redline | 11c066031a844570529c69f5876ff855d9025ceae1a9028350f02bcea08ea5a9

General

Target

11c066031a844570529c69f5876ff855d9025ceae1a9028350f02bcea08ea5a9.exe
Size

1.1MB
MD5

56ef3ad7e2f5d400c057efefab02ef39
SHA1

8d97f2aaa01c447e088b6ba34beef8defd6e79ad
SHA256

11c066031a844570529c69f5876ff855d9025ceae1a9028350f02bcea08ea5a9
SHA512

239c688ecb9bb8adf5844e9348bccfc735772e9531647047f49f2c23e65a583777789e8ac5ac7ceda54540f35b3573735cb8cdc7a2712738f626764a75ef2d26
SSDEEP

24576:byzzkEILlL0Tsm6BlV86jxDOIgOdJK4H5:OzzkEM0rKlV/1VTbK4H

Score

10^/10

redline doma discovery infostealer persistence

Malware Config

Extracted

Family

redline

Botnet

doma

C2

185.161.248.75:4132

Attributes

auth_value
8be53af7f78567706928d0abef953ef4

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 2 IoCs

resource	yara_rule
behavioral1/files/0x000b000000023b60-19.dat	family_redline
behavioral1/memory/4156-21-0x00000000008C0000-0x00000000008EA000-memory.dmp	family_redline

Redline family
redline

Executes dropped EXE 3 IoCs

pid	Process
3044	x6545948.exe
724	x4611341.exe
4156	f5501944.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	11c066031a844570529c69f5876ff855d9025ceae1a9028350f02bcea08ea5a9.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	x6545948.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	x4611341.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	11c066031a844570529c69f5876ff855d9025ceae1a9028350f02bcea08ea5a9.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	x6545948.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	x4611341.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f5501944.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 4060 wrote to memory of 3044	4060	11c066031a844570529c69f5876ff855d9025ceae1a9028350f02bcea08ea5a9.exe	84
PID 4060 wrote to memory of 3044	4060	11c066031a844570529c69f5876ff855d9025ceae1a9028350f02bcea08ea5a9.exe	84
PID 4060 wrote to memory of 3044	4060	11c066031a844570529c69f5876ff855d9025ceae1a9028350f02bcea08ea5a9.exe	84
PID 3044 wrote to memory of 724	3044	x6545948.exe	86
PID 3044 wrote to memory of 724	3044	x6545948.exe	86
PID 3044 wrote to memory of 724	3044	x6545948.exe	86
PID 724 wrote to memory of 4156	724	x4611341.exe	87
PID 724 wrote to memory of 4156	724	x4611341.exe	87
PID 724 wrote to memory of 4156	724	x4611341.exe	87

C:\Users\Admin\AppData\Local\Temp\11c066031a844570529c69f5876ff855d9025ceae1a9028350f02bcea08ea5a9.exe
"C:\Users\Admin\AppData\Local\Temp\11c066031a844570529c69f5876ff855d9025ceae1a9028350f02bcea08ea5a9.exe"
1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4060
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x6545948.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x6545948.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3044
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x4611341.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x4611341.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:724
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\f5501944.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\f5501944.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:4156

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x6545948.exe

Filesize
748KB

MD5
900431e42af42fa0bec70a654d94d1cd

SHA1
472d8ab42297698b122e8506de6003288d7fda39

SHA256
48f9cdca36be35901e2a271e280d7367631543aca24885c34177fdf4af903952

SHA512
9f2cf10ae668f9248f8edf3351edb528c78e687fbae844f48bbf264eb10c79972883c324f7b48b9846c44f982d2718be9f7c13158e0fa6af8e62d059e973f5fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x4611341.exe

Filesize
304KB

MD5
26dafc67bc9acbb902050c1ce6a15f2c

SHA1
f10b8843d26cc7cba51bb13085780d424198f6ab

SHA256
de6d4b8fb4efae1ba9a8b10240452192d029a9fd1a07f02bb98c73e2d23cdf71

SHA512
824968bee624073bbf19b7c82a046adecaa4ddf2b3324c966c868b894e127bff15ec8880f0e292ab664e49ce7dfa59cfce19a1ba0dfc682f1e45b29aa2e07fad

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\f5501944.exe

Filesize
145KB

MD5
c19c093d57570085fb1b8bb2600f00c8

SHA1
d159bc5ef29eeca5f1c00347d031f1b4c2553e85

SHA256
bc68b5ed006e3ee2c079553129230d35121683067ea813d121c9d87d5cf5d81a

SHA512
bf53ea1dfb562b86b664ef06bb2d414e4d1ad86f95b1501a6866e91a2c419f4394e8792a1a01ac95bf2a465ee072fb0a74a3fd7ba7bba2a805986a93f61851d2

Download Submit
memory/4156-21-0x00000000008C0000-0x00000000008EA000-memory.dmp

Filesize
168KB

Download
memory/4156-22-0x0000000005840000-0x0000000005E58000-memory.dmp

Filesize
6.1MB

Download
memory/4156-23-0x0000000005380000-0x000000000548A000-memory.dmp

Filesize
1.0MB

Download
memory/4156-24-0x00000000052B0000-0x00000000052C2000-memory.dmp

Filesize
72KB

Download
memory/4156-25-0x0000000005310000-0x000000000534C000-memory.dmp

Filesize
240KB

Download
memory/4156-26-0x0000000005490000-0x00000000054DC000-memory.dmp

Filesize
304KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads