redline | 4894998a92beaa8ca1a10cac3d3b41a4188056bfff1a5d0f8e431fbdd0bd9e4d

Analysis

max time kernel
147s
max time network
157s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
12-10-2023 06:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4894998a92beaa8ca1a10cac3d3b41a4188056bfff1a5d0f8e431fbdd0bd9e4d.exe
Size

1.0MB
MD5

55ef1e5fe8a3967f3e63185b55755b6d
SHA1

1371600fa4621f25003d0b4bc57519849d6dea2f
SHA256

4894998a92beaa8ca1a10cac3d3b41a4188056bfff1a5d0f8e431fbdd0bd9e4d
SHA512

fb34a2f44332d6cac21e6c905bb13e6372fcced8f382f0ddd52cf89a720b837a630e9190bb1df0b35b2a64f28ef805acd125ad1e369f69f378df22796a13350f
SSDEEP

24576:yyv3i+VoE7b6Zo61kUvOu6U2SzX7BzKBtntR6ms4u:Z/Db6v2u6UDzX7BzKBd6mv

Score

10^/10

redline tuxiu infostealer persistence

Malware Config

Extracted

Family

redline

Botnet

tuxiu

77.91.124.82:19071

Attributes

auth_value
29610cdad07e7187eec70685a04b89fe

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 3 IoCs

resource	yara_rule
behavioral2/files/0x0007000000023207-34.dat	family_redline
behavioral2/files/0x0007000000023207-35.dat	family_redline
behavioral2/memory/2296-36-0x00000000002D0000-0x0000000000300000-memory.dmp	family_redline

Executes dropped EXE 5 IoCs

pid	Process
4624	x1898414.exe
2044	x0956643.exe
3652	x7021876.exe
348	g9535831.exe
2296	h5607065.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	4894998a92beaa8ca1a10cac3d3b41a4188056bfff1a5d0f8e431fbdd0bd9e4d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	x1898414.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	x0956643.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	x7021876.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 348 set thread context of 3100	348	g9535831.exe	98

Program crash 2 IoCs

pid	pid_target	Process	procid_target
2304	3100	WerFault.exe	98
4560	348	WerFault.exe	89

Suspicious use of WriteProcessMemory 25 IoCs

description	pid	Process	procid_target
PID 1988 wrote to memory of 4624	1988	4894998a92beaa8ca1a10cac3d3b41a4188056bfff1a5d0f8e431fbdd0bd9e4d.exe	86
PID 1988 wrote to memory of 4624	1988	4894998a92beaa8ca1a10cac3d3b41a4188056bfff1a5d0f8e431fbdd0bd9e4d.exe	86
PID 1988 wrote to memory of 4624	1988	4894998a92beaa8ca1a10cac3d3b41a4188056bfff1a5d0f8e431fbdd0bd9e4d.exe	86
PID 4624 wrote to memory of 2044	4624	x1898414.exe	87
PID 4624 wrote to memory of 2044	4624	x1898414.exe	87
PID 4624 wrote to memory of 2044	4624	x1898414.exe	87
PID 2044 wrote to memory of 3652	2044	x0956643.exe	88
PID 2044 wrote to memory of 3652	2044	x0956643.exe	88
PID 2044 wrote to memory of 3652	2044	x0956643.exe	88
PID 3652 wrote to memory of 348	3652	x7021876.exe	89
PID 3652 wrote to memory of 348	3652	x7021876.exe	89
PID 3652 wrote to memory of 348	3652	x7021876.exe	89
PID 348 wrote to memory of 3100	348	g9535831.exe	98
PID 348 wrote to memory of 3100	348	g9535831.exe	98
PID 348 wrote to memory of 3100	348	g9535831.exe	98
PID 348 wrote to memory of 3100	348	g9535831.exe	98
PID 348 wrote to memory of 3100	348	g9535831.exe	98
PID 348 wrote to memory of 3100	348	g9535831.exe	98
PID 348 wrote to memory of 3100	348	g9535831.exe	98
PID 348 wrote to memory of 3100	348	g9535831.exe	98
PID 348 wrote to memory of 3100	348	g9535831.exe	98
PID 348 wrote to memory of 3100	348	g9535831.exe	98
PID 3652 wrote to memory of 2296	3652	x7021876.exe	103
PID 3652 wrote to memory of 2296	3652	x7021876.exe	103
PID 3652 wrote to memory of 2296	3652	x7021876.exe	103

C:\Users\Admin\AppData\Local\Temp\4894998a92beaa8ca1a10cac3d3b41a4188056bfff1a5d0f8e431fbdd0bd9e4d.exe
"C:\Users\Admin\AppData\Local\Temp\4894998a92beaa8ca1a10cac3d3b41a4188056bfff1a5d0f8e431fbdd0bd9e4d.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1988
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x1898414.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x1898414.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:4624
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x0956643.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x0956643.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:2044
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\x7021876.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\x7021876.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:3652
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\g9535831.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\g9535831.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:348
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        6⤵
        
        PID:3100
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3100 -s 540
        7⤵
        Program crash
        
        PID:2304
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 348 -s 152
        6⤵
        Program crash
        
        PID:4560
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\h5607065.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\h5607065.exe
        5⤵
        Executes dropped EXE
        
        PID:2296

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 348 -ip 348
1⤵
PID:2888

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 3100 -ip 3100
1⤵
PID:1096

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x1898414.exe

Filesize
933KB

MD5
79016b2a53b9ae1215a177ad6061f802

SHA1
88cb9717b3e1f1c4b746ff8489ba701bc05882ac

SHA256
55b1dda23bf3b7e334383e2d48b7ad648d0f4288d8fdb9c0c2080ec467ec6b0b

SHA512
de28bfa568c6f49aa06a781c0a8d0785097330f300d752fcd7d6a1f6a639a1c5a4b7aa69bcded8120a0e289a8d38bcb60802aa94f5bf88a32f434176f46cf8cf

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x1898414.exe

Filesize
933KB

MD5
79016b2a53b9ae1215a177ad6061f802

SHA1
88cb9717b3e1f1c4b746ff8489ba701bc05882ac

SHA256
55b1dda23bf3b7e334383e2d48b7ad648d0f4288d8fdb9c0c2080ec467ec6b0b

SHA512
de28bfa568c6f49aa06a781c0a8d0785097330f300d752fcd7d6a1f6a639a1c5a4b7aa69bcded8120a0e289a8d38bcb60802aa94f5bf88a32f434176f46cf8cf

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x0956643.exe

Filesize
629KB

MD5
565395f07f19df260b379e8e065cc91a

SHA1
aec272568efa37036177ded8da75204bd5054a37

SHA256
8c2026711969d63484d5e4e8dd461c7cf51db05f8db875cf78055f5a5a14f774

SHA512
45510b3a76e741d96f4e5d859acaccdb5aa2fe4cfa1201710e172de777de3b912a1c9e38dc2b874bc3b565b957c5308a96ad464af5db302e634a5aa0adf0000b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x0956643.exe

Filesize
629KB

MD5
565395f07f19df260b379e8e065cc91a

SHA1
aec272568efa37036177ded8da75204bd5054a37

SHA256
8c2026711969d63484d5e4e8dd461c7cf51db05f8db875cf78055f5a5a14f774

SHA512
45510b3a76e741d96f4e5d859acaccdb5aa2fe4cfa1201710e172de777de3b912a1c9e38dc2b874bc3b565b957c5308a96ad464af5db302e634a5aa0adf0000b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\x7021876.exe

Filesize
443KB

MD5
a07eb72f1c9c79c42cfe6ea8ea1bc9b0

SHA1
3ba1abc92cdf56e9018547666a526fab3db68ad2

SHA256
0a7380d6cb7ab6c4dcd876572aba662d80f95695abd7c7fcae9b87269cc38bbc

SHA512
d36d3825b40fa80a9d79c2e36a52998805299c98b2194615f232e3506606623039a9ea84be29ec561850eeee3354d392c361a19afa7a51afffe8baf1a7120942

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\x7021876.exe

Filesize
443KB

MD5
a07eb72f1c9c79c42cfe6ea8ea1bc9b0

SHA1
3ba1abc92cdf56e9018547666a526fab3db68ad2

SHA256
0a7380d6cb7ab6c4dcd876572aba662d80f95695abd7c7fcae9b87269cc38bbc

SHA512
d36d3825b40fa80a9d79c2e36a52998805299c98b2194615f232e3506606623039a9ea84be29ec561850eeee3354d392c361a19afa7a51afffe8baf1a7120942

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\g9535831.exe

Filesize
700KB

MD5
9b5f3d7a7907546a2bc40984cf3903bb

SHA1
b17d8252ee06f619d1065cfee9de27a27b722cd9

SHA256
5a5227029b36e1f9e185075727de04e8b49bdfb0b6d5164f87976eb990cafb2a

SHA512
c9c983d542ff639675816fabd30dd31f797ee7f52e40fbdc0e375d52dec5a6aadab8042e13bd706febd3c3d1193e76db2d7ef57f78665bb22d6b05c09b0c5bb9

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\g9535831.exe

Filesize
700KB

MD5
9b5f3d7a7907546a2bc40984cf3903bb

SHA1
b17d8252ee06f619d1065cfee9de27a27b722cd9

SHA256
5a5227029b36e1f9e185075727de04e8b49bdfb0b6d5164f87976eb990cafb2a

SHA512
c9c983d542ff639675816fabd30dd31f797ee7f52e40fbdc0e375d52dec5a6aadab8042e13bd706febd3c3d1193e76db2d7ef57f78665bb22d6b05c09b0c5bb9

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\h5607065.exe

Filesize
174KB

MD5
49930693fbb2f1b859653a734a560aaf

SHA1
b3cb6be92a07bdf13e00e7c83d369d8f761551e6

SHA256
4f9334d432e679d85f2c1eebd3568f35f96f6be4ca3f865b6b9a37b803ace594

SHA512
44171ac04c7fb6b34f03be5de2ec7142d5ba59d05acc021848ef44469e0e5fbb0f54da532ed8678383c2708889bd235ca9f35f6a3e17be08d6c2de9bb4cd86a1

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\h5607065.exe

Filesize
174KB

MD5
49930693fbb2f1b859653a734a560aaf

SHA1
b3cb6be92a07bdf13e00e7c83d369d8f761551e6

SHA256
4f9334d432e679d85f2c1eebd3568f35f96f6be4ca3f865b6b9a37b803ace594

SHA512
44171ac04c7fb6b34f03be5de2ec7142d5ba59d05acc021848ef44469e0e5fbb0f54da532ed8678383c2708889bd235ca9f35f6a3e17be08d6c2de9bb4cd86a1

Download Submit
memory/2296-39-0x0000000005490000-0x0000000005AA8000-memory.dmp

Filesize
6.1MB

Download
memory/2296-40-0x0000000004F80000-0x000000000508A000-memory.dmp

Filesize
1.0MB

Download
memory/2296-46-0x0000000004E60000-0x0000000004E70000-memory.dmp

Filesize
64KB

Download
memory/2296-45-0x0000000074650000-0x0000000074E00000-memory.dmp

Filesize
7.7MB

Download
memory/2296-36-0x00000000002D0000-0x0000000000300000-memory.dmp

Filesize
192KB

Download
memory/2296-37-0x0000000074650000-0x0000000074E00000-memory.dmp

Filesize
7.7MB

Download
memory/2296-44-0x0000000004E70000-0x0000000004EBC000-memory.dmp

Filesize
304KB

Download
memory/2296-43-0x0000000004E00000-0x0000000004E3C000-memory.dmp

Filesize
240KB

Download
memory/2296-38-0x00000000027E0000-0x00000000027E6000-memory.dmp

Filesize
24KB

Download
memory/2296-42-0x0000000004E60000-0x0000000004E70000-memory.dmp

Filesize
64KB

Download
memory/2296-41-0x0000000004DA0000-0x0000000004DB2000-memory.dmp

Filesize
72KB

Download
memory/3100-29-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3100-32-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3100-30-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3100-28-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads