redline | 8b528e041b82af44915a5e1543a80475e5cfc2d654d8fc9361f658cb9c7433f6

General

Target

8b528e041b82af44915a5e1543a80475e5cfc2d654d8fc9361f658cb9c7433f6.exe
Size

1.1MB
MD5

90bb5937bc431586bf3e4ff619634f7c
SHA1

856259e0f67d4872767b8c3a3eef8e6561218b03
SHA256

8b528e041b82af44915a5e1543a80475e5cfc2d654d8fc9361f658cb9c7433f6
SHA512

470127eddcf06c76128c28f9943f521ca855357da849749dc7c04cee9355fb45748ed87df134620760d90e0b6048ac066ee8fe127f71c268e5c8bcd266a53d24
SSDEEP

24576:Cy5JsHQJ/uMpRXiRyscmQ2gCeo0gpGQmdLtB/+7Np1mAFt:pIwJ/uMp9ic7CeIpXOtB/2Q

Score

10^/10

redline doma discovery infostealer persistence

Malware Config

Extracted

Family

redline

Botnet

doma

C2

185.161.248.75:4132

Attributes

auth_value
8be53af7f78567706928d0abef953ef4

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 2 IoCs

Processes:

resource	yara_rule
behavioral1/files/0x0008000000023c88-19.dat	family_redline
behavioral1/memory/3864-21-0x0000000000220000-0x000000000024A000-memory.dmp	family_redline

Redline family
redline

Executes dropped EXE 3 IoCs

Processes:

x7859436.exex6633425.exef6900257.exe

pid	Process
3540	x7859436.exe
4712	x6633425.exe
3864	f6900257.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

8b528e041b82af44915a5e1543a80475e5cfc2d654d8fc9361f658cb9c7433f6.exex7859436.exex6633425.exe

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	8b528e041b82af44915a5e1543a80475e5cfc2d654d8fc9361f658cb9c7433f6.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	x7859436.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	x6633425.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

8b528e041b82af44915a5e1543a80475e5cfc2d654d8fc9361f658cb9c7433f6.exex7859436.exex6633425.exef6900257.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	8b528e041b82af44915a5e1543a80475e5cfc2d654d8fc9361f658cb9c7433f6.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	x7859436.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	x6633425.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f6900257.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

8b528e041b82af44915a5e1543a80475e5cfc2d654d8fc9361f658cb9c7433f6.exex7859436.exex6633425.exe

description	pid	Process	procid_target
PID 4552 wrote to memory of 3540	4552	8b528e041b82af44915a5e1543a80475e5cfc2d654d8fc9361f658cb9c7433f6.exe	83
PID 4552 wrote to memory of 3540	4552	8b528e041b82af44915a5e1543a80475e5cfc2d654d8fc9361f658cb9c7433f6.exe	83
PID 4552 wrote to memory of 3540	4552	8b528e041b82af44915a5e1543a80475e5cfc2d654d8fc9361f658cb9c7433f6.exe	83
PID 3540 wrote to memory of 4712	3540	x7859436.exe	84
PID 3540 wrote to memory of 4712	3540	x7859436.exe	84
PID 3540 wrote to memory of 4712	3540	x7859436.exe	84
PID 4712 wrote to memory of 3864	4712	x6633425.exe	86
PID 4712 wrote to memory of 3864	4712	x6633425.exe	86
PID 4712 wrote to memory of 3864	4712	x6633425.exe	86

C:\Users\Admin\AppData\Local\Temp\8b528e041b82af44915a5e1543a80475e5cfc2d654d8fc9361f658cb9c7433f6.exe
"C:\Users\Admin\AppData\Local\Temp\8b528e041b82af44915a5e1543a80475e5cfc2d654d8fc9361f658cb9c7433f6.exe"
1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4552
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x7859436.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x7859436.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3540
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x6633425.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x6633425.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:4712
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\f6900257.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\f6900257.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:3864

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x7859436.exe

Filesize
749KB

MD5
4b5b073eebdab93ed2ff062e14c44b97

SHA1
14d7fe65da59bf8e5a7ff2c715d38f5f0805f9e5

SHA256
f754efa336ba85db4d9142fb6640710b9bc5f6f51eed3b70035b11bad019e4e1

SHA512
55763f61a564eabc8c91926d6966bd7ab1414f9cd28cb51c644b01cbbd19fd1479abe30e651652fd6aea017fa758b04457cd75e750950c3a19088b56d69ec671

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x6633425.exe

Filesize
304KB

MD5
ad180e9e6d5f0944b37ba54998625751

SHA1
58862e6417f91019680f68791c123c98d3e544a8

SHA256
57b9f22915bc49c71d29d7e7f473ee9a55658196c95c2c66c6d6a1fda4f5c2e0

SHA512
6cda5dfded55aa52615838c14f24fd9af12b53544cfde543f897a81f67baa2924a215ee33c328d55824f5705d383cd8c74f0b36290bc4605259e8f5f8ca1d76b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\f6900257.exe

Filesize
145KB

MD5
d4a7c189d4c9e6ddb2068a5475200142

SHA1
0fc728bb7671d51d85ec2b59585ec6795ec599f0

SHA256
89161f3aa88783295263f54b879fff31ea4e3f0fedf1836c2017efee21786b71

SHA512
6ebc7aedb425d54447b22425ebabf69f7ce197ca3d13d3a69bbb05f7a19316120825693983179f5ebf20a825ddb5db9c9c46ebef115e6ad226e943dc4f7ebc9a

Download Submit
memory/3864-21-0x0000000000220000-0x000000000024A000-memory.dmp

Filesize
168KB

Download
memory/3864-22-0x0000000005180000-0x0000000005798000-memory.dmp

Filesize
6.1MB

Download
memory/3864-23-0x0000000004CF0000-0x0000000004DFA000-memory.dmp

Filesize
1.0MB

Download
memory/3864-24-0x0000000004C30000-0x0000000004C42000-memory.dmp

Filesize
72KB

Download
memory/3864-25-0x0000000004C90000-0x0000000004CCC000-memory.dmp

Filesize
240KB

Download
memory/3864-26-0x0000000004E00000-0x0000000004E4C000-memory.dmp

Filesize
304KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads