redline | bce4c2f14de3d573129f4a78c09bb1a6eb060671c15852acd05cafed2f483db4

Analysis

max time kernel
140s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
12/10/2023, 04:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

bce4c2f14de3d573129f4a78c09bb1a6eb060671c15852acd05cafed2f483db4.exe
Size

567KB
MD5

2cc6cd76d79dcf0755db05f04f40f085
SHA1

a2ff4b22b3da8cd8b2a8c8764f0071a3b7403ad7
SHA256

bce4c2f14de3d573129f4a78c09bb1a6eb060671c15852acd05cafed2f483db4
SHA512

4473555da2d416a288695c311e02f84ef615b2ffd5faf13d3ce3fbf857343bcd4d4053cf36d64dd0095b21e315a63e798f83d14db0ec615d0564b1a065bcf3e2
SSDEEP

12288:RMriy90qbRcrpfFoSiLHw/S71LzUpjlCM9tdTDD:TyN1crni8WzUpZCMZ

Score

10^/10

redline trush infostealer persistence

Malware Config

Extracted

Family

redline

Botnet

trush

77.91.124.82:19071

Attributes

auth_value
c13814867cde8193679cd0cad2d774be

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Executes dropped EXE 4 IoCs

pid	Process
4636	v3717937.exe
2988	a4204768.exe
3388	b6377477.exe
4356	c8533066.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	bce4c2f14de3d573129f4a78c09bb1a6eb060671c15852acd05cafed2f483db4.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	v3717937.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 2988 set thread context of 3316	2988	a4204768.exe	92
PID 3388 set thread context of 2656	3388	b6377477.exe	104

Program crash 3 IoCs

pid	pid_target	Process	procid_target
1344	2988	WerFault.exe	88
4220	3388	WerFault.exe	95
2372	2656	WerFault.exe	104

Suspicious use of WriteProcessMemory 33 IoCs

description	pid	Process	procid_target
PID 2708 wrote to memory of 4636	2708	bce4c2f14de3d573129f4a78c09bb1a6eb060671c15852acd05cafed2f483db4.exe	87
PID 2708 wrote to memory of 4636	2708	bce4c2f14de3d573129f4a78c09bb1a6eb060671c15852acd05cafed2f483db4.exe	87
PID 2708 wrote to memory of 4636	2708	bce4c2f14de3d573129f4a78c09bb1a6eb060671c15852acd05cafed2f483db4.exe	87
PID 4636 wrote to memory of 2988	4636	v3717937.exe	88
PID 4636 wrote to memory of 2988	4636	v3717937.exe	88
PID 4636 wrote to memory of 2988	4636	v3717937.exe	88
PID 2988 wrote to memory of 3316	2988	a4204768.exe	92
PID 2988 wrote to memory of 3316	2988	a4204768.exe	92
PID 2988 wrote to memory of 3316	2988	a4204768.exe	92
PID 2988 wrote to memory of 3316	2988	a4204768.exe	92
PID 2988 wrote to memory of 3316	2988	a4204768.exe	92
PID 2988 wrote to memory of 3316	2988	a4204768.exe	92
PID 2988 wrote to memory of 3316	2988	a4204768.exe	92
PID 2988 wrote to memory of 3316	2988	a4204768.exe	92
PID 4636 wrote to memory of 3388	4636	v3717937.exe	95
PID 4636 wrote to memory of 3388	4636	v3717937.exe	95
PID 4636 wrote to memory of 3388	4636	v3717937.exe	95
PID 3388 wrote to memory of 2596	3388	b6377477.exe	103
PID 3388 wrote to memory of 2596	3388	b6377477.exe	103
PID 3388 wrote to memory of 2596	3388	b6377477.exe	103
PID 3388 wrote to memory of 2656	3388	b6377477.exe	104
PID 3388 wrote to memory of 2656	3388	b6377477.exe	104
PID 3388 wrote to memory of 2656	3388	b6377477.exe	104
PID 3388 wrote to memory of 2656	3388	b6377477.exe	104
PID 3388 wrote to memory of 2656	3388	b6377477.exe	104
PID 3388 wrote to memory of 2656	3388	b6377477.exe	104
PID 3388 wrote to memory of 2656	3388	b6377477.exe	104
PID 3388 wrote to memory of 2656	3388	b6377477.exe	104
PID 3388 wrote to memory of 2656	3388	b6377477.exe	104
PID 3388 wrote to memory of 2656	3388	b6377477.exe	104
PID 2708 wrote to memory of 4356	2708	bce4c2f14de3d573129f4a78c09bb1a6eb060671c15852acd05cafed2f483db4.exe	109
PID 2708 wrote to memory of 4356	2708	bce4c2f14de3d573129f4a78c09bb1a6eb060671c15852acd05cafed2f483db4.exe	109
PID 2708 wrote to memory of 4356	2708	bce4c2f14de3d573129f4a78c09bb1a6eb060671c15852acd05cafed2f483db4.exe	109

C:\Users\Admin\AppData\Local\Temp\bce4c2f14de3d573129f4a78c09bb1a6eb060671c15852acd05cafed2f483db4.exe
"C:\Users\Admin\AppData\Local\Temp\bce4c2f14de3d573129f4a78c09bb1a6eb060671c15852acd05cafed2f483db4.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2708
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v3717937.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v3717937.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:4636
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a4204768.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a4204768.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:2988
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
      4⤵
      PID:3316
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2988 -s 140
      4⤵
      Program crash
      PID:1344
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\b6377477.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\b6377477.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:3388
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
      4⤵
      PID:2596
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
      4⤵
      PID:2656
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2656 -s 540
        5⤵
        Program crash
        
        PID:2372
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3388 -s 136
      4⤵
      Program crash
      PID:4220
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\c8533066.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\c8533066.exe
  2⤵
  - Executes dropped EXE
  PID:4356

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 2988 -ip 2988
1⤵
PID:5100

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 3388 -ip 3388
1⤵
PID:1988

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 2656 -ip 2656
1⤵
PID:2512

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\c8533066.exe

Filesize
18KB

MD5
e6035776afbc928f163051af77a758b1

SHA1
27cb235a2790a06b6bef4062ab6ff2eca8923456

SHA256
3f8c47f4a1fed2fb66d217fd70f34acbdb9f21906e312c7f187bb797c60ae84f

SHA512
1fcbac7d028bd703613c79e16d07349e05d124a805083ff428ff749382973e7f7759541f02a7eefeae9bcc5ed3fc61f7e214c54fdf5b4f68d0d3cf3b08139753

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\c8533066.exe

Filesize
18KB

MD5
e6035776afbc928f163051af77a758b1

SHA1
27cb235a2790a06b6bef4062ab6ff2eca8923456

SHA256
3f8c47f4a1fed2fb66d217fd70f34acbdb9f21906e312c7f187bb797c60ae84f

SHA512
1fcbac7d028bd703613c79e16d07349e05d124a805083ff428ff749382973e7f7759541f02a7eefeae9bcc5ed3fc61f7e214c54fdf5b4f68d0d3cf3b08139753

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v3717937.exe

Filesize
466KB

MD5
8c8173baf2e67a940c8c48c03beac9f6

SHA1
6216ee2c5270a80d343eed95cac68bfe5186837a

SHA256
847c96dbc9b75afc9a8a36a5381153fc555ebb4e01e64555e7bcb669ea1023b2

SHA512
2efa61e4b752daca2df4123a7029bd75db62c60988d5e9493480a39e032557dfef098e0af75dd494ebe7c98ebe6958a846e5bc89c6f0b7f731b7b3e752b5ebd1

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v3717937.exe

Filesize
466KB

MD5
8c8173baf2e67a940c8c48c03beac9f6

SHA1
6216ee2c5270a80d343eed95cac68bfe5186837a

SHA256
847c96dbc9b75afc9a8a36a5381153fc555ebb4e01e64555e7bcb669ea1023b2

SHA512
2efa61e4b752daca2df4123a7029bd75db62c60988d5e9493480a39e032557dfef098e0af75dd494ebe7c98ebe6958a846e5bc89c6f0b7f731b7b3e752b5ebd1

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a4204768.exe

Filesize
707KB

MD5
9ab016785e50278a579af890aab259cc

SHA1
d67d6fab2a2194102c59d94945388d016003e55d

SHA256
712ae2a3aa2b544126aaa067ade5c4e84bc01f2e875e0214cf6ca03543dc82b6

SHA512
f89e9249190ca8b51bae584c0a3e1f26fc134c99bb7fce67f04a9b059beaee7271348b1f524f2e42060d836e2f5fbd5477648601b76a879d0c7cb5335cd0aff9

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a4204768.exe

Filesize
707KB

MD5
9ab016785e50278a579af890aab259cc

SHA1
d67d6fab2a2194102c59d94945388d016003e55d

SHA256
712ae2a3aa2b544126aaa067ade5c4e84bc01f2e875e0214cf6ca03543dc82b6

SHA512
f89e9249190ca8b51bae584c0a3e1f26fc134c99bb7fce67f04a9b059beaee7271348b1f524f2e42060d836e2f5fbd5477648601b76a879d0c7cb5335cd0aff9

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\b6377477.exe

Filesize
700KB

MD5
9fd9c5c643a0cb93fc9782db5125dd25

SHA1
8eaefb900f80a5583b01b29de246deb553a9183f

SHA256
12c83592f8c1c720dd3b4c12dd81fa2b24f3345a7074771917203e21be40b6d8

SHA512
eac6df8deae47512d0e56973836ac4cf8728762a3aeef7f1fdc377222755a5d5e90ab080898f40fc3936f7b5cd0216b13da2815541bf7808212b414f799a1134

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\b6377477.exe

Filesize
700KB

MD5
9fd9c5c643a0cb93fc9782db5125dd25

SHA1
8eaefb900f80a5583b01b29de246deb553a9183f

SHA256
12c83592f8c1c720dd3b4c12dd81fa2b24f3345a7074771917203e21be40b6d8

SHA512
eac6df8deae47512d0e56973836ac4cf8728762a3aeef7f1fdc377222755a5d5e90ab080898f40fc3936f7b5cd0216b13da2815541bf7808212b414f799a1134

Download Submit
memory/2656-31-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2656-29-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2656-28-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2656-27-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3316-20-0x00000000049B0000-0x00000000049C2000-memory.dmp

Filesize
72KB

Download
memory/3316-24-0x0000000004A40000-0x0000000004A7C000-memory.dmp

Filesize
240KB

Download
memory/3316-25-0x0000000004A80000-0x0000000004ACC000-memory.dmp

Filesize
304KB

Download
memory/3316-26-0x00000000739C0000-0x0000000074170000-memory.dmp

Filesize
7.7MB

Download
memory/3316-19-0x0000000004A30000-0x0000000004A40000-memory.dmp

Filesize
64KB

Download
memory/3316-18-0x0000000004B50000-0x0000000004C5A000-memory.dmp

Filesize
1.0MB

Download
memory/3316-17-0x0000000005060000-0x0000000005678000-memory.dmp

Filesize
6.1MB

Download
memory/3316-16-0x0000000000CA0000-0x0000000000CA6000-memory.dmp

Filesize
24KB

Download
memory/3316-15-0x00000000739C0000-0x0000000074170000-memory.dmp

Filesize
7.7MB

Download
memory/3316-14-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/3316-35-0x0000000004A30000-0x0000000004A40000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads