redline | a4ba884cdf5dcfb4a0d7f880af416dd5c2c4f9a7dcd1c524b78a3363001ab976

General

Target

a4ba884cdf5dcfb4a0d7f880af416dd5c2c4f9a7dcd1c524b78a3363001ab976.exe
Size

1.1MB
MD5

bf2d892ff6b36342ae64b4845c937931
SHA1

8149008efb88abcd0ff883229db2764c7533c91b
SHA256

a4ba884cdf5dcfb4a0d7f880af416dd5c2c4f9a7dcd1c524b78a3363001ab976
SHA512

cf8d06826276ebd3224f959d3c725746d1e0013975214d268816d5e6c9b0de6db950aa5c272265c2f12276d431f55520f5d5ed82c7906db24e60c4b18d1bb0ef
SSDEEP

24576:XySyAiTZVwO0e2FUH9S+wOLAHeHzV5tzytIAIKZUrMT35F9Lou:iSwTZVx05WkyAHKZDH6Z/T+

Score

10^/10

redline doma discovery infostealer persistence

Malware Config

Extracted

Family

redline

Botnet

doma

C2

185.161.248.75:4132

Attributes

auth_value
8be53af7f78567706928d0abef953ef4

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 2 IoCs

Processes:

resource	yara_rule
behavioral1/files/0x0008000000023cc7-19.dat	family_redline
behavioral1/memory/3604-21-0x0000000000670000-0x000000000069A000-memory.dmp	family_redline

Redline family
redline

Executes dropped EXE 3 IoCs

Processes:

x0000395.exex2742442.exef7173001.exe

pid	Process
4608	x0000395.exe
1844	x2742442.exe
3604	f7173001.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

a4ba884cdf5dcfb4a0d7f880af416dd5c2c4f9a7dcd1c524b78a3363001ab976.exex0000395.exex2742442.exe

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	a4ba884cdf5dcfb4a0d7f880af416dd5c2c4f9a7dcd1c524b78a3363001ab976.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	x0000395.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	x2742442.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

a4ba884cdf5dcfb4a0d7f880af416dd5c2c4f9a7dcd1c524b78a3363001ab976.exex0000395.exex2742442.exef7173001.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a4ba884cdf5dcfb4a0d7f880af416dd5c2c4f9a7dcd1c524b78a3363001ab976.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	x0000395.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	x2742442.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f7173001.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

a4ba884cdf5dcfb4a0d7f880af416dd5c2c4f9a7dcd1c524b78a3363001ab976.exex0000395.exex2742442.exe

description	pid	Process	procid_target
PID 1756 wrote to memory of 4608	1756	a4ba884cdf5dcfb4a0d7f880af416dd5c2c4f9a7dcd1c524b78a3363001ab976.exe	83
PID 1756 wrote to memory of 4608	1756	a4ba884cdf5dcfb4a0d7f880af416dd5c2c4f9a7dcd1c524b78a3363001ab976.exe	83
PID 1756 wrote to memory of 4608	1756	a4ba884cdf5dcfb4a0d7f880af416dd5c2c4f9a7dcd1c524b78a3363001ab976.exe	83
PID 4608 wrote to memory of 1844	4608	x0000395.exe	84
PID 4608 wrote to memory of 1844	4608	x0000395.exe	84
PID 4608 wrote to memory of 1844	4608	x0000395.exe	84
PID 1844 wrote to memory of 3604	1844	x2742442.exe	86
PID 1844 wrote to memory of 3604	1844	x2742442.exe	86
PID 1844 wrote to memory of 3604	1844	x2742442.exe	86

C:\Users\Admin\AppData\Local\Temp\a4ba884cdf5dcfb4a0d7f880af416dd5c2c4f9a7dcd1c524b78a3363001ab976.exe
"C:\Users\Admin\AppData\Local\Temp\a4ba884cdf5dcfb4a0d7f880af416dd5c2c4f9a7dcd1c524b78a3363001ab976.exe"
1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1756
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x0000395.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x0000395.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4608
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x2742442.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x2742442.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1844
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\f7173001.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\f7173001.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:3604

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x0000395.exe

Filesize
749KB

MD5
aca27b6be1eab17359dbd90aabad11b2

SHA1
d454763f11ac436bb8d166769c14faf565613372

SHA256
b5b25e1a5d8bac0f1cdbacfc5acd8df9d5e3f8a72f53f5b60c30e2642090a07d

SHA512
dcb5a037c5ef33ecbc4d48c51b733da81e63ac22883ca6cf9b579f2154cacabec51ce8e56439d694b73bac98cd4f20d2e0672fe1fe72199a3c65eff93f4c5f62

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x2742442.exe

Filesize
304KB

MD5
42b0f763dc542291534537277c749c7a

SHA1
7197f3e8f934612237b66de8a4f2c0484ff87e40

SHA256
f03697ed9fba6b334b7430257df0ac4ae886971f90cdc2954bb451bf3af922a2

SHA512
9abba54cc5752e1eb63c1843a1ddfc688861388fdf894f9528b3ee62113d17664fefd674298e70765bf31fab8f1393f6e10162ca50369a8797cc40872b6f467a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\f7173001.exe

Filesize
145KB

MD5
f90bd75d4c882119f69cd8e3ebde509d

SHA1
3a38d800455db74fc16575ef4a5ee5c609fefb1e

SHA256
17b07c13016e4f2459e0ff26036045eea56e3eb38111745b9f4fe6ac345f0c90

SHA512
9516effcb4ac3a1ef102f7c8109d6992752c4efd2e18e8c2eb135136b0543f086b82344b6f39811fb763ee1c85ff7ebd44565e15a46362dd3354e18bb037f68e

Download Submit
memory/3604-21-0x0000000000670000-0x000000000069A000-memory.dmp

Filesize
168KB

Download
memory/3604-22-0x00000000055E0000-0x0000000005BF8000-memory.dmp

Filesize
6.1MB

Download
memory/3604-23-0x0000000005140000-0x000000000524A000-memory.dmp

Filesize
1.0MB

Download
memory/3604-24-0x0000000005070000-0x0000000005082000-memory.dmp

Filesize
72KB

Download
memory/3604-25-0x00000000050D0000-0x000000000510C000-memory.dmp

Filesize
240KB

Download
memory/3604-26-0x0000000005250000-0x000000000529C000-memory.dmp

Filesize
304KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads