redline | 181932d74de0449ae379c936cff8b71e1d7d0088375368420a8597f9156b8224

Analysis

max time kernel
143s
max time network
157s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
12/10/2023, 04:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

181932d74de0449ae379c936cff8b71e1d7d0088375368420a8597f9156b8224.exe
Size

514KB
MD5

0992fa8612af49d53e65a0a26507865a
SHA1

ef8fbd69b318a9e4214fffc35043a2a185ec284a
SHA256

181932d74de0449ae379c936cff8b71e1d7d0088375368420a8597f9156b8224
SHA512

36b6a7488c0e95c0b768139ccf16d98ac132ca64b0d0b30c676307eba81193b4e0239f19d1f33c5ec60e041bfce855b7ff37ab8e1323124dc4f5e05ee5de0976
SSDEEP

12288:aMrIy90/ckiJ4Gr3tfZQ3bnYjl0lSqqEF:2yh5JJtfZEjYql9D

Score

10^/10

redline trush infostealer persistence

Malware Config

Extracted

Family

redline

Botnet

trush

77.91.124.82:19071

Attributes

auth_value
c13814867cde8193679cd0cad2d774be

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Executes dropped EXE 4 IoCs

pid	Process
4512	v6024092.exe
4056	a0742606.exe
3300	b8448113.exe
4868	c3093631.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	181932d74de0449ae379c936cff8b71e1d7d0088375368420a8597f9156b8224.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	v6024092.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 4056 set thread context of 3732	4056	a0742606.exe	88
PID 3300 set thread context of 4620	3300	b8448113.exe	98

Program crash 3 IoCs

pid	pid_target	Process	procid_target
4836	4056	WerFault.exe	84
3776	3300	WerFault.exe	95
2232	4620	WerFault.exe	98

Suspicious use of WriteProcessMemory 30 IoCs

description	pid	Process	procid_target
PID 3132 wrote to memory of 4512	3132	181932d74de0449ae379c936cff8b71e1d7d0088375368420a8597f9156b8224.exe	82
PID 3132 wrote to memory of 4512	3132	181932d74de0449ae379c936cff8b71e1d7d0088375368420a8597f9156b8224.exe	82
PID 3132 wrote to memory of 4512	3132	181932d74de0449ae379c936cff8b71e1d7d0088375368420a8597f9156b8224.exe	82
PID 4512 wrote to memory of 4056	4512	v6024092.exe	84
PID 4512 wrote to memory of 4056	4512	v6024092.exe	84
PID 4512 wrote to memory of 4056	4512	v6024092.exe	84
PID 4056 wrote to memory of 3732	4056	a0742606.exe	88
PID 4056 wrote to memory of 3732	4056	a0742606.exe	88
PID 4056 wrote to memory of 3732	4056	a0742606.exe	88
PID 4056 wrote to memory of 3732	4056	a0742606.exe	88
PID 4056 wrote to memory of 3732	4056	a0742606.exe	88
PID 4056 wrote to memory of 3732	4056	a0742606.exe	88
PID 4056 wrote to memory of 3732	4056	a0742606.exe	88
PID 4056 wrote to memory of 3732	4056	a0742606.exe	88
PID 4512 wrote to memory of 3300	4512	v6024092.exe	95
PID 4512 wrote to memory of 3300	4512	v6024092.exe	95
PID 4512 wrote to memory of 3300	4512	v6024092.exe	95
PID 3300 wrote to memory of 4620	3300	b8448113.exe	98
PID 3300 wrote to memory of 4620	3300	b8448113.exe	98
PID 3300 wrote to memory of 4620	3300	b8448113.exe	98
PID 3300 wrote to memory of 4620	3300	b8448113.exe	98
PID 3300 wrote to memory of 4620	3300	b8448113.exe	98
PID 3300 wrote to memory of 4620	3300	b8448113.exe	98
PID 3300 wrote to memory of 4620	3300	b8448113.exe	98
PID 3300 wrote to memory of 4620	3300	b8448113.exe	98
PID 3300 wrote to memory of 4620	3300	b8448113.exe	98
PID 3300 wrote to memory of 4620	3300	b8448113.exe	98
PID 3132 wrote to memory of 4868	3132	181932d74de0449ae379c936cff8b71e1d7d0088375368420a8597f9156b8224.exe	103
PID 3132 wrote to memory of 4868	3132	181932d74de0449ae379c936cff8b71e1d7d0088375368420a8597f9156b8224.exe	103
PID 3132 wrote to memory of 4868	3132	181932d74de0449ae379c936cff8b71e1d7d0088375368420a8597f9156b8224.exe	103

C:\Users\Admin\AppData\Local\Temp\181932d74de0449ae379c936cff8b71e1d7d0088375368420a8597f9156b8224.exe
"C:\Users\Admin\AppData\Local\Temp\181932d74de0449ae379c936cff8b71e1d7d0088375368420a8597f9156b8224.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3132
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v6024092.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v6024092.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:4512
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a0742606.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a0742606.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:4056
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
      4⤵
      PID:3732
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4056 -s 572
      4⤵
      Program crash
      PID:4836
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\b8448113.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\b8448113.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:3300
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
      4⤵
      PID:4620
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4620 -s 196
        5⤵
        Program crash
        
        PID:2232
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3300 -s 580
      4⤵
      Program crash
      PID:3776
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\c3093631.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\c3093631.exe
  2⤵
  - Executes dropped EXE
  PID:4868

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 4056 -ip 4056
1⤵
PID:1188

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 3300 -ip 3300
1⤵
PID:1728

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 4620 -ip 4620
1⤵
PID:3840

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\c3093631.exe

Filesize
19KB

MD5
57936d1d4de3d25378a1910a47cdf1a9

SHA1
ed56a97e30888bfec6a88e69fb6573a5f09a0ac0

SHA256
8dcd3545a7ebfd488d3f07c3f3dcd6b737cea06f8e0a53cf2b6c56f3558b58a1

SHA512
3e1c477bd458b654eb8e6d189c7c22aae225562aa06f1e151efc72ea86d98cdc35e3d44025fbdb2627fea412c8e5d4bb376d4116b2d8447cf634a0f3b64b7ec2

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\c3093631.exe

Filesize
19KB

MD5
57936d1d4de3d25378a1910a47cdf1a9

SHA1
ed56a97e30888bfec6a88e69fb6573a5f09a0ac0

SHA256
8dcd3545a7ebfd488d3f07c3f3dcd6b737cea06f8e0a53cf2b6c56f3558b58a1

SHA512
3e1c477bd458b654eb8e6d189c7c22aae225562aa06f1e151efc72ea86d98cdc35e3d44025fbdb2627fea412c8e5d4bb376d4116b2d8447cf634a0f3b64b7ec2

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v6024092.exe

Filesize
413KB

MD5
409eb0b9118e2550d1f5972df8e881c5

SHA1
0071797ad5ec31ed37b16aabc397746d5f075b7a

SHA256
aac9f1759c3dca327221fc5897375e8ea62a450742ee1e2584462a0158741eef

SHA512
6d9e113735e23676e0707c9d1f308c009f31ebef32d4ea233fede06dd5c13d9087dcef6f9b73b4a31626fa4b7fea08bbcc3ebecaf535acf1de1819cc1c3585a1

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v6024092.exe

Filesize
413KB

MD5
409eb0b9118e2550d1f5972df8e881c5

SHA1
0071797ad5ec31ed37b16aabc397746d5f075b7a

SHA256
aac9f1759c3dca327221fc5897375e8ea62a450742ee1e2584462a0158741eef

SHA512
6d9e113735e23676e0707c9d1f308c009f31ebef32d4ea233fede06dd5c13d9087dcef6f9b73b4a31626fa4b7fea08bbcc3ebecaf535acf1de1819cc1c3585a1

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a0742606.exe

Filesize
384KB

MD5
4a5afd50c7da36a093394877e8ef52b8

SHA1
7f1fb3946d6375e1dbbf1dcc2151655aefdf5563

SHA256
8698efdc9f77179c862ba36fa8a6cb06c8692f31d79cb2fba86579dd0e46d7d9

SHA512
cf6f7b4c5ad3cb6f95b55012bd6fd37135e3b21c13c4667fa7dec38a01a1f2ec4efd77431939492677b1e64609aa4db6266a533818c2ba63f411b550677cf255

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a0742606.exe

Filesize
384KB

MD5
4a5afd50c7da36a093394877e8ef52b8

SHA1
7f1fb3946d6375e1dbbf1dcc2151655aefdf5563

SHA256
8698efdc9f77179c862ba36fa8a6cb06c8692f31d79cb2fba86579dd0e46d7d9

SHA512
cf6f7b4c5ad3cb6f95b55012bd6fd37135e3b21c13c4667fa7dec38a01a1f2ec4efd77431939492677b1e64609aa4db6266a533818c2ba63f411b550677cf255

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\b8448113.exe

Filesize
378KB

MD5
f8f742fc0ab071d0a7a6fb9af3b42f58

SHA1
b8ef8820176459431e537cb438b22aeb0ac2167a

SHA256
397bd2db2a66bd254bf19b617387a27f9fb1092bbebc0cf2b65ed68f6f56dc55

SHA512
67e986abf86368ea41415b58eb4afb582b82cc6f415582921f2f8da7cbc9bf1e18dbfa60cd4c1cfb18457af88b04b4e935f061c92362ddc96751512c39dd7891

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\b8448113.exe

Filesize
378KB

MD5
f8f742fc0ab071d0a7a6fb9af3b42f58

SHA1
b8ef8820176459431e537cb438b22aeb0ac2167a

SHA256
397bd2db2a66bd254bf19b617387a27f9fb1092bbebc0cf2b65ed68f6f56dc55

SHA512
67e986abf86368ea41415b58eb4afb582b82cc6f415582921f2f8da7cbc9bf1e18dbfa60cd4c1cfb18457af88b04b4e935f061c92362ddc96751512c39dd7891

Download Submit
memory/3732-20-0x0000000005330000-0x0000000005342000-memory.dmp

Filesize
72KB

Download
memory/3732-15-0x00000000744F0000-0x0000000074CA0000-memory.dmp

Filesize
7.7MB

Download
memory/3732-18-0x00000000055A0000-0x00000000056AA000-memory.dmp

Filesize
1.0MB

Download
memory/3732-17-0x0000000005AB0000-0x00000000060C8000-memory.dmp

Filesize
6.1MB

Download
memory/3732-16-0x0000000005290000-0x0000000005296000-memory.dmp

Filesize
24KB

Download
memory/3732-24-0x00000000054D0000-0x000000000550C000-memory.dmp

Filesize
240KB

Download
memory/3732-25-0x0000000005510000-0x000000000555C000-memory.dmp

Filesize
304KB

Download
memory/3732-19-0x0000000005380000-0x0000000005390000-memory.dmp

Filesize
64KB

Download
memory/3732-35-0x0000000005380000-0x0000000005390000-memory.dmp

Filesize
64KB

Download
memory/3732-34-0x00000000744F0000-0x0000000074CA0000-memory.dmp

Filesize
7.7MB

Download
memory/3732-14-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/4620-26-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4620-30-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4620-28-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4620-27-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads