redline | 7e304e75970e9765fc26b74b21981ef02dc07690815e712c3a9289f7e35c311e

General

Target

7e304e75970e9765fc26b74b21981ef02dc07690815e712c3a9289f7e35c311e.exe
Size

1.1MB
MD5

77e05b07f8e1e2b52ac576885fe7ea93
SHA1

6949b0a758e32cd52cbc2a81c157855a5dee6960
SHA256

7e304e75970e9765fc26b74b21981ef02dc07690815e712c3a9289f7e35c311e
SHA512

9b86e0a178b4e7dcf0e585c745f94dae35142c230b2305d8210f42e0343ce9dc083774c37e2152d5db62036fcae7f7d71f551ad88b2b8ac2fb4482de24ef56f4
SSDEEP

24576:Ly3aC6bUXWQiXKtDJzlfBmb0s4m3gAi/FTdqtD0e9BGXVelLAuzl:+3qbUoXEQbsm3g5oljkCM

Score

10^/10

redline doma discovery infostealer persistence

Malware Config

Extracted

Family

redline

Botnet

doma

C2

185.161.248.75:4132

Attributes

auth_value
8be53af7f78567706928d0abef953ef4

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 2 IoCs

Processes:

resource	yara_rule
behavioral1/files/0x000b000000023b7f-19.dat	family_redline
behavioral1/memory/744-21-0x0000000000D90000-0x0000000000DBA000-memory.dmp	family_redline

Redline family
redline

Executes dropped EXE 3 IoCs

Processes:

x9481933.exex2967758.exef2348142.exe

pid	Process
3224	x9481933.exe
4992	x2967758.exe
744	f2348142.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

x9481933.exex2967758.exe7e304e75970e9765fc26b74b21981ef02dc07690815e712c3a9289f7e35c311e.exe

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	x9481933.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	x2967758.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	7e304e75970e9765fc26b74b21981ef02dc07690815e712c3a9289f7e35c311e.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

7e304e75970e9765fc26b74b21981ef02dc07690815e712c3a9289f7e35c311e.exex9481933.exex2967758.exef2348142.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7e304e75970e9765fc26b74b21981ef02dc07690815e712c3a9289f7e35c311e.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	x9481933.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	x2967758.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f2348142.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

7e304e75970e9765fc26b74b21981ef02dc07690815e712c3a9289f7e35c311e.exex9481933.exex2967758.exe

description	pid	Process	procid_target
PID 2696 wrote to memory of 3224	2696	7e304e75970e9765fc26b74b21981ef02dc07690815e712c3a9289f7e35c311e.exe	83
PID 2696 wrote to memory of 3224	2696	7e304e75970e9765fc26b74b21981ef02dc07690815e712c3a9289f7e35c311e.exe	83
PID 2696 wrote to memory of 3224	2696	7e304e75970e9765fc26b74b21981ef02dc07690815e712c3a9289f7e35c311e.exe	83
PID 3224 wrote to memory of 4992	3224	x9481933.exe	84
PID 3224 wrote to memory of 4992	3224	x9481933.exe	84
PID 3224 wrote to memory of 4992	3224	x9481933.exe	84
PID 4992 wrote to memory of 744	4992	x2967758.exe	86
PID 4992 wrote to memory of 744	4992	x2967758.exe	86
PID 4992 wrote to memory of 744	4992	x2967758.exe	86

C:\Users\Admin\AppData\Local\Temp\7e304e75970e9765fc26b74b21981ef02dc07690815e712c3a9289f7e35c311e.exe
"C:\Users\Admin\AppData\Local\Temp\7e304e75970e9765fc26b74b21981ef02dc07690815e712c3a9289f7e35c311e.exe"
1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2696
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x9481933.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x9481933.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3224
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x2967758.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x2967758.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:4992
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\f2348142.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\f2348142.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:744

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x9481933.exe

Filesize
748KB

MD5
ae993456e47546c50d2d521a6e09875a

SHA1
f28e9c4134393a99a2669e4c76e3fbc47c077cdd

SHA256
bcb1731d1c9a15a00be774fec91e8cbf4e4796d799b3aeba33cd67a8797a5dba

SHA512
2a41f9bfb13031d41f982f5e8b7169668e9ed211e3fba08c4b6828f98545b4a483219255173ae2bf4e4c5cbbe863acee0ea79374245dca04519d59da761d56a7

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x2967758.exe

Filesize
304KB

MD5
868d556a36f0bb5e966df81ae8ab263b

SHA1
7fe2379e0e158bbcfc12ba716998f65832141b6e

SHA256
9efd406d954fd62be97d96da63a96afd7ac4c4c1ed8efef36ed648a2195118f0

SHA512
4d3dcf6834fe9b184430077aa9fe4208baa6fdb6b036df913babd36f0b95d37234c6136246463ddd34fbb848192b95312cc03c85694d275d96d4aee1cd9452d1

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\f2348142.exe

Filesize
145KB

MD5
19aabe11354abc21a9597165f478114d

SHA1
27846e36c2d7c204fd15a12ac3e8401d392cca7d

SHA256
2440886c357f90f1d0d2a238774f5513f6736d74163209e722df2a1d3c5776dc

SHA512
ea471137fc00dc9c36e62cb37aa9018ff7022188c137491c6a4a707c620d5d3fe1f834de4b8a37332f62c53aaed491b7c038c5aaeb4d12751e3fa9be73f842f6

Download Submit
memory/744-21-0x0000000000D90000-0x0000000000DBA000-memory.dmp

Filesize
168KB

Download
memory/744-22-0x0000000005D40000-0x0000000006358000-memory.dmp

Filesize
6.1MB

Download
memory/744-23-0x0000000005860000-0x000000000596A000-memory.dmp

Filesize
1.0MB

Download
memory/744-24-0x0000000005790000-0x00000000057A2000-memory.dmp

Filesize
72KB

Download
memory/744-25-0x00000000057F0000-0x000000000582C000-memory.dmp

Filesize
240KB

Download
memory/744-26-0x0000000005970000-0x00000000059BC000-memory.dmp

Filesize
304KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads