redline | b29ab8b4027063f1877f1816d69fd37740df11488ec7f0dbdc77595464afa892

General

Target

b29ab8b4027063f1877f1816d69fd37740df11488ec7f0dbdc77595464afa892.exe
Size

1.1MB
MD5

8025d020d53f9b9a9be068c4eff68a63
SHA1

9443bdb281cf6d0283849424925edcc3191d2f3e
SHA256

b29ab8b4027063f1877f1816d69fd37740df11488ec7f0dbdc77595464afa892
SHA512

25569ea9f6038d41bd9eaea2bef03299063a5ae2f51ffc8e23275ee25a67fd8bbc5edc240b7ebdb0325499bb1905b00fe9c4679ef6292cd820546ae8b91f6fa1
SSDEEP

24576:jyhyhMDsP+AaWED/w5fV6swX3722U1mxGeYC:2hU+vpWErgN6t61mxV

Score

10^/10

redline doma discovery infostealer persistence

Malware Config

Extracted

Family

redline

Botnet

doma

C2

185.161.248.75:4132

Attributes

auth_value
8be53af7f78567706928d0abef953ef4

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 2 IoCs

resource	yara_rule
behavioral1/files/0x0008000000023c8c-19.dat	family_redline
behavioral1/memory/3184-21-0x0000000000B50000-0x0000000000B7A000-memory.dmp	family_redline

Redline family
redline

Executes dropped EXE 3 IoCs

pid	Process
444	x6398460.exe
1120	x8428208.exe
3184	f9080171.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	x6398460.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	x8428208.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	b29ab8b4027063f1877f1816d69fd37740df11488ec7f0dbdc77595464afa892.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	b29ab8b4027063f1877f1816d69fd37740df11488ec7f0dbdc77595464afa892.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	x6398460.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	x8428208.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f9080171.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 4396 wrote to memory of 444	4396	b29ab8b4027063f1877f1816d69fd37740df11488ec7f0dbdc77595464afa892.exe	83
PID 4396 wrote to memory of 444	4396	b29ab8b4027063f1877f1816d69fd37740df11488ec7f0dbdc77595464afa892.exe	83
PID 4396 wrote to memory of 444	4396	b29ab8b4027063f1877f1816d69fd37740df11488ec7f0dbdc77595464afa892.exe	83
PID 444 wrote to memory of 1120	444	x6398460.exe	84
PID 444 wrote to memory of 1120	444	x6398460.exe	84
PID 444 wrote to memory of 1120	444	x6398460.exe	84
PID 1120 wrote to memory of 3184	1120	x8428208.exe	85
PID 1120 wrote to memory of 3184	1120	x8428208.exe	85
PID 1120 wrote to memory of 3184	1120	x8428208.exe	85

C:\Users\Admin\AppData\Local\Temp\b29ab8b4027063f1877f1816d69fd37740df11488ec7f0dbdc77595464afa892.exe
"C:\Users\Admin\AppData\Local\Temp\b29ab8b4027063f1877f1816d69fd37740df11488ec7f0dbdc77595464afa892.exe"
1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4396
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x6398460.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x6398460.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:444
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x8428208.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x8428208.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1120
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\f9080171.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\f9080171.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:3184

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x6398460.exe

Filesize
749KB

MD5
9e9e8c54b717802afcc4f0d0a432fbf9

SHA1
86c3d3d9a8e9170ff2df910c823943d3a7c7efdb

SHA256
1bf50e84d2f62716d0f4bf74f52489ef4f02911aa7b135546b906aec7fb3d216

SHA512
e5aa88173b4e6c63c4035d93b2695b90186fe716b45b8a71fd913fa81cd0435f699252d7dead5e8ff9e2d6eb65d268447c34a679c5a83874fd64f72ea0c4d223

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x8428208.exe

Filesize
304KB

MD5
5b9cc9b8805990a89e2eeb08cf1b908c

SHA1
0502e3f7b57a41b6a67d2a78d692fec2a109340e

SHA256
fd7013971646042d1b10435e876aff007ba6c0772672e319a7e5ea06701521ce

SHA512
be1413df3df343ff6c2de21ac2bc7a9bc656584d9014fdc2c327ffa713ca272ff366fb47dec894d312bc5d4c2a203e3055efdc7e8a450caa98fa4e22b63ecbfe

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\f9080171.exe

Filesize
145KB

MD5
3b62f0cd29787db35b4cbf300ff0dc89

SHA1
0f47a10e50e6babe3d61928088aa7148c68231f2

SHA256
9fea53d63a9b56acaf6241ff75671c1e7e8582e0c56dd0fd83bb6ca74638ab5b

SHA512
d924fd9fab3f1e47db603cdceb0ea1e961fe457896e77378d84bd16c105398ccb69c869634b4768c6dc0c3259ae022c0a268e898af9c6b9c28f065e97848bdb1

Download Submit
memory/3184-21-0x0000000000B50000-0x0000000000B7A000-memory.dmp

Filesize
168KB

Download
memory/3184-22-0x0000000005980000-0x0000000005F98000-memory.dmp

Filesize
6.1MB

Download
memory/3184-23-0x00000000054E0000-0x00000000055EA000-memory.dmp

Filesize
1.0MB

Download
memory/3184-24-0x0000000005420000-0x0000000005432000-memory.dmp

Filesize
72KB

Download
memory/3184-25-0x0000000005480000-0x00000000054BC000-memory.dmp

Filesize
240KB

Download
memory/3184-26-0x00000000055F0000-0x000000000563C000-memory.dmp

Filesize
304KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads