redline | 3825cc07186a641a5224c53459c2c4523965dac3fccb200e1e4772e57e8a87d3

General

Target

3825cc07186a641a5224c53459c2c4523965dac3fccb200e1e4772e57e8a87d3.exe
Size

1.1MB
MD5

f2803445c1165f9394777236f6d411b5
SHA1

023fe7a106f67a95e480baf368ebaa75727f0ee0
SHA256

3825cc07186a641a5224c53459c2c4523965dac3fccb200e1e4772e57e8a87d3
SHA512

d1e139ec01e7cc60aa865d83d0d0b4263ec9462d0a313807737665369e75afe81db1cf6adcdda2a730af6389e19b14e8c43e5550e266a1b82720d6af4eab592f
SSDEEP

24576:tymuHepAdq+FW983FSJ/YvP2bCNgsa5howEQVmLEQjNmS:It+HsWqAYXDNOhfEPQ

Score

10^/10

redline doma discovery infostealer persistence

Malware Config

Extracted

Family

redline

Botnet

doma

C2

185.161.248.75:4132

Attributes

auth_value
8be53af7f78567706928d0abef953ef4

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 2 IoCs

resource	yara_rule
behavioral1/files/0x0008000000023c7c-19.dat	family_redline
behavioral1/memory/2824-21-0x0000000000990000-0x00000000009BA000-memory.dmp	family_redline

Redline family
redline

Executes dropped EXE 3 IoCs

pid	Process
4912	x4901190.exe
3132	x2219524.exe
2824	f1082261.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	3825cc07186a641a5224c53459c2c4523965dac3fccb200e1e4772e57e8a87d3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	x4901190.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	x2219524.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	x2219524.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f1082261.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3825cc07186a641a5224c53459c2c4523965dac3fccb200e1e4772e57e8a87d3.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	x4901190.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 4340 wrote to memory of 4912	4340	3825cc07186a641a5224c53459c2c4523965dac3fccb200e1e4772e57e8a87d3.exe	84
PID 4340 wrote to memory of 4912	4340	3825cc07186a641a5224c53459c2c4523965dac3fccb200e1e4772e57e8a87d3.exe	84
PID 4340 wrote to memory of 4912	4340	3825cc07186a641a5224c53459c2c4523965dac3fccb200e1e4772e57e8a87d3.exe	84
PID 4912 wrote to memory of 3132	4912	x4901190.exe	85
PID 4912 wrote to memory of 3132	4912	x4901190.exe	85
PID 4912 wrote to memory of 3132	4912	x4901190.exe	85
PID 3132 wrote to memory of 2824	3132	x2219524.exe	86
PID 3132 wrote to memory of 2824	3132	x2219524.exe	86
PID 3132 wrote to memory of 2824	3132	x2219524.exe	86

C:\Users\Admin\AppData\Local\Temp\3825cc07186a641a5224c53459c2c4523965dac3fccb200e1e4772e57e8a87d3.exe
"C:\Users\Admin\AppData\Local\Temp\3825cc07186a641a5224c53459c2c4523965dac3fccb200e1e4772e57e8a87d3.exe"
1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4340
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x4901190.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x4901190.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4912
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x2219524.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x2219524.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3132
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\f1082261.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\f1082261.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:2824

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x4901190.exe

Filesize
749KB

MD5
87e9e15ac6756611d0bfbfb0d263d20b

SHA1
07773a631cd64271a884f87c82e5d3496c1fd4d9

SHA256
5d982edc5a4627b5d241c0864a54d6feb2e4ce263da56844482db87b2e185829

SHA512
989b1427cac4427bcb8c5a70ac29cb321d7f1860b32525ab20452aa5fe3d94435eaf9f27079f808a9843a87b73d2959370fcf7aeb538c8c5070a29c23b6e1129

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x2219524.exe

Filesize
305KB

MD5
e2e6b23785b1e06eec6a9263861d8d8a

SHA1
151396cf5dbd22f96be5deef9fe73b96b7ad4456

SHA256
3c2c6158fa855ed88d6555abdaa2b0d0c415718e223366ee298d62b09bb1d19e

SHA512
ea2ab26b8e05826adc9fb32e7b277778493121346c7a0a8b6325fd6b8b1d71267f220bdf734fa2c4bbe81a6c2ea8bd26291f181ea23e3d081ba364977f926e58

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\f1082261.exe

Filesize
145KB

MD5
8ac554bb74e92fe3b48327e41005affe

SHA1
13c7815e7b8d2a8568cb4c7a295e5a014dc12626

SHA256
c3aadf1206ed089469a7639e61c3ec6e1595f05a8e882b434bafdd3c7074a779

SHA512
97295c291236b4f6693259bd422bae86a3fc411b8180496ff9d9101b51cca419a02564dbd045e73e935088bd2f7b944858e34972b429dec6fdfc6a1eea650f6f

Download Submit
memory/2824-21-0x0000000000990000-0x00000000009BA000-memory.dmp

Filesize
168KB

Download
memory/2824-22-0x0000000005900000-0x0000000005F18000-memory.dmp

Filesize
6.1MB

Download
memory/2824-23-0x0000000005460000-0x000000000556A000-memory.dmp

Filesize
1.0MB

Download
memory/2824-24-0x0000000005390000-0x00000000053A2000-memory.dmp

Filesize
72KB

Download
memory/2824-25-0x00000000053F0000-0x000000000542C000-memory.dmp

Filesize
240KB

Download
memory/2824-26-0x0000000005570000-0x00000000055BC000-memory.dmp

Filesize
304KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads