Analysis
max time kernel: 141s
max time network: 149s
platform: windows10-2004_x64
resource: win10v2004-20230915-en
resource tags: arch:x64, arch:x86, image:win10v2004-20230915-en, locale:en-us, os:windows10-2004-x64, system
submitted: 12-10-2023 04:56
Static task: static1
Behavioral task: behavioral1
  Sample: a0f8e2b26c6c20bd278a67028fd951544c26fe408490a65de58b8e8212ee9a9a.exe
  Resource: win7-20230831-en
Behavioral task: behavioral2
  Sample: a0f8e2b26c6c20bd278a67028fd951544c26fe408490a65de58b8e8212ee9a9a.exe
  Resource: win10v2004-20230915-en
General
Target: a0f8e2b26c6c20bd278a67028fd951544c26fe408490a65de58b8e8212ee9a9a.exe
Size: 1.0MB
MD5: e2afde3ecee647cf8f500c6fd14cab42
SHA1: 9419ba9d941cb8ea3bf0b408ed21532cdfd1ab9f
SHA256: a0f8e2b26c6c20bd278a67028fd951544c26fe408490a65de58b8e8212ee9a9a
SHA512: 6df25575750b5863f6a09be57837ab57c569992ca0323d510bbaebfa71c3de4c88d9251303b2b305ce7906600af3bb290629fc25b493edbd13f9a21a88114c96
SSDEEP: 12288:iMrIy90xp6n3TkjztmSR5TsMNAt9kMUAKYi0DgNleWGXyJUvK++8G/72yRr8+6dQ:iynotT9LAXnDOeruoERLWWlchFij
Malware Config
Extracted
Family: redline
Botnet: tuxiu
C2: 77.91.124.82:19071
auth_value: 29610cdad07e7187eec70685a04b89fe
Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.

RedLine payload 3 IoCs
  resource                                                                    yara_rule
  behavioral2/files/0x00060000000231da-34.dat                                 family_redline
  behavioral2/files/0x00060000000231da-35.dat                                 family_redline
  behavioral2/memory/3244-36-0x00000000007C0000-0x00000000007F0000-memory.dmp  family_redline

Executes dropped EXE 5 IoCs
  pid   Process
  844   x8784802.exe
  4824  x3121515.exe
  4192  x6729903.exe
  1592  g2312590.exe
  3244  h8523904.exe

Adds Run key to start application 2 TTPs 4 IoCs
  description: Set value (str)
  ioc: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""
  Process: x6729903.exe

  description: Set value (str)
  ioc: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""
  Process: a0f8e2b26c6c20bd278a67028fd951544c26fe408490a65de58b8e8212ee9a9a.exe

  description: Set value (str)
  ioc: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""
  Process: x8784802.exe

  description: Set value (str)
  ioc: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""
  Process: x3121515.exe

Suspicious use of SetThreadContext 1 IoCs
  description                          pid   Process       procid_target
  PID 1592 set thread context of 3956  1592  g2312590.exe  91

Program crash 2 IoCs
  pid   pid_target  Process       procid_target
  4776  1592        WerFault.exe  89
  2768  3956        WerFault.exe  91

Suspicious use of WriteProcessMemory 25 IoCs
  description                       pid   Process                                                                   procid_target
  PID 3044 wrote to memory of 844   3044  a0f8e2b26c6c20bd278a67028fd951544c26fe408490a65de58b8e8212ee9a9a.exe  86
  PID 3044 wrote to memory of 844   3044  a0f8e2b26c6c20bd278a67028fd951544c26fe408490a65de58b8e8212ee9a9a.exe  86
  PID 3044 wrote to memory of 844   3044  a0f8e2b26c6c20bd278a67028fd951544c26fe408490a65de58b8e8212ee9a9a.exe  86
  PID 844 wrote to memory of 4824   844   x8784802.exe                                                              87
  PID 844 wrote to memory of 4824   844   x8784802.exe                                                              87
  PID 844 wrote to memory of 4824   844   x8784802.exe                                                              87
  PID 4824 wrote to memory of 4192  4824  x3121515.exe                                                              88
  PID 4824 wrote to memory of 4192  4824  x3121515.exe                                                              88
  PID 4824 wrote to memory of 4192  4824  x3121515.exe                                                              88
  PID 4192 wrote to memory of 1592  4192  x6729903.exe                                                              89
  PID 4192 wrote to memory of 1592  4192  x6729903.exe                                                              89
  PID 4192 wrote to memory of 1592  4192  x6729903.exe                                                              89
  PID 1592 wrote to memory of 3956  1592  g2312590.exe                                                              91
  PID 1592 wrote to memory of 3956  1592  g2312590.exe                                                              91
  PID 1592 wrote to memory of 3956  1592  g2312590.exe                                                              91
  PID 1592 wrote to memory of 3956  1592  g2312590.exe                                                              91
  PID 1592 wrote to memory of 3956  1592  g2312590.exe                                                              91
  PID 1592 wrote to memory of 3956  1592  g2312590.exe                                                              91
  PID 1592 wrote to memory of 3956  1592  g2312590.exe                                                              91
  PID 1592 wrote to memory of 3956  1592  g2312590.exe                                                              91
  PID 1592 wrote to memory of 3956  1592  g2312590.exe                                                              91
  PID 1592 wrote to memory of 3956  1592  g2312590.exe                                                              91
  PID 4192 wrote to memory of 3244  4192  x6729903.exe                                                              104
  PID 4192 wrote to memory of 3244  4192  x6729903.exe                                                              104
  PID 4192 wrote to memory of 3244  4192  x6729903.exe                                                              104
Processes
C:\Users\Admin\AppData\Local\Temp\a0f8e2b26c6c20bd278a67028fd951544c26fe408490a65de58b8e8212ee9a9a.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\a0f8e2b26c6c20bd278a67028fd951544c26fe408490a65de58b8e8212ee9a9a.exe"
  PID: 3044
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x8784802.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x8784802.exe
    PID: 844
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x3121515.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x3121515.exe
      PID: 4824
      - Executes dropped EXE
      - Adds Run key to start application
      - Suspicious use of WriteProcessMemory
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\x6729903.exe
        Command line: C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\x6729903.exe
        PID: 4192
        - Executes dropped EXE
        - Adds Run key to start application
        - Suspicious use of WriteProcessMemory
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\g2312590.exe
          Command line: C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\g2312590.exe
          PID: 1592
          - Executes dropped EXE
          - Suspicious use of SetThreadContext
          - Suspicious use of WriteProcessMemory
          C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
            Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
            PID: 3956
            C:\Windows\SysWOW64\WerFault.exe
              Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3956 -s 540
              PID: 2768
              - Program crash
          C:\Windows\SysWOW64\WerFault.exe
            Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1592 -s 140
            PID: 4776
            - Program crash
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\h8523904.exe
          Command line: C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\h8523904.exe
          PID: 3244
          - Executes dropped EXE
C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 1592 -ip 1592
  PID: 4876
C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3956 -ip 3956
  PID: 4872
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize: 932KB
MD5: 8a7bf02e52bb78fa018970ca9ee2d889
SHA1: d7862d22da8e5846cccb6f209f479ad74ab961a5
SHA256: fc0650fb5d628973dd7207078a6c55dae21064ae46ed76579e7e33509b3ffed7
SHA512: 753716a7037e2196e9044f59cd56ba8adef48ac658a684cad6d4cbba3848119a9e193852a27f25e74e753d9883f84fedcdcf3ae60db2323a1b41b69d2292a240
-
Filesize: 628KB
MD5: 328781ba4183c1b2dea95a2c9f4e2fb2
SHA1: c3d303d136968060d39a716d7680cd7cf52cec46
SHA256: 0ab5e2c09f256d9c9fe0e575c8fa8680992199e563915603c64952e144f6e846
SHA512: 16e62b9108aa0bee0ee04b2243cdbbf7a9cbc4923d35a16a0dce1736aa29936e8fbaadeaa8f6e5644736b82cb0326a52f33a13a695f782677e17c76a62715c5e
-
Filesize: 442KB
MD5: 1e83b4c180806e89335f699a7341ebfd
SHA1: 87b80267b793382f37a0b7185af881ccca4d57ab
SHA256: 2b062cb912bb28cbabf06b705f270e98ce3cf0d66ad8886e5c06f10876079bff
SHA512: 6114e97c9a6278998c19bac9243bbbfb256718810b49bdf648a61c9a861f0145068ab2695b12ee1f0081234798dc3e110742add665beab642920100188e60534
-
Filesize: 700KB
MD5: 0ee045f663d07dca4edf5b360e8809c5
SHA1: 0e5a7e9c4670d81334a16ef818fa6c2219873a24
SHA256: 4bdf30014565dcdd65617da362ca46f371380b749083cd843ac85465aa22c221
SHA512: b98057f5a2310aa75d9f48d8e9c1da87fe3cbe4b055d30bccfce601ef0fb0776d99536c56f2c086eeb21816b979b91109e2429554449fe7c0b8f7eba6929bc83
-
Filesize: 174KB
MD5: d1dd45032d3c87eaee199d76ca2a7530
SHA1: e2e0b47a4efb66c0ce92b579598ed1dbcd5277f2
SHA256: 1f3b74e6fb8faf0dc9003e66bdec35620483261e08544713dac8e3f10b682e54
SHA512: e0d7bce976f92ff51afd91fdd12baa3730b864e321b5ae4037e454d86afbc352ab5a8a7ef08c1cd959d8fbf7d5a988d9865fdf8edd6841d5e5ae8a799aefd623