redline | 719ce53ae8f59243cf658e0503344034fc34bb55c93c0b274aebcc1e2a04ea31

Analysis

max time kernel
166s
max time network
213s
platform
windows7_x64
resource
win7-20230831-en
resource tags

arch:x64arch:x86image:win7-20230831-enlocale:en-usos:windows7-x64system
submitted
12/10/2023, 04:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

719ce53ae8f59243cf658e0503344034fc34bb55c93c0b274aebcc1e2a04ea31.exe
Size

514KB
MD5

11f045680800970ca3dd16dfb37e5f1d
SHA1

4b9969886c5d4e371004f4bbc3d183d5c28c7699
SHA256

719ce53ae8f59243cf658e0503344034fc34bb55c93c0b274aebcc1e2a04ea31
SHA512

942f921448aa6a29565b2350293e886a624ab878930fe96f456daf95801a4087f8193b145144d74d57e08a33f2e71009ffb99da649044746c180b7eb38452b1e
SSDEEP

12288:WMrOy90TJJ204VJ5otYhixnw6O8EbJ27um8tMeiOce+q:MyKJ2fX6Og+6ODbJs58tRisJ

Score

10^/10

redline trush infostealer persistence

Malware Config

Extracted

Family

redline

Botnet

trush

77.91.124.82:19071

Attributes

auth_value
c13814867cde8193679cd0cad2d774be

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Executes dropped EXE 2 IoCs

pid	Process
2344	v8649320.exe
2576	a0187137.exe

Loads dropped DLL 8 IoCs

pid	Process
2632	719ce53ae8f59243cf658e0503344034fc34bb55c93c0b274aebcc1e2a04ea31.exe
2344	v8649320.exe
2344	v8649320.exe
2576	a0187137.exe
2144	WerFault.exe
2144	WerFault.exe
2144	WerFault.exe
2144	WerFault.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	719ce53ae8f59243cf658e0503344034fc34bb55c93c0b274aebcc1e2a04ea31.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	v8649320.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2576 set thread context of 2536	2576	a0187137.exe	31

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2144	2576	WerFault.exe	30

Suspicious use of WriteProcessMemory 33 IoCs

description	pid	Process	procid_target
PID 2632 wrote to memory of 2344	2632	719ce53ae8f59243cf658e0503344034fc34bb55c93c0b274aebcc1e2a04ea31.exe	29
PID 2632 wrote to memory of 2344	2632	719ce53ae8f59243cf658e0503344034fc34bb55c93c0b274aebcc1e2a04ea31.exe	29
PID 2632 wrote to memory of 2344	2632	719ce53ae8f59243cf658e0503344034fc34bb55c93c0b274aebcc1e2a04ea31.exe	29
PID 2632 wrote to memory of 2344	2632	719ce53ae8f59243cf658e0503344034fc34bb55c93c0b274aebcc1e2a04ea31.exe	29
PID 2632 wrote to memory of 2344	2632	719ce53ae8f59243cf658e0503344034fc34bb55c93c0b274aebcc1e2a04ea31.exe	29
PID 2632 wrote to memory of 2344	2632	719ce53ae8f59243cf658e0503344034fc34bb55c93c0b274aebcc1e2a04ea31.exe	29
PID 2632 wrote to memory of 2344	2632	719ce53ae8f59243cf658e0503344034fc34bb55c93c0b274aebcc1e2a04ea31.exe	29
PID 2344 wrote to memory of 2576	2344	v8649320.exe	30
PID 2344 wrote to memory of 2576	2344	v8649320.exe	30
PID 2344 wrote to memory of 2576	2344	v8649320.exe	30
PID 2344 wrote to memory of 2576	2344	v8649320.exe	30
PID 2344 wrote to memory of 2576	2344	v8649320.exe	30
PID 2344 wrote to memory of 2576	2344	v8649320.exe	30
PID 2344 wrote to memory of 2576	2344	v8649320.exe	30
PID 2576 wrote to memory of 2536	2576	a0187137.exe	31
PID 2576 wrote to memory of 2536	2576	a0187137.exe	31
PID 2576 wrote to memory of 2536	2576	a0187137.exe	31
PID 2576 wrote to memory of 2536	2576	a0187137.exe	31
PID 2576 wrote to memory of 2536	2576	a0187137.exe	31
PID 2576 wrote to memory of 2536	2576	a0187137.exe	31
PID 2576 wrote to memory of 2536	2576	a0187137.exe	31
PID 2576 wrote to memory of 2536	2576	a0187137.exe	31
PID 2576 wrote to memory of 2536	2576	a0187137.exe	31
PID 2576 wrote to memory of 2536	2576	a0187137.exe	31
PID 2576 wrote to memory of 2536	2576	a0187137.exe	31
PID 2576 wrote to memory of 2536	2576	a0187137.exe	31
PID 2576 wrote to memory of 2144	2576	a0187137.exe	32
PID 2576 wrote to memory of 2144	2576	a0187137.exe	32
PID 2576 wrote to memory of 2144	2576	a0187137.exe	32
PID 2576 wrote to memory of 2144	2576	a0187137.exe	32
PID 2576 wrote to memory of 2144	2576	a0187137.exe	32
PID 2576 wrote to memory of 2144	2576	a0187137.exe	32
PID 2576 wrote to memory of 2144	2576	a0187137.exe	32

C:\Users\Admin\AppData\Local\Temp\719ce53ae8f59243cf658e0503344034fc34bb55c93c0b274aebcc1e2a04ea31.exe
"C:\Users\Admin\AppData\Local\Temp\719ce53ae8f59243cf658e0503344034fc34bb55c93c0b274aebcc1e2a04ea31.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2632
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v8649320.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v8649320.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:2344
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a0187137.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a0187137.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:2576
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
      4⤵
      PID:2536
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2576 -s 272
      4⤵
      Loads dropped DLL
      Program crash
      PID:2144

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v8649320.exe

Filesize
412KB

MD5
07829f13f11a598efa17a8356430cc09

SHA1
46efb61d78432554e617bb9abc9ae4487d5318ab

SHA256
2f30c99ad745a8c7eccaa284bacef3df95339338302d9a36be5ce4988fcc9603

SHA512
69f52d635386e7d72819262678ce5c68618fa408a71b2d16c6ec5486ecc4132aa1bdd33c82ebc0e95a911c690b44ee725854101540208d3a4dd3abf37861445b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v8649320.exe

Filesize
412KB

MD5
07829f13f11a598efa17a8356430cc09

SHA1
46efb61d78432554e617bb9abc9ae4487d5318ab

SHA256
2f30c99ad745a8c7eccaa284bacef3df95339338302d9a36be5ce4988fcc9603

SHA512
69f52d635386e7d72819262678ce5c68618fa408a71b2d16c6ec5486ecc4132aa1bdd33c82ebc0e95a911c690b44ee725854101540208d3a4dd3abf37861445b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a0187137.exe

Filesize
384KB

MD5
2b419b3eea8654cd1402c683653ff6ad

SHA1
d59bcde3bb513deee8360d593673b1212b082d66

SHA256
0828a5e5252351ffb0c2038ea471e252766dab3df7f40d5e79fc46e35e4d0dac

SHA512
f3ae9e24b37012ce6685b6f87fa5a63125a46e84839c56d49b328987ef381d802c0d0d1797d2e60d18a341a1938694b501568fa60606053df2af1bb98d55a5aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a0187137.exe

Filesize
384KB

MD5
2b419b3eea8654cd1402c683653ff6ad

SHA1
d59bcde3bb513deee8360d593673b1212b082d66

SHA256
0828a5e5252351ffb0c2038ea471e252766dab3df7f40d5e79fc46e35e4d0dac

SHA512
f3ae9e24b37012ce6685b6f87fa5a63125a46e84839c56d49b328987ef381d802c0d0d1797d2e60d18a341a1938694b501568fa60606053df2af1bb98d55a5aa

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\v8649320.exe

Filesize
412KB

MD5
07829f13f11a598efa17a8356430cc09

SHA1
46efb61d78432554e617bb9abc9ae4487d5318ab

SHA256
2f30c99ad745a8c7eccaa284bacef3df95339338302d9a36be5ce4988fcc9603

SHA512
69f52d635386e7d72819262678ce5c68618fa408a71b2d16c6ec5486ecc4132aa1bdd33c82ebc0e95a911c690b44ee725854101540208d3a4dd3abf37861445b

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\v8649320.exe

Filesize
412KB

MD5
07829f13f11a598efa17a8356430cc09

SHA1
46efb61d78432554e617bb9abc9ae4487d5318ab

SHA256
2f30c99ad745a8c7eccaa284bacef3df95339338302d9a36be5ce4988fcc9603

SHA512
69f52d635386e7d72819262678ce5c68618fa408a71b2d16c6ec5486ecc4132aa1bdd33c82ebc0e95a911c690b44ee725854101540208d3a4dd3abf37861445b

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\a0187137.exe

Filesize
384KB

MD5
2b419b3eea8654cd1402c683653ff6ad

SHA1
d59bcde3bb513deee8360d593673b1212b082d66

SHA256
0828a5e5252351ffb0c2038ea471e252766dab3df7f40d5e79fc46e35e4d0dac

SHA512
f3ae9e24b37012ce6685b6f87fa5a63125a46e84839c56d49b328987ef381d802c0d0d1797d2e60d18a341a1938694b501568fa60606053df2af1bb98d55a5aa

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\a0187137.exe

Filesize
384KB

MD5
2b419b3eea8654cd1402c683653ff6ad

SHA1
d59bcde3bb513deee8360d593673b1212b082d66

SHA256
0828a5e5252351ffb0c2038ea471e252766dab3df7f40d5e79fc46e35e4d0dac

SHA512
f3ae9e24b37012ce6685b6f87fa5a63125a46e84839c56d49b328987ef381d802c0d0d1797d2e60d18a341a1938694b501568fa60606053df2af1bb98d55a5aa

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\a0187137.exe

Filesize
384KB

MD5
2b419b3eea8654cd1402c683653ff6ad

SHA1
d59bcde3bb513deee8360d593673b1212b082d66

SHA256
0828a5e5252351ffb0c2038ea471e252766dab3df7f40d5e79fc46e35e4d0dac

SHA512
f3ae9e24b37012ce6685b6f87fa5a63125a46e84839c56d49b328987ef381d802c0d0d1797d2e60d18a341a1938694b501568fa60606053df2af1bb98d55a5aa

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\a0187137.exe

Filesize
384KB

MD5
2b419b3eea8654cd1402c683653ff6ad

SHA1
d59bcde3bb513deee8360d593673b1212b082d66

SHA256
0828a5e5252351ffb0c2038ea471e252766dab3df7f40d5e79fc46e35e4d0dac

SHA512
f3ae9e24b37012ce6685b6f87fa5a63125a46e84839c56d49b328987ef381d802c0d0d1797d2e60d18a341a1938694b501568fa60606053df2af1bb98d55a5aa

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\a0187137.exe

Filesize
384KB

MD5
2b419b3eea8654cd1402c683653ff6ad

SHA1
d59bcde3bb513deee8360d593673b1212b082d66

SHA256
0828a5e5252351ffb0c2038ea471e252766dab3df7f40d5e79fc46e35e4d0dac

SHA512
f3ae9e24b37012ce6685b6f87fa5a63125a46e84839c56d49b328987ef381d802c0d0d1797d2e60d18a341a1938694b501568fa60606053df2af1bb98d55a5aa

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\a0187137.exe

Filesize
384KB

MD5
2b419b3eea8654cd1402c683653ff6ad

SHA1
d59bcde3bb513deee8360d593673b1212b082d66

SHA256
0828a5e5252351ffb0c2038ea471e252766dab3df7f40d5e79fc46e35e4d0dac

SHA512
f3ae9e24b37012ce6685b6f87fa5a63125a46e84839c56d49b328987ef381d802c0d0d1797d2e60d18a341a1938694b501568fa60606053df2af1bb98d55a5aa

Download Submit
memory/2536-22-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/2536-25-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/2536-29-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/2536-27-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/2536-24-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

Filesize
4KB

Download
memory/2536-23-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/2536-21-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/2536-33-0x0000000000230000-0x0000000000236000-memory.dmp

Filesize
24KB

Download
memory/2536-20-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads