redline | 8af0fbe47bb26c0e9f91293caf153fd568c45899bc6004e5a4c9935658213510

Analysis

max time kernel
131s
max time network
147s
platform
windows7_x64
resource
win7-20230831-en
resource tags

arch:x64arch:x86image:win7-20230831-enlocale:en-usos:windows7-x64system
submitted
12/10/2023, 06:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8af0fbe47bb26c0e9f91293caf153fd568c45899bc6004e5a4c9935658213510.exe
Size

697KB
MD5

4fe6ede779eeb859c9e8dee5282fdfda
SHA1

687aeed5d541159067a2ab61b32767a901c0ed60
SHA256

8af0fbe47bb26c0e9f91293caf153fd568c45899bc6004e5a4c9935658213510
SHA512

1e950c2feddc7bd3dfa334560e02339dc3b80977140ffa4c6776172045eec12f4ce99a0fa21c22eac62120b9e9e564760ceac7abdf900bab40142b604b49d734
SSDEEP

12288:BMrJy90wKgEtrs/R7i3x74zpwo48454+Q21PzxgRCCYFyMZf:kyytV7Wpwrjub8PWRjYFy0f

Score

10^/10

redline tuxiu infostealer persistence

Malware Config

Extracted

Family

redline

Botnet

tuxiu

77.91.124.82:19071

Attributes

auth_value
29610cdad07e7187eec70685a04b89fe

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 5 IoCs

resource	yara_rule
behavioral1/files/0x0008000000016c35-24.dat	family_redline
behavioral1/files/0x0008000000016c35-27.dat	family_redline
behavioral1/files/0x0008000000016c35-29.dat	family_redline
behavioral1/files/0x0008000000016c35-28.dat	family_redline
behavioral1/memory/2592-30-0x00000000009A0000-0x00000000009D0000-memory.dmp	family_redline

Executes dropped EXE 3 IoCs

pid	Process
2532	x7709238.exe
2540	x9357648.exe
2592	h5047492.exe

Loads dropped DLL 6 IoCs

pid	Process
2064	8af0fbe47bb26c0e9f91293caf153fd568c45899bc6004e5a4c9935658213510.exe
2532	x7709238.exe
2532	x7709238.exe
2540	x9357648.exe
2540	x9357648.exe
2592	h5047492.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	8af0fbe47bb26c0e9f91293caf153fd568c45899bc6004e5a4c9935658213510.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	x7709238.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	x9357648.exe

Suspicious use of WriteProcessMemory 21 IoCs

description	pid	Process	procid_target
PID 2064 wrote to memory of 2532	2064	8af0fbe47bb26c0e9f91293caf153fd568c45899bc6004e5a4c9935658213510.exe	28
PID 2064 wrote to memory of 2532	2064	8af0fbe47bb26c0e9f91293caf153fd568c45899bc6004e5a4c9935658213510.exe	28
PID 2064 wrote to memory of 2532	2064	8af0fbe47bb26c0e9f91293caf153fd568c45899bc6004e5a4c9935658213510.exe	28
PID 2064 wrote to memory of 2532	2064	8af0fbe47bb26c0e9f91293caf153fd568c45899bc6004e5a4c9935658213510.exe	28
PID 2064 wrote to memory of 2532	2064	8af0fbe47bb26c0e9f91293caf153fd568c45899bc6004e5a4c9935658213510.exe	28
PID 2064 wrote to memory of 2532	2064	8af0fbe47bb26c0e9f91293caf153fd568c45899bc6004e5a4c9935658213510.exe	28
PID 2064 wrote to memory of 2532	2064	8af0fbe47bb26c0e9f91293caf153fd568c45899bc6004e5a4c9935658213510.exe	28
PID 2532 wrote to memory of 2540	2532	x7709238.exe	29
PID 2532 wrote to memory of 2540	2532	x7709238.exe	29
PID 2532 wrote to memory of 2540	2532	x7709238.exe	29
PID 2532 wrote to memory of 2540	2532	x7709238.exe	29
PID 2532 wrote to memory of 2540	2532	x7709238.exe	29
PID 2532 wrote to memory of 2540	2532	x7709238.exe	29
PID 2532 wrote to memory of 2540	2532	x7709238.exe	29
PID 2540 wrote to memory of 2592	2540	x9357648.exe	30
PID 2540 wrote to memory of 2592	2540	x9357648.exe	30
PID 2540 wrote to memory of 2592	2540	x9357648.exe	30
PID 2540 wrote to memory of 2592	2540	x9357648.exe	30
PID 2540 wrote to memory of 2592	2540	x9357648.exe	30
PID 2540 wrote to memory of 2592	2540	x9357648.exe	30
PID 2540 wrote to memory of 2592	2540	x9357648.exe	30

C:\Users\Admin\AppData\Local\Temp\8af0fbe47bb26c0e9f91293caf153fd568c45899bc6004e5a4c9935658213510.exe
"C:\Users\Admin\AppData\Local\Temp\8af0fbe47bb26c0e9f91293caf153fd568c45899bc6004e5a4c9935658213510.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2064
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x7709238.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x7709238.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:2532
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x9357648.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x9357648.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:2540
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\h5047492.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\h5047492.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:2592

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x7709238.exe

Filesize
595KB

MD5
5d21a08ac0684f1a04adfc45a4c05f0d

SHA1
d1ab889f073c879b16d0cc1a17755d70d38b1bf0

SHA256
045e60708bc750346dece1184eb55e8c202112aada473f9afabf652991ddd60c

SHA512
4f4e600bef49ae381ca782d586d55bb0382971a7c6bed54473dfd924572d3698865eb2f1874b62c891c34dc62cfae305ab806cdcf396269066314ab02865e144

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x7709238.exe

Filesize
595KB

MD5
5d21a08ac0684f1a04adfc45a4c05f0d

SHA1
d1ab889f073c879b16d0cc1a17755d70d38b1bf0

SHA256
045e60708bc750346dece1184eb55e8c202112aada473f9afabf652991ddd60c

SHA512
4f4e600bef49ae381ca782d586d55bb0382971a7c6bed54473dfd924572d3698865eb2f1874b62c891c34dc62cfae305ab806cdcf396269066314ab02865e144

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x9357648.exe

Filesize
292KB

MD5
6f8dd107052f1dda8346c77963720b1a

SHA1
8a2eabf56b68f68bba8bcc95051b7d5905ffbb9e

SHA256
f334407a75b51c7851ecba81411d32da9438087c85b61ba3ae26823f72880993

SHA512
65167c06c773d2905b0f461f6243338b6bffc1a3338610b18266e785ed04a46bae9f9365268ebb98a46389aee0b99487d0378dedc769ce856f72c5337354172c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x9357648.exe

Filesize
292KB

MD5
6f8dd107052f1dda8346c77963720b1a

SHA1
8a2eabf56b68f68bba8bcc95051b7d5905ffbb9e

SHA256
f334407a75b51c7851ecba81411d32da9438087c85b61ba3ae26823f72880993

SHA512
65167c06c773d2905b0f461f6243338b6bffc1a3338610b18266e785ed04a46bae9f9365268ebb98a46389aee0b99487d0378dedc769ce856f72c5337354172c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\h5047492.exe

Filesize
174KB

MD5
f1a31d46522590840cd142a6be47222d

SHA1
3f69fafb50f4881772aba506d66ed62401141ed3

SHA256
2b5842d0577dc1beff756dd1105ebb9086d70a7147e0fd6e0114f2f68ce5693d

SHA512
e1ee85fd36c27267bcf5b9b019ca23ca03e6a1a8e7b8cd49662347d6c4fcdfb878f7a3f001ba4734a2a227d06597eeea84da6c9f0c7653528201f07a3988d2c4

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\h5047492.exe

Filesize
174KB

MD5
f1a31d46522590840cd142a6be47222d

SHA1
3f69fafb50f4881772aba506d66ed62401141ed3

SHA256
2b5842d0577dc1beff756dd1105ebb9086d70a7147e0fd6e0114f2f68ce5693d

SHA512
e1ee85fd36c27267bcf5b9b019ca23ca03e6a1a8e7b8cd49662347d6c4fcdfb878f7a3f001ba4734a2a227d06597eeea84da6c9f0c7653528201f07a3988d2c4

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\x7709238.exe

Filesize
595KB

MD5
5d21a08ac0684f1a04adfc45a4c05f0d

SHA1
d1ab889f073c879b16d0cc1a17755d70d38b1bf0

SHA256
045e60708bc750346dece1184eb55e8c202112aada473f9afabf652991ddd60c

SHA512
4f4e600bef49ae381ca782d586d55bb0382971a7c6bed54473dfd924572d3698865eb2f1874b62c891c34dc62cfae305ab806cdcf396269066314ab02865e144

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\x7709238.exe

Filesize
595KB

MD5
5d21a08ac0684f1a04adfc45a4c05f0d

SHA1
d1ab889f073c879b16d0cc1a17755d70d38b1bf0

SHA256
045e60708bc750346dece1184eb55e8c202112aada473f9afabf652991ddd60c

SHA512
4f4e600bef49ae381ca782d586d55bb0382971a7c6bed54473dfd924572d3698865eb2f1874b62c891c34dc62cfae305ab806cdcf396269066314ab02865e144

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\x9357648.exe

Filesize
292KB

MD5
6f8dd107052f1dda8346c77963720b1a

SHA1
8a2eabf56b68f68bba8bcc95051b7d5905ffbb9e

SHA256
f334407a75b51c7851ecba81411d32da9438087c85b61ba3ae26823f72880993

SHA512
65167c06c773d2905b0f461f6243338b6bffc1a3338610b18266e785ed04a46bae9f9365268ebb98a46389aee0b99487d0378dedc769ce856f72c5337354172c

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\x9357648.exe

Filesize
292KB

MD5
6f8dd107052f1dda8346c77963720b1a

SHA1
8a2eabf56b68f68bba8bcc95051b7d5905ffbb9e

SHA256
f334407a75b51c7851ecba81411d32da9438087c85b61ba3ae26823f72880993

SHA512
65167c06c773d2905b0f461f6243338b6bffc1a3338610b18266e785ed04a46bae9f9365268ebb98a46389aee0b99487d0378dedc769ce856f72c5337354172c

Download Submit
\Users\Admin\AppData\Local\Temp\IXP002.TMP\h5047492.exe

Filesize
174KB

MD5
f1a31d46522590840cd142a6be47222d

SHA1
3f69fafb50f4881772aba506d66ed62401141ed3

SHA256
2b5842d0577dc1beff756dd1105ebb9086d70a7147e0fd6e0114f2f68ce5693d

SHA512
e1ee85fd36c27267bcf5b9b019ca23ca03e6a1a8e7b8cd49662347d6c4fcdfb878f7a3f001ba4734a2a227d06597eeea84da6c9f0c7653528201f07a3988d2c4

Download Submit
\Users\Admin\AppData\Local\Temp\IXP002.TMP\h5047492.exe

Filesize
174KB

MD5
f1a31d46522590840cd142a6be47222d

SHA1
3f69fafb50f4881772aba506d66ed62401141ed3

SHA256
2b5842d0577dc1beff756dd1105ebb9086d70a7147e0fd6e0114f2f68ce5693d

SHA512
e1ee85fd36c27267bcf5b9b019ca23ca03e6a1a8e7b8cd49662347d6c4fcdfb878f7a3f001ba4734a2a227d06597eeea84da6c9f0c7653528201f07a3988d2c4

Download Submit
memory/2592-30-0x00000000009A0000-0x00000000009D0000-memory.dmp

Filesize
192KB

Download
memory/2592-31-0x00000000002A0000-0x00000000002A6000-memory.dmp

Filesize
24KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads