redline | cbc704addac3560a5962afa8a84f9ff44b335c98384415fcb031aeb849e8ea79

Analysis

max time kernel
142s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
12/10/2023, 06:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

cbc704addac3560a5962afa8a84f9ff44b335c98384415fcb031aeb849e8ea79.exe
Size

1.0MB
MD5

2a6e11cfe25c5b88147a176f45c95c75
SHA1

2713b7c35daac11e8a3361dd055efe41e9e1ecfe
SHA256

cbc704addac3560a5962afa8a84f9ff44b335c98384415fcb031aeb849e8ea79
SHA512

9b0a1f886504b2d23eebc438198c732a428bf7182a71a4f1c9c15cda343deb129ec03d84c0f9e32e5c26e1cd4814ae5f8fc7e7e341cf5f8ee5461afd23444dca
SSDEEP

24576:ByAtcnpvkxwE99FkMcU9aD+Lfv49ch5yFniyad:0A0ZfE94U9r89eanU

Score

10^/10

redline tuxiu infostealer persistence

Malware Config

Extracted

Family

redline

Botnet

tuxiu

77.91.124.82:19071

Attributes

auth_value
29610cdad07e7187eec70685a04b89fe

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 3 IoCs

resource	yara_rule
behavioral2/files/0x00070000000231e4-34.dat	family_redline
behavioral2/files/0x00070000000231e4-35.dat	family_redline
behavioral2/memory/3612-36-0x00000000007B0000-0x00000000007E0000-memory.dmp	family_redline

Executes dropped EXE 5 IoCs

pid	Process
4600	x0534055.exe
4568	x0021083.exe
4484	x7905287.exe
2444	g7829731.exe
3612	h6040855.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	x0534055.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	x0021083.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	x7905287.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	cbc704addac3560a5962afa8a84f9ff44b335c98384415fcb031aeb849e8ea79.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2444 set thread context of 5088	2444	g7829731.exe	92

Program crash 2 IoCs

pid	pid_target	Process	procid_target
1848	5088	WerFault.exe	92
1960	2444	WerFault.exe	90

Suspicious use of WriteProcessMemory 25 IoCs

description	pid	Process	procid_target
PID 4056 wrote to memory of 4600	4056	cbc704addac3560a5962afa8a84f9ff44b335c98384415fcb031aeb849e8ea79.exe	87
PID 4056 wrote to memory of 4600	4056	cbc704addac3560a5962afa8a84f9ff44b335c98384415fcb031aeb849e8ea79.exe	87
PID 4056 wrote to memory of 4600	4056	cbc704addac3560a5962afa8a84f9ff44b335c98384415fcb031aeb849e8ea79.exe	87
PID 4600 wrote to memory of 4568	4600	x0534055.exe	88
PID 4600 wrote to memory of 4568	4600	x0534055.exe	88
PID 4600 wrote to memory of 4568	4600	x0534055.exe	88
PID 4568 wrote to memory of 4484	4568	x0021083.exe	89
PID 4568 wrote to memory of 4484	4568	x0021083.exe	89
PID 4568 wrote to memory of 4484	4568	x0021083.exe	89
PID 4484 wrote to memory of 2444	4484	x7905287.exe	90
PID 4484 wrote to memory of 2444	4484	x7905287.exe	90
PID 4484 wrote to memory of 2444	4484	x7905287.exe	90
PID 2444 wrote to memory of 5088	2444	g7829731.exe	92
PID 2444 wrote to memory of 5088	2444	g7829731.exe	92
PID 2444 wrote to memory of 5088	2444	g7829731.exe	92
PID 2444 wrote to memory of 5088	2444	g7829731.exe	92
PID 2444 wrote to memory of 5088	2444	g7829731.exe	92
PID 2444 wrote to memory of 5088	2444	g7829731.exe	92
PID 2444 wrote to memory of 5088	2444	g7829731.exe	92
PID 2444 wrote to memory of 5088	2444	g7829731.exe	92
PID 2444 wrote to memory of 5088	2444	g7829731.exe	92
PID 2444 wrote to memory of 5088	2444	g7829731.exe	92
PID 4484 wrote to memory of 3612	4484	x7905287.exe	101
PID 4484 wrote to memory of 3612	4484	x7905287.exe	101
PID 4484 wrote to memory of 3612	4484	x7905287.exe	101

C:\Users\Admin\AppData\Local\Temp\cbc704addac3560a5962afa8a84f9ff44b335c98384415fcb031aeb849e8ea79.exe
"C:\Users\Admin\AppData\Local\Temp\cbc704addac3560a5962afa8a84f9ff44b335c98384415fcb031aeb849e8ea79.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4056
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x0534055.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x0534055.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:4600
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x0021083.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x0021083.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:4568
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\x7905287.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\x7905287.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:4484
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\g7829731.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\g7829731.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:2444
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        6⤵
        
        PID:5088
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5088 -s 540
        7⤵
        Program crash
        
        PID:1848
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2444 -s 140
        6⤵
        Program crash
        
        PID:1960
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\h6040855.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\h6040855.exe
        5⤵
        Executes dropped EXE
        
        PID:3612

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 2444 -ip 2444
1⤵
PID:4308

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 492 -p 5088 -ip 5088
1⤵
PID:4724

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x0534055.exe

Filesize
931KB

MD5
7416bf38f70fffb516ae7c29b8cad15f

SHA1
ef9a4a6efac05487b4c71dfc841c49c25b772900

SHA256
820bdb3f164f2fe6d503472821e9046574012966880e20e4fb6d7ac3d65f90c8

SHA512
636743b9b5681c15f0e40152982d0e558fc641e440c8b839a1d250e3f8aa0447817198508cd27a62ca0b7932c3f38e6fcb14b30c431fd6908c9634cbed8b90e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x0534055.exe

Filesize
931KB

MD5
7416bf38f70fffb516ae7c29b8cad15f

SHA1
ef9a4a6efac05487b4c71dfc841c49c25b772900

SHA256
820bdb3f164f2fe6d503472821e9046574012966880e20e4fb6d7ac3d65f90c8

SHA512
636743b9b5681c15f0e40152982d0e558fc641e440c8b839a1d250e3f8aa0447817198508cd27a62ca0b7932c3f38e6fcb14b30c431fd6908c9634cbed8b90e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x0021083.exe

Filesize
628KB

MD5
8eca8e10935075576cc60a3ce948f54c

SHA1
6a0ba6baa4c38f10b0bbca5ddaef312368220a87

SHA256
1c7747510cb10283a3d43f7715791f1f5cf84fb548363589f7df7208980655bc

SHA512
7c1815add40af48726f1ce055d5e2cc74781dde3b64edfb76298fa4a454a07182c301577e9bac0d9bece29d3b341635d914d14a79ebd5c8fa107aa809e27f0a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x0021083.exe

Filesize
628KB

MD5
8eca8e10935075576cc60a3ce948f54c

SHA1
6a0ba6baa4c38f10b0bbca5ddaef312368220a87

SHA256
1c7747510cb10283a3d43f7715791f1f5cf84fb548363589f7df7208980655bc

SHA512
7c1815add40af48726f1ce055d5e2cc74781dde3b64edfb76298fa4a454a07182c301577e9bac0d9bece29d3b341635d914d14a79ebd5c8fa107aa809e27f0a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\x7905287.exe

Filesize
442KB

MD5
36d56781c7e1d81807ceed1fe6464f93

SHA1
41f44bf34ee84d822432268b9893f0070337f575

SHA256
024638437c48977df01f314a352b22948cce0bfc4a23550bd68d2f9321796909

SHA512
5c6022cb7dce9259a7f2a97e4628bb904ec79ae1e7300b677a97e546e9e3be5a8895e5d3f1340b29f56f6c695eb6b666db26d990595816abfa27cdf988525827

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\x7905287.exe

Filesize
442KB

MD5
36d56781c7e1d81807ceed1fe6464f93

SHA1
41f44bf34ee84d822432268b9893f0070337f575

SHA256
024638437c48977df01f314a352b22948cce0bfc4a23550bd68d2f9321796909

SHA512
5c6022cb7dce9259a7f2a97e4628bb904ec79ae1e7300b677a97e546e9e3be5a8895e5d3f1340b29f56f6c695eb6b666db26d990595816abfa27cdf988525827

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\g7829731.exe

Filesize
700KB

MD5
bb0e8cfe0fb46c98520beb19b2638bc6

SHA1
d934149f484871137e834f1c37053d21ffad4940

SHA256
17310375c40bd781a6205d4858fcb690fbba4eb6ad18a410d9dac0cd108c6fb0

SHA512
cd1fba0e56109277d44085109ae0158b4ea010441e565f5004290fbcd0abecccc09d6a44df29de4945fae31c6c517e80ba657c00a26ee9888c692522c4a42e12

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\g7829731.exe

Filesize
700KB

MD5
bb0e8cfe0fb46c98520beb19b2638bc6

SHA1
d934149f484871137e834f1c37053d21ffad4940

SHA256
17310375c40bd781a6205d4858fcb690fbba4eb6ad18a410d9dac0cd108c6fb0

SHA512
cd1fba0e56109277d44085109ae0158b4ea010441e565f5004290fbcd0abecccc09d6a44df29de4945fae31c6c517e80ba657c00a26ee9888c692522c4a42e12

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\h6040855.exe

Filesize
174KB

MD5
098fb74a905e28f690b24f173eb15184

SHA1
aaf4ab61e17b639ad06bc8f0618ec3c9be860a6a

SHA256
ec2a8551b744a368edfe87ff473eae038b79d2ead51c4cd9f4658b7ff12f8a2c

SHA512
875d3096d5f69921f2090bb1d4763818a0b6509f1c8b22208040c7a1f27783f6137ad426833b6a7771fd23029abfb18b3fcd69505c0dd942efbcf59bec99bf38

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\h6040855.exe

Filesize
174KB

MD5
098fb74a905e28f690b24f173eb15184

SHA1
aaf4ab61e17b639ad06bc8f0618ec3c9be860a6a

SHA256
ec2a8551b744a368edfe87ff473eae038b79d2ead51c4cd9f4658b7ff12f8a2c

SHA512
875d3096d5f69921f2090bb1d4763818a0b6509f1c8b22208040c7a1f27783f6137ad426833b6a7771fd23029abfb18b3fcd69505c0dd942efbcf59bec99bf38

Download Submit
memory/3612-39-0x00000000057F0000-0x0000000005E08000-memory.dmp

Filesize
6.1MB

Download
memory/3612-41-0x00000000050C0000-0x00000000050D0000-memory.dmp

Filesize
64KB

Download
memory/3612-46-0x00000000050C0000-0x00000000050D0000-memory.dmp

Filesize
64KB

Download
memory/3612-45-0x0000000073EC0000-0x0000000074670000-memory.dmp

Filesize
7.7MB

Download
memory/3612-36-0x00000000007B0000-0x00000000007E0000-memory.dmp

Filesize
192KB

Download
memory/3612-38-0x0000000073EC0000-0x0000000074670000-memory.dmp

Filesize
7.7MB

Download
memory/3612-44-0x0000000005210000-0x000000000525C000-memory.dmp

Filesize
304KB

Download
memory/3612-40-0x00000000052E0000-0x00000000053EA000-memory.dmp

Filesize
1.0MB

Download
memory/3612-37-0x0000000004FD0000-0x0000000004FD6000-memory.dmp

Filesize
24KB

Download
memory/3612-42-0x0000000005030000-0x0000000005042000-memory.dmp

Filesize
72KB

Download
memory/3612-43-0x00000000051D0000-0x000000000520C000-memory.dmp

Filesize
240KB

Download
memory/5088-29-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5088-32-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5088-30-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5088-28-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads