redline | 6ffc56135363255fd5bfb361343cd67ea2a4bcd0a229c82a504a3426d37de564

General

Target

x9977711.exe
Size

442KB
MD5

f3a7993098f3a93aacc33d6b73074f8e
SHA1

d03f82159c4df90b158d1afe92a0e50a0f07c98c
SHA256

6ffc56135363255fd5bfb361343cd67ea2a4bcd0a229c82a504a3426d37de564
SHA512

73467a9e82788276ce59cf6f344cad2f44e992106254e27f3264f57217bea135d316319186c5e89806c44bbd817f58d122c034684e10a078bc6c7b66f35baed0
SSDEEP

12288:bMrFy90bTF7/1RL7JD9T9xV+IQI4uNMSscU:eyaF7/LxnxshuKAU

Score

10^/10

redline tuxiu infostealer persistence

Malware Config

Extracted

Family

redline

Botnet

tuxiu

C2

77.91.124.82:19071

Attributes

auth_value
29610cdad07e7187eec70685a04b89fe

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 3 IoCs

resource	yara_rule
behavioral2/files/0x0007000000023088-13.dat	family_redline
behavioral2/files/0x0007000000023088-14.dat	family_redline
behavioral2/memory/752-16-0x00000000005E0000-0x0000000000610000-memory.dmp	family_redline

Executes dropped EXE 2 IoCs

pid	Process
3260	g8710294.exe
752	h5607686.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	x9977711.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 3260 set thread context of 3308	3260	g8710294.exe	90

Program crash 2 IoCs

pid	pid_target	Process	procid_target
3192	3308	WerFault.exe	90
3272	3260	WerFault.exe	88

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 1780 wrote to memory of 3260	1780	x9977711.exe	88
PID 1780 wrote to memory of 3260	1780	x9977711.exe	88
PID 1780 wrote to memory of 3260	1780	x9977711.exe	88
PID 3260 wrote to memory of 3308	3260	g8710294.exe	90
PID 3260 wrote to memory of 3308	3260	g8710294.exe	90
PID 3260 wrote to memory of 3308	3260	g8710294.exe	90
PID 3260 wrote to memory of 3308	3260	g8710294.exe	90
PID 3260 wrote to memory of 3308	3260	g8710294.exe	90
PID 3260 wrote to memory of 3308	3260	g8710294.exe	90
PID 3260 wrote to memory of 3308	3260	g8710294.exe	90
PID 3260 wrote to memory of 3308	3260	g8710294.exe	90
PID 3260 wrote to memory of 3308	3260	g8710294.exe	90
PID 3260 wrote to memory of 3308	3260	g8710294.exe	90
PID 1780 wrote to memory of 752	1780	x9977711.exe	98
PID 1780 wrote to memory of 752	1780	x9977711.exe	98
PID 1780 wrote to memory of 752	1780	x9977711.exe	98

C:\Users\Admin\AppData\Local\Temp\x9977711.exe
"C:\Users\Admin\AppData\Local\Temp\x9977711.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1780
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\g8710294.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\g8710294.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:3260
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
    3⤵
    PID:3308
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3308 -s 192
      4⤵
      Program crash
      PID:3192
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3260 -s 224
    3⤵
    - Program crash
    PID:3272
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\h5607686.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\h5607686.exe
  2⤵
  - Executes dropped EXE
  PID:752

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 3260 -ip 3260
1⤵
PID:2284

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 496 -p 3308 -ip 3308
1⤵
PID:4228

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\g8710294.exe

Filesize
700KB

MD5
a420a058f341d72059d1e5b5a57bc599

SHA1
4cac917ba7339bed604a58690a30c411557f2c94

SHA256
9bb807cf7b1f9185dc98521d10d14320191adb2b5dbd6dfbc2fa582d582451dd

SHA512
7d1bedc4197f4a7885c997b7e30bbd277ba86cfabdb46c19a61fa2520ce30ed52ba54bb5ebca3682ab0b60a4b0c46b5f433e000fc96e5369c450d2bd8fb8c9e0

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\g8710294.exe

Filesize
700KB

MD5
a420a058f341d72059d1e5b5a57bc599

SHA1
4cac917ba7339bed604a58690a30c411557f2c94

SHA256
9bb807cf7b1f9185dc98521d10d14320191adb2b5dbd6dfbc2fa582d582451dd

SHA512
7d1bedc4197f4a7885c997b7e30bbd277ba86cfabdb46c19a61fa2520ce30ed52ba54bb5ebca3682ab0b60a4b0c46b5f433e000fc96e5369c450d2bd8fb8c9e0

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\h5607686.exe

Filesize
174KB

MD5
e29ab082f19501379d35f243292375c0

SHA1
4c4d1d54fcc72ebe125f221078cda3fd27bd20d9

SHA256
7b053601300d27d22b4fc0fb16d3bbbc0fcd2ce99547d28f2f9bd22e03300842

SHA512
830d965b5a82f76386f1f7018916fe07e40b9a6c9cb8ba6ebaebe3333fb2478204cd86a5971a23b7df0bdec134e5dbe65ceba49e013cd4d84cdeb6392b3ac4a9

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\h5607686.exe

Filesize
174KB

MD5
e29ab082f19501379d35f243292375c0

SHA1
4c4d1d54fcc72ebe125f221078cda3fd27bd20d9

SHA256
7b053601300d27d22b4fc0fb16d3bbbc0fcd2ce99547d28f2f9bd22e03300842

SHA512
830d965b5a82f76386f1f7018916fe07e40b9a6c9cb8ba6ebaebe3333fb2478204cd86a5971a23b7df0bdec134e5dbe65ceba49e013cd4d84cdeb6392b3ac4a9

Download Submit
memory/752-19-0x000000000AA80000-0x000000000B098000-memory.dmp

Filesize
6.1MB

Download
memory/752-18-0x0000000073E20000-0x00000000745D0000-memory.dmp

Filesize
7.7MB

Download
memory/752-25-0x0000000005090000-0x00000000050A0000-memory.dmp

Filesize
64KB

Download
memory/752-24-0x000000000A7F0000-0x000000000A83C000-memory.dmp

Filesize
304KB

Download
memory/752-15-0x0000000073E20000-0x00000000745D0000-memory.dmp

Filesize
7.7MB

Download
memory/752-16-0x00000000005E0000-0x0000000000610000-memory.dmp

Filesize
192KB

Download
memory/752-17-0x0000000000DA0000-0x0000000000DA6000-memory.dmp

Filesize
24KB

Download
memory/752-23-0x000000000A7B0000-0x000000000A7EC000-memory.dmp

Filesize
240KB

Download
memory/752-22-0x0000000004FC0000-0x0000000004FD2000-memory.dmp

Filesize
72KB

Download
memory/752-20-0x000000000A460000-0x000000000A56A000-memory.dmp

Filesize
1.0MB

Download
memory/752-21-0x0000000005090000-0x00000000050A0000-memory.dmp

Filesize
64KB

Download
memory/3308-7-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3308-8-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3308-9-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3308-11-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads