Analysis
- max time kernel: 125s
- max time network: 148s
- platform: windows10-2004_x64
- resource: win10v2004-20230915-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20230915-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 12/10/2023, 04:13
Static task: static1
Behavioral task: behavioral1
- Sample: 23e62e4fae5dae34e3d0a51e62e232c7c08e438f3cf769bcf2c362c553287bb6.exe
- Resource: win7-20230831-en
Behavioral task: behavioral2
- Sample: 23e62e4fae5dae34e3d0a51e62e232c7c08e438f3cf769bcf2c362c553287bb6.exe
- Resource: win10v2004-20230915-en
General
- Target: 23e62e4fae5dae34e3d0a51e62e232c7c08e438f3cf769bcf2c362c553287bb6.exe
- Size: 956KB
- MD5: 31fd8e589dfe54ad536aaca731464837
- SHA1: 0672bbd5423629166ec10af4a6146743853eb50f
- SHA256: 23e62e4fae5dae34e3d0a51e62e232c7c08e438f3cf769bcf2c362c553287bb6
- SHA512: 89721332708e9801dfda6faf69a230b5ece5cc15a48d573fc7589efe04844f0d41806c3172b2dfcd1ea3645a09e89855e8346745310f938a057704ecc626224f
- SSDEEP: 24576:gyuTPbU+tkm/RSLsEkPBVOi4rpT94ZTl95E2Wq:naUw9RSTkLcrdKR5ET
Malware Config
Extracted
- Family: redline
- Botnet: tuxiu
- C2: 77.91.124.82:19071
- auth_value: 29610cdad07e7187eec70685a04b89fe
Signatures
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
- RedLine payload (3 IoCs)
  resource | yara_rule
  behavioral2/files/0x0006000000023262-34.dat | family_redline
  behavioral2/files/0x0006000000023262-35.dat | family_redline
  behavioral2/memory/3360-36-0x0000000000390000-0x00000000003C0000-memory.dmp | family_redline
- Executes dropped EXE (5 IoCs)
  pid | Process
  1916 | x0145607.exe
  5040 | x4610526.exe
  4788 | x5648618.exe
  2088 | g3042038.exe
  3360 | h9565734.exe
- Adds Run key to start application (2 TTPs, 4 IoCs)
  description | ioc | Process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | 23e62e4fae5dae34e3d0a51e62e232c7c08e438f3cf769bcf2c362c553287bb6.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | x0145607.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" | x4610526.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" | x5648618.exe
- Suspicious use of SetThreadContext (1 IoC)
  description | pid | Process | procid_target
  PID 2088 set thread context of 3660 | 2088 | g3042038.exe | 92
- Program crash (2 IoCs)
  pid | pid_target | Process | procid_target
  2188 | 2088 | WerFault.exe | 88
  3272 | 3660 | WerFault.exe | 92
- Suspicious use of WriteProcessMemory (25 IoCs)
  description | pid | Process | procid_target
  PID 2824 wrote to memory of 1916 | 2824 | 23e62e4fae5dae34e3d0a51e62e232c7c08e438f3cf769bcf2c362c553287bb6.exe | 85
  PID 2824 wrote to memory of 1916 | 2824 | 23e62e4fae5dae34e3d0a51e62e232c7c08e438f3cf769bcf2c362c553287bb6.exe | 85
  PID 2824 wrote to memory of 1916 | 2824 | 23e62e4fae5dae34e3d0a51e62e232c7c08e438f3cf769bcf2c362c553287bb6.exe | 85
  PID 1916 wrote to memory of 5040 | 1916 | x0145607.exe | 86
  PID 1916 wrote to memory of 5040 | 1916 | x0145607.exe | 86
  PID 1916 wrote to memory of 5040 | 1916 | x0145607.exe | 86
  PID 5040 wrote to memory of 4788 | 5040 | x4610526.exe | 87
  PID 5040 wrote to memory of 4788 | 5040 | x4610526.exe | 87
  PID 5040 wrote to memory of 4788 | 5040 | x4610526.exe | 87
  PID 4788 wrote to memory of 2088 | 4788 | x5648618.exe | 88
  PID 4788 wrote to memory of 2088 | 4788 | x5648618.exe | 88
  PID 4788 wrote to memory of 2088 | 4788 | x5648618.exe | 88
  PID 2088 wrote to memory of 3660 | 2088 | g3042038.exe | 92
  PID 2088 wrote to memory of 3660 | 2088 | g3042038.exe | 92
  PID 2088 wrote to memory of 3660 | 2088 | g3042038.exe | 92
  PID 2088 wrote to memory of 3660 | 2088 | g3042038.exe | 92
  PID 2088 wrote to memory of 3660 | 2088 | g3042038.exe | 92
  PID 2088 wrote to memory of 3660 | 2088 | g3042038.exe | 92
  PID 2088 wrote to memory of 3660 | 2088 | g3042038.exe | 92
  PID 2088 wrote to memory of 3660 | 2088 | g3042038.exe | 92
  PID 2088 wrote to memory of 3660 | 2088 | g3042038.exe | 92
  PID 2088 wrote to memory of 3660 | 2088 | g3042038.exe | 92
  PID 4788 wrote to memory of 3360 | 4788 | x5648618.exe | 100
  PID 4788 wrote to memory of 3360 | 4788 | x5648618.exe | 100
  PID 4788 wrote to memory of 3360 | 4788 | x5648618.exe | 100
Processes
- C:\Users\Admin\AppData\Local\Temp\23e62e4fae5dae34e3d0a51e62e232c7c08e438f3cf769bcf2c362c553287bb6.exe (PID 2824)
  Command line: "C:\Users\Admin\AppData\Local\Temp\23e62e4fae5dae34e3d0a51e62e232c7c08e438f3cf769bcf2c362c553287bb6.exe"
  Signatures: Adds Run key to start application; Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x0145607.exe (PID 1916)
    Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x0145607.exe
    Signatures: Executes dropped EXE; Adds Run key to start application; Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x4610526.exe (PID 5040)
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x4610526.exe
      Signatures: Executes dropped EXE; Adds Run key to start application; Suspicious use of WriteProcessMemory
      - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\x5648618.exe (PID 4788)
        Command line: C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\x5648618.exe
        Signatures: Executes dropped EXE; Adds Run key to start application; Suspicious use of WriteProcessMemory
        - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\g3042038.exe (PID 2088)
          Command line: C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\g3042038.exe
          Signatures: Executes dropped EXE; Suspicious use of SetThreadContext; Suspicious use of WriteProcessMemory
          - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe (PID 3660)
            Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
            - C:\Windows\SysWOW64\WerFault.exe (PID 3272)
              Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3660 -s 540
              Signatures: Program crash
          - C:\Windows\SysWOW64\WerFault.exe (PID 2188)
            Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2088 -s 552
            Signatures: Program crash
        - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\h9565734.exe (PID 3360)
          Command line: C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\h9565734.exe
          Signatures: Executes dropped EXE
- C:\Windows\SysWOW64\WerFault.exe (PID 4532)
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 2088 -ip 2088
- C:\Windows\SysWOW64\WerFault.exe (PID 2372)
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 3660 -ip 3660
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 854KB
  MD5: e8a291b6f6b970536019c424935cf889
  SHA1: 496b61c20479e002a33ce762e80df4b2fe2b6703
  SHA256: b5f6a47cd1c02cc8eb5f29e7525feee8ccc75bdb2e9c3b5c16762601e4eb191f
  SHA512: 13d5c0ed35663d8fe21f124f1e5a309318cb7c352fb46722b2e9a8fc1e971c7cf6df91ad361e15eab7f9d68f8781efbb5487cac161c4035f317c4e14586f2eaf
- Filesize: 590KB
  MD5: 94a86eff259d9989b0733a4ee9a68a03
  SHA1: 460f09fcc8e58219bd7241b90c0c5ac07906c67a
  SHA256: b32248ce41cc08d315486960028d8c9e83746bb2ba2668367f9aa07cd91cda66
  SHA512: 20a74d1f11986144481fb0ee3431e100de04560568fc912089e25ef58ca93ce81167a391c5173b7e2c2b572eac3f5c7d471bccb8abcd2e5ce829017d6d56f08f
- Filesize: 404KB
  MD5: 1beda0446c6d5f0cc76ec27314a5bdd8
  SHA1: db592939c6301bb9c5a8d0463b0b890bd89d5508
  SHA256: c76bfbce421933f3b095c47fb8f064d856a4133055432a9cc222129f5c76721e
  SHA512: f41bf248e44b2271a19aea956d034a169a57fc2159da65223b23380d8119294cddb4e5ef9466347a5b5983858bd17fe57b4f2cbf77f468b5eec0465d54fe28bd
- Filesize: 378KB
  MD5: 7f0afe443fe72639ebbfb5b969acf7e1
  SHA1: b9b2f5eb06b79b30ba2881e73ba415886386ce30
  SHA256: 925a3d75c6ef346eaac61f9b5adcd92af50431e101895b7f0d87e2db9884ba06
  SHA512: 0586a03a115756a9569a6efe3fbd87433f041110a19e1e2b586e1e90921ca5b451a886f82ef52f90460809cbad4a7aede66a802455b24f60e46ef5d6d5642ba9
- Filesize: 174KB
  MD5: c4f7e1ebaa453b1432ebcf980fe7218e
  SHA1: 668e3a868a6f8f057d0c24880e79986b59664f8d
  SHA256: 583114f72468e1559aaff4019e862a76bcf84af6a9493ddecd5f4d2ccbd3f8eb
  SHA512: e3d9fd7463d29cf7fe21d43c592680e8a348777386527ee435b98c531ec2dded9f7965758d84c89d72ff7392b895b5f416fc0810612c5300b7cda63d802f9bb3