redline | 3bad5318d1eadf9f6d544fc5ed49c1e737fb2db130f60b70bab6f26392c87c30

Analysis

max time kernel
150s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
24-05-2024 10:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1f41b39d2b8ae20411682600943b3adf98567e247168192fb07ff103e71c9710.exe
Size

909KB
MD5

89eb57f8336e4fa95663f64fd2ba5fdc
SHA1

30bc23cd4d7c49326423ffea9e9fd24a60214ca1
SHA256

1f41b39d2b8ae20411682600943b3adf98567e247168192fb07ff103e71c9710
SHA512

4c9811e15a74664c58f2f00efae5d607fcc576ae98de97e993eac663b90281e33b9634c88f1ce702cd04f5e24418b8c4117ed5fd0a2ab39debf3276de8d9f18c
SSDEEP

12288:SMrfy90DOZ2s5Ze9aC1cx+aA8q7PPCxXaFFn/sAONQzkuuvtICQPQGG:ByHo+8kCS4aubCY//kSkBmCQPQGG

Score

10^/10

redline taiga infostealer persistence

Malware Config

Extracted

Family

redline

Botnet

taiga

5.42.92.51:19057

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 1 IoCs

Processes:

resource	yara_rule
behavioral5/memory/212-7-0x0000000000400000-0x000000000043C000-memory.dmp	family_redline

Executes dropped EXE 2 IoCs

Processes:

2wz9822.exe4xG079RF.exe

pid process

704 2wz9822.exe
4388 4xG079RF.exe

pid	process
704	2wz9822.exe
4388	4xG079RF.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

1f41b39d2b8ae20411682600943b3adf98567e247168192fb07ff103e71c9710.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	1f41b39d2b8ae20411682600943b3adf98567e247168192fb07ff103e71c9710.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

2wz9822.exe

description pid process target process

PID 704 set thread context of 212 704 2wz9822.exe AppLaunch.exe

description	pid	process	target process
PID 704 set thread context of 212	704	2wz9822.exe	AppLaunch.exe

Suspicious use of WriteProcessMemory 17 IoCs

Processes:

1f41b39d2b8ae20411682600943b3adf98567e247168192fb07ff103e71c9710.exe2wz9822.exe

description	pid	process	target process
PID 3148 wrote to memory of 704	3148	1f41b39d2b8ae20411682600943b3adf98567e247168192fb07ff103e71c9710.exe	2wz9822.exe
PID 3148 wrote to memory of 704	3148	1f41b39d2b8ae20411682600943b3adf98567e247168192fb07ff103e71c9710.exe	2wz9822.exe
PID 3148 wrote to memory of 704	3148	1f41b39d2b8ae20411682600943b3adf98567e247168192fb07ff103e71c9710.exe	2wz9822.exe
PID 704 wrote to memory of 4752	704	2wz9822.exe	AppLaunch.exe
PID 704 wrote to memory of 4752	704	2wz9822.exe	AppLaunch.exe
PID 704 wrote to memory of 4752	704	2wz9822.exe	AppLaunch.exe
PID 704 wrote to memory of 212	704	2wz9822.exe	AppLaunch.exe
PID 704 wrote to memory of 212	704	2wz9822.exe	AppLaunch.exe
PID 704 wrote to memory of 212	704	2wz9822.exe	AppLaunch.exe
PID 704 wrote to memory of 212	704	2wz9822.exe	AppLaunch.exe
PID 704 wrote to memory of 212	704	2wz9822.exe	AppLaunch.exe
PID 704 wrote to memory of 212	704	2wz9822.exe	AppLaunch.exe
PID 704 wrote to memory of 212	704	2wz9822.exe	AppLaunch.exe
PID 704 wrote to memory of 212	704	2wz9822.exe	AppLaunch.exe
PID 3148 wrote to memory of 4388	3148	1f41b39d2b8ae20411682600943b3adf98567e247168192fb07ff103e71c9710.exe	4xG079RF.exe
PID 3148 wrote to memory of 4388	3148	1f41b39d2b8ae20411682600943b3adf98567e247168192fb07ff103e71c9710.exe	4xG079RF.exe
PID 3148 wrote to memory of 4388	3148	1f41b39d2b8ae20411682600943b3adf98567e247168192fb07ff103e71c9710.exe	4xG079RF.exe

C:\Users\Admin\AppData\Local\Temp\1f41b39d2b8ae20411682600943b3adf98567e247168192fb07ff103e71c9710.exe
"C:\Users\Admin\AppData\Local\Temp\1f41b39d2b8ae20411682600943b3adf98567e247168192fb07ff103e71c9710.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3148

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\2wz9822.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\2wz9822.exe
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:704

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
3⤵
PID:4752

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
3⤵
PID:212

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\4xG079RF.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\4xG079RF.exe
2⤵
- Executes dropped EXE
PID:4388

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\2wz9822.exe

Filesize
414KB

MD5
5592f560af7cf807f386cc2bcf7dd61a

SHA1
b7bacf3b630c0486730d72622ce954b90a13a74d

SHA256
d1bfce6063fdd6011206e564ed01459896f5f2e94c4e5bbe4b97df932aa9d8fc

SHA512
2463518147071915c525f4e9cf51666e9a50730bd112bd57be56e0bd3cc4bd882355fd993ad4b3ae92648a4d1ddca30553f1ee4aec473f2a60fca456743a20f7

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\4xG079RF.exe

Filesize
1.5MB

MD5
c0d4d52192f53ea6e49090492e8a0e93

SHA1
8617e4753b060088c038faa0e28fe20fe3834842

SHA256
a197125bb79a0cf507cf93ce0dade10e08b666a4f808425c1a38d0e476aca256

SHA512
00eb351a2110a9be5ef529e708c72bbb0f62aa7bf40534613323132ff94aadc5f257f2498aacf6ab7743a0069ac084baf634b838ed502396be269b09b4eefcc3

Download Submit
memory/212-14-0x00000000051D0000-0x00000000051DA000-memory.dmp

Filesize
40KB

Download
memory/212-11-0x000000007400E000-0x000000007400F000-memory.dmp

Filesize
4KB

Download
memory/212-12-0x0000000008100000-0x00000000086A4000-memory.dmp

Filesize
5.6MB

Download
memory/212-13-0x0000000007C50000-0x0000000007CE2000-memory.dmp

Filesize
584KB

Download
memory/212-7-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/212-15-0x0000000074000000-0x00000000747B0000-memory.dmp

Filesize
7.7MB

Download
memory/212-16-0x0000000008CD0000-0x00000000092E8000-memory.dmp

Filesize
6.1MB

Download
memory/212-17-0x0000000007F40000-0x000000000804A000-memory.dmp

Filesize
1.0MB

Download
memory/212-18-0x0000000007E50000-0x0000000007E62000-memory.dmp

Filesize
72KB

Download
memory/212-19-0x0000000007EB0000-0x0000000007EEC000-memory.dmp

Filesize
240KB

Download
memory/212-20-0x0000000007EF0000-0x0000000007F3C000-memory.dmp

Filesize
304KB

Download