redline | 204b491f08dbd4f6f8c6c2e0a96ef3ffbc49ef5ae65156781e99b59233ac3dc1

General

Target

204b491f08dbd4f6f8c6c2e0a96ef3ffbc49ef5ae65156781e99b59233ac3dc1.exe
Size

1.1MB
MD5

b82cce803d0ff0752b2858f42216a916
SHA1

a837ddf1c64d83e7bd31db63ddca7be02a1da5c9
SHA256

204b491f08dbd4f6f8c6c2e0a96ef3ffbc49ef5ae65156781e99b59233ac3dc1
SHA512

27eb040b3233088b45b7e33c47501b41e8ed0e3d52b6c344d33332a1cbf0a56bcde6422a8072beb1e4abc925d9e6c023e0e1df2365c3ce2a04e6ac1bdef18cc2
SSDEEP

24576:4yS73Ehpoh0scJz4UYD2HygOfLMlh0vp7XpCNVQB:/S70bE0YdwhXVQ

Score

10^/10

redline doma discovery infostealer persistence

Malware Config

Extracted

Family

redline

Botnet

doma

C2

185.161.248.75:4132

Attributes

auth_value
8be53af7f78567706928d0abef953ef4

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 2 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\f8316415.exe	family_redline
behavioral1/memory/3632-21-0x00000000004A0000-0x00000000004CA000-memory.dmp	family_redline

Redline family
redline
Executes dropped EXE 3 IoCs

Processes:

x9674479.exex3988907.exef8316415.exe

pid process

4756 x9674479.exe
3604 x3988907.exe
3632 f8316415.exe

pid	process
4756	x9674479.exe
3604	x3988907.exe
3632	f8316415.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

204b491f08dbd4f6f8c6c2e0a96ef3ffbc49ef5ae65156781e99b59233ac3dc1.exex9674479.exex3988907.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	204b491f08dbd4f6f8c6c2e0a96ef3ffbc49ef5ae65156781e99b59233ac3dc1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	x9674479.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	x3988907.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

x3988907.exef8316415.exe204b491f08dbd4f6f8c6c2e0a96ef3ffbc49ef5ae65156781e99b59233ac3dc1.exex9674479.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	x3988907.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f8316415.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	204b491f08dbd4f6f8c6c2e0a96ef3ffbc49ef5ae65156781e99b59233ac3dc1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	x9674479.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

204b491f08dbd4f6f8c6c2e0a96ef3ffbc49ef5ae65156781e99b59233ac3dc1.exex9674479.exex3988907.exe

description	pid	process	target process
PID 4204 wrote to memory of 4756	4204	204b491f08dbd4f6f8c6c2e0a96ef3ffbc49ef5ae65156781e99b59233ac3dc1.exe	x9674479.exe
PID 4204 wrote to memory of 4756	4204	204b491f08dbd4f6f8c6c2e0a96ef3ffbc49ef5ae65156781e99b59233ac3dc1.exe	x9674479.exe
PID 4204 wrote to memory of 4756	4204	204b491f08dbd4f6f8c6c2e0a96ef3ffbc49ef5ae65156781e99b59233ac3dc1.exe	x9674479.exe
PID 4756 wrote to memory of 3604	4756	x9674479.exe	x3988907.exe
PID 4756 wrote to memory of 3604	4756	x9674479.exe	x3988907.exe
PID 4756 wrote to memory of 3604	4756	x9674479.exe	x3988907.exe
PID 3604 wrote to memory of 3632	3604	x3988907.exe	f8316415.exe
PID 3604 wrote to memory of 3632	3604	x3988907.exe	f8316415.exe
PID 3604 wrote to memory of 3632	3604	x3988907.exe	f8316415.exe

C:\Users\Admin\AppData\Local\Temp\204b491f08dbd4f6f8c6c2e0a96ef3ffbc49ef5ae65156781e99b59233ac3dc1.exe
"C:\Users\Admin\AppData\Local\Temp\204b491f08dbd4f6f8c6c2e0a96ef3ffbc49ef5ae65156781e99b59233ac3dc1.exe"
1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4204
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x9674479.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x9674479.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4756
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x3988907.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x3988907.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3604
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\f8316415.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\f8316415.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:3632

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x9674479.exe

Filesize
748KB

MD5
a8106e0ab83562e108cd4c8ec709b66c

SHA1
a0e639f19bceea9fe69671b6c0e2f11331919c64

SHA256
61aa5a84536a31d1f0c99284a1ddd5ed79d71e5d24a806903db9b6bf219ef8e6

SHA512
0ed08a618f5abff2ef2b92c6a0b83046c8ff47276a74d23d2ec7e762996edac9152fb447870e6ac46f8b01d69784b5cc77ceec52bbb5df55eb666cb745c6b310

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x3988907.exe

Filesize
304KB

MD5
ede68575363d44a50e4824c72bb93514

SHA1
5c7cadd6d9d3d8ff4ad135f376cf4de97f82240e

SHA256
118e05440a92e4cefd186dcccc5222ec97a9edaaeb891541065eb99adaa19005

SHA512
e020ed55c068ec0281f2158b53f02220f53abf8a0e78b634116cfbfcfd45d9b263b1725cc5df4080c79814ec8dc664258e103ac53445eb57a4b292f79ee712db

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\f8316415.exe

Filesize
145KB

MD5
93ab375ba7e517d23fce629901cda9b8

SHA1
27fe90c6b81504fcca3d5718802bf086bc1cb801

SHA256
dc56e7090a6e60fef1c25be4c007ba0233471486d0a0177938075cfc136af84f

SHA512
e2f3d4d38ababebd39c88bdc7947d3268118e92ffbe8b8da0903e6afde8795d28cce82bd10b5fec7e1b8d704425687f6d0c5e18bcda74987e028728fb20014b8

Download Submit
memory/3632-21-0x00000000004A0000-0x00000000004CA000-memory.dmp

Filesize
168KB

Download
memory/3632-22-0x0000000005430000-0x0000000005A48000-memory.dmp

Filesize
6.1MB

Download
memory/3632-23-0x0000000004F70000-0x000000000507A000-memory.dmp

Filesize
1.0MB

Download
memory/3632-24-0x0000000004EA0000-0x0000000004EB2000-memory.dmp

Filesize
72KB

Download
memory/3632-25-0x0000000004F00000-0x0000000004F3C000-memory.dmp

Filesize
240KB

Download
memory/3632-26-0x0000000005080000-0x00000000050CC000-memory.dmp

Filesize
304KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads