redline | d3c063d5bd02d0cbbb199eb4108f15785e46eaf8aa981948439d785c77b374d1

General

Target

d3c063d5bd02d0cbbb199eb4108f15785e46eaf8aa981948439d785c77b374d1.exe
Size

1.1MB
MD5

19ffd96c3f9769a63bf51f054f84ff11
SHA1

5dc32a68fa39d4015f3bbce517716ad7aadda58f
SHA256

d3c063d5bd02d0cbbb199eb4108f15785e46eaf8aa981948439d785c77b374d1
SHA512

c6b54fca2010be5da406dd5013c6fb4d0f05ca4b779d3279e40027774cf6e5719f82eed3beafce235fa6aa32e22ac8743dc1c258fafa904ed79e779a923775ba
SSDEEP

24576:gyTwNJfldbBnTK6yKLYaeqTeXy8ZmvomTEWqu41YV:nAtTBTK65LYJHXCo

Score

10^/10

redline doma discovery infostealer persistence

Malware Config

Extracted

Family

redline

Botnet

doma

C2

185.161.248.75:4132

Attributes

auth_value
8be53af7f78567706928d0abef953ef4

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 2 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\f1198842.exe	family_redline
behavioral1/memory/2624-21-0x0000000000A30000-0x0000000000A5A000-memory.dmp	family_redline

Redline family
redline
Executes dropped EXE 3 IoCs

Processes:

x6795313.exex0818237.exef1198842.exe

pid process

4304 x6795313.exe
3160 x0818237.exe
2624 f1198842.exe

pid	process
4304	x6795313.exe
3160	x0818237.exe
2624	f1198842.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

x6795313.exex0818237.exed3c063d5bd02d0cbbb199eb4108f15785e46eaf8aa981948439d785c77b374d1.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	x6795313.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	x0818237.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	d3c063d5bd02d0cbbb199eb4108f15785e46eaf8aa981948439d785c77b374d1.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

f1198842.exed3c063d5bd02d0cbbb199eb4108f15785e46eaf8aa981948439d785c77b374d1.exex6795313.exex0818237.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f1198842.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d3c063d5bd02d0cbbb199eb4108f15785e46eaf8aa981948439d785c77b374d1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	x6795313.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	x0818237.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

d3c063d5bd02d0cbbb199eb4108f15785e46eaf8aa981948439d785c77b374d1.exex6795313.exex0818237.exe

description	pid	process	target process
PID 4496 wrote to memory of 4304	4496	d3c063d5bd02d0cbbb199eb4108f15785e46eaf8aa981948439d785c77b374d1.exe	x6795313.exe
PID 4496 wrote to memory of 4304	4496	d3c063d5bd02d0cbbb199eb4108f15785e46eaf8aa981948439d785c77b374d1.exe	x6795313.exe
PID 4496 wrote to memory of 4304	4496	d3c063d5bd02d0cbbb199eb4108f15785e46eaf8aa981948439d785c77b374d1.exe	x6795313.exe
PID 4304 wrote to memory of 3160	4304	x6795313.exe	x0818237.exe
PID 4304 wrote to memory of 3160	4304	x6795313.exe	x0818237.exe
PID 4304 wrote to memory of 3160	4304	x6795313.exe	x0818237.exe
PID 3160 wrote to memory of 2624	3160	x0818237.exe	f1198842.exe
PID 3160 wrote to memory of 2624	3160	x0818237.exe	f1198842.exe
PID 3160 wrote to memory of 2624	3160	x0818237.exe	f1198842.exe

C:\Users\Admin\AppData\Local\Temp\d3c063d5bd02d0cbbb199eb4108f15785e46eaf8aa981948439d785c77b374d1.exe
"C:\Users\Admin\AppData\Local\Temp\d3c063d5bd02d0cbbb199eb4108f15785e46eaf8aa981948439d785c77b374d1.exe"
1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4496
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x6795313.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x6795313.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4304
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x0818237.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x0818237.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3160
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\f1198842.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\f1198842.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:2624

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x6795313.exe

Filesize
748KB

MD5
b36661622798c6e500240b1778937688

SHA1
519ff91aa7ba164651c69b9d9b175e74cf73bae2

SHA256
1a1fbfa8af8c4135c310e3a4eacbb70ecf490843649cf5de4fc519d9bc908b6f

SHA512
d0f3009f498ff3ceee3d7a0f86adabbe5687f2fc042599287aa05902ec1951aff2ecb9958cda050f15b8246af4cb0024ca6b514e02bde1e07a687507417d4dda

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x0818237.exe

Filesize
305KB

MD5
0d33c43cb1fe3938b8e03d829d72b66f

SHA1
25b481a137244e9c94a1722b21f26973fd0958bc

SHA256
5e467d161392f06d7a20dbdc47843d6af1c25710aa60e7bb4d96d1782f68dbad

SHA512
02ceadefa20b7f9cf3843b15393f6cf68ebc70cafba1ba72bd422cd29be1b89d662bc1c44af3a74a308b2490316243ceb6c13bc655304759c9812002009cbe4b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\f1198842.exe

Filesize
145KB

MD5
11208493d6668ee6e5484d54feeaf2db

SHA1
69f67a5d9f8ec91411bb6ebafd34c3164194eb3f

SHA256
9145b43453dcb2bb6231d3ec50fc8ad55326645ff8d0be1a754deba4b16c6336

SHA512
a6bcf8d6b56fe47e9c51cda70d9c9fb4bbc670eef738f2824db8d9498e6cb7ef6fe681226e9dfa83156e57cf023b74c80b8df8bfe43f1592eb2ccae7e43d3572

Download Submit
memory/2624-21-0x0000000000A30000-0x0000000000A5A000-memory.dmp

Filesize
168KB

Download
memory/2624-22-0x0000000005A10000-0x0000000006028000-memory.dmp

Filesize
6.1MB

Download
memory/2624-23-0x0000000005500000-0x000000000560A000-memory.dmp

Filesize
1.0MB

Download
memory/2624-24-0x0000000005430000-0x0000000005442000-memory.dmp

Filesize
72KB

Download
memory/2624-25-0x0000000005490000-0x00000000054CC000-memory.dmp

Filesize
240KB

Download
memory/2624-26-0x0000000005610000-0x000000000565C000-memory.dmp

Filesize
304KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads