redline | 70cd79fee56fb2cf0859899d87e308eeb7a17650f23430cf97446fe4fc6b141d

General

Target

70cd79fee56fb2cf0859899d87e308eeb7a17650f23430cf97446fe4fc6b141d.exe
Size

1.1MB
MD5

60ca2b87497dc324e68102e6846114e6
SHA1

4954b3b4592e655f86c395b5f2ac7f1d2d821f62
SHA256

70cd79fee56fb2cf0859899d87e308eeb7a17650f23430cf97446fe4fc6b141d
SHA512

46c098d602372565df3a341391cddcc64307c9a57dcd46244d565c00e8cf748931a8971830f7217ac9365ebbf2759f511b1ece1497eff4274ebc930bd3cb4321
SSDEEP

24576:7ytnQksIWHqfGKZ9Z2BH2ig8qj4r+K3qEaqZ3hLtqq:uxTsIWW0Zcl0r+4gwptq

Score

10^/10

redline doma discovery infostealer persistence

Malware Config

Extracted

Family

redline

Botnet

doma

C2

185.161.248.75:4132

Attributes

auth_value
8be53af7f78567706928d0abef953ef4

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 2 IoCs

resource	yara_rule
behavioral1/files/0x000b000000023b79-19.dat	family_redline
behavioral1/memory/4420-21-0x0000000000BE0000-0x0000000000C0A000-memory.dmp	family_redline

Redline family
redline

Executes dropped EXE 3 IoCs

pid	Process
4808	x5123939.exe
1792	x5883903.exe
4420	f8894251.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	70cd79fee56fb2cf0859899d87e308eeb7a17650f23430cf97446fe4fc6b141d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	x5123939.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	x5883903.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	70cd79fee56fb2cf0859899d87e308eeb7a17650f23430cf97446fe4fc6b141d.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	x5123939.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	x5883903.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f8894251.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 4220 wrote to memory of 4808	4220	70cd79fee56fb2cf0859899d87e308eeb7a17650f23430cf97446fe4fc6b141d.exe	84
PID 4220 wrote to memory of 4808	4220	70cd79fee56fb2cf0859899d87e308eeb7a17650f23430cf97446fe4fc6b141d.exe	84
PID 4220 wrote to memory of 4808	4220	70cd79fee56fb2cf0859899d87e308eeb7a17650f23430cf97446fe4fc6b141d.exe	84
PID 4808 wrote to memory of 1792	4808	x5123939.exe	85
PID 4808 wrote to memory of 1792	4808	x5123939.exe	85
PID 4808 wrote to memory of 1792	4808	x5123939.exe	85
PID 1792 wrote to memory of 4420	1792	x5883903.exe	86
PID 1792 wrote to memory of 4420	1792	x5883903.exe	86
PID 1792 wrote to memory of 4420	1792	x5883903.exe	86

C:\Users\Admin\AppData\Local\Temp\70cd79fee56fb2cf0859899d87e308eeb7a17650f23430cf97446fe4fc6b141d.exe
"C:\Users\Admin\AppData\Local\Temp\70cd79fee56fb2cf0859899d87e308eeb7a17650f23430cf97446fe4fc6b141d.exe"
1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4220
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x5123939.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x5123939.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4808
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x5883903.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x5883903.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1792
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\f8894251.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\f8894251.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:4420

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x5123939.exe

Filesize
752KB

MD5
9058106f9bcf84cea1023ac091d44934

SHA1
8c33a6ee4229b7717788cf5f1ea1f69b8224f828

SHA256
5b5ec3934b8df1c797fa48f35a285cf189dcb68fc7389d59ae5dedd30824842d

SHA512
04746d76128c914b637ce4e2f0c4fa4121765acf69c0cdfd49b92b41ea93b5ab7146372d230e9427dc558ffaa0766af936b9bd77608cf5ed376ce4131281409e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x5883903.exe

Filesize
304KB

MD5
23288fe508799760028cc36e855b0e4b

SHA1
6c931bc8c84c7f62dca7134492f22a37df267356

SHA256
b9d78dd0f263af31b26d736d6af2dd87e86b75896032e614eb40b8d1e6f6d728

SHA512
bc4e0344009ff352222fb85af70a634e993c2e28ec31e1dbe2317f160a8afc1e895baadf64af10c0ddad51db797476b9e28e7728342810ccc274bc5571315468

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\f8894251.exe

Filesize
145KB

MD5
510a0df9fb539ef6650a20d7418493bf

SHA1
439c5ccf2a1fbf76eb8ed42190741fd94dc0b1f9

SHA256
455c495a0fbb7605417246181cd3af02c85167bb8c27c2e5eb9c88763b98d8dc

SHA512
1be0b46d07d7479bccce64592f4ab552038fad0adb730fa0556715819eb059a48e99700282eb672e25181c0792ad2a3d1a3555bd69f93726acdf78b9815c1584

Download Submit
memory/4420-21-0x0000000000BE0000-0x0000000000C0A000-memory.dmp

Filesize
168KB

Download
memory/4420-22-0x0000000005AB0000-0x00000000060C8000-memory.dmp

Filesize
6.1MB

Download
memory/4420-23-0x00000000055A0000-0x00000000056AA000-memory.dmp

Filesize
1.0MB

Download
memory/4420-24-0x00000000054D0000-0x00000000054E2000-memory.dmp

Filesize
72KB

Download
memory/4420-25-0x0000000005530000-0x000000000556C000-memory.dmp

Filesize
240KB

Download
memory/4420-26-0x00000000056B0000-0x00000000056FC000-memory.dmp

Filesize
304KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads