redline | 07e6e1ea25277e49c085f36e932666f6fa11b1397defa91d8925bddc19dadca5

Analysis

max time kernel
156s
max time network
163s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
12/10/2023, 06:07

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

07e6e1ea25277e49c085f36e932666f6fa11b1397defa91d8925bddc19dadca5.exe
Size

567KB
MD5

40f488fc41869c2977aabf08edb40dae
SHA1

b3a248df7e086b2c7e203988de7f2548abcfbdcb
SHA256

07e6e1ea25277e49c085f36e932666f6fa11b1397defa91d8925bddc19dadca5
SHA512

fcfbfeb9fcf05ae59bf3a56c7503c62400bfd4f2161fd8c6c147d375f8b1e3ca33817a16c65ea5fd8f9141dec79042cb566cf25ab2091904dc89e43a386638c4
SSDEEP

12288:HMrUy90W0CMT1mXL6h0IRK97+/pQRij/C86jNRV:ryv0Ca9h0IU9N8CV

Score

10^/10

redline trush infostealer persistence

Malware Config

Extracted

Family

redline

Botnet

trush

77.91.124.82:19071

Attributes

auth_value
c13814867cde8193679cd0cad2d774be

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Executes dropped EXE 4 IoCs

pid	Process
2344	v9770518.exe
3108	a6325214.exe
1644	b6890755.exe
4796	c7000662.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	07e6e1ea25277e49c085f36e932666f6fa11b1397defa91d8925bddc19dadca5.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	v9770518.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 3108 set thread context of 2136	3108	a6325214.exe	91
PID 1644 set thread context of 4404	1644	b6890755.exe	98

Program crash 3 IoCs

pid	pid_target	Process	procid_target
4984	3108	WerFault.exe	89
2412	1644	WerFault.exe	94
2912	4404	WerFault.exe	98

Suspicious use of WriteProcessMemory 30 IoCs

description	pid	Process	procid_target
PID 4368 wrote to memory of 2344	4368	07e6e1ea25277e49c085f36e932666f6fa11b1397defa91d8925bddc19dadca5.exe	88
PID 4368 wrote to memory of 2344	4368	07e6e1ea25277e49c085f36e932666f6fa11b1397defa91d8925bddc19dadca5.exe	88
PID 4368 wrote to memory of 2344	4368	07e6e1ea25277e49c085f36e932666f6fa11b1397defa91d8925bddc19dadca5.exe	88
PID 2344 wrote to memory of 3108	2344	v9770518.exe	89
PID 2344 wrote to memory of 3108	2344	v9770518.exe	89
PID 2344 wrote to memory of 3108	2344	v9770518.exe	89
PID 3108 wrote to memory of 2136	3108	a6325214.exe	91
PID 3108 wrote to memory of 2136	3108	a6325214.exe	91
PID 3108 wrote to memory of 2136	3108	a6325214.exe	91
PID 3108 wrote to memory of 2136	3108	a6325214.exe	91
PID 3108 wrote to memory of 2136	3108	a6325214.exe	91
PID 3108 wrote to memory of 2136	3108	a6325214.exe	91
PID 3108 wrote to memory of 2136	3108	a6325214.exe	91
PID 3108 wrote to memory of 2136	3108	a6325214.exe	91
PID 2344 wrote to memory of 1644	2344	v9770518.exe	94
PID 2344 wrote to memory of 1644	2344	v9770518.exe	94
PID 2344 wrote to memory of 1644	2344	v9770518.exe	94
PID 1644 wrote to memory of 4404	1644	b6890755.exe	98
PID 1644 wrote to memory of 4404	1644	b6890755.exe	98
PID 1644 wrote to memory of 4404	1644	b6890755.exe	98
PID 1644 wrote to memory of 4404	1644	b6890755.exe	98
PID 1644 wrote to memory of 4404	1644	b6890755.exe	98
PID 1644 wrote to memory of 4404	1644	b6890755.exe	98
PID 1644 wrote to memory of 4404	1644	b6890755.exe	98
PID 1644 wrote to memory of 4404	1644	b6890755.exe	98
PID 1644 wrote to memory of 4404	1644	b6890755.exe	98
PID 1644 wrote to memory of 4404	1644	b6890755.exe	98
PID 4368 wrote to memory of 4796	4368	07e6e1ea25277e49c085f36e932666f6fa11b1397defa91d8925bddc19dadca5.exe	103
PID 4368 wrote to memory of 4796	4368	07e6e1ea25277e49c085f36e932666f6fa11b1397defa91d8925bddc19dadca5.exe	103
PID 4368 wrote to memory of 4796	4368	07e6e1ea25277e49c085f36e932666f6fa11b1397defa91d8925bddc19dadca5.exe	103

C:\Users\Admin\AppData\Local\Temp\07e6e1ea25277e49c085f36e932666f6fa11b1397defa91d8925bddc19dadca5.exe
"C:\Users\Admin\AppData\Local\Temp\07e6e1ea25277e49c085f36e932666f6fa11b1397defa91d8925bddc19dadca5.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4368
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v9770518.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v9770518.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:2344
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a6325214.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a6325214.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:3108
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
      4⤵
      PID:2136
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3108 -s 148
      4⤵
      Program crash
      PID:4984
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\b6890755.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\b6890755.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:1644
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
      4⤵
      PID:4404
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4404 -s 540
        5⤵
        Program crash
        
        PID:2912
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1644 -s 148
      4⤵
      Program crash
      PID:2412
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\c7000662.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\c7000662.exe
  2⤵
  - Executes dropped EXE
  PID:4796

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 3108 -ip 3108
1⤵
PID:3640

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 1644 -ip 1644
1⤵
PID:3476

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 4404 -ip 4404
1⤵
PID:3912

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\c7000662.exe

Filesize
18KB

MD5
bbd89ffd37cbd758e081068a32fd845b

SHA1
ed7296731c737d1ce9ed320f9c2fc98f5b78a407

SHA256
0cc62ccd3dfdc05011df959b64f24b595f1e174dacb522f96476c6e6eb9823ce

SHA512
5e324cdf1776539b697b5edee70a15f99eec2a552b36edba885ac6b3405881010d3f7bf7223bb5fd43aa9ba7dce423f19a2f4a6e8e129ae0d9ab05bb7e682c2c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\c7000662.exe

Filesize
18KB

MD5
bbd89ffd37cbd758e081068a32fd845b

SHA1
ed7296731c737d1ce9ed320f9c2fc98f5b78a407

SHA256
0cc62ccd3dfdc05011df959b64f24b595f1e174dacb522f96476c6e6eb9823ce

SHA512
5e324cdf1776539b697b5edee70a15f99eec2a552b36edba885ac6b3405881010d3f7bf7223bb5fd43aa9ba7dce423f19a2f4a6e8e129ae0d9ab05bb7e682c2c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v9770518.exe

Filesize
466KB

MD5
7af1b036fcee14c0c3981c58da2b5fe1

SHA1
8d94e507771d9a3c6558852f3cddc88f16a5b7ba

SHA256
73366f3a83ce1f7647f55f87edc0cae47494b082c4e7a24430961462a9061b57

SHA512
cdbc10814bbd867e3a5f08e4a31f50fe22297271f6154b0216619a999a9ebd456cd9b1a44abd2ea84b80bffeb8cd7fdc1ccae320456051f3145ff17e5649f69a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v9770518.exe

Filesize
466KB

MD5
7af1b036fcee14c0c3981c58da2b5fe1

SHA1
8d94e507771d9a3c6558852f3cddc88f16a5b7ba

SHA256
73366f3a83ce1f7647f55f87edc0cae47494b082c4e7a24430961462a9061b57

SHA512
cdbc10814bbd867e3a5f08e4a31f50fe22297271f6154b0216619a999a9ebd456cd9b1a44abd2ea84b80bffeb8cd7fdc1ccae320456051f3145ff17e5649f69a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a6325214.exe

Filesize
707KB

MD5
29a11c30bc7de15342e71c88e90db5c5

SHA1
1739360a25a806ab8e23e542166fe2b001eecad9

SHA256
3bbe4c25481d0c55cc74d3a2d7aff3ec544e6069555a80299838c060542a7d1c

SHA512
deaceca38fd2c228c2de1fbf6bf26414e489c5c29aa9a5b138b4cd622880a15c20fb9de7f66565fb50aa144cf7d78bc6d6a77531554732ebde981230af3f448c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a6325214.exe

Filesize
707KB

MD5
29a11c30bc7de15342e71c88e90db5c5

SHA1
1739360a25a806ab8e23e542166fe2b001eecad9

SHA256
3bbe4c25481d0c55cc74d3a2d7aff3ec544e6069555a80299838c060542a7d1c

SHA512
deaceca38fd2c228c2de1fbf6bf26414e489c5c29aa9a5b138b4cd622880a15c20fb9de7f66565fb50aa144cf7d78bc6d6a77531554732ebde981230af3f448c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\b6890755.exe

Filesize
700KB

MD5
47e1906bf5de3e0f339c3f20b856a745

SHA1
fa0a9100ad90186f28b1eb7f89e78551d2ece26f

SHA256
2a967a7958f41476dbb5361b0ac16becb3f031191317811eccef91add6a8b691

SHA512
7fecb6dbfc1cc45cc50150e56b98d762f621b08615f457eae0dfbf847897548e426eeaf88e923d665f7851ccd400016ac908f128eeee92a014e4bd21061e3257

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\b6890755.exe

Filesize
700KB

MD5
47e1906bf5de3e0f339c3f20b856a745

SHA1
fa0a9100ad90186f28b1eb7f89e78551d2ece26f

SHA256
2a967a7958f41476dbb5361b0ac16becb3f031191317811eccef91add6a8b691

SHA512
7fecb6dbfc1cc45cc50150e56b98d762f621b08615f457eae0dfbf847897548e426eeaf88e923d665f7851ccd400016ac908f128eeee92a014e4bd21061e3257

Download Submit
memory/2136-15-0x00000000745A0000-0x0000000074D50000-memory.dmp

Filesize
7.7MB

Download
memory/2136-31-0x00000000056C0000-0x00000000056D0000-memory.dmp

Filesize
64KB

Download
memory/2136-35-0x0000000005910000-0x000000000595C000-memory.dmp

Filesize
304KB

Download
memory/2136-34-0x00000000056C0000-0x00000000056D0000-memory.dmp

Filesize
64KB

Download
memory/2136-33-0x00000000058D0000-0x000000000590C000-memory.dmp

Filesize
240KB

Download
memory/2136-32-0x0000000005640000-0x0000000005652000-memory.dmp

Filesize
72KB

Download
memory/2136-16-0x0000000005670000-0x0000000005676000-memory.dmp

Filesize
24KB

Download
memory/2136-14-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/2136-29-0x0000000005CF0000-0x0000000006308000-memory.dmp

Filesize
6.1MB

Download
memory/2136-30-0x00000000059E0000-0x0000000005AEA000-memory.dmp

Filesize
1.0MB

Download
memory/2136-20-0x00000000745A0000-0x0000000074D50000-memory.dmp

Filesize
7.7MB

Download
memory/4404-25-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4404-23-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4404-22-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4404-21-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads