redline | c11314504d04b9714c1c3992ca673486a5c8ac96b60fbc892b2f94204296b606

General

Target

c11314504d04b9714c1c3992ca673486a5c8ac96b60fbc892b2f94204296b606.exe
Size

12.1MB
MD5

e94abe514202de0a3e24c0f45ccea8a6
SHA1

27770fa35ea2ca6e1cd87f669e21f5e29cfaa381
SHA256

c11314504d04b9714c1c3992ca673486a5c8ac96b60fbc892b2f94204296b606
SHA512

1fe72a35e6e0da642c42848d5009538ab97d5e833466abd25f2aa03e96f8b637a2a9a30054c8ebdf4cdf80570e39f387c9b6a535105a3e9b36b846570114c0d3
SSDEEP

196608:bI14Cek0gfc3haxZH+fiE1jlKkbSPSvFWuFBGFV42uL7e:bKekhfcuZH+XKgHFW+BGFVE7e

Score

10^/10

redline rhadamanthys discovery infostealer stealer

Malware Config

Extracted

Family

rhadamanthys

C2

https://95.214.55.177:2474/fae624c5418d6/black.api

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 1 IoCs

resource	yara_rule
behavioral2/memory/3424-21-0x0000000000970000-0x00000000009C6000-memory.dmp	family_redline

Rhadamanthys
Rhadamanthys is an info stealer written in C++ first seen in August 2022.
stealer rhadamanthys

Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

description	pid	Process	procid_target
PID 3664 created 2832	3664	main.exe	50

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	c11314504d04b9714c1c3992ca673486a5c8ac96b60fbc892b2f94204296b606.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	Eclipse.exe

Executes dropped EXE 3 IoCs

pid	Process
3424	build.exe
2872	Eclipse.exe
3664	main.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Eclipse.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	main.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dialer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	c11314504d04b9714c1c3992ca673486a5c8ac96b60fbc892b2f94204296b606.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	build.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
3664	main.exe
3664	main.exe
2760	dialer.exe
2760	dialer.exe
2760	dialer.exe
2760	dialer.exe

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 1420 wrote to memory of 3424	1420	c11314504d04b9714c1c3992ca673486a5c8ac96b60fbc892b2f94204296b606.exe	86
PID 1420 wrote to memory of 3424	1420	c11314504d04b9714c1c3992ca673486a5c8ac96b60fbc892b2f94204296b606.exe	86
PID 1420 wrote to memory of 3424	1420	c11314504d04b9714c1c3992ca673486a5c8ac96b60fbc892b2f94204296b606.exe	86
PID 1420 wrote to memory of 2872	1420	c11314504d04b9714c1c3992ca673486a5c8ac96b60fbc892b2f94204296b606.exe	88
PID 1420 wrote to memory of 2872	1420	c11314504d04b9714c1c3992ca673486a5c8ac96b60fbc892b2f94204296b606.exe	88
PID 1420 wrote to memory of 2872	1420	c11314504d04b9714c1c3992ca673486a5c8ac96b60fbc892b2f94204296b606.exe	88
PID 2872 wrote to memory of 3664	2872	Eclipse.exe	89
PID 2872 wrote to memory of 3664	2872	Eclipse.exe	89
PID 2872 wrote to memory of 3664	2872	Eclipse.exe	89
PID 3664 wrote to memory of 2760	3664	main.exe	90
PID 3664 wrote to memory of 2760	3664	main.exe	90
PID 3664 wrote to memory of 2760	3664	main.exe	90
PID 3664 wrote to memory of 2760	3664	main.exe	90
PID 3664 wrote to memory of 2760	3664	main.exe	90

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
PID:2832
- C:\Windows\SysWOW64\dialer.exe
  "C:\Windows\system32\dialer.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:2760

C:\Users\Admin\AppData\Local\Temp\c11314504d04b9714c1c3992ca673486a5c8ac96b60fbc892b2f94204296b606.exe
"C:\Users\Admin\AppData\Local\Temp\c11314504d04b9714c1c3992ca673486a5c8ac96b60fbc892b2f94204296b606.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1420
- C:\Users\Admin\AppData\Local\Temp\build.exe
  "C:\Users\Admin\AppData\Local\Temp\build.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:3424
- C:\Users\Admin\AppData\Local\Temp\Eclipse.exe
  "C:\Users\Admin\AppData\Local\Temp\Eclipse.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2872
- - C:\Users\Admin\AppData\Local\Temp\main.exe
    "C:\Users\Admin\AppData\Local\Temp\main.exe"
    3⤵
    - Suspicious use of NtCreateUserProcessOtherParentProcess
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:3664

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Eclipse.exe

Filesize
11.6MB

MD5
d1b974d3816357532a0de6b388c5c361

SHA1
fef9e938027e649ebbcffb074c65d46b2d0a1621

SHA256
f617be25cb6b894df7c180f0ac4ac93aa26b808c2c6b69821546b29158dc2499

SHA512
c4025fd2cc9c08c7319fc9574913d793954ba93b01288a5f03cf12beeaa40617c182f850ab40c1be434c80024632f395a355622f1bc4d0ce4dae987d43868f35

Download Submit
C:\Users\Admin\AppData\Local\Temp\build.exe

Filesize
506KB

MD5
e5fb57e8214483fd395bd431cb3d1c4b

SHA1
60e22fc9e0068c8156462f003760efdcac82766b

SHA256
e389fc5782f754918a10b020adcd8faa11c25658b8d6f8cbc49f9ac3a7637684

SHA512
dc2ed0421db7dd5a3afeacb6a9f5017c97fc07d0b2d1745b50ede50087a58245d31d6669077a672b32541dbfa233ef87260a37be48de3bd407d8c587fc903d89

Download Submit
C:\Users\Admin\AppData\Local\Temp\main.exe

Filesize
448KB

MD5
e1e28c3acf184aa364c9ed9a30ab7289

SHA1
1a173a6f4ec39fe467f1b4b91c9fad794167ac1c

SHA256
03c72cfabace07b6787d2d1fd66d6d6d9a2fbcb74a827ca4ab7e59aba40cb306

SHA512
e8d38c9a144b7f4531e617de45dc240042a7b9ce7dd5766eb2f763b505d9786acccf54f3a03ff3639c36c957e2d14d34b5b59196170eb1b6b5f17e8a417d6991

Download Submit
memory/1420-18-0x0000000000400000-0x0000000001020000-memory.dmp

Filesize
12.1MB

Download
memory/2760-49-0x0000000000420000-0x0000000000429000-memory.dmp

Filesize
36KB

Download
memory/2760-55-0x0000000077480000-0x0000000077695000-memory.dmp

Filesize
2.1MB

Download
memory/2760-53-0x00007FFC4C3F0000-0x00007FFC4C5E5000-memory.dmp

Filesize
2.0MB

Download
memory/2760-52-0x0000000000B30000-0x0000000000F30000-memory.dmp

Filesize
4.0MB

Download
memory/2872-36-0x0000000000400000-0x0000000000F9C000-memory.dmp

Filesize
11.6MB

Download
memory/3424-25-0x0000000074BDE000-0x0000000074BDF000-memory.dmp

Filesize
4KB

Download
memory/3424-37-0x0000000074BD0000-0x0000000075380000-memory.dmp

Filesize
7.7MB

Download
memory/3424-41-0x0000000005660000-0x000000000576A000-memory.dmp

Filesize
1.0MB

Download
memory/3424-42-0x0000000005500000-0x000000000553C000-memory.dmp

Filesize
240KB

Download
memory/3424-43-0x0000000005570000-0x00000000055BC000-memory.dmp

Filesize
304KB

Download
memory/3424-57-0x0000000074BD0000-0x0000000075380000-memory.dmp

Filesize
7.7MB

Download
memory/3424-40-0x00000000054A0000-0x00000000054B2000-memory.dmp

Filesize
72KB

Download
memory/3424-56-0x0000000074BDE000-0x0000000074BDF000-memory.dmp

Filesize
4KB

Download
memory/3424-21-0x0000000000970000-0x00000000009C6000-memory.dmp

Filesize
344KB

Download
memory/3424-39-0x0000000005B70000-0x0000000006188000-memory.dmp

Filesize
6.1MB

Download
memory/3664-50-0x0000000000370000-0x00000000003F8000-memory.dmp

Filesize
544KB

Download
memory/3664-38-0x0000000000370000-0x00000000003F8000-memory.dmp

Filesize
544KB

Download
memory/3664-46-0x00007FFC4C3F0000-0x00007FFC4C5E5000-memory.dmp

Filesize
2.0MB

Download
memory/3664-48-0x0000000077480000-0x0000000077695000-memory.dmp

Filesize
2.1MB

Download
memory/3664-45-0x00000000035D0000-0x00000000039D0000-memory.dmp

Filesize
4.0MB

Download
memory/3664-44-0x00000000035D0000-0x00000000039D0000-memory.dmp

Filesize
4.0MB

Download

Analysis

Sharing