redline | 5dc51ec618df43ed6fc824ec30c25e83727b037b45d1fda300163fbe443c6428

General

Target

5dc51ec618df43ed6fc824ec30c25e83727b037b45d1fda300163fbe443c6428.exe
Size

1.1MB
MD5

acd37f485fb48c160af06750e9f517f2
SHA1

c9477322f2aee3a78a4f4ca15f42333e529615f0
SHA256

5dc51ec618df43ed6fc824ec30c25e83727b037b45d1fda300163fbe443c6428
SHA512

2743bf165984e7e859d80f7366f1794f863654f48e2e0f0b69c303ecd9388137284ddaac96afc1c3ad08d70d73bd0ff46ab19ff74365042c51a3016ecf40bd46
SSDEEP

24576:ryrmSSsjn1hA5Dhl6nDf3qhdwa5gvJiDHqQf1LP9dX938AGj:eLbnAED/IKJiDH/f1LlDw

Score

10^/10

redline doma discovery infostealer persistence

Malware Config

Extracted

Family

redline

Botnet

doma

C2

185.161.248.75:4132

Attributes

auth_value
8be53af7f78567706928d0abef953ef4

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 2 IoCs

resource	yara_rule
behavioral1/files/0x0008000000023ca4-19.dat	family_redline
behavioral1/memory/4592-21-0x0000000000920000-0x000000000094A000-memory.dmp	family_redline

Redline family
redline

Executes dropped EXE 3 IoCs

pid	Process
4596	x9460198.exe
904	x3200877.exe
4592	f7770487.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	x9460198.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	x3200877.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	5dc51ec618df43ed6fc824ec30c25e83727b037b45d1fda300163fbe443c6428.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	5dc51ec618df43ed6fc824ec30c25e83727b037b45d1fda300163fbe443c6428.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	x9460198.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	x3200877.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f7770487.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 4844 wrote to memory of 4596	4844	5dc51ec618df43ed6fc824ec30c25e83727b037b45d1fda300163fbe443c6428.exe	84
PID 4844 wrote to memory of 4596	4844	5dc51ec618df43ed6fc824ec30c25e83727b037b45d1fda300163fbe443c6428.exe	84
PID 4844 wrote to memory of 4596	4844	5dc51ec618df43ed6fc824ec30c25e83727b037b45d1fda300163fbe443c6428.exe	84
PID 4596 wrote to memory of 904	4596	x9460198.exe	85
PID 4596 wrote to memory of 904	4596	x9460198.exe	85
PID 4596 wrote to memory of 904	4596	x9460198.exe	85
PID 904 wrote to memory of 4592	904	x3200877.exe	86
PID 904 wrote to memory of 4592	904	x3200877.exe	86
PID 904 wrote to memory of 4592	904	x3200877.exe	86

C:\Users\Admin\AppData\Local\Temp\5dc51ec618df43ed6fc824ec30c25e83727b037b45d1fda300163fbe443c6428.exe
"C:\Users\Admin\AppData\Local\Temp\5dc51ec618df43ed6fc824ec30c25e83727b037b45d1fda300163fbe443c6428.exe"
1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4844
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x9460198.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x9460198.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4596
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x3200877.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x3200877.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:904
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\f7770487.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\f7770487.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:4592

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x9460198.exe

Filesize
749KB

MD5
5e1366e9c327856737cdba06f16c8ab0

SHA1
9a37473e9eadd2c85b35913f9c8e0a9bd914798e

SHA256
dd6fe4d1bf07cbd11cbdf9640912da80a1290960a42dbb0c90e21ec157336511

SHA512
98d1566d8533036b1e7e7181a9e973b801dac32f984cd473490b42b8fed52568ba3e91aaa4c7bcfabca8e68f46363d26f8dfde7be0dc47362b3cfd9b545b98c0

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x3200877.exe

Filesize
304KB

MD5
776cc2491f0123df2a991567a4025bb2

SHA1
192878c75ed0dbda955a7eec3caf2a5a93be59d7

SHA256
55ddebc6bb2da47a7b31df7c5eb1c93de9d207bed46b9dc7839ab88b846e069a

SHA512
aca7b987f54aa8aeccc140f735b480196a54532c3ca6104a39598801ff134d1a160074e29f3c00bdd856bf876edf48b20ab57b69713937a78248d7078260daa1

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\f7770487.exe

Filesize
145KB

MD5
ec425b0cfdaf23366ddc384bc3c8d3c1

SHA1
0fce48a7383819c00c404d58440d607dc0d8eeb6

SHA256
3c1f6bd70ca8e6311453fd8ba2212dabd046d79e6cf2553abcc261f851cbd2ae

SHA512
78f3cb134544505f228ac9baf2065dcf06c03faf309fdb94b8acd2726843ced4bfd06feffb152027c5d413bebe2350b2afc0b43c63a6250792fd30c9deeb973a

Download Submit
memory/4592-21-0x0000000000920000-0x000000000094A000-memory.dmp

Filesize
168KB

Download
memory/4592-22-0x0000000005890000-0x0000000005EA8000-memory.dmp

Filesize
6.1MB

Download
memory/4592-23-0x00000000053F0000-0x00000000054FA000-memory.dmp

Filesize
1.0MB

Download
memory/4592-24-0x0000000005320000-0x0000000005332000-memory.dmp

Filesize
72KB

Download
memory/4592-25-0x0000000005390000-0x00000000053CC000-memory.dmp

Filesize
240KB

Download
memory/4592-26-0x0000000005500000-0x000000000554C000-memory.dmp

Filesize
304KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads