redline | 5eb722b1af29eaaa64b029ffc54dddae92acbb9c1b778b6bc51551329ed241e8

Analysis

max time kernel
148s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
24-05-2024 15:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

40d8e0aa1d01acecacb5b454de82773c5a4b5f13ec3abf8ee0ce0c906690a918.exe
Size

903KB
MD5

468625bfbc5b9c6f04d805bfa3e1546a
SHA1

c39e0852f79372afd720d45fada6fb3906d8fc35
SHA256

40d8e0aa1d01acecacb5b454de82773c5a4b5f13ec3abf8ee0ce0c906690a918
SHA512

24a8e52c281133cdc127f7e8e1ea23e0ecf57ae38247e6b63115159e11b746050b405d7d7626b2fd79283bff59ebdf3c390c2df40ca5965e0c7d0344ef98250f
SSDEEP

24576:Iydo+8kfdQKKtL/CJNyci1baTTnXT11Lp1ftA:PdB8kiKCL/CJAP1bafnXDpJt

Score

10^/10

redline taiga infostealer persistence

Malware Config

Extracted

Family

redline

Botnet

taiga

5.42.92.51:19057

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 1 IoCs

Processes:

resource	yara_rule
behavioral7/memory/1220-7-0x0000000000400000-0x000000000043C000-memory.dmp	family_redline

Executes dropped EXE 2 IoCs

Processes:

11ri7807.exe12Iz401.exe

pid process

2292 11ri7807.exe
1676 12Iz401.exe

pid	process
2292	11ri7807.exe
1676	12Iz401.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

40d8e0aa1d01acecacb5b454de82773c5a4b5f13ec3abf8ee0ce0c906690a918.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	40d8e0aa1d01acecacb5b454de82773c5a4b5f13ec3abf8ee0ce0c906690a918.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

11ri7807.exe

description pid process target process

PID 2292 set thread context of 1220 2292 11ri7807.exe AppLaunch.exe

description	pid	process	target process
PID 2292 set thread context of 1220	2292	11ri7807.exe	AppLaunch.exe

Suspicious use of WriteProcessMemory 14 IoCs

Processes:

40d8e0aa1d01acecacb5b454de82773c5a4b5f13ec3abf8ee0ce0c906690a918.exe11ri7807.exe

description	pid	process	target process
PID 5020 wrote to memory of 2292	5020	40d8e0aa1d01acecacb5b454de82773c5a4b5f13ec3abf8ee0ce0c906690a918.exe	11ri7807.exe
PID 5020 wrote to memory of 2292	5020	40d8e0aa1d01acecacb5b454de82773c5a4b5f13ec3abf8ee0ce0c906690a918.exe	11ri7807.exe
PID 5020 wrote to memory of 2292	5020	40d8e0aa1d01acecacb5b454de82773c5a4b5f13ec3abf8ee0ce0c906690a918.exe	11ri7807.exe
PID 2292 wrote to memory of 1220	2292	11ri7807.exe	AppLaunch.exe
PID 2292 wrote to memory of 1220	2292	11ri7807.exe	AppLaunch.exe
PID 2292 wrote to memory of 1220	2292	11ri7807.exe	AppLaunch.exe
PID 2292 wrote to memory of 1220	2292	11ri7807.exe	AppLaunch.exe
PID 2292 wrote to memory of 1220	2292	11ri7807.exe	AppLaunch.exe
PID 2292 wrote to memory of 1220	2292	11ri7807.exe	AppLaunch.exe
PID 2292 wrote to memory of 1220	2292	11ri7807.exe	AppLaunch.exe
PID 2292 wrote to memory of 1220	2292	11ri7807.exe	AppLaunch.exe
PID 5020 wrote to memory of 1676	5020	40d8e0aa1d01acecacb5b454de82773c5a4b5f13ec3abf8ee0ce0c906690a918.exe	12Iz401.exe
PID 5020 wrote to memory of 1676	5020	40d8e0aa1d01acecacb5b454de82773c5a4b5f13ec3abf8ee0ce0c906690a918.exe	12Iz401.exe
PID 5020 wrote to memory of 1676	5020	40d8e0aa1d01acecacb5b454de82773c5a4b5f13ec3abf8ee0ce0c906690a918.exe	12Iz401.exe

C:\Users\Admin\AppData\Local\Temp\40d8e0aa1d01acecacb5b454de82773c5a4b5f13ec3abf8ee0ce0c906690a918.exe
"C:\Users\Admin\AppData\Local\Temp\40d8e0aa1d01acecacb5b454de82773c5a4b5f13ec3abf8ee0ce0c906690a918.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:5020
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\11ri7807.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\11ri7807.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:2292
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
    3⤵
    PID:1220
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\12Iz401.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\12Iz401.exe
  2⤵
  - Executes dropped EXE
  PID:1676

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\11ri7807.exe

Filesize
414KB

MD5
5592f560af7cf807f386cc2bcf7dd61a

SHA1
b7bacf3b630c0486730d72622ce954b90a13a74d

SHA256
d1bfce6063fdd6011206e564ed01459896f5f2e94c4e5bbe4b97df932aa9d8fc

SHA512
2463518147071915c525f4e9cf51666e9a50730bd112bd57be56e0bd3cc4bd882355fd993ad4b3ae92648a4d1ddca30553f1ee4aec473f2a60fca456743a20f7

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\12Iz401.exe

Filesize
1.5MB

MD5
11107949a3fced3a4c0f62bccc004af1

SHA1
045df927d159ce822c8a9c04dce66542e004cf37

SHA256
261eb037ab92209308d1e9fd0ca115f7b5d1e0b6571af9451b29e59a6e0bfe97

SHA512
778512c0c15f38b14cab2712dd212e8d72f7784327def19f41e72b858c301fe2a141f86297e7b201b4d77e70fd4847c7a34bd341794ba2242b470e2fb40ee790

Download Submit
memory/1220-15-0x0000000004660000-0x000000000466A000-memory.dmp

Filesize
40KB

Download
memory/1220-10-0x0000000073E8E000-0x0000000073E8F000-memory.dmp

Filesize
4KB

Download
memory/1220-12-0x00000000075B0000-0x0000000007B54000-memory.dmp

Filesize
5.6MB

Download
memory/1220-13-0x0000000007100000-0x0000000007192000-memory.dmp

Filesize
584KB

Download
memory/1220-7-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1220-14-0x0000000073E80000-0x0000000074630000-memory.dmp

Filesize
7.7MB

Download
memory/1220-16-0x0000000008180000-0x0000000008798000-memory.dmp

Filesize
6.1MB

Download
memory/1220-17-0x0000000007480000-0x000000000758A000-memory.dmp

Filesize
1.0MB

Download
memory/1220-18-0x0000000007240000-0x0000000007252000-memory.dmp

Filesize
72KB

Download
memory/1220-19-0x00000000073B0000-0x00000000073EC000-memory.dmp

Filesize
240KB

Download
memory/1220-20-0x00000000073F0000-0x000000000743C000-memory.dmp

Filesize
304KB

Download