redline | 23e62e4fae5dae34e3d0a51e62e232c7c08e438f3cf769bcf2c362c553287bb6

Analysis

max time kernel
125s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
12/10/2023, 04:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

23e62e4fae5dae34e3d0a51e62e232c7c08e438f3cf769bcf2c362c553287bb6.exe
Size

956KB
MD5

31fd8e589dfe54ad536aaca731464837
SHA1

0672bbd5423629166ec10af4a6146743853eb50f
SHA256

23e62e4fae5dae34e3d0a51e62e232c7c08e438f3cf769bcf2c362c553287bb6
SHA512

89721332708e9801dfda6faf69a230b5ece5cc15a48d573fc7589efe04844f0d41806c3172b2dfcd1ea3645a09e89855e8346745310f938a057704ecc626224f
SSDEEP

24576:gyuTPbU+tkm/RSLsEkPBVOi4rpT94ZTl95E2Wq:naUw9RSTkLcrdKR5ET

Score

10^/10

redline tuxiu infostealer persistence

Malware Config

Extracted

Family

redline

Botnet

tuxiu

77.91.124.82:19071

Attributes

auth_value
29610cdad07e7187eec70685a04b89fe

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 3 IoCs

resource	yara_rule
behavioral2/files/0x0006000000023262-34.dat	family_redline
behavioral2/files/0x0006000000023262-35.dat	family_redline
behavioral2/memory/3360-36-0x0000000000390000-0x00000000003C0000-memory.dmp	family_redline

Executes dropped EXE 5 IoCs

pid	Process
1916	x0145607.exe
5040	x4610526.exe
4788	x5648618.exe
2088	g3042038.exe
3360	h9565734.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	23e62e4fae5dae34e3d0a51e62e232c7c08e438f3cf769bcf2c362c553287bb6.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	x0145607.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	x4610526.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	x5648618.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2088 set thread context of 3660	2088	g3042038.exe	92

Program crash 2 IoCs

pid	pid_target	Process	procid_target
2188	2088	WerFault.exe	88
3272	3660	WerFault.exe	92

Suspicious use of WriteProcessMemory 25 IoCs

description	pid	Process	procid_target
PID 2824 wrote to memory of 1916	2824	23e62e4fae5dae34e3d0a51e62e232c7c08e438f3cf769bcf2c362c553287bb6.exe	85
PID 2824 wrote to memory of 1916	2824	23e62e4fae5dae34e3d0a51e62e232c7c08e438f3cf769bcf2c362c553287bb6.exe	85
PID 2824 wrote to memory of 1916	2824	23e62e4fae5dae34e3d0a51e62e232c7c08e438f3cf769bcf2c362c553287bb6.exe	85
PID 1916 wrote to memory of 5040	1916	x0145607.exe	86
PID 1916 wrote to memory of 5040	1916	x0145607.exe	86
PID 1916 wrote to memory of 5040	1916	x0145607.exe	86
PID 5040 wrote to memory of 4788	5040	x4610526.exe	87
PID 5040 wrote to memory of 4788	5040	x4610526.exe	87
PID 5040 wrote to memory of 4788	5040	x4610526.exe	87
PID 4788 wrote to memory of 2088	4788	x5648618.exe	88
PID 4788 wrote to memory of 2088	4788	x5648618.exe	88
PID 4788 wrote to memory of 2088	4788	x5648618.exe	88
PID 2088 wrote to memory of 3660	2088	g3042038.exe	92
PID 2088 wrote to memory of 3660	2088	g3042038.exe	92
PID 2088 wrote to memory of 3660	2088	g3042038.exe	92
PID 2088 wrote to memory of 3660	2088	g3042038.exe	92
PID 2088 wrote to memory of 3660	2088	g3042038.exe	92
PID 2088 wrote to memory of 3660	2088	g3042038.exe	92
PID 2088 wrote to memory of 3660	2088	g3042038.exe	92
PID 2088 wrote to memory of 3660	2088	g3042038.exe	92
PID 2088 wrote to memory of 3660	2088	g3042038.exe	92
PID 2088 wrote to memory of 3660	2088	g3042038.exe	92
PID 4788 wrote to memory of 3360	4788	x5648618.exe	100
PID 4788 wrote to memory of 3360	4788	x5648618.exe	100
PID 4788 wrote to memory of 3360	4788	x5648618.exe	100

C:\Users\Admin\AppData\Local\Temp\23e62e4fae5dae34e3d0a51e62e232c7c08e438f3cf769bcf2c362c553287bb6.exe
"C:\Users\Admin\AppData\Local\Temp\23e62e4fae5dae34e3d0a51e62e232c7c08e438f3cf769bcf2c362c553287bb6.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2824
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x0145607.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x0145607.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:1916
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x4610526.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x4610526.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:5040
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\x5648618.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\x5648618.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:4788
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\g3042038.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\g3042038.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:2088
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        6⤵
        
        PID:3660
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3660 -s 540
        7⤵
        Program crash
        
        PID:3272
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2088 -s 552
        6⤵
        Program crash
        
        PID:2188
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\h9565734.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\h9565734.exe
        5⤵
        Executes dropped EXE
        
        PID:3360

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 2088 -ip 2088
1⤵
PID:4532

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 3660 -ip 3660
1⤵
PID:2372

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x0145607.exe

Filesize
854KB

MD5
e8a291b6f6b970536019c424935cf889

SHA1
496b61c20479e002a33ce762e80df4b2fe2b6703

SHA256
b5f6a47cd1c02cc8eb5f29e7525feee8ccc75bdb2e9c3b5c16762601e4eb191f

SHA512
13d5c0ed35663d8fe21f124f1e5a309318cb7c352fb46722b2e9a8fc1e971c7cf6df91ad361e15eab7f9d68f8781efbb5487cac161c4035f317c4e14586f2eaf

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x0145607.exe

Filesize
854KB

MD5
e8a291b6f6b970536019c424935cf889

SHA1
496b61c20479e002a33ce762e80df4b2fe2b6703

SHA256
b5f6a47cd1c02cc8eb5f29e7525feee8ccc75bdb2e9c3b5c16762601e4eb191f

SHA512
13d5c0ed35663d8fe21f124f1e5a309318cb7c352fb46722b2e9a8fc1e971c7cf6df91ad361e15eab7f9d68f8781efbb5487cac161c4035f317c4e14586f2eaf

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x4610526.exe

Filesize
590KB

MD5
94a86eff259d9989b0733a4ee9a68a03

SHA1
460f09fcc8e58219bd7241b90c0c5ac07906c67a

SHA256
b32248ce41cc08d315486960028d8c9e83746bb2ba2668367f9aa07cd91cda66

SHA512
20a74d1f11986144481fb0ee3431e100de04560568fc912089e25ef58ca93ce81167a391c5173b7e2c2b572eac3f5c7d471bccb8abcd2e5ce829017d6d56f08f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x4610526.exe

Filesize
590KB

MD5
94a86eff259d9989b0733a4ee9a68a03

SHA1
460f09fcc8e58219bd7241b90c0c5ac07906c67a

SHA256
b32248ce41cc08d315486960028d8c9e83746bb2ba2668367f9aa07cd91cda66

SHA512
20a74d1f11986144481fb0ee3431e100de04560568fc912089e25ef58ca93ce81167a391c5173b7e2c2b572eac3f5c7d471bccb8abcd2e5ce829017d6d56f08f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\x5648618.exe

Filesize
404KB

MD5
1beda0446c6d5f0cc76ec27314a5bdd8

SHA1
db592939c6301bb9c5a8d0463b0b890bd89d5508

SHA256
c76bfbce421933f3b095c47fb8f064d856a4133055432a9cc222129f5c76721e

SHA512
f41bf248e44b2271a19aea956d034a169a57fc2159da65223b23380d8119294cddb4e5ef9466347a5b5983858bd17fe57b4f2cbf77f468b5eec0465d54fe28bd

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\x5648618.exe

Filesize
404KB

MD5
1beda0446c6d5f0cc76ec27314a5bdd8

SHA1
db592939c6301bb9c5a8d0463b0b890bd89d5508

SHA256
c76bfbce421933f3b095c47fb8f064d856a4133055432a9cc222129f5c76721e

SHA512
f41bf248e44b2271a19aea956d034a169a57fc2159da65223b23380d8119294cddb4e5ef9466347a5b5983858bd17fe57b4f2cbf77f468b5eec0465d54fe28bd

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\g3042038.exe

Filesize
378KB

MD5
7f0afe443fe72639ebbfb5b969acf7e1

SHA1
b9b2f5eb06b79b30ba2881e73ba415886386ce30

SHA256
925a3d75c6ef346eaac61f9b5adcd92af50431e101895b7f0d87e2db9884ba06

SHA512
0586a03a115756a9569a6efe3fbd87433f041110a19e1e2b586e1e90921ca5b451a886f82ef52f90460809cbad4a7aede66a802455b24f60e46ef5d6d5642ba9

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\g3042038.exe

Filesize
378KB

MD5
7f0afe443fe72639ebbfb5b969acf7e1

SHA1
b9b2f5eb06b79b30ba2881e73ba415886386ce30

SHA256
925a3d75c6ef346eaac61f9b5adcd92af50431e101895b7f0d87e2db9884ba06

SHA512
0586a03a115756a9569a6efe3fbd87433f041110a19e1e2b586e1e90921ca5b451a886f82ef52f90460809cbad4a7aede66a802455b24f60e46ef5d6d5642ba9

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\h9565734.exe

Filesize
174KB

MD5
c4f7e1ebaa453b1432ebcf980fe7218e

SHA1
668e3a868a6f8f057d0c24880e79986b59664f8d

SHA256
583114f72468e1559aaff4019e862a76bcf84af6a9493ddecd5f4d2ccbd3f8eb

SHA512
e3d9fd7463d29cf7fe21d43c592680e8a348777386527ee435b98c531ec2dded9f7965758d84c89d72ff7392b895b5f416fc0810612c5300b7cda63d802f9bb3

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\h9565734.exe

Filesize
174KB

MD5
c4f7e1ebaa453b1432ebcf980fe7218e

SHA1
668e3a868a6f8f057d0c24880e79986b59664f8d

SHA256
583114f72468e1559aaff4019e862a76bcf84af6a9493ddecd5f4d2ccbd3f8eb

SHA512
e3d9fd7463d29cf7fe21d43c592680e8a348777386527ee435b98c531ec2dded9f7965758d84c89d72ff7392b895b5f416fc0810612c5300b7cda63d802f9bb3

Download Submit
memory/3360-39-0x000000000A6F0000-0x000000000AD08000-memory.dmp

Filesize
6.1MB

Download
memory/3360-42-0x0000000004D40000-0x0000000004D50000-memory.dmp

Filesize
64KB

Download
memory/3360-46-0x0000000004D40000-0x0000000004D50000-memory.dmp

Filesize
64KB

Download
memory/3360-45-0x0000000074160000-0x0000000074910000-memory.dmp

Filesize
7.7MB

Download
memory/3360-36-0x0000000000390000-0x00000000003C0000-memory.dmp

Filesize
192KB

Download
memory/3360-37-0x0000000074160000-0x0000000074910000-memory.dmp

Filesize
7.7MB

Download
memory/3360-44-0x000000000A310000-0x000000000A35C000-memory.dmp

Filesize
304KB

Download
memory/3360-40-0x000000000A200000-0x000000000A30A000-memory.dmp

Filesize
1.0MB

Download
memory/3360-38-0x00000000025D0000-0x00000000025D6000-memory.dmp

Filesize
24KB

Download
memory/3360-41-0x000000000A140000-0x000000000A152000-memory.dmp

Filesize
72KB

Download
memory/3360-43-0x000000000A1A0000-0x000000000A1DC000-memory.dmp

Filesize
240KB

Download
memory/3660-29-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3660-32-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3660-30-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3660-28-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads