redline | d2e9bace5f5a007a3bb3a42b6e8b4ee35e75bfd37d08e2de9246f1de2435cb27

Analysis

max time kernel
166s
max time network
182s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
12/10/2023, 06:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d2e9bace5f5a007a3bb3a42b6e8b4ee35e75bfd37d08e2de9246f1de2435cb27.exe
Size

1.0MB
MD5

7f2e31c427160633de948a131dcf7d54
SHA1

a92a03041246b27ad0f7148fcd389a1775580038
SHA256

d2e9bace5f5a007a3bb3a42b6e8b4ee35e75bfd37d08e2de9246f1de2435cb27
SHA512

6f9c5729e23a174ab9b4b7fad335cf4a7fa4e851dbd7469a8626f0c911897b497c2d0bd2b131efaa5fe3810a15ab76b0b2add52f71ae6ea44b0a4662e76e64d6
SSDEEP

24576:FypgyxopsRoqlBAVEeuh0CoZW8fFy1SFtaizDIs:gJxopOoIBEEL7oV8SJ

Score

10^/10

redline tuxiu infostealer persistence

Malware Config

Extracted

Family

redline

Botnet

tuxiu

77.91.124.82:19071

Attributes

auth_value
29610cdad07e7187eec70685a04b89fe

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 3 IoCs

resource	yara_rule
behavioral2/files/0x0006000000023203-34.dat	family_redline
behavioral2/files/0x0006000000023203-35.dat	family_redline
behavioral2/memory/4904-36-0x0000000000B10000-0x0000000000B40000-memory.dmp	family_redline

Executes dropped EXE 5 IoCs

pid	Process
3864	x4637400.exe
2144	x2629978.exe
2028	x5517670.exe
1316	g4407006.exe
4904	h0578315.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	d2e9bace5f5a007a3bb3a42b6e8b4ee35e75bfd37d08e2de9246f1de2435cb27.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	x4637400.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	x2629978.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	x5517670.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1316 set thread context of 2492	1316	g4407006.exe	94

Program crash 2 IoCs

pid	pid_target	Process	procid_target
1264	2492	WerFault.exe	94
3440	1316	WerFault.exe	88

Suspicious use of WriteProcessMemory 25 IoCs

description	pid	Process	procid_target
PID 3624 wrote to memory of 3864	3624	d2e9bace5f5a007a3bb3a42b6e8b4ee35e75bfd37d08e2de9246f1de2435cb27.exe	85
PID 3624 wrote to memory of 3864	3624	d2e9bace5f5a007a3bb3a42b6e8b4ee35e75bfd37d08e2de9246f1de2435cb27.exe	85
PID 3624 wrote to memory of 3864	3624	d2e9bace5f5a007a3bb3a42b6e8b4ee35e75bfd37d08e2de9246f1de2435cb27.exe	85
PID 3864 wrote to memory of 2144	3864	x4637400.exe	86
PID 3864 wrote to memory of 2144	3864	x4637400.exe	86
PID 3864 wrote to memory of 2144	3864	x4637400.exe	86
PID 2144 wrote to memory of 2028	2144	x2629978.exe	87
PID 2144 wrote to memory of 2028	2144	x2629978.exe	87
PID 2144 wrote to memory of 2028	2144	x2629978.exe	87
PID 2028 wrote to memory of 1316	2028	x5517670.exe	88
PID 2028 wrote to memory of 1316	2028	x5517670.exe	88
PID 2028 wrote to memory of 1316	2028	x5517670.exe	88
PID 1316 wrote to memory of 2492	1316	g4407006.exe	94
PID 1316 wrote to memory of 2492	1316	g4407006.exe	94
PID 1316 wrote to memory of 2492	1316	g4407006.exe	94
PID 1316 wrote to memory of 2492	1316	g4407006.exe	94
PID 1316 wrote to memory of 2492	1316	g4407006.exe	94
PID 1316 wrote to memory of 2492	1316	g4407006.exe	94
PID 1316 wrote to memory of 2492	1316	g4407006.exe	94
PID 1316 wrote to memory of 2492	1316	g4407006.exe	94
PID 1316 wrote to memory of 2492	1316	g4407006.exe	94
PID 1316 wrote to memory of 2492	1316	g4407006.exe	94
PID 2028 wrote to memory of 4904	2028	x5517670.exe	99
PID 2028 wrote to memory of 4904	2028	x5517670.exe	99
PID 2028 wrote to memory of 4904	2028	x5517670.exe	99

C:\Users\Admin\AppData\Local\Temp\d2e9bace5f5a007a3bb3a42b6e8b4ee35e75bfd37d08e2de9246f1de2435cb27.exe
"C:\Users\Admin\AppData\Local\Temp\d2e9bace5f5a007a3bb3a42b6e8b4ee35e75bfd37d08e2de9246f1de2435cb27.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3624
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x4637400.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x4637400.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:3864
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x2629978.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x2629978.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:2144
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\x5517670.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\x5517670.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:2028
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\g4407006.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\g4407006.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:1316
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        6⤵
        
        PID:2492
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2492 -s 192
        7⤵
        Program crash
        
        PID:1264
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1316 -s 556
        6⤵
        Program crash
        
        PID:3440
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\h0578315.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\h0578315.exe
        5⤵
        Executes dropped EXE
        
        PID:4904

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 1316 -ip 1316
1⤵
PID:3904

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 2492 -ip 2492
1⤵
PID:4532

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x4637400.exe

Filesize
932KB

MD5
25e74bbba446c49c11a8e6b6deb84242

SHA1
712ecd22395ad7a447031e89f4750a103a498a90

SHA256
e0879a0bb4b43691f7c5cfe78777da05b27e2c8cb9bc82f09ec7c4ca1ca2707b

SHA512
867a19fd727468cf74a68acd00306ba05cf634757461670f5622681801eb7d03aced023a599d5d98d2c70e19b059ac1ec03ecc00581c76723b45a147693d9e7a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x4637400.exe

Filesize
932KB

MD5
25e74bbba446c49c11a8e6b6deb84242

SHA1
712ecd22395ad7a447031e89f4750a103a498a90

SHA256
e0879a0bb4b43691f7c5cfe78777da05b27e2c8cb9bc82f09ec7c4ca1ca2707b

SHA512
867a19fd727468cf74a68acd00306ba05cf634757461670f5622681801eb7d03aced023a599d5d98d2c70e19b059ac1ec03ecc00581c76723b45a147693d9e7a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x2629978.exe

Filesize
628KB

MD5
2b8b63dc27491f96e4bd7c359884e3bb

SHA1
eca321466aa2b9ee433273963349b3e45a249116

SHA256
442fc0c3c95dadecefe25d00677ea9acf00dc46091099b5f66b3ed5e09e9bf92

SHA512
efb7148a02c717c59dec005488371babb34f5873d075415fad9259ca86b992ae93a59ded971447fb0b3d95ab28b9093c9c4fd063e7f237b2e372efb25c4deee4

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x2629978.exe

Filesize
628KB

MD5
2b8b63dc27491f96e4bd7c359884e3bb

SHA1
eca321466aa2b9ee433273963349b3e45a249116

SHA256
442fc0c3c95dadecefe25d00677ea9acf00dc46091099b5f66b3ed5e09e9bf92

SHA512
efb7148a02c717c59dec005488371babb34f5873d075415fad9259ca86b992ae93a59ded971447fb0b3d95ab28b9093c9c4fd063e7f237b2e372efb25c4deee4

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\x5517670.exe

Filesize
442KB

MD5
47a10bcc96d9e97ab7e9f49f02d9973c

SHA1
331530c2698f8ac03a80e60a242c2aeebd76cd8a

SHA256
847539e22ce240a5b857f1324dc2b8e265bb42f171ad8385852157f72fb11668

SHA512
6876e64f344a536c5782763193905301e9e03623bb33151c6a0b85461c8174d9045da381ef0234d406eff33a995c9c8dc07b8e9a1352a9ccebb55aaaddd719f0

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\x5517670.exe

Filesize
442KB

MD5
47a10bcc96d9e97ab7e9f49f02d9973c

SHA1
331530c2698f8ac03a80e60a242c2aeebd76cd8a

SHA256
847539e22ce240a5b857f1324dc2b8e265bb42f171ad8385852157f72fb11668

SHA512
6876e64f344a536c5782763193905301e9e03623bb33151c6a0b85461c8174d9045da381ef0234d406eff33a995c9c8dc07b8e9a1352a9ccebb55aaaddd719f0

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\g4407006.exe

Filesize
700KB

MD5
a6da4e33edb831e55bce8442178531b7

SHA1
84e2a1f20321f747bc586078a27ce6b51ec53e61

SHA256
2e97b7adc904cbc0e68725b69fd5d600545f44f092f18288b1fc2e31fe228101

SHA512
bd6e33a676754d8256c5124de11f337d68cb982009997a828ff0c1117de8425d559f524410ba477737bf0c15a5e5975e74ffa47a81c5ffe5b91ba7bd61bba42b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\g4407006.exe

Filesize
700KB

MD5
a6da4e33edb831e55bce8442178531b7

SHA1
84e2a1f20321f747bc586078a27ce6b51ec53e61

SHA256
2e97b7adc904cbc0e68725b69fd5d600545f44f092f18288b1fc2e31fe228101

SHA512
bd6e33a676754d8256c5124de11f337d68cb982009997a828ff0c1117de8425d559f524410ba477737bf0c15a5e5975e74ffa47a81c5ffe5b91ba7bd61bba42b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\h0578315.exe

Filesize
174KB

MD5
03b8660db5a74ceba4de9946153438a1

SHA1
b0efda4e54185ddb7627ffcbd03f1ffae52b2441

SHA256
1aa4cfbf5e87d384573e247764427783dd977f77b907836571fcbb16169faeec

SHA512
98caf45824f20a6187b13b18de77f7847e180cb675c9f4228a3f7821c29514aa6699b0bcdf93bfd48075cc712fba004564de629951b273b9b9fc5773f8c46b88

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\h0578315.exe

Filesize
174KB

MD5
03b8660db5a74ceba4de9946153438a1

SHA1
b0efda4e54185ddb7627ffcbd03f1ffae52b2441

SHA256
1aa4cfbf5e87d384573e247764427783dd977f77b907836571fcbb16169faeec

SHA512
98caf45824f20a6187b13b18de77f7847e180cb675c9f4228a3f7821c29514aa6699b0bcdf93bfd48075cc712fba004564de629951b273b9b9fc5773f8c46b88

Download Submit
memory/2492-29-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2492-30-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2492-32-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2492-28-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4904-39-0x00000000741B0000-0x0000000074960000-memory.dmp

Filesize
7.7MB

Download
memory/4904-36-0x0000000000B10000-0x0000000000B40000-memory.dmp

Filesize
192KB

Download
memory/4904-38-0x0000000002EA0000-0x0000000002EA6000-memory.dmp

Filesize
24KB

Download
memory/4904-37-0x00000000741B0000-0x0000000074960000-memory.dmp

Filesize
7.7MB

Download
memory/4904-40-0x0000000005C90000-0x00000000062A8000-memory.dmp

Filesize
6.1MB

Download
memory/4904-41-0x0000000005780000-0x000000000588A000-memory.dmp

Filesize
1.0MB

Download
memory/4904-42-0x0000000005560000-0x0000000005570000-memory.dmp

Filesize
64KB

Download
memory/4904-43-0x00000000054D0000-0x00000000054E2000-memory.dmp

Filesize
72KB

Download
memory/4904-44-0x0000000005670000-0x00000000056AC000-memory.dmp

Filesize
240KB

Download
memory/4904-45-0x00000000056B0000-0x00000000056FC000-memory.dmp

Filesize
304KB

Download
memory/4904-46-0x0000000005560000-0x0000000005570000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads