redline | e10c1b1865a2f9235ef8b71f145452c61dbd8f4e05837039766f7bf4a6d01529

Analysis

max time kernel
154s
max time network
168s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
12-10-2023 04:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e10c1b1865a2f9235ef8b71f145452c61dbd8f4e05837039766f7bf4a6d01529.exe
Size

1.0MB
MD5

5c09a739b2065cde125823aadb03cb9b
SHA1

dd1fcba25cd515d955836e67248e71a9b6566595
SHA256

e10c1b1865a2f9235ef8b71f145452c61dbd8f4e05837039766f7bf4a6d01529
SHA512

16467c5a3146fad73b0e7c983fd71466bc3b59f12400d4c6f5d5753a2bbce5428a397cbf31e2411c47ba96f999fb1e2a8be6f9336857375ed79a819079415a4e
SSDEEP

24576:fyt1pThJxx6Df54n9/Lsl+FJmyKmwJVe:qDpdJ4faxFdKD

Score

10^/10

redline tuxiu infostealer persistence

Malware Config

Extracted

Family

redline

Botnet

tuxiu

77.91.124.82:19071

Attributes

auth_value
29610cdad07e7187eec70685a04b89fe

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 3 IoCs

resource	yara_rule
behavioral2/files/0x0007000000023120-33.dat	family_redline
behavioral2/files/0x0007000000023120-35.dat	family_redline
behavioral2/memory/3432-36-0x00000000008E0000-0x0000000000910000-memory.dmp	family_redline

Executes dropped EXE 5 IoCs

pid	Process
4956	x8862545.exe
1312	x3540695.exe
956	x9622654.exe
4044	g0400332.exe
3432	h4251232.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	e10c1b1865a2f9235ef8b71f145452c61dbd8f4e05837039766f7bf4a6d01529.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	x8862545.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	x3540695.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	x9622654.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4044 set thread context of 3664	4044	g0400332.exe	100

Program crash 2 IoCs

pid	pid_target	Process	procid_target
3620	4044	WerFault.exe	91
3156	3664	WerFault.exe	100

Suspicious use of WriteProcessMemory 28 IoCs

description	pid	Process	procid_target
PID 3920 wrote to memory of 4956	3920	e10c1b1865a2f9235ef8b71f145452c61dbd8f4e05837039766f7bf4a6d01529.exe	88
PID 3920 wrote to memory of 4956	3920	e10c1b1865a2f9235ef8b71f145452c61dbd8f4e05837039766f7bf4a6d01529.exe	88
PID 3920 wrote to memory of 4956	3920	e10c1b1865a2f9235ef8b71f145452c61dbd8f4e05837039766f7bf4a6d01529.exe	88
PID 4956 wrote to memory of 1312	4956	x8862545.exe	89
PID 4956 wrote to memory of 1312	4956	x8862545.exe	89
PID 4956 wrote to memory of 1312	4956	x8862545.exe	89
PID 1312 wrote to memory of 956	1312	x3540695.exe	90
PID 1312 wrote to memory of 956	1312	x3540695.exe	90
PID 1312 wrote to memory of 956	1312	x3540695.exe	90
PID 956 wrote to memory of 4044	956	x9622654.exe	91
PID 956 wrote to memory of 4044	956	x9622654.exe	91
PID 956 wrote to memory of 4044	956	x9622654.exe	91
PID 4044 wrote to memory of 5108	4044	g0400332.exe	99
PID 4044 wrote to memory of 5108	4044	g0400332.exe	99
PID 4044 wrote to memory of 5108	4044	g0400332.exe	99
PID 4044 wrote to memory of 3664	4044	g0400332.exe	100
PID 4044 wrote to memory of 3664	4044	g0400332.exe	100
PID 4044 wrote to memory of 3664	4044	g0400332.exe	100
PID 4044 wrote to memory of 3664	4044	g0400332.exe	100
PID 4044 wrote to memory of 3664	4044	g0400332.exe	100
PID 4044 wrote to memory of 3664	4044	g0400332.exe	100
PID 4044 wrote to memory of 3664	4044	g0400332.exe	100
PID 4044 wrote to memory of 3664	4044	g0400332.exe	100
PID 4044 wrote to memory of 3664	4044	g0400332.exe	100
PID 4044 wrote to memory of 3664	4044	g0400332.exe	100
PID 956 wrote to memory of 3432	956	x9622654.exe	105
PID 956 wrote to memory of 3432	956	x9622654.exe	105
PID 956 wrote to memory of 3432	956	x9622654.exe	105

C:\Users\Admin\AppData\Local\Temp\e10c1b1865a2f9235ef8b71f145452c61dbd8f4e05837039766f7bf4a6d01529.exe
"C:\Users\Admin\AppData\Local\Temp\e10c1b1865a2f9235ef8b71f145452c61dbd8f4e05837039766f7bf4a6d01529.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3920
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x8862545.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x8862545.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:4956
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x3540695.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x3540695.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:1312
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\x9622654.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\x9622654.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:956
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\g0400332.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\g0400332.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:4044
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        6⤵
        
        PID:5108
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        6⤵
        
        PID:3664
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3664 -s 540
        7⤵
        Program crash
        
        PID:3156
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4044 -s 136
        6⤵
        Program crash
        
        PID:3620
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\h4251232.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\h4251232.exe
        5⤵
        Executes dropped EXE
        
        PID:3432

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 4044 -ip 4044
1⤵
PID:3708

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 3664 -ip 3664
1⤵
PID:3220

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x8862545.exe

Filesize
933KB

MD5
04dbe4c79e00592b395bae2664c05548

SHA1
e25c1deca27997435fe201aab311011732fea89b

SHA256
484b44c5b02d3ae0b1eff4187bc882e6c11b1f879f38fcfcbc046134cb390792

SHA512
4f549b6c1fbbfa5e740268e0adf90ac177b4477e5c74bec31c753a095fe26663cc78078d1769d5fc758a209cfe9e6931daf39c6cd3aaaa76fd91fcbd9c4d9014

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x8862545.exe

Filesize
933KB

MD5
04dbe4c79e00592b395bae2664c05548

SHA1
e25c1deca27997435fe201aab311011732fea89b

SHA256
484b44c5b02d3ae0b1eff4187bc882e6c11b1f879f38fcfcbc046134cb390792

SHA512
4f549b6c1fbbfa5e740268e0adf90ac177b4477e5c74bec31c753a095fe26663cc78078d1769d5fc758a209cfe9e6931daf39c6cd3aaaa76fd91fcbd9c4d9014

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x3540695.exe

Filesize
629KB

MD5
1aea6e562653951a5c845e6126d0a080

SHA1
0890c6d7c6cb131cce977bf3c3d801621168ba1c

SHA256
acefd1bbce0113cea2be700a5d221c5f089044b43937b86c9cb62143c4da7c60

SHA512
699cb5c9241b0b126d3dea0187af40ae801859854d12552e5ed660b0b9cd095c69fe2321ae9ca4139436f5fed77bc0a21792eb5ee7b3552628aad8b978819518

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x3540695.exe

Filesize
629KB

MD5
1aea6e562653951a5c845e6126d0a080

SHA1
0890c6d7c6cb131cce977bf3c3d801621168ba1c

SHA256
acefd1bbce0113cea2be700a5d221c5f089044b43937b86c9cb62143c4da7c60

SHA512
699cb5c9241b0b126d3dea0187af40ae801859854d12552e5ed660b0b9cd095c69fe2321ae9ca4139436f5fed77bc0a21792eb5ee7b3552628aad8b978819518

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\x9622654.exe

Filesize
443KB

MD5
c5499fab32c9c36f115b6e22957885ae

SHA1
e499e1577fd33d82b2eb9a854e072192cde89172

SHA256
abe21cb809c27c02f4bcaa05f4eaffcc2b989c3057adc1aaf6792efcfe5ba1c3

SHA512
455cab9afbfdf009ca51cfe76ab30e731beb0a8edaca1b6e402a689b119a2b359f9dd19385978464bc5e8bfa0c5f0e7fb756a514418480da1679f7520332db60

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\x9622654.exe

Filesize
443KB

MD5
c5499fab32c9c36f115b6e22957885ae

SHA1
e499e1577fd33d82b2eb9a854e072192cde89172

SHA256
abe21cb809c27c02f4bcaa05f4eaffcc2b989c3057adc1aaf6792efcfe5ba1c3

SHA512
455cab9afbfdf009ca51cfe76ab30e731beb0a8edaca1b6e402a689b119a2b359f9dd19385978464bc5e8bfa0c5f0e7fb756a514418480da1679f7520332db60

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\g0400332.exe

Filesize
700KB

MD5
d19784c74c0e4e6ce1f611dc25abc9e1

SHA1
3b134b57b21ce62e8fccc48a7f5211973e9866c3

SHA256
e9cd8cf6e2edd8ac459ac0eb97713b05f193239bd5ba6dc8daded0a51d6890d3

SHA512
691d8af586338fc6dc88bce1afc0876039f95f6b897f99d74b859d117bf9faaa85149946d61808ec88305e33cff72ba1fc1ae9e9bf053692ef2702a869538597

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\g0400332.exe

Filesize
700KB

MD5
d19784c74c0e4e6ce1f611dc25abc9e1

SHA1
3b134b57b21ce62e8fccc48a7f5211973e9866c3

SHA256
e9cd8cf6e2edd8ac459ac0eb97713b05f193239bd5ba6dc8daded0a51d6890d3

SHA512
691d8af586338fc6dc88bce1afc0876039f95f6b897f99d74b859d117bf9faaa85149946d61808ec88305e33cff72ba1fc1ae9e9bf053692ef2702a869538597

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\h4251232.exe

Filesize
174KB

MD5
9a47dc3e253a62491a6382c3c4cfc3d7

SHA1
e43bd6778719e76d2b0e43b185be9ed645e54367

SHA256
95ae7cad4b35a4091c2c8bf56d858cb5cb8440e75c786f11b7229787560a1475

SHA512
1118efd0c3778d49570c619fb1a66093593472f3d79d17b0b7b4370022ff2a1dffb0887e23b8256647bfa69bca298d6d631b465b512fa5b1623e874689179a4b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\h4251232.exe

Filesize
174KB

MD5
9a47dc3e253a62491a6382c3c4cfc3d7

SHA1
e43bd6778719e76d2b0e43b185be9ed645e54367

SHA256
95ae7cad4b35a4091c2c8bf56d858cb5cb8440e75c786f11b7229787560a1475

SHA512
1118efd0c3778d49570c619fb1a66093593472f3d79d17b0b7b4370022ff2a1dffb0887e23b8256647bfa69bca298d6d631b465b512fa5b1623e874689179a4b

Download Submit
memory/3432-39-0x0000000005920000-0x0000000005F38000-memory.dmp

Filesize
6.1MB

Download
memory/3432-40-0x0000000005470000-0x000000000557A000-memory.dmp

Filesize
1.0MB

Download
memory/3432-46-0x00000000050F0000-0x0000000005100000-memory.dmp

Filesize
64KB

Download
memory/3432-45-0x0000000073C50000-0x0000000074400000-memory.dmp

Filesize
7.7MB

Download
memory/3432-36-0x00000000008E0000-0x0000000000910000-memory.dmp

Filesize
192KB

Download
memory/3432-37-0x0000000073C50000-0x0000000074400000-memory.dmp

Filesize
7.7MB

Download
memory/3432-44-0x0000000005580000-0x00000000055CC000-memory.dmp

Filesize
304KB

Download
memory/3432-43-0x0000000005410000-0x000000000544C000-memory.dmp

Filesize
240KB

Download
memory/3432-38-0x0000000002A80000-0x0000000002A86000-memory.dmp

Filesize
24KB

Download
memory/3432-42-0x00000000053B0000-0x00000000053C2000-memory.dmp

Filesize
72KB

Download
memory/3432-41-0x00000000050F0000-0x0000000005100000-memory.dmp

Filesize
64KB

Download
memory/3664-29-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3664-32-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3664-30-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3664-28-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads