redline | 90a8823fdf1ea85a782b2b0ed8190ce9e336c027a9dad8d9179ea3f79fbd5caf

Analysis

max time kernel
191s
max time network
204s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
12/10/2023, 05:26

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

90a8823fdf1ea85a782b2b0ed8190ce9e336c027a9dad8d9179ea3f79fbd5caf.exe
Size

1.0MB
MD5

0b67c547dcdea81b3b844264c70c9fee
SHA1

ce01b9e17da3b7cf3a4bbf274b2bffd2b4421d99
SHA256

90a8823fdf1ea85a782b2b0ed8190ce9e336c027a9dad8d9179ea3f79fbd5caf
SHA512

1b6929cf1694aa45839c5cfc4c4db9bbd1bbe39c13dcf27290daa9356f587db582e5ea8a534465e71405c365bf9b8a1d2176da70662b303f50ee4c2b808c4b6f
SSDEEP

24576:4yJG4kv0euVcuB996NoS+jvHjvlH08lmtkeZ7xYD:/JGLuBdvDtJlS3pxY

Score

10^/10

redline tuxiu infostealer persistence

Malware Config

Extracted

Family

redline

Botnet

tuxiu

77.91.124.82:19071

Attributes

auth_value
29610cdad07e7187eec70685a04b89fe

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 3 IoCs

resource	yara_rule
behavioral2/files/0x00090000000230f9-34.dat	family_redline
behavioral2/files/0x00090000000230f9-35.dat	family_redline
behavioral2/memory/3264-36-0x0000000000060000-0x0000000000090000-memory.dmp	family_redline

Executes dropped EXE 5 IoCs

pid	Process
4568	x3077471.exe
5088	x2224339.exe
4548	x0549279.exe
1084	g2380329.exe
3264	h6943295.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	90a8823fdf1ea85a782b2b0ed8190ce9e336c027a9dad8d9179ea3f79fbd5caf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	x3077471.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	x2224339.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	x0549279.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1084 set thread context of 2620	1084	g2380329.exe	95

Program crash 3 IoCs

pid	pid_target	Process	procid_target
5084	2620	WerFault.exe	95
3776	1084	WerFault.exe	92
2812	2620	WerFault.exe	95

Suspicious use of WriteProcessMemory 28 IoCs

description	pid	Process	procid_target
PID 372 wrote to memory of 4568	372	90a8823fdf1ea85a782b2b0ed8190ce9e336c027a9dad8d9179ea3f79fbd5caf.exe	86
PID 372 wrote to memory of 4568	372	90a8823fdf1ea85a782b2b0ed8190ce9e336c027a9dad8d9179ea3f79fbd5caf.exe	86
PID 372 wrote to memory of 4568	372	90a8823fdf1ea85a782b2b0ed8190ce9e336c027a9dad8d9179ea3f79fbd5caf.exe	86
PID 4568 wrote to memory of 5088	4568	x3077471.exe	89
PID 4568 wrote to memory of 5088	4568	x3077471.exe	89
PID 4568 wrote to memory of 5088	4568	x3077471.exe	89
PID 5088 wrote to memory of 4548	5088	x2224339.exe	90
PID 5088 wrote to memory of 4548	5088	x2224339.exe	90
PID 5088 wrote to memory of 4548	5088	x2224339.exe	90
PID 4548 wrote to memory of 1084	4548	x0549279.exe	92
PID 4548 wrote to memory of 1084	4548	x0549279.exe	92
PID 4548 wrote to memory of 1084	4548	x0549279.exe	92
PID 1084 wrote to memory of 2620	1084	g2380329.exe	95
PID 1084 wrote to memory of 2620	1084	g2380329.exe	95
PID 1084 wrote to memory of 2620	1084	g2380329.exe	95
PID 1084 wrote to memory of 2620	1084	g2380329.exe	95
PID 1084 wrote to memory of 2620	1084	g2380329.exe	95
PID 1084 wrote to memory of 2620	1084	g2380329.exe	95
PID 1084 wrote to memory of 2620	1084	g2380329.exe	95
PID 1084 wrote to memory of 2620	1084	g2380329.exe	95
PID 1084 wrote to memory of 2620	1084	g2380329.exe	95
PID 1084 wrote to memory of 2620	1084	g2380329.exe	95
PID 2620 wrote to memory of 2812	2620	AppLaunch.exe	102
PID 2620 wrote to memory of 2812	2620	AppLaunch.exe	102
PID 2620 wrote to memory of 2812	2620	AppLaunch.exe	102
PID 4548 wrote to memory of 3264	4548	x0549279.exe	104
PID 4548 wrote to memory of 3264	4548	x0549279.exe	104
PID 4548 wrote to memory of 3264	4548	x0549279.exe	104

C:\Users\Admin\AppData\Local\Temp\90a8823fdf1ea85a782b2b0ed8190ce9e336c027a9dad8d9179ea3f79fbd5caf.exe
"C:\Users\Admin\AppData\Local\Temp\90a8823fdf1ea85a782b2b0ed8190ce9e336c027a9dad8d9179ea3f79fbd5caf.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:372
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x3077471.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x3077471.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:4568
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x2224339.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x2224339.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:5088
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\x0549279.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\x0549279.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:4548
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\g2380329.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\g2380329.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:1084
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:2620
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2620 -s 540
        7⤵
        Program crash
        
        PID:5084
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2620 -s 540
        7⤵
        Program crash
        
        PID:2812
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1084 -s 556
        6⤵
        Program crash
        
        PID:3776
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\h6943295.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\h6943295.exe
        5⤵
        Executes dropped EXE
        
        PID:3264

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 2620 -ip 2620
1⤵
PID:4028

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 1084 -ip 1084
1⤵
PID:2044

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x3077471.exe

Filesize
932KB

MD5
decfa896d8aceddd95fa5c527dcd5401

SHA1
ae17e2e0db789cdc65f84f2e8731277108397c70

SHA256
5f8f0366c953f31d8a5ff7f1a8e459ca7dfdacf1cbdbb065d3b49d61d7d18df0

SHA512
32deb9e687ecea359a10939b5d40ec21753b93c22a86052b63b00f6cd69958f1a30d2e68ca7ed819b1ca632a5d90830fff19f0fdbcf3e26bcd6c145953a80819

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x3077471.exe

Filesize
932KB

MD5
decfa896d8aceddd95fa5c527dcd5401

SHA1
ae17e2e0db789cdc65f84f2e8731277108397c70

SHA256
5f8f0366c953f31d8a5ff7f1a8e459ca7dfdacf1cbdbb065d3b49d61d7d18df0

SHA512
32deb9e687ecea359a10939b5d40ec21753b93c22a86052b63b00f6cd69958f1a30d2e68ca7ed819b1ca632a5d90830fff19f0fdbcf3e26bcd6c145953a80819

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x2224339.exe

Filesize
628KB

MD5
490ac71ea9409d6f8222614125fbee97

SHA1
cc4c22fc376132c19be540de717cb1d1bfa0249d

SHA256
99aa8e4422e2071b4d4e67c748ef7aa427760ac36304c472e838594342dafd4e

SHA512
d5dd13cac8d14014703482627ae0b794193cb15d731cc862f2fad05fdbbe71d77418ea05b2dfd9fd82c45941f16517ba19e812dea26fa26a26daf9cb698248cb

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x2224339.exe

Filesize
628KB

MD5
490ac71ea9409d6f8222614125fbee97

SHA1
cc4c22fc376132c19be540de717cb1d1bfa0249d

SHA256
99aa8e4422e2071b4d4e67c748ef7aa427760ac36304c472e838594342dafd4e

SHA512
d5dd13cac8d14014703482627ae0b794193cb15d731cc862f2fad05fdbbe71d77418ea05b2dfd9fd82c45941f16517ba19e812dea26fa26a26daf9cb698248cb

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\x0549279.exe

Filesize
443KB

MD5
d68ba2e138834d12ebc4f6e367baa3c4

SHA1
476711135e439794aca84289087edcbaee970fbd

SHA256
94029a6e316f49ed571f84535db667fa10c77bf7a84f1b5d15f79e8ac8770d51

SHA512
4a63f93864cb68edfd587823399434b1a4c6e9cab5daf441ac27ef61b4add067ebc8bdca85c931b0db546b743f9f96be6aca857a530916f63d2c50a28c43fc81

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\x0549279.exe

Filesize
443KB

MD5
d68ba2e138834d12ebc4f6e367baa3c4

SHA1
476711135e439794aca84289087edcbaee970fbd

SHA256
94029a6e316f49ed571f84535db667fa10c77bf7a84f1b5d15f79e8ac8770d51

SHA512
4a63f93864cb68edfd587823399434b1a4c6e9cab5daf441ac27ef61b4add067ebc8bdca85c931b0db546b743f9f96be6aca857a530916f63d2c50a28c43fc81

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\g2380329.exe

Filesize
700KB

MD5
f0867c3657798c7f339afe9c09761d3d

SHA1
02c26e2ca3cb0f1c85eab088df3fde61a9670c17

SHA256
d5de9c51c105808eb0a242e9c17fc3b44d6f9d441a24fae7c908035fc2f4112a

SHA512
1416de8585cdecb71ab4bae8f7980acec8fe10c51fcd8c4638681cd47d8bc07cab1eadfc0455deffe265ebb8aed463cbe6bb24f23a63e91b163565b05ec0a220

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\g2380329.exe

Filesize
700KB

MD5
f0867c3657798c7f339afe9c09761d3d

SHA1
02c26e2ca3cb0f1c85eab088df3fde61a9670c17

SHA256
d5de9c51c105808eb0a242e9c17fc3b44d6f9d441a24fae7c908035fc2f4112a

SHA512
1416de8585cdecb71ab4bae8f7980acec8fe10c51fcd8c4638681cd47d8bc07cab1eadfc0455deffe265ebb8aed463cbe6bb24f23a63e91b163565b05ec0a220

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\h6943295.exe

Filesize
174KB

MD5
486db9d36433851907b205fea0089235

SHA1
b54712c8ccfb8bbcc26934625ce7ef017efd9aec

SHA256
84a8a3fff4371063db01ddd1f04cdf439d29822f5094a9393dc9b41da39d911b

SHA512
f0c66e548898090ff29e9074f727e67403db79e8d407f87f9d9ffbe2a3e9647344988a1902115bbd82cbb71328fd913bb9ae6162dd6cf658cc1ea03d519b9c55

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\h6943295.exe

Filesize
174KB

MD5
486db9d36433851907b205fea0089235

SHA1
b54712c8ccfb8bbcc26934625ce7ef017efd9aec

SHA256
84a8a3fff4371063db01ddd1f04cdf439d29822f5094a9393dc9b41da39d911b

SHA512
f0c66e548898090ff29e9074f727e67403db79e8d407f87f9d9ffbe2a3e9647344988a1902115bbd82cbb71328fd913bb9ae6162dd6cf658cc1ea03d519b9c55

Download Submit
memory/2620-29-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2620-30-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2620-32-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2620-28-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3264-37-0x00000000734F0000-0x0000000073CA0000-memory.dmp

Filesize
7.7MB

Download
memory/3264-36-0x0000000000060000-0x0000000000090000-memory.dmp

Filesize
192KB

Download
memory/3264-38-0x0000000004AC0000-0x0000000004AC6000-memory.dmp

Filesize
24KB

Download
memory/3264-39-0x00000000734F0000-0x0000000073CA0000-memory.dmp

Filesize
7.7MB

Download
memory/3264-40-0x0000000005270000-0x0000000005888000-memory.dmp

Filesize
6.1MB

Download
memory/3264-41-0x0000000004DB0000-0x0000000004EBA000-memory.dmp

Filesize
1.0MB

Download
memory/3264-42-0x0000000004B00000-0x0000000004B10000-memory.dmp

Filesize
64KB

Download
memory/3264-43-0x0000000004CF0000-0x0000000004D02000-memory.dmp

Filesize
72KB

Download
memory/3264-44-0x0000000004B00000-0x0000000004B10000-memory.dmp

Filesize
64KB

Download
memory/3264-45-0x0000000004B50000-0x0000000004B8C000-memory.dmp

Filesize
240KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads