redline | 0b97fab15da596b5e178ed4c683b32137551e7cd28d68ca3db085f0b5ec9eafd

Analysis

max time kernel
148s
max time network
159s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
12/10/2023, 05:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0b97fab15da596b5e178ed4c683b32137551e7cd28d68ca3db085f0b5ec9eafd.exe
Size

1.0MB
MD5

e1676989588741ad6c80e13ebc267491
SHA1

2c8354591bc4e0ed6d8a20fbf48fdf9dd1d2a533
SHA256

0b97fab15da596b5e178ed4c683b32137551e7cd28d68ca3db085f0b5ec9eafd
SHA512

04bd7aa3b51194ebc31aa614098deecf53ce3295236eb394ebf35e7df0211a9b960ff3f92bb3049e0736701ba8f5b9a4cc4f7858cc7c3ccbd54ea800fc3f39a1
SSDEEP

24576:YyRr2wHLOjPggZvf9rWGPXRwu/pNgvflzmHP3wwfkKmg:fRPgPnRlNQs3

Score

10^/10

redline tuxiu infostealer persistence

Malware Config

Extracted

Family

redline

Botnet

tuxiu

77.91.124.82:19071

Attributes

auth_value
29610cdad07e7187eec70685a04b89fe

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 3 IoCs

resource	yara_rule
behavioral2/files/0x00060000000231d7-34.dat	family_redline
behavioral2/files/0x00060000000231d7-35.dat	family_redline
behavioral2/memory/3816-36-0x0000000000930000-0x0000000000960000-memory.dmp	family_redline

Executes dropped EXE 5 IoCs

pid	Process
1384	x3945728.exe
2396	x4199127.exe
3128	x5952378.exe
1248	g9269993.exe
3816	h2688106.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	0b97fab15da596b5e178ed4c683b32137551e7cd28d68ca3db085f0b5ec9eafd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	x3945728.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	x4199127.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	x5952378.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1248 set thread context of 4392	1248	g9269993.exe	92

Program crash 2 IoCs

pid	pid_target	Process	procid_target
4204	1248	WerFault.exe	89
4484	4392	WerFault.exe	92

Suspicious use of WriteProcessMemory 25 IoCs

description	pid	Process	procid_target
PID 3556 wrote to memory of 1384	3556	0b97fab15da596b5e178ed4c683b32137551e7cd28d68ca3db085f0b5ec9eafd.exe	86
PID 3556 wrote to memory of 1384	3556	0b97fab15da596b5e178ed4c683b32137551e7cd28d68ca3db085f0b5ec9eafd.exe	86
PID 3556 wrote to memory of 1384	3556	0b97fab15da596b5e178ed4c683b32137551e7cd28d68ca3db085f0b5ec9eafd.exe	86
PID 1384 wrote to memory of 2396	1384	x3945728.exe	87
PID 1384 wrote to memory of 2396	1384	x3945728.exe	87
PID 1384 wrote to memory of 2396	1384	x3945728.exe	87
PID 2396 wrote to memory of 3128	2396	x4199127.exe	88
PID 2396 wrote to memory of 3128	2396	x4199127.exe	88
PID 2396 wrote to memory of 3128	2396	x4199127.exe	88
PID 3128 wrote to memory of 1248	3128	x5952378.exe	89
PID 3128 wrote to memory of 1248	3128	x5952378.exe	89
PID 3128 wrote to memory of 1248	3128	x5952378.exe	89
PID 1248 wrote to memory of 4392	1248	g9269993.exe	92
PID 1248 wrote to memory of 4392	1248	g9269993.exe	92
PID 1248 wrote to memory of 4392	1248	g9269993.exe	92
PID 1248 wrote to memory of 4392	1248	g9269993.exe	92
PID 1248 wrote to memory of 4392	1248	g9269993.exe	92
PID 1248 wrote to memory of 4392	1248	g9269993.exe	92
PID 1248 wrote to memory of 4392	1248	g9269993.exe	92
PID 1248 wrote to memory of 4392	1248	g9269993.exe	92
PID 1248 wrote to memory of 4392	1248	g9269993.exe	92
PID 1248 wrote to memory of 4392	1248	g9269993.exe	92
PID 3128 wrote to memory of 3816	3128	x5952378.exe	98
PID 3128 wrote to memory of 3816	3128	x5952378.exe	98
PID 3128 wrote to memory of 3816	3128	x5952378.exe	98

C:\Users\Admin\AppData\Local\Temp\0b97fab15da596b5e178ed4c683b32137551e7cd28d68ca3db085f0b5ec9eafd.exe
"C:\Users\Admin\AppData\Local\Temp\0b97fab15da596b5e178ed4c683b32137551e7cd28d68ca3db085f0b5ec9eafd.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3556
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x3945728.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x3945728.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:1384
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x4199127.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x4199127.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:2396
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\x5952378.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\x5952378.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:3128
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\g9269993.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\g9269993.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:1248
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        6⤵
        
        PID:4392
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4392 -s 540
        7⤵
        Program crash
        
        PID:4484
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1248 -s 148
        6⤵
        Program crash
        
        PID:4204
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\h2688106.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\h2688106.exe
        5⤵
        Executes dropped EXE
        
        PID:3816

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 1248 -ip 1248
1⤵
PID:220

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 4392 -ip 4392
1⤵
PID:1576

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x3945728.exe

Filesize
932KB

MD5
c88bbcdcb9fa8c47f58a12f1a765ced0

SHA1
852d3f8ebe33d4e33f65da963dd4f2c0a520b739

SHA256
30f4caf4a9c3203c22334178d46e0da3b1d17e26d6c3241c232bc283f629f70a

SHA512
55b62144763803040ecf6e07867939e38c048e52c8a4c3467ad7eb9b301f8a1dc01f70c5bca03b9279e6da3a521bee8bb5b5801213645057476cc3159b85af44

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x3945728.exe

Filesize
932KB

MD5
c88bbcdcb9fa8c47f58a12f1a765ced0

SHA1
852d3f8ebe33d4e33f65da963dd4f2c0a520b739

SHA256
30f4caf4a9c3203c22334178d46e0da3b1d17e26d6c3241c232bc283f629f70a

SHA512
55b62144763803040ecf6e07867939e38c048e52c8a4c3467ad7eb9b301f8a1dc01f70c5bca03b9279e6da3a521bee8bb5b5801213645057476cc3159b85af44

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x4199127.exe

Filesize
628KB

MD5
2e5a243271255810b466e15ff15010d7

SHA1
a79865e26a5e762fa956e00b62feb2313e5d7dbe

SHA256
1c90b22b26b5060569b6fbab8aef02ad6367032b99ced87f399639830321f47c

SHA512
194607194086b459743ec95d2a40160c8884df2184d45f63e1625fa22031d9ead653d31f730b41354f3479b4564f3dff33c2ddc809c8284b31ee638f6040e60a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x4199127.exe

Filesize
628KB

MD5
2e5a243271255810b466e15ff15010d7

SHA1
a79865e26a5e762fa956e00b62feb2313e5d7dbe

SHA256
1c90b22b26b5060569b6fbab8aef02ad6367032b99ced87f399639830321f47c

SHA512
194607194086b459743ec95d2a40160c8884df2184d45f63e1625fa22031d9ead653d31f730b41354f3479b4564f3dff33c2ddc809c8284b31ee638f6040e60a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\x5952378.exe

Filesize
442KB

MD5
d98d7aaab673f871f46ce0d1f286539f

SHA1
1915cf5adcc0ac49aa5938afcfdbac8100a31a70

SHA256
13f0f7a777c6cec3f13c088826d3d4e4672c89357649e45587aeebcc51b9a9a4

SHA512
6b1bc95d0649dcbe1850b63ff34fcfd3ad49afb57fe419b7f43fe27a4e797ffa643f894daced91a40ec7676c7a4a0b44c53a3f0134e3e75c28c31f6899470449

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\x5952378.exe

Filesize
442KB

MD5
d98d7aaab673f871f46ce0d1f286539f

SHA1
1915cf5adcc0ac49aa5938afcfdbac8100a31a70

SHA256
13f0f7a777c6cec3f13c088826d3d4e4672c89357649e45587aeebcc51b9a9a4

SHA512
6b1bc95d0649dcbe1850b63ff34fcfd3ad49afb57fe419b7f43fe27a4e797ffa643f894daced91a40ec7676c7a4a0b44c53a3f0134e3e75c28c31f6899470449

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\g9269993.exe

Filesize
700KB

MD5
4a6f9962fbdbaa879588d5d1b3cd07f6

SHA1
1a02c36f25313dd12474c8ac42441ed8e35c7b2f

SHA256
9f37898d814eb72500921e97e18a99b8713b87dd6fc7cb4b36d0872536dd3520

SHA512
65ea938cd49b2db363b8c4ffc671fb8af25b085762642a7a5e26493ce86c5736e13388e28267e51b018f476c57db1246b2f28075f8d0c6c3302b3633eedbeec9

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\g9269993.exe

Filesize
700KB

MD5
4a6f9962fbdbaa879588d5d1b3cd07f6

SHA1
1a02c36f25313dd12474c8ac42441ed8e35c7b2f

SHA256
9f37898d814eb72500921e97e18a99b8713b87dd6fc7cb4b36d0872536dd3520

SHA512
65ea938cd49b2db363b8c4ffc671fb8af25b085762642a7a5e26493ce86c5736e13388e28267e51b018f476c57db1246b2f28075f8d0c6c3302b3633eedbeec9

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\h2688106.exe

Filesize
174KB

MD5
39dc20fbb613c55458b953770974822b

SHA1
e1927be4b4314f3f099ee32f24906f626ecf8bbd

SHA256
8239aa2532b49155e2d89ba58ff4e2b7150bd3295f0a6715117af06747414d3e

SHA512
836c18ed16a6484af450d718930c39755673c94a19c013b5af844238f6eb17f7d5ba367b4e2ab0bcfa78020d05a9d4cba1f5538a781798086f871f6ca6b901db

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\h2688106.exe

Filesize
174KB

MD5
39dc20fbb613c55458b953770974822b

SHA1
e1927be4b4314f3f099ee32f24906f626ecf8bbd

SHA256
8239aa2532b49155e2d89ba58ff4e2b7150bd3295f0a6715117af06747414d3e

SHA512
836c18ed16a6484af450d718930c39755673c94a19c013b5af844238f6eb17f7d5ba367b4e2ab0bcfa78020d05a9d4cba1f5538a781798086f871f6ca6b901db

Download Submit
memory/3816-39-0x000000000ADA0000-0x000000000B3B8000-memory.dmp

Filesize
6.1MB

Download
memory/3816-42-0x000000000A820000-0x000000000A832000-memory.dmp

Filesize
72KB

Download
memory/3816-46-0x00000000052F0000-0x0000000005300000-memory.dmp

Filesize
64KB

Download
memory/3816-45-0x0000000074130000-0x00000000748E0000-memory.dmp

Filesize
7.7MB

Download
memory/3816-36-0x0000000000930000-0x0000000000960000-memory.dmp

Filesize
192KB

Download
memory/3816-37-0x0000000074130000-0x00000000748E0000-memory.dmp

Filesize
7.7MB

Download
memory/3816-44-0x000000000A9F0000-0x000000000AA3C000-memory.dmp

Filesize
304KB

Download
memory/3816-40-0x000000000A8E0000-0x000000000A9EA000-memory.dmp

Filesize
1.0MB

Download
memory/3816-38-0x0000000002BA0000-0x0000000002BA6000-memory.dmp

Filesize
24KB

Download
memory/3816-41-0x00000000052F0000-0x0000000005300000-memory.dmp

Filesize
64KB

Download
memory/3816-43-0x000000000A880000-0x000000000A8BC000-memory.dmp

Filesize
240KB

Download
memory/4392-29-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4392-32-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4392-30-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4392-28-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads