redline | 3e2b758d672a00ebe6779a0022edc6d90e5deba8f17e75dffb8229b730c0b4d0

General

Target

3e2b758d672a00ebe6779a0022edc6d90e5deba8f17e75dffb8229b730c0b4d0.exe
Size

1.1MB
MD5

14ce8a77326e6cc70b0ab8a8f0224c37
SHA1

2009104fb47889a381e36338c0b490297bee5e47
SHA256

3e2b758d672a00ebe6779a0022edc6d90e5deba8f17e75dffb8229b730c0b4d0
SHA512

8b668c06aac09fef727275ffd719476aebc87f42c7124c62067e1161f910b6873a109987e546633cd43aaabeeaaedac9fb45e918f0d22e337a518af11595edc2
SSDEEP

24576:Gyrj5LntbCLl50cgCHxlpJLKMJ27865r1noHB4NI80Or3+Wk1DKWD:VX5tCLf0cgOwnBoh4NXL+F3

Score

10^/10

redline doma discovery infostealer persistence

Malware Config

Extracted

Family

redline

Botnet

doma

C2

185.161.248.75:4132

Attributes

auth_value
8be53af7f78567706928d0abef953ef4

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 2 IoCs

resource	yara_rule
behavioral1/files/0x000b000000023b92-19.dat	family_redline
behavioral1/memory/5100-21-0x00000000002E0000-0x000000000030A000-memory.dmp	family_redline

Redline family
redline

Executes dropped EXE 3 IoCs

pid	Process
1836	x9163292.exe
2692	x3020903.exe
5100	f7566925.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	3e2b758d672a00ebe6779a0022edc6d90e5deba8f17e75dffb8229b730c0b4d0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	x9163292.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	x3020903.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	x3020903.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f7566925.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3e2b758d672a00ebe6779a0022edc6d90e5deba8f17e75dffb8229b730c0b4d0.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	x9163292.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 1660 wrote to memory of 1836	1660	3e2b758d672a00ebe6779a0022edc6d90e5deba8f17e75dffb8229b730c0b4d0.exe	83
PID 1660 wrote to memory of 1836	1660	3e2b758d672a00ebe6779a0022edc6d90e5deba8f17e75dffb8229b730c0b4d0.exe	83
PID 1660 wrote to memory of 1836	1660	3e2b758d672a00ebe6779a0022edc6d90e5deba8f17e75dffb8229b730c0b4d0.exe	83
PID 1836 wrote to memory of 2692	1836	x9163292.exe	84
PID 1836 wrote to memory of 2692	1836	x9163292.exe	84
PID 1836 wrote to memory of 2692	1836	x9163292.exe	84
PID 2692 wrote to memory of 5100	2692	x3020903.exe	85
PID 2692 wrote to memory of 5100	2692	x3020903.exe	85
PID 2692 wrote to memory of 5100	2692	x3020903.exe	85

C:\Users\Admin\AppData\Local\Temp\3e2b758d672a00ebe6779a0022edc6d90e5deba8f17e75dffb8229b730c0b4d0.exe
"C:\Users\Admin\AppData\Local\Temp\3e2b758d672a00ebe6779a0022edc6d90e5deba8f17e75dffb8229b730c0b4d0.exe"
1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1660
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x9163292.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x9163292.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1836
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x3020903.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x3020903.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2692
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\f7566925.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\f7566925.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:5100

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x9163292.exe

Filesize
749KB

MD5
030a743dfbf8e0aab9c95168f50c2df0

SHA1
df1352002affb6183680ce51b95c11e1e25a66a9

SHA256
6760e5b99df41af63eb28f725007362fe57c365a78781d1daa1acb7fcc73ce36

SHA512
3887fca04ef70129464fed644545c701c2918b213f889eb41a8ded8889960140636f9dd8f9a805f0d02c3510705c1d5e63c054ab899e52549179b8918d1ca13d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x3020903.exe

Filesize
305KB

MD5
a47d8a5afb5bff1faaf749c62e7c8b18

SHA1
fd29a4cbfce33c4e2fb889a95c602fef73c65c81

SHA256
2dd9f56e9da606bdf94520e3ad3457865b37fe3a5d08ad83abc8c9cc32eaf423

SHA512
dd7658124829eb876ad02aa378e92fb5a8cb948efdacb33fdc7bc7f0789d288570c6dbca3845c79f62b1f9a29f177d624013dcef490308526060b76459c07cf0

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\f7566925.exe

Filesize
145KB

MD5
f1a0c5fe34ae28d4541f12ec522edeaf

SHA1
5d80bc8976ee9a25be70627693a0eff1150d9ea5

SHA256
67283d9fbbfbb76319092b83cb503b920ef5262633e9ed47bbd916f8a7daffaf

SHA512
a1e319354ce88f2b4854b9b12db22eae68f9b3d250548070b48d63ecf91382dd09c607ba73966874c4fb82635bd2568360374b3fa86e36689ce8e426b8f2e3f8

Download Submit
memory/5100-21-0x00000000002E0000-0x000000000030A000-memory.dmp

Filesize
168KB

Download
memory/5100-22-0x0000000005100000-0x0000000005718000-memory.dmp

Filesize
6.1MB

Download
memory/5100-23-0x0000000004C70000-0x0000000004D7A000-memory.dmp

Filesize
1.0MB

Download
memory/5100-24-0x0000000004BA0000-0x0000000004BB2000-memory.dmp

Filesize
72KB

Download
memory/5100-25-0x0000000004C00000-0x0000000004C3C000-memory.dmp

Filesize
240KB

Download
memory/5100-26-0x0000000004D80000-0x0000000004DCC000-memory.dmp

Filesize
304KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads