Analysis
- max time kernel: 152s
- max time network: 156s
- platform: windows10-2004_x64
- resource: win10v2004-20230915-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20230915-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 12/10/2023, 05:29
Static task: static1

Behavioral task: behavioral1
- Sample: e444734f8f846c9730b7f82c8c10194a99b65808332a5e79d915a72bbc39918d.exe
- Resource: win7-20230831-en

Behavioral task: behavioral2
- Sample: e444734f8f846c9730b7f82c8c10194a99b65808332a5e79d915a72bbc39918d.exe
- Resource: win10v2004-20230915-en
General
- Target: e444734f8f846c9730b7f82c8c10194a99b65808332a5e79d915a72bbc39918d.exe
- Size: 1.0MB
- MD5: 439fcdf0f6a214e219fed2b92553901b
- SHA1: b1983d9673d740dbbfc423a514848c6122e36cb4
- SHA256: e444734f8f846c9730b7f82c8c10194a99b65808332a5e79d915a72bbc39918d
- SHA512: b2474bd7309f981893cd72cfb71513963aece92ac402dc75f2c55068ac0810685a60906eb2102f72e3f3f9e26eae4ecced17dd8bb06c25b2e40db8dead2db667
- SSDEEP: 24576:fyS1oBomKzYteyUO1H3QsmqjNcW+FEso82Y0WNF3Go/:qSWKzgP3PT+EsViWX2
Malware Config
Extracted
- Family: redline
- Botnet: tuxiu
- C2: 77.91.124.82:19071
- auth_value: 29610cdad07e7187eec70685a04b89fe
Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.

RedLine payload (3 IoCs)
  resource                                                                     yara_rule
  behavioral2/files/0x00060000000230c9-34.dat                                  family_redline
  behavioral2/files/0x00060000000230c9-35.dat                                  family_redline
  behavioral2/memory/1512-37-0x0000000000070000-0x00000000000A0000-memory.dmp  family_redline
Executes dropped EXE (5 IoCs)
  pid   Process
  460   x1576986.exe
  3108  x6279041.exe
  640   x5847399.exe
  2128  g8098227.exe
  1512  h5349106.exe
Adds Run key to start application (2 TTPs, 4 IoCs)
- description: Set value (str)
  ioc: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""
  Process: e444734f8f846c9730b7f82c8c10194a99b65808332a5e79d915a72bbc39918d.exe
- description: Set value (str)
  ioc: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""
  Process: x1576986.exe
- description: Set value (str)
  ioc: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""
  Process: x6279041.exe
- description: Set value (str)
  ioc: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""
  Process: x5847399.exe
Suspicious use of SetThreadContext (1 IoC)
  description                          pid   Process       procid_target
  PID 2128 set thread context of 3224  2128  g8098227.exe  96
Program crash (2 IoCs)
  pid   pid_target  Process       procid_target
  4828  2128        WerFault.exe  93
  4344  3224        WerFault.exe  96
Suspicious use of WriteProcessMemory (28 IoCs)
  description                       pid   Process                                                                   procid_target  occurrences
  PID 3876 wrote to memory of 460   3876  e444734f8f846c9730b7f82c8c10194a99b65808332a5e79d915a72bbc39918d.exe  90             3
  PID 460 wrote to memory of 3108   460   x1576986.exe                                                              91             3
  PID 3108 wrote to memory of 640   3108  x6279041.exe                                                              92             3
  PID 640 wrote to memory of 2128   640   x5847399.exe                                                              93             3
  PID 2128 wrote to memory of 4960  2128  g8098227.exe                                                              95             3
  PID 2128 wrote to memory of 3224  2128  g8098227.exe                                                              96             10
  PID 640 wrote to memory of 1512   640   x5847399.exe                                                              105            3
Processes (indentation shows the parent/child relationship)

C:\Users\Admin\AppData\Local\Temp\e444734f8f846c9730b7f82c8c10194a99b65808332a5e79d915a72bbc39918d.exe  (PID 3876)
    cmdline: "C:\Users\Admin\AppData\Local\Temp\e444734f8f846c9730b7f82c8c10194a99b65808332a5e79d915a72bbc39918d.exe"
    signatures: Adds Run key to start application; Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x1576986.exe  (PID 460)
        cmdline: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x1576986.exe
        signatures: Executes dropped EXE; Adds Run key to start application; Suspicious use of WriteProcessMemory
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x6279041.exe  (PID 3108)
            cmdline: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x6279041.exe
            signatures: Executes dropped EXE; Adds Run key to start application; Suspicious use of WriteProcessMemory
            C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\x5847399.exe  (PID 640)
                cmdline: C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\x5847399.exe
                signatures: Executes dropped EXE; Adds Run key to start application; Suspicious use of WriteProcessMemory
                C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\g8098227.exe  (PID 2128)
                    cmdline: C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\g8098227.exe
                    signatures: Executes dropped EXE; Suspicious use of SetThreadContext; Suspicious use of WriteProcessMemory
                    C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe  (PID 4960)
                        cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
                    C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe  (PID 3224)
                        cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
                        C:\Windows\SysWOW64\WerFault.exe  (PID 4344)
                            cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 3224 -s 540
                            signatures: Program crash
                    C:\Windows\SysWOW64\WerFault.exe  (PID 4828)
                        cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 2128 -s 576
                        signatures: Program crash
                C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\h5349106.exe  (PID 1512)
                    cmdline: C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\h5349106.exe
                    signatures: Executes dropped EXE

C:\Windows\SysWOW64\WerFault.exe  (PID 1816)
    cmdline: C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 2128 -ip 2128

C:\Windows\SysWOW64\WerFault.exe  (PID 3012)
    cmdline: C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 3224 -ip 3224
Network
MITRE ATT&CK Enterprise v15
Downloads

- Filesize: 932KB
  MD5: a537b60577f41c0a99bd7debadf859ed
  SHA1: f7bd3d1e416bedee76e075fa16d436ab1bf02095
  SHA256: f44515abd1f50d8273e82b6d3c89f0af704184cb544d26844bee8d6422349cf9
  SHA512: b4fa43380e5a2b6705d0b1f088b265c549a99fc31952266246ae7471c528fe60976caf1f83f6e6631b0d5a29a31732ba20641ebc45d67b82aafc5aae1ad53692

- Filesize: 628KB
  MD5: 0302efaa2745cb3e4cecfac917d1f2a3
  SHA1: faa664606eff8e174eaed1c046d4ecb301433387
  SHA256: 408e13bbb1cc981365574bde1b39e30ccfb6f9339162aa2f15907bb37d69a0f2
  SHA512: 8b255420d53a3052b1955e49b346ea8efaa0e9ae84f6dd27db6fda91b80455c814c5f62c43a8ba450eacbbfabc3309d6fe42df9514659842a291e583ea1532cb

- Filesize: 442KB
  MD5: f2f05af674f28977b9d0c7bb66087b64
  SHA1: 250ecd2a98c5117e01a175856805a9655416a74c
  SHA256: 4e7876416098b0bcbcf841d6a2ebb393b3e3f52969600c27e650b3490534247a
  SHA512: 8bb2631295f16f3f7d3746e68bbbb6f0b0adb4de6983340e2cb416ae1dd96aa0dcd345d6803d54240c13622dd95c968f00c4ed934f943afae30aa277b636857a

- Filesize: 700KB
  MD5: 39f83f3772359387845a5289ca51a3d1
  SHA1: 916b0e47e7852662e812104d2135e4f610d86930
  SHA256: f786083e89151afc355d2644f4daa9b0632c33ac91b3068c18c24479f745ce51
  SHA512: 828509d6c72593200141794b6150801ae988fe6198e632fac743ca3b6380c6059d4fd9f6e70fc2d75a89f59f255a0f929ffbaa778b09be166b073678e821a83d

- Filesize: 174KB
  MD5: 349ff9d222c5573123bd51de0ddf384c
  SHA1: efc28c907f4d960cae18c2e99e54763b1d0ef8e4
  SHA256: dcf98f3e5f36ff1da3181e4b8b61cf9a2adaa8fbfaaadf87bda2a971d871129f
  SHA512: e683950468ffec847770eac4ca3269143116384410dcc90b1dee4bc817a90672b2b3b2484edd8cde7a08185e9725126250c93d624cc1ace9020755312f1e1ef5