redline | 3db3c33024371bb0b7b69afd7bec878c9a4b51bea86300dd2160ce8ddc5ae8c4

General

Target

3db3c33024371bb0b7b69afd7bec878c9a4b51bea86300dd2160ce8ddc5ae8c4.exe
Size

1.1MB
MD5

ec0cbb52d79c5fea837394962a62bae1
SHA1

8b49127e110776dab2ed11af4c731650b3c77c1e
SHA256

3db3c33024371bb0b7b69afd7bec878c9a4b51bea86300dd2160ce8ddc5ae8c4
SHA512

7f013183ab8cb61496b3557fc09e74527189f0abe287746d7f52669b8b2c04157f94a436d67a787620745b4e9aa31c5ada52c948221065f1f934517f8fbd6730
SSDEEP

24576:kyak3M04Jya0as8CGTslhYq2HiezuGO9WuUTsmcjyg5QNv:zRMR0z8CqjdviG02cjygmN

Score

10^/10

redline doma discovery infostealer persistence

Malware Config

Extracted

Family

redline

Botnet

doma

C2

185.161.248.75:4132

Attributes

auth_value
8be53af7f78567706928d0abef953ef4

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 2 IoCs

resource	yara_rule
behavioral1/files/0x0008000000023cb1-19.dat	family_redline
behavioral1/memory/4416-21-0x0000000000BC0000-0x0000000000BEA000-memory.dmp	family_redline

Redline family
redline

Executes dropped EXE 3 IoCs

pid	Process
4328	x3445453.exe
4000	x8673879.exe
4416	f4587102.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	3db3c33024371bb0b7b69afd7bec878c9a4b51bea86300dd2160ce8ddc5ae8c4.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	x3445453.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	x8673879.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3db3c33024371bb0b7b69afd7bec878c9a4b51bea86300dd2160ce8ddc5ae8c4.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	x3445453.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	x8673879.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f4587102.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 1572 wrote to memory of 4328	1572	3db3c33024371bb0b7b69afd7bec878c9a4b51bea86300dd2160ce8ddc5ae8c4.exe	84
PID 1572 wrote to memory of 4328	1572	3db3c33024371bb0b7b69afd7bec878c9a4b51bea86300dd2160ce8ddc5ae8c4.exe	84
PID 1572 wrote to memory of 4328	1572	3db3c33024371bb0b7b69afd7bec878c9a4b51bea86300dd2160ce8ddc5ae8c4.exe	84
PID 4328 wrote to memory of 4000	4328	x3445453.exe	85
PID 4328 wrote to memory of 4000	4328	x3445453.exe	85
PID 4328 wrote to memory of 4000	4328	x3445453.exe	85
PID 4000 wrote to memory of 4416	4000	x8673879.exe	86
PID 4000 wrote to memory of 4416	4000	x8673879.exe	86
PID 4000 wrote to memory of 4416	4000	x8673879.exe	86

C:\Users\Admin\AppData\Local\Temp\3db3c33024371bb0b7b69afd7bec878c9a4b51bea86300dd2160ce8ddc5ae8c4.exe
"C:\Users\Admin\AppData\Local\Temp\3db3c33024371bb0b7b69afd7bec878c9a4b51bea86300dd2160ce8ddc5ae8c4.exe"
1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1572
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x3445453.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x3445453.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4328
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x8673879.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x8673879.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:4000
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\f4587102.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\f4587102.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:4416

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x3445453.exe

Filesize
748KB

MD5
6031c7786caf0bf4e16eabed010d369d

SHA1
cb750578a9a758c46963efade6b1e5638cdee533

SHA256
b5fb7c39abf944fc6c195055a3a32aea6284cd508906813a368882cd58a777de

SHA512
a395356ed409faae4f84dc08cd770b141ee4a0f6088f5023beb6b15fea0784c57856b4fa078ff68b08a327017d40366e1ca0fca9b0af0f3ce30a20b1ebf205b5

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x8673879.exe

Filesize
304KB

MD5
0d2e6be1f9fa0d01ff6096682329528e

SHA1
306a40232ca7489690e419f8519f95a03bd947c2

SHA256
1c513605945cc9ed1a1d61b24947be8aabda6bfb946781c1dc4fd115c5a55a4a

SHA512
e7a3c5d58b14742affabe7c7d39c4f8ee77e3a7269dcb19911ff60339262e4029d26c7ff909c01f5453cb621a14c1d64da9a6969bca01688919876e94302b4ef

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\f4587102.exe

Filesize
145KB

MD5
20970b9b1cf48fb14b9f6112828816dd

SHA1
833cfb786e8a0709a44ae390dc8c3d65d09fb225

SHA256
56e8997921c51c54837e0f8ad7f504de18ffe0151a21c913bcdb82f36ea2697c

SHA512
d6793226dc0da6e452c2552b56abbd2b42d16bcce4d66d9e161b6f56d09626fd778a32b4a2fb42af8df8edb26db0eeefaf10583679b79ea5e456daf5228f9c4c

Download Submit
memory/4416-21-0x0000000000BC0000-0x0000000000BEA000-memory.dmp

Filesize
168KB

Download
memory/4416-22-0x0000000005B10000-0x0000000006128000-memory.dmp

Filesize
6.1MB

Download
memory/4416-23-0x0000000005690000-0x000000000579A000-memory.dmp

Filesize
1.0MB

Download
memory/4416-24-0x00000000055C0000-0x00000000055D2000-memory.dmp

Filesize
72KB

Download
memory/4416-25-0x0000000005620000-0x000000000565C000-memory.dmp

Filesize
240KB

Download
memory/4416-26-0x00000000057A0000-0x00000000057EC000-memory.dmp

Filesize
304KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads