redline | 3bff47b7e9871173cacf46d1e228b7aa6d08bc8c273210009e23b70707ccbb9a

General

Target

3bff47b7e9871173cacf46d1e228b7aa6d08bc8c273210009e23b70707ccbb9a.exe
Size

1.1MB
MD5

355021505b5621ae11fc22b99e7ab815
SHA1

e10083d354bab8099189c57f2909c542cbd70880
SHA256

3bff47b7e9871173cacf46d1e228b7aa6d08bc8c273210009e23b70707ccbb9a
SHA512

464342dc8a2685eef57d45e9128e9e682f08491a8a8121f121f78f948d1b5fd81fac63e01c20a7b7e092a8b1d86bda8b4d460fad24c77814c590fbb80e2330d4
SSDEEP

24576:myDnZED4PH34z8vJpgV+zuPlbJK9kcl0ST4:1DPPXW8vJpgV+zCbJTcD

Score

10^/10

redline doma discovery infostealer persistence

Malware Config

Extracted

Family

redline

Botnet

doma

C2

185.161.248.75:4132

Attributes

auth_value
8be53af7f78567706928d0abef953ef4

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 2 IoCs

resource	yara_rule
behavioral1/files/0x000b000000023b77-19.dat	family_redline
behavioral1/memory/3852-21-0x0000000000170000-0x000000000019A000-memory.dmp	family_redline

Redline family
redline

Executes dropped EXE 3 IoCs

pid	Process
4008	x2408953.exe
4956	x8972074.exe
3852	f0809313.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	3bff47b7e9871173cacf46d1e228b7aa6d08bc8c273210009e23b70707ccbb9a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	x2408953.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	x8972074.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3bff47b7e9871173cacf46d1e228b7aa6d08bc8c273210009e23b70707ccbb9a.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	x2408953.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	x8972074.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f0809313.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 1876 wrote to memory of 4008	1876	3bff47b7e9871173cacf46d1e228b7aa6d08bc8c273210009e23b70707ccbb9a.exe	84
PID 1876 wrote to memory of 4008	1876	3bff47b7e9871173cacf46d1e228b7aa6d08bc8c273210009e23b70707ccbb9a.exe	84
PID 1876 wrote to memory of 4008	1876	3bff47b7e9871173cacf46d1e228b7aa6d08bc8c273210009e23b70707ccbb9a.exe	84
PID 4008 wrote to memory of 4956	4008	x2408953.exe	85
PID 4008 wrote to memory of 4956	4008	x2408953.exe	85
PID 4008 wrote to memory of 4956	4008	x2408953.exe	85
PID 4956 wrote to memory of 3852	4956	x8972074.exe	86
PID 4956 wrote to memory of 3852	4956	x8972074.exe	86
PID 4956 wrote to memory of 3852	4956	x8972074.exe	86

C:\Users\Admin\AppData\Local\Temp\3bff47b7e9871173cacf46d1e228b7aa6d08bc8c273210009e23b70707ccbb9a.exe
"C:\Users\Admin\AppData\Local\Temp\3bff47b7e9871173cacf46d1e228b7aa6d08bc8c273210009e23b70707ccbb9a.exe"
1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1876
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x2408953.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x2408953.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4008
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x8972074.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x8972074.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:4956
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\f0809313.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\f0809313.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:3852

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x2408953.exe

Filesize
749KB

MD5
ad48c216b49fd36ae81fc0436209b08f

SHA1
76483ac7a5935eb636c3f1acd1465cfd6708b3b1

SHA256
9878547d79c37f2b844702b4da83a5a4652fbfe8b37d07b2dba07f423d997402

SHA512
798e9f68b272ec427e5bbedfb74c3a6bfbd97080b82ddfdefaef71b7a241c5f637f221d4785fa2e529bd6f68cf95a75d25aa4dd06d86ce374ccbe0bcda4580bf

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x8972074.exe

Filesize
305KB

MD5
392ffd5b3ab08599af1e0af2d0c5ca8e

SHA1
2aa2bdbdb36b7e02a0d6c3e1bbdd628a2a638efd

SHA256
155a7b457141792a81ed08370ac636d15dbd4399014d57f50fd7eface8bfcc4d

SHA512
e10bcf9397323532bb607693f92b1f5e93fcdd4199b91d787c73efe75c45f1ad75b2d403ed6c3f86e175f65c2a698e45f70d28a9d47414ce4c3b4f30debebd70

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\f0809313.exe

Filesize
145KB

MD5
8aa26161ff012220fcbf103092cd8dba

SHA1
8e29fc73b41f92c3e8698cecd60b4a0ff232d0a0

SHA256
0db1d684cbcd72be0ff7a45c65837bcff73ccec4175f3ac17be76d15d528017d

SHA512
273a854f06cbb737cfe6675fa1b1e793ad497ff6f09c57d0c41ba486d90964c91f40388bb885aa148246709243ce129fc440ddd133b29a5abf4e3c0a14e5c412

Download Submit
memory/3852-21-0x0000000000170000-0x000000000019A000-memory.dmp

Filesize
168KB

Download
memory/3852-22-0x0000000004F80000-0x0000000005598000-memory.dmp

Filesize
6.1MB

Download
memory/3852-23-0x0000000004B00000-0x0000000004C0A000-memory.dmp

Filesize
1.0MB

Download
memory/3852-24-0x0000000004A30000-0x0000000004A42000-memory.dmp

Filesize
72KB

Download
memory/3852-25-0x0000000004AB0000-0x0000000004AEC000-memory.dmp

Filesize
240KB

Download
memory/3852-26-0x0000000004A50000-0x0000000004A9C000-memory.dmp

Filesize
304KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads