redline | b985b473c9b5cd81bc0f216ec9d72f321c8d1a0991035c86954a5b4ac5aa6d14

General

Target

b985b473c9b5cd81bc0f216ec9d72f321c8d1a0991035c86954a5b4ac5aa6d14.exe
Size

1.1MB
MD5

78d37943a245561c3c02011634759050
SHA1

97df305cff2c744d56b448449973199d41e074c7
SHA256

b985b473c9b5cd81bc0f216ec9d72f321c8d1a0991035c86954a5b4ac5aa6d14
SHA512

c6dbacc0c7a2c129c4966379ad59ad4a42aa2549244fcd6e324d6935b4e9e57e879dc49a7e8b31cd0ba2272ab2c9bb39bd45604c673254dda2ed92a3c0a1bac8
SSDEEP

24576:pyjl33dpMErnoClPBf7aDx/b/+4KHGbiMXIrMOfngtMM5:cjl3r7lPxaDlpKHGGhr7gtM

Score

10^/10

redline doma discovery infostealer persistence

Malware Config

Extracted

Family

redline

Botnet

doma

C2

185.161.248.75:4132

Attributes

auth_value
8be53af7f78567706928d0abef953ef4

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 2 IoCs

resource	yara_rule
behavioral1/files/0x0008000000023ca8-19.dat	family_redline
behavioral1/memory/464-21-0x0000000000720000-0x000000000074A000-memory.dmp	family_redline

Redline family
redline

Executes dropped EXE 3 IoCs

pid	Process
3448	x5426629.exe
4596	x2493616.exe
464	f8690601.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	b985b473c9b5cd81bc0f216ec9d72f321c8d1a0991035c86954a5b4ac5aa6d14.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	x5426629.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	x2493616.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	b985b473c9b5cd81bc0f216ec9d72f321c8d1a0991035c86954a5b4ac5aa6d14.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	x5426629.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	x2493616.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f8690601.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 1572 wrote to memory of 3448	1572	b985b473c9b5cd81bc0f216ec9d72f321c8d1a0991035c86954a5b4ac5aa6d14.exe	84
PID 1572 wrote to memory of 3448	1572	b985b473c9b5cd81bc0f216ec9d72f321c8d1a0991035c86954a5b4ac5aa6d14.exe	84
PID 1572 wrote to memory of 3448	1572	b985b473c9b5cd81bc0f216ec9d72f321c8d1a0991035c86954a5b4ac5aa6d14.exe	84
PID 3448 wrote to memory of 4596	3448	x5426629.exe	85
PID 3448 wrote to memory of 4596	3448	x5426629.exe	85
PID 3448 wrote to memory of 4596	3448	x5426629.exe	85
PID 4596 wrote to memory of 464	4596	x2493616.exe	86
PID 4596 wrote to memory of 464	4596	x2493616.exe	86
PID 4596 wrote to memory of 464	4596	x2493616.exe	86

C:\Users\Admin\AppData\Local\Temp\b985b473c9b5cd81bc0f216ec9d72f321c8d1a0991035c86954a5b4ac5aa6d14.exe
"C:\Users\Admin\AppData\Local\Temp\b985b473c9b5cd81bc0f216ec9d72f321c8d1a0991035c86954a5b4ac5aa6d14.exe"
1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1572
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x5426629.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x5426629.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3448
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x2493616.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x2493616.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:4596
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\f8690601.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\f8690601.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:464

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x5426629.exe

Filesize
748KB

MD5
81affd34ecb79d0c163bf5c60171cc5f

SHA1
ba72cd87ae30cf5b8eaeb036f5b47c47aa1d35fb

SHA256
273c61ed20d4bb8981c2d9fcee74d886cc20808e60b8646c9b5caf9fe1066a49

SHA512
76269734fe5e2718c1a45231bc6c1f9af8c749e033c1c60d07263cb6caa9af79b0012084e908d4d803bbaabba7b6d5fcb746629587d5c0074c6677ba3be5d644

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x2493616.exe

Filesize
305KB

MD5
38adb758409d2f6fd6cccb94ca5ea0fd

SHA1
be14221a86db5796a31eca29df0d21bcfa6ff9e8

SHA256
718f2071cb03447db57ac289987a7ee92dd7aa0eef7b5a5e9924deaed1e2f625

SHA512
6ee8f44c2d2f9bdd4268ae59e2d698f3ec9ed39c6b91ff4f9c69c10087e6bc0518c073bf4f42c81edcb18732a8de27d6e4a3e6fbd6f3d926762ca0fe216455ec

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\f8690601.exe

Filesize
145KB

MD5
58da1db0c73862d2a20cc9431a7771b4

SHA1
3d776134cda0755e261f68453e36774488e7306b

SHA256
b8e5b10a720206e1e01775a72c98629b1840bd4e8de8006881d7c621159f4423

SHA512
95603373c90060f746fe90e2a9e50db38d1d20e91d7a95e4c5c70c73d4df15d6664bcb11251bd9642cc1c602f952df5116552feb42694074d660f87d67316bb6

Download Submit
memory/464-21-0x0000000000720000-0x000000000074A000-memory.dmp

Filesize
168KB

Download
memory/464-22-0x0000000005670000-0x0000000005C88000-memory.dmp

Filesize
6.1MB

Download
memory/464-23-0x00000000051F0000-0x00000000052FA000-memory.dmp

Filesize
1.0MB

Download
memory/464-24-0x0000000005120000-0x0000000005132000-memory.dmp

Filesize
72KB

Download
memory/464-25-0x00000000051B0000-0x00000000051EC000-memory.dmp

Filesize
240KB

Download
memory/464-26-0x0000000005300000-0x000000000534C000-memory.dmp

Filesize
304KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads