redline | bce4c2f14de3d573129f4a78c09bb1a6eb060671c15852acd05cafed2f483db4

Analysis

max time kernel
125s
max time network
138s
platform
windows7_x64
resource
win7-20230831-en
resource tags

arch:x64arch:x86image:win7-20230831-enlocale:en-usos:windows7-x64system
submitted
12-10-2023 04:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

bce4c2f14de3d573129f4a78c09bb1a6eb060671c15852acd05cafed2f483db4.exe
Size

567KB
MD5

2cc6cd76d79dcf0755db05f04f40f085
SHA1

a2ff4b22b3da8cd8b2a8c8764f0071a3b7403ad7
SHA256

bce4c2f14de3d573129f4a78c09bb1a6eb060671c15852acd05cafed2f483db4
SHA512

4473555da2d416a288695c311e02f84ef615b2ffd5faf13d3ce3fbf857343bcd4d4053cf36d64dd0095b21e315a63e798f83d14db0ec615d0564b1a065bcf3e2
SSDEEP

12288:RMriy90qbRcrpfFoSiLHw/S71LzUpjlCM9tdTDD:TyN1crni8WzUpZCMZ

Score

10^/10

redline trush infostealer persistence

Malware Config

Extracted

Family

redline

Botnet

trush

77.91.124.82:19071

Attributes

auth_value
c13814867cde8193679cd0cad2d774be

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Executes dropped EXE 2 IoCs

pid	Process
2452	v3717937.exe
2312	a4204768.exe

Loads dropped DLL 9 IoCs

pid	Process
2356	bce4c2f14de3d573129f4a78c09bb1a6eb060671c15852acd05cafed2f483db4.exe
2452	v3717937.exe
2452	v3717937.exe
2452	v3717937.exe
2312	a4204768.exe
2640	WerFault.exe
2640	WerFault.exe
2640	WerFault.exe
2640	WerFault.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	bce4c2f14de3d573129f4a78c09bb1a6eb060671c15852acd05cafed2f483db4.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	v3717937.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2312 set thread context of 2996	2312	a4204768.exe	31

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2640	2312	WerFault.exe	29

Suspicious use of WriteProcessMemory 33 IoCs

description	pid	Process	procid_target
PID 2356 wrote to memory of 2452	2356	bce4c2f14de3d573129f4a78c09bb1a6eb060671c15852acd05cafed2f483db4.exe	28
PID 2356 wrote to memory of 2452	2356	bce4c2f14de3d573129f4a78c09bb1a6eb060671c15852acd05cafed2f483db4.exe	28
PID 2356 wrote to memory of 2452	2356	bce4c2f14de3d573129f4a78c09bb1a6eb060671c15852acd05cafed2f483db4.exe	28
PID 2356 wrote to memory of 2452	2356	bce4c2f14de3d573129f4a78c09bb1a6eb060671c15852acd05cafed2f483db4.exe	28
PID 2356 wrote to memory of 2452	2356	bce4c2f14de3d573129f4a78c09bb1a6eb060671c15852acd05cafed2f483db4.exe	28
PID 2356 wrote to memory of 2452	2356	bce4c2f14de3d573129f4a78c09bb1a6eb060671c15852acd05cafed2f483db4.exe	28
PID 2356 wrote to memory of 2452	2356	bce4c2f14de3d573129f4a78c09bb1a6eb060671c15852acd05cafed2f483db4.exe	28
PID 2452 wrote to memory of 2312	2452	v3717937.exe	29
PID 2452 wrote to memory of 2312	2452	v3717937.exe	29
PID 2452 wrote to memory of 2312	2452	v3717937.exe	29
PID 2452 wrote to memory of 2312	2452	v3717937.exe	29
PID 2452 wrote to memory of 2312	2452	v3717937.exe	29
PID 2452 wrote to memory of 2312	2452	v3717937.exe	29
PID 2452 wrote to memory of 2312	2452	v3717937.exe	29
PID 2312 wrote to memory of 2996	2312	a4204768.exe	31
PID 2312 wrote to memory of 2996	2312	a4204768.exe	31
PID 2312 wrote to memory of 2996	2312	a4204768.exe	31
PID 2312 wrote to memory of 2996	2312	a4204768.exe	31
PID 2312 wrote to memory of 2996	2312	a4204768.exe	31
PID 2312 wrote to memory of 2996	2312	a4204768.exe	31
PID 2312 wrote to memory of 2996	2312	a4204768.exe	31
PID 2312 wrote to memory of 2996	2312	a4204768.exe	31
PID 2312 wrote to memory of 2996	2312	a4204768.exe	31
PID 2312 wrote to memory of 2996	2312	a4204768.exe	31
PID 2312 wrote to memory of 2996	2312	a4204768.exe	31
PID 2312 wrote to memory of 2996	2312	a4204768.exe	31
PID 2312 wrote to memory of 2640	2312	a4204768.exe	32
PID 2312 wrote to memory of 2640	2312	a4204768.exe	32
PID 2312 wrote to memory of 2640	2312	a4204768.exe	32
PID 2312 wrote to memory of 2640	2312	a4204768.exe	32
PID 2312 wrote to memory of 2640	2312	a4204768.exe	32
PID 2312 wrote to memory of 2640	2312	a4204768.exe	32
PID 2312 wrote to memory of 2640	2312	a4204768.exe	32

C:\Users\Admin\AppData\Local\Temp\bce4c2f14de3d573129f4a78c09bb1a6eb060671c15852acd05cafed2f483db4.exe
"C:\Users\Admin\AppData\Local\Temp\bce4c2f14de3d573129f4a78c09bb1a6eb060671c15852acd05cafed2f483db4.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2356
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v3717937.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v3717937.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:2452
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a4204768.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a4204768.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:2312
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
      4⤵
      PID:2996
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2312 -s 268
      4⤵
      Loads dropped DLL
      Program crash
      PID:2640

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v3717937.exe

Filesize
466KB

MD5
8c8173baf2e67a940c8c48c03beac9f6

SHA1
6216ee2c5270a80d343eed95cac68bfe5186837a

SHA256
847c96dbc9b75afc9a8a36a5381153fc555ebb4e01e64555e7bcb669ea1023b2

SHA512
2efa61e4b752daca2df4123a7029bd75db62c60988d5e9493480a39e032557dfef098e0af75dd494ebe7c98ebe6958a846e5bc89c6f0b7f731b7b3e752b5ebd1

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v3717937.exe

Filesize
466KB

MD5
8c8173baf2e67a940c8c48c03beac9f6

SHA1
6216ee2c5270a80d343eed95cac68bfe5186837a

SHA256
847c96dbc9b75afc9a8a36a5381153fc555ebb4e01e64555e7bcb669ea1023b2

SHA512
2efa61e4b752daca2df4123a7029bd75db62c60988d5e9493480a39e032557dfef098e0af75dd494ebe7c98ebe6958a846e5bc89c6f0b7f731b7b3e752b5ebd1

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a4204768.exe

Filesize
707KB

MD5
9ab016785e50278a579af890aab259cc

SHA1
d67d6fab2a2194102c59d94945388d016003e55d

SHA256
712ae2a3aa2b544126aaa067ade5c4e84bc01f2e875e0214cf6ca03543dc82b6

SHA512
f89e9249190ca8b51bae584c0a3e1f26fc134c99bb7fce67f04a9b059beaee7271348b1f524f2e42060d836e2f5fbd5477648601b76a879d0c7cb5335cd0aff9

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a4204768.exe

Filesize
707KB

MD5
9ab016785e50278a579af890aab259cc

SHA1
d67d6fab2a2194102c59d94945388d016003e55d

SHA256
712ae2a3aa2b544126aaa067ade5c4e84bc01f2e875e0214cf6ca03543dc82b6

SHA512
f89e9249190ca8b51bae584c0a3e1f26fc134c99bb7fce67f04a9b059beaee7271348b1f524f2e42060d836e2f5fbd5477648601b76a879d0c7cb5335cd0aff9

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a4204768.exe

Filesize
707KB

MD5
9ab016785e50278a579af890aab259cc

SHA1
d67d6fab2a2194102c59d94945388d016003e55d

SHA256
712ae2a3aa2b544126aaa067ade5c4e84bc01f2e875e0214cf6ca03543dc82b6

SHA512
f89e9249190ca8b51bae584c0a3e1f26fc134c99bb7fce67f04a9b059beaee7271348b1f524f2e42060d836e2f5fbd5477648601b76a879d0c7cb5335cd0aff9

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\v3717937.exe

Filesize
466KB

MD5
8c8173baf2e67a940c8c48c03beac9f6

SHA1
6216ee2c5270a80d343eed95cac68bfe5186837a

SHA256
847c96dbc9b75afc9a8a36a5381153fc555ebb4e01e64555e7bcb669ea1023b2

SHA512
2efa61e4b752daca2df4123a7029bd75db62c60988d5e9493480a39e032557dfef098e0af75dd494ebe7c98ebe6958a846e5bc89c6f0b7f731b7b3e752b5ebd1

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\v3717937.exe

Filesize
466KB

MD5
8c8173baf2e67a940c8c48c03beac9f6

SHA1
6216ee2c5270a80d343eed95cac68bfe5186837a

SHA256
847c96dbc9b75afc9a8a36a5381153fc555ebb4e01e64555e7bcb669ea1023b2

SHA512
2efa61e4b752daca2df4123a7029bd75db62c60988d5e9493480a39e032557dfef098e0af75dd494ebe7c98ebe6958a846e5bc89c6f0b7f731b7b3e752b5ebd1

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\a4204768.exe

Filesize
707KB

MD5
9ab016785e50278a579af890aab259cc

SHA1
d67d6fab2a2194102c59d94945388d016003e55d

SHA256
712ae2a3aa2b544126aaa067ade5c4e84bc01f2e875e0214cf6ca03543dc82b6

SHA512
f89e9249190ca8b51bae584c0a3e1f26fc134c99bb7fce67f04a9b059beaee7271348b1f524f2e42060d836e2f5fbd5477648601b76a879d0c7cb5335cd0aff9

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\a4204768.exe

Filesize
707KB

MD5
9ab016785e50278a579af890aab259cc

SHA1
d67d6fab2a2194102c59d94945388d016003e55d

SHA256
712ae2a3aa2b544126aaa067ade5c4e84bc01f2e875e0214cf6ca03543dc82b6

SHA512
f89e9249190ca8b51bae584c0a3e1f26fc134c99bb7fce67f04a9b059beaee7271348b1f524f2e42060d836e2f5fbd5477648601b76a879d0c7cb5335cd0aff9

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\a4204768.exe

Filesize
707KB

MD5
9ab016785e50278a579af890aab259cc

SHA1
d67d6fab2a2194102c59d94945388d016003e55d

SHA256
712ae2a3aa2b544126aaa067ade5c4e84bc01f2e875e0214cf6ca03543dc82b6

SHA512
f89e9249190ca8b51bae584c0a3e1f26fc134c99bb7fce67f04a9b059beaee7271348b1f524f2e42060d836e2f5fbd5477648601b76a879d0c7cb5335cd0aff9

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\a4204768.exe

Filesize
707KB

MD5
9ab016785e50278a579af890aab259cc

SHA1
d67d6fab2a2194102c59d94945388d016003e55d

SHA256
712ae2a3aa2b544126aaa067ade5c4e84bc01f2e875e0214cf6ca03543dc82b6

SHA512
f89e9249190ca8b51bae584c0a3e1f26fc134c99bb7fce67f04a9b059beaee7271348b1f524f2e42060d836e2f5fbd5477648601b76a879d0c7cb5335cd0aff9

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\a4204768.exe

Filesize
707KB

MD5
9ab016785e50278a579af890aab259cc

SHA1
d67d6fab2a2194102c59d94945388d016003e55d

SHA256
712ae2a3aa2b544126aaa067ade5c4e84bc01f2e875e0214cf6ca03543dc82b6

SHA512
f89e9249190ca8b51bae584c0a3e1f26fc134c99bb7fce67f04a9b059beaee7271348b1f524f2e42060d836e2f5fbd5477648601b76a879d0c7cb5335cd0aff9

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\a4204768.exe

Filesize
707KB

MD5
9ab016785e50278a579af890aab259cc

SHA1
d67d6fab2a2194102c59d94945388d016003e55d

SHA256
712ae2a3aa2b544126aaa067ade5c4e84bc01f2e875e0214cf6ca03543dc82b6

SHA512
f89e9249190ca8b51bae584c0a3e1f26fc134c99bb7fce67f04a9b059beaee7271348b1f524f2e42060d836e2f5fbd5477648601b76a879d0c7cb5335cd0aff9

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\a4204768.exe

Filesize
707KB

MD5
9ab016785e50278a579af890aab259cc

SHA1
d67d6fab2a2194102c59d94945388d016003e55d

SHA256
712ae2a3aa2b544126aaa067ade5c4e84bc01f2e875e0214cf6ca03543dc82b6

SHA512
f89e9249190ca8b51bae584c0a3e1f26fc134c99bb7fce67f04a9b059beaee7271348b1f524f2e42060d836e2f5fbd5477648601b76a879d0c7cb5335cd0aff9

Download Submit
memory/2996-24-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/2996-23-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/2996-30-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/2996-32-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/2996-26-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/2996-25-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/2996-28-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/2996-27-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

Filesize
4KB

Download
memory/2996-37-0x0000000000370000-0x0000000000376000-memory.dmp

Filesize
24KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads