redline | 313fb3b3daf57241cd8f8a84921bda55a40dd68b6360f2a582f6f02babb2e3c9

Analysis

max time kernel
138s
max time network
165s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
12-10-2023 06:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

313fb3b3daf57241cd8f8a84921bda55a40dd68b6360f2a582f6f02babb2e3c9.exe
Size

1.0MB
MD5

3c68d8b81ea0b476f599e12e8a0a1537
SHA1

493d7fe200184c68a696803849345a52cbbdbe19
SHA256

313fb3b3daf57241cd8f8a84921bda55a40dd68b6360f2a582f6f02babb2e3c9
SHA512

109ff8e011538cd3d789b24decbc0d3257c28749b2440b9c5721fc1dfb1e55fe661cac0783c5bc3f0ffb76c8494ca8c5d551d31f558f42917a73c09ca9396652
SSDEEP

12288:lMrvy90gHIxlkY1pybLNj/fsZsHc6VIkIvUA54I6zvRVrwhjszleFaelXi28dH5b:eyi/X1AV9it3mVzJVSQelSF2ZGyfqR

Score

10^/10

redline tuxiu infostealer persistence

Malware Config

Extracted

Family

redline

Botnet

tuxiu

77.91.124.82:19071

Attributes

auth_value
29610cdad07e7187eec70685a04b89fe

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 3 IoCs

resource	yara_rule
behavioral2/files/0x000600000002320b-34.dat	family_redline
behavioral2/files/0x000600000002320b-35.dat	family_redline
behavioral2/memory/976-37-0x0000000000FF0000-0x0000000001020000-memory.dmp	family_redline

Executes dropped EXE 5 IoCs

pid	Process
2156	x8068523.exe
4160	x4086327.exe
4472	x1377140.exe
2360	g6013171.exe
976	h7137625.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	313fb3b3daf57241cd8f8a84921bda55a40dd68b6360f2a582f6f02babb2e3c9.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	x8068523.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	x4086327.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	x1377140.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2360 set thread context of 1572	2360	g6013171.exe	97

Program crash 2 IoCs

pid	pid_target	Process	procid_target
4824	1572	WerFault.exe	97
2520	2360	WerFault.exe	89

Suspicious use of WriteProcessMemory 25 IoCs

description	pid	Process	procid_target
PID 2956 wrote to memory of 2156	2956	313fb3b3daf57241cd8f8a84921bda55a40dd68b6360f2a582f6f02babb2e3c9.exe	86
PID 2956 wrote to memory of 2156	2956	313fb3b3daf57241cd8f8a84921bda55a40dd68b6360f2a582f6f02babb2e3c9.exe	86
PID 2956 wrote to memory of 2156	2956	313fb3b3daf57241cd8f8a84921bda55a40dd68b6360f2a582f6f02babb2e3c9.exe	86
PID 2156 wrote to memory of 4160	2156	x8068523.exe	87
PID 2156 wrote to memory of 4160	2156	x8068523.exe	87
PID 2156 wrote to memory of 4160	2156	x8068523.exe	87
PID 4160 wrote to memory of 4472	4160	x4086327.exe	88
PID 4160 wrote to memory of 4472	4160	x4086327.exe	88
PID 4160 wrote to memory of 4472	4160	x4086327.exe	88
PID 4472 wrote to memory of 2360	4472	x1377140.exe	89
PID 4472 wrote to memory of 2360	4472	x1377140.exe	89
PID 4472 wrote to memory of 2360	4472	x1377140.exe	89
PID 2360 wrote to memory of 1572	2360	g6013171.exe	97
PID 2360 wrote to memory of 1572	2360	g6013171.exe	97
PID 2360 wrote to memory of 1572	2360	g6013171.exe	97
PID 2360 wrote to memory of 1572	2360	g6013171.exe	97
PID 2360 wrote to memory of 1572	2360	g6013171.exe	97
PID 2360 wrote to memory of 1572	2360	g6013171.exe	97
PID 2360 wrote to memory of 1572	2360	g6013171.exe	97
PID 2360 wrote to memory of 1572	2360	g6013171.exe	97
PID 2360 wrote to memory of 1572	2360	g6013171.exe	97
PID 2360 wrote to memory of 1572	2360	g6013171.exe	97
PID 4472 wrote to memory of 976	4472	x1377140.exe	106
PID 4472 wrote to memory of 976	4472	x1377140.exe	106
PID 4472 wrote to memory of 976	4472	x1377140.exe	106

C:\Users\Admin\AppData\Local\Temp\313fb3b3daf57241cd8f8a84921bda55a40dd68b6360f2a582f6f02babb2e3c9.exe
"C:\Users\Admin\AppData\Local\Temp\313fb3b3daf57241cd8f8a84921bda55a40dd68b6360f2a582f6f02babb2e3c9.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2956
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x8068523.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x8068523.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:2156
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x4086327.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x4086327.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:4160
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\x1377140.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\x1377140.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:4472
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\g6013171.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\g6013171.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:2360
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        6⤵
        
        PID:1572
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1572 -s 540
        7⤵
        Program crash
        
        PID:4824
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2360 -s 556
        6⤵
        Program crash
        
        PID:2520
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\h7137625.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\h7137625.exe
        5⤵
        Executes dropped EXE
        
        PID:976

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 204 -p 2360 -ip 2360
1⤵
PID:2916

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 1572 -ip 1572
1⤵
PID:4332

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x8068523.exe

Filesize
932KB

MD5
e16b22d50a0e9f91e59d6f753a697b14

SHA1
44804d819ceb54e812298acc1441b76714fc739d

SHA256
24c8e82a20b741c87cae0563790ee45c36c6ce33eff60126dc7a0e90daacd28e

SHA512
e8c8de51d7d0105a0ee8829a5598a1ba440aac7ff81ada927c7a35a499e6e8b549b559bec7ed721e4cc726ed39bd040101c47e879020ecfc5cc442cf9e32c844

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x8068523.exe

Filesize
932KB

MD5
e16b22d50a0e9f91e59d6f753a697b14

SHA1
44804d819ceb54e812298acc1441b76714fc739d

SHA256
24c8e82a20b741c87cae0563790ee45c36c6ce33eff60126dc7a0e90daacd28e

SHA512
e8c8de51d7d0105a0ee8829a5598a1ba440aac7ff81ada927c7a35a499e6e8b549b559bec7ed721e4cc726ed39bd040101c47e879020ecfc5cc442cf9e32c844

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x4086327.exe

Filesize
628KB

MD5
8274c759d7bdceb820439e8d6805a2c9

SHA1
c7a18a6d046319e665770ff8829ddc9e196de450

SHA256
239a906ad929605bde5c888cf7f563b8fe6e198408b4e0506fbdb3ccbbba2419

SHA512
2672d1fc6baa68260757c125044d9407243e95ff10e593c6c61cab30585f8e487b2f7c7f03cae14eeba229dca5678dd2c92ba7225569b68073d1f4e9b46e98b3

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x4086327.exe

Filesize
628KB

MD5
8274c759d7bdceb820439e8d6805a2c9

SHA1
c7a18a6d046319e665770ff8829ddc9e196de450

SHA256
239a906ad929605bde5c888cf7f563b8fe6e198408b4e0506fbdb3ccbbba2419

SHA512
2672d1fc6baa68260757c125044d9407243e95ff10e593c6c61cab30585f8e487b2f7c7f03cae14eeba229dca5678dd2c92ba7225569b68073d1f4e9b46e98b3

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\x1377140.exe

Filesize
443KB

MD5
52b880f470a2d9f6fe9a4b43d21fd76f

SHA1
3ca77a973ab1b2407660da408353c5bfc0ffc8a3

SHA256
d45454620fb09240c8a5de19d186b1df8cabc07b5ce73d720fbf5d4abf663135

SHA512
a72971f6772c7de96ee3f79b945f9f06bb7ba587b6840850074863a1ac974d69b27de6bdb9534a0c3456216545fd241496b4b4a84d6a1c40aef09845210014f3

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\x1377140.exe

Filesize
443KB

MD5
52b880f470a2d9f6fe9a4b43d21fd76f

SHA1
3ca77a973ab1b2407660da408353c5bfc0ffc8a3

SHA256
d45454620fb09240c8a5de19d186b1df8cabc07b5ce73d720fbf5d4abf663135

SHA512
a72971f6772c7de96ee3f79b945f9f06bb7ba587b6840850074863a1ac974d69b27de6bdb9534a0c3456216545fd241496b4b4a84d6a1c40aef09845210014f3

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\g6013171.exe

Filesize
700KB

MD5
605f34b333baaaa4c3aab15eee268720

SHA1
b9c4d40d5c4b3b9608b2c7d9f7348f69d7b22528

SHA256
f7153ccc43248dcf90b58bfe290f216d1266e16d9a303c8729b0750b9587e394

SHA512
8abac8398725ad4ad0ddc88c7dd286d97a0e13e2115a645b752c86712b8d7eab86b7a1fed3ac6146250c2518ebf45a24b9132a20a5362a8d130301062e42ccfa

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\g6013171.exe

Filesize
700KB

MD5
605f34b333baaaa4c3aab15eee268720

SHA1
b9c4d40d5c4b3b9608b2c7d9f7348f69d7b22528

SHA256
f7153ccc43248dcf90b58bfe290f216d1266e16d9a303c8729b0750b9587e394

SHA512
8abac8398725ad4ad0ddc88c7dd286d97a0e13e2115a645b752c86712b8d7eab86b7a1fed3ac6146250c2518ebf45a24b9132a20a5362a8d130301062e42ccfa

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\h7137625.exe

Filesize
174KB

MD5
5e8f4c97128daf905fae67bc27250186

SHA1
75c613f7f97f7a102755ee9ac3ae9379d8fd51b0

SHA256
98cf544f720aca665bc21346530abea327a6319affb64bb64aaca54e10a30c0a

SHA512
9e89d8e872f1e05bb2f44aa92c8a99a80702b5a6a78a4c1d80e68b129d44b5830729b4850af1fe1bc66910402109d335349763946cd50f75aac4bd7adb156aa0

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\h7137625.exe

Filesize
174KB

MD5
5e8f4c97128daf905fae67bc27250186

SHA1
75c613f7f97f7a102755ee9ac3ae9379d8fd51b0

SHA256
98cf544f720aca665bc21346530abea327a6319affb64bb64aaca54e10a30c0a

SHA512
9e89d8e872f1e05bb2f44aa92c8a99a80702b5a6a78a4c1d80e68b129d44b5830729b4850af1fe1bc66910402109d335349763946cd50f75aac4bd7adb156aa0

Download Submit
memory/976-39-0x00000000060A0000-0x00000000066B8000-memory.dmp

Filesize
6.1MB

Download
memory/976-40-0x0000000005B90000-0x0000000005C9A000-memory.dmp

Filesize
1.0MB

Download
memory/976-46-0x00000000034A0000-0x00000000034B0000-memory.dmp

Filesize
64KB

Download
memory/976-45-0x0000000073920000-0x00000000740D0000-memory.dmp

Filesize
7.7MB

Download
memory/976-36-0x0000000073920000-0x00000000740D0000-memory.dmp

Filesize
7.7MB

Download
memory/976-37-0x0000000000FF0000-0x0000000001020000-memory.dmp

Filesize
192KB

Download
memory/976-44-0x0000000005CA0000-0x0000000005CEC000-memory.dmp

Filesize
304KB

Download
memory/976-43-0x0000000005B20000-0x0000000005B5C000-memory.dmp

Filesize
240KB

Download
memory/976-38-0x0000000003480000-0x0000000003486000-memory.dmp

Filesize
24KB

Download
memory/976-41-0x00000000034A0000-0x00000000034B0000-memory.dmp

Filesize
64KB

Download
memory/976-42-0x0000000005AC0000-0x0000000005AD2000-memory.dmp

Filesize
72KB

Download
memory/1572-29-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1572-32-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1572-30-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1572-28-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads