redline | 7a023534e2ea54a80b0ea8f51ea6d053ff27a353ff153aaccd85568f67a32aa5

General

Target

7a023534e2ea54a80b0ea8f51ea6d053ff27a353ff153aaccd85568f67a32aa5.exe
Size

469KB
MD5

fef3d12a1fe20fced05419512b510cbb
SHA1

269939fd78d1d8878ce10dc36c7920a4174cba8d
SHA256

7a023534e2ea54a80b0ea8f51ea6d053ff27a353ff153aaccd85568f67a32aa5
SHA512

cd14a90731676b3ac9ba9028bb61f499c61984e193898bdcb4245e7185edbf58a7efd5f275ef07045a815b279c7f940878a4dceaefadbbdf9a60117884b125a6
SSDEEP

12288:dMrky90oZ78lEyTm+95+gWZr7Vi3Sgvq9qRnXQ:xy/1y/sgWjvOSqRnXQ

Score

10^/10

redline fukia discovery infostealer persistence

Malware Config

Extracted

Family

redline

Botnet

fukia

C2

193.233.20.13:4136

Attributes

auth_value
e5783636fbd9e4f0cf9a017bce02e67e

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 2 IoCs

resource	yara_rule
behavioral1/files/0x000b000000023b7a-12.dat	family_redline
behavioral1/memory/3568-15-0x0000000000B00000-0x0000000000B32000-memory.dmp	family_redline

Redline family
redline

Executes dropped EXE 2 IoCs

pid	Process
1660	nNt12.exe
3568	bfe83.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	7a023534e2ea54a80b0ea8f51ea6d053ff27a353ff153aaccd85568f67a32aa5.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	nNt12.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7a023534e2ea54a80b0ea8f51ea6d053ff27a353ff153aaccd85568f67a32aa5.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nNt12.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bfe83.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 1784 wrote to memory of 1660	1784	7a023534e2ea54a80b0ea8f51ea6d053ff27a353ff153aaccd85568f67a32aa5.exe	84
PID 1784 wrote to memory of 1660	1784	7a023534e2ea54a80b0ea8f51ea6d053ff27a353ff153aaccd85568f67a32aa5.exe	84
PID 1784 wrote to memory of 1660	1784	7a023534e2ea54a80b0ea8f51ea6d053ff27a353ff153aaccd85568f67a32aa5.exe	84
PID 1660 wrote to memory of 3568	1660	nNt12.exe	85
PID 1660 wrote to memory of 3568	1660	nNt12.exe	85
PID 1660 wrote to memory of 3568	1660	nNt12.exe	85

C:\Users\Admin\AppData\Local\Temp\7a023534e2ea54a80b0ea8f51ea6d053ff27a353ff153aaccd85568f67a32aa5.exe
"C:\Users\Admin\AppData\Local\Temp\7a023534e2ea54a80b0ea8f51ea6d053ff27a353ff153aaccd85568f67a32aa5.exe"
1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1784
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nNt12.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nNt12.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1660
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\bfe83.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\bfe83.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:3568

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nNt12.exe

Filesize
202KB

MD5
18b1cdf6eaf473705d5000e53498dfb2

SHA1
6f83716fce0220d269945e82e078204a175992c5

SHA256
dea78dc80a8dcc645701763858eeee0ce38bcc16641a0bbfd4e104b06adafb5d

SHA512
c39ea7b3e3535b4d2c2ce281a0af21b338cbe0d06bb4a144ab43a6eab93777c97994b5dbb1c97a838e9d2bfb8f83f17bddcf5a6aca0aa65d5d9f7e6a1ec79d20

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\bfe83.exe

Filesize
175KB

MD5
a5f5c5d6291c7ae9e1d1b7ed1e551490

SHA1
3d06413341893b838549939e15f8f1eec423d71a

SHA256
1a09ce1cb64219a5d88e57845dc9ba6631efa06fccc8867ccf94eb132947563e

SHA512
d9b3ba67bdd615ee2ce91a29cd9cf6723464be27bf45186fd0e9559ff2b0e7c51b423cfc3e32b5e90955046fb75a34c4a8528df7294b6c831ca254a65d2b8ba2

Download Submit
memory/3568-14-0x000000007487E000-0x000000007487F000-memory.dmp

Filesize
4KB

Download
memory/3568-15-0x0000000000B00000-0x0000000000B32000-memory.dmp

Filesize
200KB

Download
memory/3568-16-0x0000000005A90000-0x00000000060A8000-memory.dmp

Filesize
6.1MB

Download
memory/3568-17-0x00000000055E0000-0x00000000056EA000-memory.dmp

Filesize
1.0MB

Download
memory/3568-18-0x0000000005510000-0x0000000005522000-memory.dmp

Filesize
72KB

Download
memory/3568-19-0x0000000005570000-0x00000000055AC000-memory.dmp

Filesize
240KB

Download
memory/3568-20-0x00000000056F0000-0x000000000573C000-memory.dmp

Filesize
304KB

Download
memory/3568-21-0x000000007487E000-0x000000007487F000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads