd37135e3b21c13c4667fa7dec38a01a1f2ec4efd77431939492677b1e64609aa4db6266a533818c2ba63f411b550677cf255

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\a0742606.exe

Filesize
384KB

MD5
4a5afd50c7da36a093394877e8ef52b8

SHA1
7f1fb3946d6375e1dbbf1dcc2151655aefdf5563

SHA256
8698efdc9f77179c862ba36fa8a6cb06c8692f31d79cb2fba86579dd0e46d7d9

SHA512
cf6f7b4c5ad3cb6f95b55012bd6fd37135e3b21c13c4667fa7dec38a01a1f2ec4efd77431939492677b1e64609aa4db6266a533818c2ba63f411b550677cf255

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\a0742606.exe

Filesize
384KB

MD5
4a5afd50c7da36a093394877e8ef52b8

SHA1
7f1fb3946d6375e1dbbf1dcc2151655aefdf5563

SHA256
8698efdc9f77179c862ba36fa8a6cb06c8692f31d79cb2fba86579dd0e46d7d9

SHA512
cf6f7b4c5ad3cb6f95b55012bd6fd37135e3b21c13c4667fa7dec38a01a1f2ec4efd77431939492677b1e64609aa4db6266a533818c2ba63f411b550677cf255

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\a0742606.exe

Filesize
384KB

MD5
4a5afd50c7da36a093394877e8ef52b8

SHA1
7f1fb3946d6375e1dbbf1dcc2151655aefdf5563

SHA256
8698efdc9f77179c862ba36fa8a6cb06c8692f31d79cb2fba86579dd0e46d7d9

SHA512
cf6f7b4c5ad3cb6f95b55012bd6fd37135e3b21c13c4667fa7dec38a01a1f2ec4efd77431939492677b1e64609aa4db6266a533818c2ba63f411b550677cf255

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\a0742606.exe

Filesize
384KB

MD5
4a5afd50c7da36a093394877e8ef52b8

SHA1
7f1fb3946d6375e1dbbf1dcc2151655aefdf5563

SHA256
8698efdc9f77179c862ba36fa8a6cb06c8692f31d79cb2fba86579dd0e46d7d9

SHA512
cf6f7b4c5ad3cb6f95b55012bd6fd37135e3b21c13c4667fa7dec38a01a1f2ec4efd77431939492677b1e64609aa4db6266a533818c2ba63f411b550677cf255

Download Submit
memory/2704-22-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/2704-25-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/2704-29-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/2704-27-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/2704-24-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

Filesize
4KB

Download
memory/2704-23-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/2704-21-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/2704-20-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/2704-34-0x0000000000370000-0x0000000000376000-memory.dmp

Filesize
24KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads