redline | e444734f8f846c9730b7f82c8c10194a99b65808332a5e79d915a72bbc39918d

Analysis

max time kernel
152s
max time network
156s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
12/10/2023, 05:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e444734f8f846c9730b7f82c8c10194a99b65808332a5e79d915a72bbc39918d.exe
Size

1.0MB
MD5

439fcdf0f6a214e219fed2b92553901b
SHA1

b1983d9673d740dbbfc423a514848c6122e36cb4
SHA256

e444734f8f846c9730b7f82c8c10194a99b65808332a5e79d915a72bbc39918d
SHA512

b2474bd7309f981893cd72cfb71513963aece92ac402dc75f2c55068ac0810685a60906eb2102f72e3f3f9e26eae4ecced17dd8bb06c25b2e40db8dead2db667
SSDEEP

24576:fyS1oBomKzYteyUO1H3QsmqjNcW+FEso82Y0WNF3Go/:qSWKzgP3PT+EsViWX2

Score

10^/10

redline tuxiu infostealer persistence

Malware Config

Extracted

Family

redline

Botnet

tuxiu

77.91.124.82:19071

Attributes

auth_value
29610cdad07e7187eec70685a04b89fe

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 3 IoCs

resource	yara_rule
behavioral2/files/0x00060000000230c9-34.dat	family_redline
behavioral2/files/0x00060000000230c9-35.dat	family_redline
behavioral2/memory/1512-37-0x0000000000070000-0x00000000000A0000-memory.dmp	family_redline

Executes dropped EXE 5 IoCs

pid	Process
460	x1576986.exe
3108	x6279041.exe
640	x5847399.exe
2128	g8098227.exe
1512	h5349106.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	e444734f8f846c9730b7f82c8c10194a99b65808332a5e79d915a72bbc39918d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	x1576986.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	x6279041.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	x5847399.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2128 set thread context of 3224	2128	g8098227.exe	96

Program crash 2 IoCs

pid	pid_target	Process	procid_target
4828	2128	WerFault.exe	93
4344	3224	WerFault.exe	96

Suspicious use of WriteProcessMemory 28 IoCs

description	pid	Process	procid_target
PID 3876 wrote to memory of 460	3876	e444734f8f846c9730b7f82c8c10194a99b65808332a5e79d915a72bbc39918d.exe	90
PID 3876 wrote to memory of 460	3876	e444734f8f846c9730b7f82c8c10194a99b65808332a5e79d915a72bbc39918d.exe	90
PID 3876 wrote to memory of 460	3876	e444734f8f846c9730b7f82c8c10194a99b65808332a5e79d915a72bbc39918d.exe	90
PID 460 wrote to memory of 3108	460	x1576986.exe	91
PID 460 wrote to memory of 3108	460	x1576986.exe	91
PID 460 wrote to memory of 3108	460	x1576986.exe	91
PID 3108 wrote to memory of 640	3108	x6279041.exe	92
PID 3108 wrote to memory of 640	3108	x6279041.exe	92
PID 3108 wrote to memory of 640	3108	x6279041.exe	92
PID 640 wrote to memory of 2128	640	x5847399.exe	93
PID 640 wrote to memory of 2128	640	x5847399.exe	93
PID 640 wrote to memory of 2128	640	x5847399.exe	93
PID 2128 wrote to memory of 4960	2128	g8098227.exe	95
PID 2128 wrote to memory of 4960	2128	g8098227.exe	95
PID 2128 wrote to memory of 4960	2128	g8098227.exe	95
PID 2128 wrote to memory of 3224	2128	g8098227.exe	96
PID 2128 wrote to memory of 3224	2128	g8098227.exe	96
PID 2128 wrote to memory of 3224	2128	g8098227.exe	96
PID 2128 wrote to memory of 3224	2128	g8098227.exe	96
PID 2128 wrote to memory of 3224	2128	g8098227.exe	96
PID 2128 wrote to memory of 3224	2128	g8098227.exe	96
PID 2128 wrote to memory of 3224	2128	g8098227.exe	96
PID 2128 wrote to memory of 3224	2128	g8098227.exe	96
PID 2128 wrote to memory of 3224	2128	g8098227.exe	96
PID 2128 wrote to memory of 3224	2128	g8098227.exe	96
PID 640 wrote to memory of 1512	640	x5847399.exe	105
PID 640 wrote to memory of 1512	640	x5847399.exe	105
PID 640 wrote to memory of 1512	640	x5847399.exe	105

C:\Users\Admin\AppData\Local\Temp\e444734f8f846c9730b7f82c8c10194a99b65808332a5e79d915a72bbc39918d.exe
"C:\Users\Admin\AppData\Local\Temp\e444734f8f846c9730b7f82c8c10194a99b65808332a5e79d915a72bbc39918d.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3876
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x1576986.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x1576986.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:460
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x6279041.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x6279041.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:3108
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\x5847399.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\x5847399.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:640
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\g8098227.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\g8098227.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:2128
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        6⤵
        
        PID:4960
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        6⤵
        
        PID:3224
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3224 -s 540
        7⤵
        Program crash
        
        PID:4344
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2128 -s 576
        6⤵
        Program crash
        
        PID:4828
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\h5349106.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\h5349106.exe
        5⤵
        Executes dropped EXE
        
        PID:1512

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 2128 -ip 2128
1⤵
PID:1816

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 3224 -ip 3224
1⤵
PID:3012

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x1576986.exe

Filesize
932KB

MD5
a537b60577f41c0a99bd7debadf859ed

SHA1
f7bd3d1e416bedee76e075fa16d436ab1bf02095

SHA256
f44515abd1f50d8273e82b6d3c89f0af704184cb544d26844bee8d6422349cf9

SHA512
b4fa43380e5a2b6705d0b1f088b265c549a99fc31952266246ae7471c528fe60976caf1f83f6e6631b0d5a29a31732ba20641ebc45d67b82aafc5aae1ad53692

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x1576986.exe

Filesize
932KB

MD5
a537b60577f41c0a99bd7debadf859ed

SHA1
f7bd3d1e416bedee76e075fa16d436ab1bf02095

SHA256
f44515abd1f50d8273e82b6d3c89f0af704184cb544d26844bee8d6422349cf9

SHA512
b4fa43380e5a2b6705d0b1f088b265c549a99fc31952266246ae7471c528fe60976caf1f83f6e6631b0d5a29a31732ba20641ebc45d67b82aafc5aae1ad53692

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x6279041.exe

Filesize
628KB

MD5
0302efaa2745cb3e4cecfac917d1f2a3

SHA1
faa664606eff8e174eaed1c046d4ecb301433387

SHA256
408e13bbb1cc981365574bde1b39e30ccfb6f9339162aa2f15907bb37d69a0f2

SHA512
8b255420d53a3052b1955e49b346ea8efaa0e9ae84f6dd27db6fda91b80455c814c5f62c43a8ba450eacbbfabc3309d6fe42df9514659842a291e583ea1532cb

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x6279041.exe

Filesize
628KB

MD5
0302efaa2745cb3e4cecfac917d1f2a3

SHA1
faa664606eff8e174eaed1c046d4ecb301433387

SHA256
408e13bbb1cc981365574bde1b39e30ccfb6f9339162aa2f15907bb37d69a0f2

SHA512
8b255420d53a3052b1955e49b346ea8efaa0e9ae84f6dd27db6fda91b80455c814c5f62c43a8ba450eacbbfabc3309d6fe42df9514659842a291e583ea1532cb

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\x5847399.exe

Filesize
442KB

MD5
f2f05af674f28977b9d0c7bb66087b64

SHA1
250ecd2a98c5117e01a175856805a9655416a74c

SHA256
4e7876416098b0bcbcf841d6a2ebb393b3e3f52969600c27e650b3490534247a

SHA512
8bb2631295f16f3f7d3746e68bbbb6f0b0adb4de6983340e2cb416ae1dd96aa0dcd345d6803d54240c13622dd95c968f00c4ed934f943afae30aa277b636857a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\x5847399.exe

Filesize
442KB

MD5
f2f05af674f28977b9d0c7bb66087b64

SHA1
250ecd2a98c5117e01a175856805a9655416a74c

SHA256
4e7876416098b0bcbcf841d6a2ebb393b3e3f52969600c27e650b3490534247a

SHA512
8bb2631295f16f3f7d3746e68bbbb6f0b0adb4de6983340e2cb416ae1dd96aa0dcd345d6803d54240c13622dd95c968f00c4ed934f943afae30aa277b636857a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\g8098227.exe

Filesize
700KB

MD5
39f83f3772359387845a5289ca51a3d1

SHA1
916b0e47e7852662e812104d2135e4f610d86930

SHA256
f786083e89151afc355d2644f4daa9b0632c33ac91b3068c18c24479f745ce51

SHA512
828509d6c72593200141794b6150801ae988fe6198e632fac743ca3b6380c6059d4fd9f6e70fc2d75a89f59f255a0f929ffbaa778b09be166b073678e821a83d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\g8098227.exe

Filesize
700KB

MD5
39f83f3772359387845a5289ca51a3d1

SHA1
916b0e47e7852662e812104d2135e4f610d86930

SHA256
f786083e89151afc355d2644f4daa9b0632c33ac91b3068c18c24479f745ce51

SHA512
828509d6c72593200141794b6150801ae988fe6198e632fac743ca3b6380c6059d4fd9f6e70fc2d75a89f59f255a0f929ffbaa778b09be166b073678e821a83d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\h5349106.exe

Filesize
174KB

MD5
349ff9d222c5573123bd51de0ddf384c

SHA1
efc28c907f4d960cae18c2e99e54763b1d0ef8e4

SHA256
dcf98f3e5f36ff1da3181e4b8b61cf9a2adaa8fbfaaadf87bda2a971d871129f

SHA512
e683950468ffec847770eac4ca3269143116384410dcc90b1dee4bc817a90672b2b3b2484edd8cde7a08185e9725126250c93d624cc1ace9020755312f1e1ef5

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\h5349106.exe

Filesize
174KB

MD5
349ff9d222c5573123bd51de0ddf384c

SHA1
efc28c907f4d960cae18c2e99e54763b1d0ef8e4

SHA256
dcf98f3e5f36ff1da3181e4b8b61cf9a2adaa8fbfaaadf87bda2a971d871129f

SHA512
e683950468ffec847770eac4ca3269143116384410dcc90b1dee4bc817a90672b2b3b2484edd8cde7a08185e9725126250c93d624cc1ace9020755312f1e1ef5

Download Submit
memory/1512-39-0x000000000A4B0000-0x000000000AAC8000-memory.dmp

Filesize
6.1MB

Download
memory/1512-42-0x0000000009F60000-0x0000000009F72000-memory.dmp

Filesize
72KB

Download
memory/1512-46-0x00000000048C0000-0x00000000048D0000-memory.dmp

Filesize
64KB

Download
memory/1512-45-0x000000000A130000-0x000000000A17C000-memory.dmp

Filesize
304KB

Download
memory/1512-36-0x0000000074920000-0x00000000750D0000-memory.dmp

Filesize
7.7MB

Download
memory/1512-37-0x0000000000070000-0x00000000000A0000-memory.dmp

Filesize
192KB

Download
memory/1512-44-0x0000000074920000-0x00000000750D0000-memory.dmp

Filesize
7.7MB

Download
memory/1512-40-0x000000000A020000-0x000000000A12A000-memory.dmp

Filesize
1.0MB

Download
memory/1512-38-0x0000000002250000-0x0000000002256000-memory.dmp

Filesize
24KB

Download
memory/1512-41-0x00000000048C0000-0x00000000048D0000-memory.dmp

Filesize
64KB

Download
memory/1512-43-0x0000000009FC0000-0x0000000009FFC000-memory.dmp

Filesize
240KB

Download
memory/3224-30-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3224-32-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3224-29-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3224-28-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads