redline | 6e329000eece1180da5a7308a126a45a54e80577b5fabdcaaa41df975e3df7f0

General

Target

6e329000eece1180da5a7308a126a45a54e80577b5fabdcaaa41df975e3df7f0.exe
Size

1.1MB
MD5

309cf5923c4a940653e69b8b3a8e5a4a
SHA1

8c132d041544f1513c670deec063ccc7e005ccb4
SHA256

6e329000eece1180da5a7308a126a45a54e80577b5fabdcaaa41df975e3df7f0
SHA512

3673798a8c3368ea2cc095ba207e79ee6104eb51978feb3ed1e8ee09a36046fdbac0fb7bcc2da7264fc23d71c26d9b93669148ae5b1d455903db22e4a2c4de73
SSDEEP

24576:qyqxVqt0z8UkztKQGuyBhOYRvSMMubGY4E932:x6qt0zOvGlBhxmo9

Score

10^/10

redline doma discovery infostealer persistence

Malware Config

Extracted

Family

redline

Botnet

doma

C2

185.161.248.75:4132

Attributes

auth_value
8be53af7f78567706928d0abef953ef4

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 2 IoCs

Processes:

resource	yara_rule
behavioral1/files/0x0008000000023ce6-19.dat	family_redline
behavioral1/memory/1128-21-0x0000000000180000-0x00000000001AA000-memory.dmp	family_redline

Redline family
redline

Executes dropped EXE 3 IoCs

Processes:

x5238168.exex2588130.exef4988354.exe

pid	Process
1144	x5238168.exe
1100	x2588130.exe
1128	f4988354.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

6e329000eece1180da5a7308a126a45a54e80577b5fabdcaaa41df975e3df7f0.exex5238168.exex2588130.exe

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	6e329000eece1180da5a7308a126a45a54e80577b5fabdcaaa41df975e3df7f0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	x5238168.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	x2588130.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

6e329000eece1180da5a7308a126a45a54e80577b5fabdcaaa41df975e3df7f0.exex5238168.exex2588130.exef4988354.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	6e329000eece1180da5a7308a126a45a54e80577b5fabdcaaa41df975e3df7f0.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	x5238168.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	x2588130.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f4988354.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

6e329000eece1180da5a7308a126a45a54e80577b5fabdcaaa41df975e3df7f0.exex5238168.exex2588130.exe

description	pid	Process	procid_target
PID 2800 wrote to memory of 1144	2800	6e329000eece1180da5a7308a126a45a54e80577b5fabdcaaa41df975e3df7f0.exe	86
PID 2800 wrote to memory of 1144	2800	6e329000eece1180da5a7308a126a45a54e80577b5fabdcaaa41df975e3df7f0.exe	86
PID 2800 wrote to memory of 1144	2800	6e329000eece1180da5a7308a126a45a54e80577b5fabdcaaa41df975e3df7f0.exe	86
PID 1144 wrote to memory of 1100	1144	x5238168.exe	88
PID 1144 wrote to memory of 1100	1144	x5238168.exe	88
PID 1144 wrote to memory of 1100	1144	x5238168.exe	88
PID 1100 wrote to memory of 1128	1100	x2588130.exe	90
PID 1100 wrote to memory of 1128	1100	x2588130.exe	90
PID 1100 wrote to memory of 1128	1100	x2588130.exe	90

C:\Users\Admin\AppData\Local\Temp\6e329000eece1180da5a7308a126a45a54e80577b5fabdcaaa41df975e3df7f0.exe
"C:\Users\Admin\AppData\Local\Temp\6e329000eece1180da5a7308a126a45a54e80577b5fabdcaaa41df975e3df7f0.exe"
1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2800
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x5238168.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x5238168.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1144
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x2588130.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x2588130.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1100
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\f4988354.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\f4988354.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:1128

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x5238168.exe

Filesize
748KB

MD5
5b5d9aad035ee636d05e2804a39e3902

SHA1
7e02b3bb648abf390270f1589ece3996b9c0f818

SHA256
62b535119fb02776ef6ca877c7a4464396c59b6821d9406293856fe06e0d783a

SHA512
ff64736fd8f8b453e54f994943a344727a0f909f715f3249f1a9760e09a2d0bc6322702a7736369206882b07fc246d65441f44e3fa67f979f6cbab3a71538337

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x2588130.exe

Filesize
304KB

MD5
a3b53df7db00e0a1cfbe1bdcab107c23

SHA1
896382fe6673a34236d25f2e3abfa3d29645e05e

SHA256
e694a4ab90082e4c88489620b35797a9a9fff29c036b279c220da87225b18e25

SHA512
6bf7c6ba368d96419ce5df853ad1dff38a6fb01d0a8aa321c482ec462b28a172407a0f644bc790f250a1fb94332dbe48deb88f9f517e43e1d85a2961c962c8b5

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\f4988354.exe

Filesize
145KB

MD5
baeb29a5c0ae3096e4e27a4ee8d62be6

SHA1
22019ae69d131c6957bcec7eb740e67c7829d76e

SHA256
8df4de10413baa0c9d556ccb0f0413216b380b92b5ba359509e5934a82dc591f

SHA512
96d2508873261dab0c1aa6aa0b202ef90f73337ecf2511bc9be1da21ec26f5d7f626854fedf040410f0d08f6a943f031f29ac34d3b8a64f366ece63c1fe5fcf7

Download Submit
memory/1128-21-0x0000000000180000-0x00000000001AA000-memory.dmp

Filesize
168KB

Download
memory/1128-22-0x00000000050D0000-0x00000000056E8000-memory.dmp

Filesize
6.1MB

Download
memory/1128-23-0x0000000004C50000-0x0000000004D5A000-memory.dmp

Filesize
1.0MB

Download
memory/1128-24-0x0000000004B80000-0x0000000004B92000-memory.dmp

Filesize
72KB

Download
memory/1128-25-0x0000000004BE0000-0x0000000004C1C000-memory.dmp

Filesize
240KB

Download
memory/1128-26-0x0000000004D60000-0x0000000004DAC000-memory.dmp

Filesize
304KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads