redline | a78740afe5f04a6f8f9e0479a6b40da230200c515121d37e05269bc5dde77774

Analysis

max time kernel
226s
max time network
272s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
12/10/2023, 07:01

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

a78740afe5f04a6f8f9e0479a6b40da230200c515121d37e05269bc5dde77774.exe
Size

1.0MB
MD5

9985c664063573c6ca4e13d707e0b311
SHA1

4a955c64e44ed012c583bbfb82d2eaf7c259708d
SHA256

a78740afe5f04a6f8f9e0479a6b40da230200c515121d37e05269bc5dde77774
SHA512

d0f44833c396f390f0af4aac8d4f8c6fe10780a8ea624a8417604706656f4ebfe6f839258f8b18f41d65f7f90b94ddf84585ed7c6ee46bd8a761425c23b8908d
SSDEEP

24576:Yy3/+56Phs7H+SF5o+yaU8CE1X7BQV5xiMz3ratw9O+w8u95:f3/+0EfY+y3NE1X7BQDxiKDo8

Score

10^/10

redline tuxiu infostealer persistence

Malware Config

Extracted

Family

redline

Botnet

tuxiu

77.91.124.82:19071

Attributes

auth_value
29610cdad07e7187eec70685a04b89fe

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 3 IoCs

resource	yara_rule
behavioral2/files/0x00090000000231cf-34.dat	family_redline
behavioral2/files/0x00090000000231cf-35.dat	family_redline
behavioral2/memory/2944-36-0x0000000000010000-0x0000000000040000-memory.dmp	family_redline

Executes dropped EXE 5 IoCs

pid	Process
1880	x9785483.exe
3008	x6311538.exe
5024	x7881085.exe
1272	g6660709.exe
2944	h5941473.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	a78740afe5f04a6f8f9e0479a6b40da230200c515121d37e05269bc5dde77774.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	x9785483.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	x6311538.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	x7881085.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1272 set thread context of 400	1272	g6660709.exe	96

Program crash 3 IoCs

pid	pid_target	Process	procid_target
4404	400	WerFault.exe	96
4732	1272	WerFault.exe	94
1660	400	WerFault.exe	96

Suspicious use of WriteProcessMemory 28 IoCs

description	pid	Process	procid_target
PID 3144 wrote to memory of 1880	3144	a78740afe5f04a6f8f9e0479a6b40da230200c515121d37e05269bc5dde77774.exe	89
PID 3144 wrote to memory of 1880	3144	a78740afe5f04a6f8f9e0479a6b40da230200c515121d37e05269bc5dde77774.exe	89
PID 3144 wrote to memory of 1880	3144	a78740afe5f04a6f8f9e0479a6b40da230200c515121d37e05269bc5dde77774.exe	89
PID 1880 wrote to memory of 3008	1880	x9785483.exe	91
PID 1880 wrote to memory of 3008	1880	x9785483.exe	91
PID 1880 wrote to memory of 3008	1880	x9785483.exe	91
PID 3008 wrote to memory of 5024	3008	x6311538.exe	92
PID 3008 wrote to memory of 5024	3008	x6311538.exe	92
PID 3008 wrote to memory of 5024	3008	x6311538.exe	92
PID 5024 wrote to memory of 1272	5024	x7881085.exe	94
PID 5024 wrote to memory of 1272	5024	x7881085.exe	94
PID 5024 wrote to memory of 1272	5024	x7881085.exe	94
PID 1272 wrote to memory of 400	1272	g6660709.exe	96
PID 1272 wrote to memory of 400	1272	g6660709.exe	96
PID 1272 wrote to memory of 400	1272	g6660709.exe	96
PID 1272 wrote to memory of 400	1272	g6660709.exe	96
PID 1272 wrote to memory of 400	1272	g6660709.exe	96
PID 1272 wrote to memory of 400	1272	g6660709.exe	96
PID 1272 wrote to memory of 400	1272	g6660709.exe	96
PID 1272 wrote to memory of 400	1272	g6660709.exe	96
PID 1272 wrote to memory of 400	1272	g6660709.exe	96
PID 1272 wrote to memory of 400	1272	g6660709.exe	96
PID 400 wrote to memory of 4404	400	AppLaunch.exe	100
PID 400 wrote to memory of 4404	400	AppLaunch.exe	100
PID 400 wrote to memory of 4404	400	AppLaunch.exe	100
PID 5024 wrote to memory of 2944	5024	x7881085.exe	108
PID 5024 wrote to memory of 2944	5024	x7881085.exe	108
PID 5024 wrote to memory of 2944	5024	x7881085.exe	108

C:\Users\Admin\AppData\Local\Temp\a78740afe5f04a6f8f9e0479a6b40da230200c515121d37e05269bc5dde77774.exe
"C:\Users\Admin\AppData\Local\Temp\a78740afe5f04a6f8f9e0479a6b40da230200c515121d37e05269bc5dde77774.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3144
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x9785483.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x9785483.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:1880
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x6311538.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x6311538.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:3008
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\x7881085.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\x7881085.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:5024
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\g6660709.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\g6660709.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:1272
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:400
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 400 -s 540
        7⤵
        Program crash
        
        PID:4404
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 400 -s 540
        7⤵
        Program crash
        
        PID:1660
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1272 -s 580
        6⤵
        Program crash
        
        PID:4732
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\h5941473.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\h5941473.exe
        5⤵
        Executes dropped EXE
        
        PID:2944

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 360 -p 400 -ip 400
1⤵
PID:2004

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 1272 -ip 1272
1⤵
PID:3128

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x9785483.exe

Filesize
932KB

MD5
5c367bd3367170415f763430a1e0cfda

SHA1
c2726d2b49d142c8dacf9107a97ef6bc1f8940b8

SHA256
40df92c63035f50b5b3dd2dff88cc05592bd766b3700c7d518cfd74bccf06118

SHA512
89248c2a559e024652284814b1c9d2bb72fa091e6744b090676f16ba5363bbfda9e35a3d216d8d16ba13e80bed691e14e0e8f9d95c6f150ac1a066e6002aac6b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x9785483.exe

Filesize
932KB

MD5
5c367bd3367170415f763430a1e0cfda

SHA1
c2726d2b49d142c8dacf9107a97ef6bc1f8940b8

SHA256
40df92c63035f50b5b3dd2dff88cc05592bd766b3700c7d518cfd74bccf06118

SHA512
89248c2a559e024652284814b1c9d2bb72fa091e6744b090676f16ba5363bbfda9e35a3d216d8d16ba13e80bed691e14e0e8f9d95c6f150ac1a066e6002aac6b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x6311538.exe

Filesize
628KB

MD5
c38ff2506b02eef26b184ee1ce251ded

SHA1
2ee52673ef52464c816e63ecdecfc38165facee1

SHA256
6690d3405160fb85f6a380b5adcb00a004408acc4f8b434e3b7feeb18145f778

SHA512
21dc0df8d0f4f6b75f09dc8b663d4d5b9175eddc4deb66f859e1f14984f2f36dcb5d66fbe6834bf701794a8124af30c36437f9786b76cd7b4bf9602da937061a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x6311538.exe

Filesize
628KB

MD5
c38ff2506b02eef26b184ee1ce251ded

SHA1
2ee52673ef52464c816e63ecdecfc38165facee1

SHA256
6690d3405160fb85f6a380b5adcb00a004408acc4f8b434e3b7feeb18145f778

SHA512
21dc0df8d0f4f6b75f09dc8b663d4d5b9175eddc4deb66f859e1f14984f2f36dcb5d66fbe6834bf701794a8124af30c36437f9786b76cd7b4bf9602da937061a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\x7881085.exe

Filesize
443KB

MD5
d84552782c4a3c47896e11184fe2081e

SHA1
ecb3934de2fc39e4097bef820f3a82baf9518066

SHA256
1ef37edba9cc536fb9403a6fd377db7c2ef98e65fce9a4d462cb694443334737

SHA512
252edd4416773876c78f877599614b6fbb3b17287d31ae833d7073d05923ee365ef8425f6e839cf8aec9f63eeb1ad98fc574edb4e688e6c008a8ae3ba28c0726

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\x7881085.exe

Filesize
443KB

MD5
d84552782c4a3c47896e11184fe2081e

SHA1
ecb3934de2fc39e4097bef820f3a82baf9518066

SHA256
1ef37edba9cc536fb9403a6fd377db7c2ef98e65fce9a4d462cb694443334737

SHA512
252edd4416773876c78f877599614b6fbb3b17287d31ae833d7073d05923ee365ef8425f6e839cf8aec9f63eeb1ad98fc574edb4e688e6c008a8ae3ba28c0726

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\g6660709.exe

Filesize
700KB

MD5
f85f9f9bf1b0a0baf5f3930973aa0730

SHA1
e0270671449cfc17c924f05f44387860a23cb2da

SHA256
093042eeadfa0f859bc2db4f955eb3b7032d8f2deb7632baca825f46b209d117

SHA512
4c2abac5c3bddbebfb86dc98c4ccbbb779c6e9d298df7313350ec9b45e9f27a71a2a957eed67c7ef9d5910fc669733a02be35d2406a34b60ad242ccc5ad8d3e5

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\g6660709.exe

Filesize
700KB

MD5
f85f9f9bf1b0a0baf5f3930973aa0730

SHA1
e0270671449cfc17c924f05f44387860a23cb2da

SHA256
093042eeadfa0f859bc2db4f955eb3b7032d8f2deb7632baca825f46b209d117

SHA512
4c2abac5c3bddbebfb86dc98c4ccbbb779c6e9d298df7313350ec9b45e9f27a71a2a957eed67c7ef9d5910fc669733a02be35d2406a34b60ad242ccc5ad8d3e5

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\h5941473.exe

Filesize
174KB

MD5
82da4101e550a25baf8bdce233d4c338

SHA1
047d14498df0643fad1c83c0837a241a0d145cd4

SHA256
7cd4c2f8a3d9903fee5cb8a02e4267f00b96f48195a0a0de9a28148869fba74e

SHA512
4f842fcc2e3e1b02b5874f54acafe035c33a6ff6217d19d79929f0a8d7db42c08ebadf375e57a2aca55323bd2ef1ef671fb73d476ead35221cdd77a5bc15b779

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\h5941473.exe

Filesize
174KB

MD5
82da4101e550a25baf8bdce233d4c338

SHA1
047d14498df0643fad1c83c0837a241a0d145cd4

SHA256
7cd4c2f8a3d9903fee5cb8a02e4267f00b96f48195a0a0de9a28148869fba74e

SHA512
4f842fcc2e3e1b02b5874f54acafe035c33a6ff6217d19d79929f0a8d7db42c08ebadf375e57a2aca55323bd2ef1ef671fb73d476ead35221cdd77a5bc15b779

Download Submit
memory/400-29-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/400-30-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/400-32-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/400-28-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2944-37-0x0000000074220000-0x00000000749D0000-memory.dmp

Filesize
7.7MB

Download
memory/2944-36-0x0000000000010000-0x0000000000040000-memory.dmp

Filesize
192KB

Download
memory/2944-38-0x00000000024A0000-0x00000000024A6000-memory.dmp

Filesize
24KB

Download
memory/2944-39-0x000000000A470000-0x000000000AA88000-memory.dmp

Filesize
6.1MB

Download
memory/2944-40-0x0000000009FC0000-0x000000000A0CA000-memory.dmp

Filesize
1.0MB

Download
memory/2944-41-0x00000000049C0000-0x00000000049D0000-memory.dmp

Filesize
64KB

Download
memory/2944-42-0x0000000009F00000-0x0000000009F12000-memory.dmp

Filesize
72KB

Download
memory/2944-43-0x0000000009F60000-0x0000000009F9C000-memory.dmp

Filesize
240KB

Download
memory/2944-44-0x000000000A0D0000-0x000000000A11C000-memory.dmp

Filesize
304KB

Download
memory/2944-45-0x0000000074220000-0x00000000749D0000-memory.dmp

Filesize
7.7MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads