redline | 81b0f02e80fad3040b997505f3392e43d51b693bbcdac9d386bf7acd029bfd96

Analysis

max time kernel
148s
max time network
157s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
12/10/2023, 06:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

81b0f02e80fad3040b997505f3392e43d51b693bbcdac9d386bf7acd029bfd96.exe
Size

1.0MB
MD5

e0a2918fcba6822fb2533a5af0580ccd
SHA1

b26f693bb5c86c572b3c436f7be692877842794f
SHA256

81b0f02e80fad3040b997505f3392e43d51b693bbcdac9d386bf7acd029bfd96
SHA512

ef568993bcdbca45c8eda3f01489c03630523453dc04a25d266788d6c667a1ac09e66dd948a922809cac3373385bdd92b5e095f43448a0fb5b1b6f3375d3eefe
SSDEEP

12288:fMr/y90AK1aH4oyl7XlKTSyGOyuFR6OK/f+uuYfJw7cXWK4SRhRnX8fazlnQoktC:0ylCv5lpXPOy7fRjS7S5vRrnXb3Fh

Score

10^/10

redline tuxiu infostealer persistence

Malware Config

Extracted

Family

redline

Botnet

tuxiu

77.91.124.82:19071

Attributes

auth_value
29610cdad07e7187eec70685a04b89fe

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 3 IoCs

resource	yara_rule
behavioral2/files/0x00060000000231e4-34.dat	family_redline
behavioral2/files/0x00060000000231e4-35.dat	family_redline
behavioral2/memory/4676-36-0x0000000000040000-0x0000000000070000-memory.dmp	family_redline

Executes dropped EXE 5 IoCs

pid	Process
2324	x9353243.exe
1644	x9188298.exe
4104	x9087459.exe
3500	g5938105.exe
4676	h4190383.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	81b0f02e80fad3040b997505f3392e43d51b693bbcdac9d386bf7acd029bfd96.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	x9353243.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	x9188298.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	x9087459.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 3500 set thread context of 3816	3500	g5938105.exe	88

Program crash 3 IoCs

pid	pid_target	Process	procid_target
496	3816	WerFault.exe	88
2108	3816	WerFault.exe	88
720	3500	WerFault.exe	86

Suspicious use of WriteProcessMemory 28 IoCs

description	pid	Process	procid_target
PID 2884 wrote to memory of 2324	2884	81b0f02e80fad3040b997505f3392e43d51b693bbcdac9d386bf7acd029bfd96.exe	83
PID 2884 wrote to memory of 2324	2884	81b0f02e80fad3040b997505f3392e43d51b693bbcdac9d386bf7acd029bfd96.exe	83
PID 2884 wrote to memory of 2324	2884	81b0f02e80fad3040b997505f3392e43d51b693bbcdac9d386bf7acd029bfd96.exe	83
PID 2324 wrote to memory of 1644	2324	x9353243.exe	84
PID 2324 wrote to memory of 1644	2324	x9353243.exe	84
PID 2324 wrote to memory of 1644	2324	x9353243.exe	84
PID 1644 wrote to memory of 4104	1644	x9188298.exe	85
PID 1644 wrote to memory of 4104	1644	x9188298.exe	85
PID 1644 wrote to memory of 4104	1644	x9188298.exe	85
PID 4104 wrote to memory of 3500	4104	x9087459.exe	86
PID 4104 wrote to memory of 3500	4104	x9087459.exe	86
PID 4104 wrote to memory of 3500	4104	x9087459.exe	86
PID 3500 wrote to memory of 3816	3500	g5938105.exe	88
PID 3500 wrote to memory of 3816	3500	g5938105.exe	88
PID 3500 wrote to memory of 3816	3500	g5938105.exe	88
PID 3500 wrote to memory of 3816	3500	g5938105.exe	88
PID 3500 wrote to memory of 3816	3500	g5938105.exe	88
PID 3500 wrote to memory of 3816	3500	g5938105.exe	88
PID 3500 wrote to memory of 3816	3500	g5938105.exe	88
PID 3500 wrote to memory of 3816	3500	g5938105.exe	88
PID 3500 wrote to memory of 3816	3500	g5938105.exe	88
PID 3500 wrote to memory of 3816	3500	g5938105.exe	88
PID 3816 wrote to memory of 496	3816	AppLaunch.exe	99
PID 3816 wrote to memory of 496	3816	AppLaunch.exe	99
PID 3816 wrote to memory of 496	3816	AppLaunch.exe	99
PID 4104 wrote to memory of 4676	4104	x9087459.exe	105
PID 4104 wrote to memory of 4676	4104	x9087459.exe	105
PID 4104 wrote to memory of 4676	4104	x9087459.exe	105

C:\Users\Admin\AppData\Local\Temp\81b0f02e80fad3040b997505f3392e43d51b693bbcdac9d386bf7acd029bfd96.exe
"C:\Users\Admin\AppData\Local\Temp\81b0f02e80fad3040b997505f3392e43d51b693bbcdac9d386bf7acd029bfd96.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2884
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x9353243.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x9353243.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:2324
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x9188298.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x9188298.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:1644
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\x9087459.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\x9087459.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:4104
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\g5938105.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\g5938105.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:3500
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:3816
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3816 -s 540
        7⤵
        Program crash
        
        PID:496
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3816 -s 540
        7⤵
        Program crash
        
        PID:2108
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3500 -s 136
        6⤵
        Program crash
        
        PID:720
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\h4190383.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\h4190383.exe
        5⤵
        Executes dropped EXE
        
        PID:4676

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 356 -p 3816 -ip 3816
1⤵
PID:1604

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 3500 -ip 3500
1⤵
PID:3504

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x9353243.exe

Filesize
931KB

MD5
a870485f365e8a01b7532083ff8b0f7a

SHA1
959ba03311c86eb1a72b79f0df5a984bf54f6849

SHA256
133e678479d814dae4ae5d3f3a0fc63e0ff92a6a3b2b3c34b71f0f066bd97489

SHA512
ce7469b3ce64a84e0ff1c305c381d27c65e985fe230a9088fb1bf78e5890dc942fa57fdca1cb93af92e70e01de27aec295ade543189e250d753edf006e828aca

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x9353243.exe

Filesize
931KB

MD5
a870485f365e8a01b7532083ff8b0f7a

SHA1
959ba03311c86eb1a72b79f0df5a984bf54f6849

SHA256
133e678479d814dae4ae5d3f3a0fc63e0ff92a6a3b2b3c34b71f0f066bd97489

SHA512
ce7469b3ce64a84e0ff1c305c381d27c65e985fe230a9088fb1bf78e5890dc942fa57fdca1cb93af92e70e01de27aec295ade543189e250d753edf006e828aca

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x9188298.exe

Filesize
627KB

MD5
f7907029e57999954ccdf5068f3a8911

SHA1
5c73a2c4c2be2b6400400e6cac4dcdb0e4a0a3d4

SHA256
fc489c25d3ed7170bca4bf11d85afb49fa81765f0065edb4cff1283b4d68fd58

SHA512
1b36013cc324c378f40424854389c0af707c610758705548d30ee3a6c51d6c84b923a3e9794829b6cac823a10b17ae27362b58d68923314ccdce82ed510a8118

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x9188298.exe

Filesize
627KB

MD5
f7907029e57999954ccdf5068f3a8911

SHA1
5c73a2c4c2be2b6400400e6cac4dcdb0e4a0a3d4

SHA256
fc489c25d3ed7170bca4bf11d85afb49fa81765f0065edb4cff1283b4d68fd58

SHA512
1b36013cc324c378f40424854389c0af707c610758705548d30ee3a6c51d6c84b923a3e9794829b6cac823a10b17ae27362b58d68923314ccdce82ed510a8118

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\x9087459.exe

Filesize
442KB

MD5
98119a485257c911d702e7eeab290d0a

SHA1
1c519a4fd81c370ab08dd0e04868ae9051339900

SHA256
33d5841f3020a2f1590cd5f1c39432d50cc33705defc676e4dbef8d509926e99

SHA512
a87d483837019196e5d1943e748ad18fd504d64a7fca7c81806d47c9172495115388666be369ace013355158f970eb7e1edf0c32a3f1c1d5ce9afbd2acc4eeec

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\x9087459.exe

Filesize
442KB

MD5
98119a485257c911d702e7eeab290d0a

SHA1
1c519a4fd81c370ab08dd0e04868ae9051339900

SHA256
33d5841f3020a2f1590cd5f1c39432d50cc33705defc676e4dbef8d509926e99

SHA512
a87d483837019196e5d1943e748ad18fd504d64a7fca7c81806d47c9172495115388666be369ace013355158f970eb7e1edf0c32a3f1c1d5ce9afbd2acc4eeec

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\g5938105.exe

Filesize
700KB

MD5
5341fee73b3c4a59bdc2858129668b8e

SHA1
4a4c6f726ae7fbe6a96fac3fd4087b856af9a15b

SHA256
2a25ec2ee146dcd301f6f0379ad16d33fc380ead38d7235c1625a03132bc1d7a

SHA512
cbf1dce34eb0a00213572ca8a7ca560882b07d715654436799f2cd8d6fb90f28a2ff3d0535cfd7e7a32354b1642210c21d90dbad591fae408fc98cd9b3c8e3a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\g5938105.exe

Filesize
700KB

MD5
5341fee73b3c4a59bdc2858129668b8e

SHA1
4a4c6f726ae7fbe6a96fac3fd4087b856af9a15b

SHA256
2a25ec2ee146dcd301f6f0379ad16d33fc380ead38d7235c1625a03132bc1d7a

SHA512
cbf1dce34eb0a00213572ca8a7ca560882b07d715654436799f2cd8d6fb90f28a2ff3d0535cfd7e7a32354b1642210c21d90dbad591fae408fc98cd9b3c8e3a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\h4190383.exe

Filesize
174KB

MD5
23fcddd8dc66a93518184b5e1dbb8b39

SHA1
0b01ec34447e71516378f5375b953e7878356c2e

SHA256
8cc2b2c44ccc60bbcd400320aa98734326e35a26bd158ae84dd797468f509eeb

SHA512
2eb320ab5db8ac298c8b2a18e95fbd6fc0daf3e3b91e322e71ba063028d1db3628bff8e6a4b7014d32896a7bb0727054eee417db21c3f890b6ba2460eeb1ab50

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\h4190383.exe

Filesize
174KB

MD5
23fcddd8dc66a93518184b5e1dbb8b39

SHA1
0b01ec34447e71516378f5375b953e7878356c2e

SHA256
8cc2b2c44ccc60bbcd400320aa98734326e35a26bd158ae84dd797468f509eeb

SHA512
2eb320ab5db8ac298c8b2a18e95fbd6fc0daf3e3b91e322e71ba063028d1db3628bff8e6a4b7014d32896a7bb0727054eee417db21c3f890b6ba2460eeb1ab50

Download Submit
memory/3816-30-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3816-29-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3816-32-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3816-28-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4676-39-0x00000000050C0000-0x00000000056D8000-memory.dmp

Filesize
6.1MB

Download
memory/4676-37-0x0000000073ED0000-0x0000000074680000-memory.dmp

Filesize
7.7MB

Download
memory/4676-38-0x0000000002330000-0x0000000002336000-memory.dmp

Filesize
24KB

Download
memory/4676-36-0x0000000000040000-0x0000000000070000-memory.dmp

Filesize
192KB

Download
memory/4676-40-0x0000000004BD0000-0x0000000004CDA000-memory.dmp

Filesize
1.0MB

Download
memory/4676-42-0x0000000004B10000-0x0000000004B22000-memory.dmp

Filesize
72KB

Download
memory/4676-41-0x0000000004890000-0x00000000048A0000-memory.dmp

Filesize
64KB

Download
memory/4676-43-0x0000000004B70000-0x0000000004BAC000-memory.dmp

Filesize
240KB

Download
memory/4676-44-0x0000000004CE0000-0x0000000004D2C000-memory.dmp

Filesize
304KB

Download
memory/4676-45-0x0000000073ED0000-0x0000000074680000-memory.dmp

Filesize
7.7MB

Download
memory/4676-46-0x0000000004890000-0x00000000048A0000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads