redline | 321370d84adcbf458700e808dd3f45a626a6b4c11ded2c9b1f8fb8c7e5358f27

Analysis

max time kernel
139s
max time network
159s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
12/10/2023, 04:43

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

321370d84adcbf458700e808dd3f45a626a6b4c11ded2c9b1f8fb8c7e5358f27.exe
Size

1.0MB
MD5

5b8f378f2dc2830855dc401ac2d65315
SHA1

8544709d39146ec64b9a0d2c9df6c4eeda63f3f4
SHA256

321370d84adcbf458700e808dd3f45a626a6b4c11ded2c9b1f8fb8c7e5358f27
SHA512

c599d4268d8ab190bb664597dcb28640db760b9dc31efd74b0683468a3ea3645a5fb846f93ff390573b2faf004d792006a893f157958e5fdd542681239989f78
SSDEEP

24576:qyyTAotI+thHX1L81DGHFjJU6PfM50jHL:xeAotIYHXV81DGljJTPfIY

Score

10^/10

redline tuxiu infostealer persistence

Malware Config

Extracted

Family

redline

Botnet

tuxiu

77.91.124.82:19071

Attributes

auth_value
29610cdad07e7187eec70685a04b89fe

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 3 IoCs

resource	yara_rule
behavioral2/files/0x000600000002325f-34.dat	family_redline
behavioral2/files/0x000600000002325f-35.dat	family_redline
behavioral2/memory/1980-36-0x0000000000DD0000-0x0000000000E00000-memory.dmp	family_redline

Executes dropped EXE 5 IoCs

pid	Process
4848	x1657369.exe
1252	x0119350.exe
3756	x4854368.exe
736	g2368368.exe
1980	h1227259.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	321370d84adcbf458700e808dd3f45a626a6b4c11ded2c9b1f8fb8c7e5358f27.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	x1657369.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	x0119350.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	x4854368.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 736 set thread context of 5072	736	g2368368.exe	95

Program crash 2 IoCs

pid	pid_target	Process	procid_target
2724	736	WerFault.exe	87
3648	5072	WerFault.exe	95

Suspicious use of WriteProcessMemory 28 IoCs

description	pid	Process	procid_target
PID 1628 wrote to memory of 4848	1628	321370d84adcbf458700e808dd3f45a626a6b4c11ded2c9b1f8fb8c7e5358f27.exe	84
PID 1628 wrote to memory of 4848	1628	321370d84adcbf458700e808dd3f45a626a6b4c11ded2c9b1f8fb8c7e5358f27.exe	84
PID 1628 wrote to memory of 4848	1628	321370d84adcbf458700e808dd3f45a626a6b4c11ded2c9b1f8fb8c7e5358f27.exe	84
PID 4848 wrote to memory of 1252	4848	x1657369.exe	85
PID 4848 wrote to memory of 1252	4848	x1657369.exe	85
PID 4848 wrote to memory of 1252	4848	x1657369.exe	85
PID 1252 wrote to memory of 3756	1252	x0119350.exe	86
PID 1252 wrote to memory of 3756	1252	x0119350.exe	86
PID 1252 wrote to memory of 3756	1252	x0119350.exe	86
PID 3756 wrote to memory of 736	3756	x4854368.exe	87
PID 3756 wrote to memory of 736	3756	x4854368.exe	87
PID 3756 wrote to memory of 736	3756	x4854368.exe	87
PID 736 wrote to memory of 3844	736	g2368368.exe	94
PID 736 wrote to memory of 3844	736	g2368368.exe	94
PID 736 wrote to memory of 3844	736	g2368368.exe	94
PID 736 wrote to memory of 5072	736	g2368368.exe	95
PID 736 wrote to memory of 5072	736	g2368368.exe	95
PID 736 wrote to memory of 5072	736	g2368368.exe	95
PID 736 wrote to memory of 5072	736	g2368368.exe	95
PID 736 wrote to memory of 5072	736	g2368368.exe	95
PID 736 wrote to memory of 5072	736	g2368368.exe	95
PID 736 wrote to memory of 5072	736	g2368368.exe	95
PID 736 wrote to memory of 5072	736	g2368368.exe	95
PID 736 wrote to memory of 5072	736	g2368368.exe	95
PID 736 wrote to memory of 5072	736	g2368368.exe	95
PID 3756 wrote to memory of 1980	3756	x4854368.exe	103
PID 3756 wrote to memory of 1980	3756	x4854368.exe	103
PID 3756 wrote to memory of 1980	3756	x4854368.exe	103

C:\Users\Admin\AppData\Local\Temp\321370d84adcbf458700e808dd3f45a626a6b4c11ded2c9b1f8fb8c7e5358f27.exe
"C:\Users\Admin\AppData\Local\Temp\321370d84adcbf458700e808dd3f45a626a6b4c11ded2c9b1f8fb8c7e5358f27.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1628
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x1657369.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x1657369.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:4848
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x0119350.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x0119350.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:1252
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\x4854368.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\x4854368.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:3756
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\g2368368.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\g2368368.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:736
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        6⤵
        
        PID:3844
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        6⤵
        
        PID:5072
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5072 -s 540
        7⤵
        Program crash
        
        PID:3648
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 736 -s 576
        6⤵
        Program crash
        
        PID:2724
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\h1227259.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\h1227259.exe
        5⤵
        Executes dropped EXE
        
        PID:1980

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 736 -ip 736
1⤵
PID:4908

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 5072 -ip 5072
1⤵
PID:4256

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x1657369.exe

Filesize
932KB

MD5
50d6f12cc8ae6ad73dd712bf8b8fcc90

SHA1
b47569cf57e55df237c2c54e54b43da1321b19be

SHA256
1c1c785c09e541b36ef887db54f80147e795ff8d112d54bc2de2de49b86cf19e

SHA512
4d53b1e0d9c5a6479ae9fd9ab1dade7ad189806a10332e15d522923cea21f46c9b7914dfd75c8375431388051b933553934113e34daefc2b8dfe27636f14e359

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x1657369.exe

Filesize
932KB

MD5
50d6f12cc8ae6ad73dd712bf8b8fcc90

SHA1
b47569cf57e55df237c2c54e54b43da1321b19be

SHA256
1c1c785c09e541b36ef887db54f80147e795ff8d112d54bc2de2de49b86cf19e

SHA512
4d53b1e0d9c5a6479ae9fd9ab1dade7ad189806a10332e15d522923cea21f46c9b7914dfd75c8375431388051b933553934113e34daefc2b8dfe27636f14e359

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x0119350.exe

Filesize
628KB

MD5
9bca544fa0fab622e8837d7c4bafa89f

SHA1
aa9cfc7d1a76024e4f0ad942c03bd602fdd42e95

SHA256
8059d8f76eb351becc95756679d2f140749f813ad2207bb0b1660fd7118a305f

SHA512
6bacd704714859ad3ffd4652bc0b1dc3708470b675dd8960ba1832e37ba90605481e53f5f6a6b63411d626f7de29bce6af4fac70346cdb775cf17f2c85f3dfd7

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x0119350.exe

Filesize
628KB

MD5
9bca544fa0fab622e8837d7c4bafa89f

SHA1
aa9cfc7d1a76024e4f0ad942c03bd602fdd42e95

SHA256
8059d8f76eb351becc95756679d2f140749f813ad2207bb0b1660fd7118a305f

SHA512
6bacd704714859ad3ffd4652bc0b1dc3708470b675dd8960ba1832e37ba90605481e53f5f6a6b63411d626f7de29bce6af4fac70346cdb775cf17f2c85f3dfd7

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\x4854368.exe

Filesize
443KB

MD5
fb2e9b78d253c4943fb002440dc5dca5

SHA1
937a5cc3237a5c35d45ef466dd8f7d1dbfa8405b

SHA256
81753d3219a058730be2846dac1d5a951eb2d53211e8eda66f476c9b9a23d27c

SHA512
0607b4b50c933fb5d63d445dd602556f47aa8ef008fbf47cfc7e4b6bc6660f04d298ddaf37281ba1b66de4d1ba5661a212e0df9e86fc41a430218df7f5e9c65e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\x4854368.exe

Filesize
443KB

MD5
fb2e9b78d253c4943fb002440dc5dca5

SHA1
937a5cc3237a5c35d45ef466dd8f7d1dbfa8405b

SHA256
81753d3219a058730be2846dac1d5a951eb2d53211e8eda66f476c9b9a23d27c

SHA512
0607b4b50c933fb5d63d445dd602556f47aa8ef008fbf47cfc7e4b6bc6660f04d298ddaf37281ba1b66de4d1ba5661a212e0df9e86fc41a430218df7f5e9c65e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\g2368368.exe

Filesize
700KB

MD5
3f8df8626cd836b1b05563746ca282da

SHA1
826b186f9b1573ce97cd7f04708177ce75dd9afb

SHA256
62055aa8362f2584fcf25d80a0e6f1baf35ce9bc4030702793098c7872699d3e

SHA512
b4e9e6ee8416ba841bbc1b1814942d5b6af38b3c7e506c8a1c59b856613a0fc1e48532f80a5f473286a78ea5f189678275f46888cbe985bea32e3cebeb1f5eea

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\g2368368.exe

Filesize
700KB

MD5
3f8df8626cd836b1b05563746ca282da

SHA1
826b186f9b1573ce97cd7f04708177ce75dd9afb

SHA256
62055aa8362f2584fcf25d80a0e6f1baf35ce9bc4030702793098c7872699d3e

SHA512
b4e9e6ee8416ba841bbc1b1814942d5b6af38b3c7e506c8a1c59b856613a0fc1e48532f80a5f473286a78ea5f189678275f46888cbe985bea32e3cebeb1f5eea

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\h1227259.exe

Filesize
174KB

MD5
22b652f4a9b3a923734c9d30a2097b47

SHA1
d9d9d88b96786336767871fd92bd6df29bd9cb64

SHA256
194665e1148d8519daf3bc29ba02ff9a97a573be1224617dc4d252221716ba2c

SHA512
d5bdfe4d5eb760e073bbf266d9faacf82398ef792a4fa012e8c3835e91ab4ec0dff7bbea541e7a4ac56a8ce483a24e40d2ed28e22aeed65c446f86d45c1315bd

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\h1227259.exe

Filesize
174KB

MD5
22b652f4a9b3a923734c9d30a2097b47

SHA1
d9d9d88b96786336767871fd92bd6df29bd9cb64

SHA256
194665e1148d8519daf3bc29ba02ff9a97a573be1224617dc4d252221716ba2c

SHA512
d5bdfe4d5eb760e073bbf266d9faacf82398ef792a4fa012e8c3835e91ab4ec0dff7bbea541e7a4ac56a8ce483a24e40d2ed28e22aeed65c446f86d45c1315bd

Download Submit
memory/1980-39-0x000000000B0C0000-0x000000000B6D8000-memory.dmp

Filesize
6.1MB

Download
memory/1980-41-0x00000000055D0000-0x00000000055E0000-memory.dmp

Filesize
64KB

Download
memory/1980-46-0x00000000055D0000-0x00000000055E0000-memory.dmp

Filesize
64KB

Download
memory/1980-45-0x0000000073EF0000-0x00000000746A0000-memory.dmp

Filesize
7.7MB

Download
memory/1980-36-0x0000000000DD0000-0x0000000000E00000-memory.dmp

Filesize
192KB

Download
memory/1980-37-0x0000000073EF0000-0x00000000746A0000-memory.dmp

Filesize
7.7MB

Download
memory/1980-44-0x000000000AD50000-0x000000000AD9C000-memory.dmp

Filesize
304KB

Download
memory/1980-40-0x000000000AC40000-0x000000000AD4A000-memory.dmp

Filesize
1.0MB

Download
memory/1980-38-0x00000000055B0000-0x00000000055B6000-memory.dmp

Filesize
24KB

Download
memory/1980-42-0x000000000AB80000-0x000000000AB92000-memory.dmp

Filesize
72KB

Download
memory/1980-43-0x000000000ABE0000-0x000000000AC1C000-memory.dmp

Filesize
240KB

Download
memory/5072-30-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5072-32-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5072-29-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5072-28-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads