redline | 57ffe96eb28bac0644d8439350edd3095e89c726562f58e12f3a2cb2db61cfed

General

Target

57ffe96eb28bac0644d8439350edd3095e89c726562f58e12f3a2cb2db61cfed.exe
Size

1.1MB
MD5

c8263970a498e3750ac32af591f46ac0
SHA1

c24d0ab19a5fc9f6982c27eb54a255364e47f1a1
SHA256

57ffe96eb28bac0644d8439350edd3095e89c726562f58e12f3a2cb2db61cfed
SHA512

8a11111f03a5889bb9debda8f2fdbc9143b1ab7da8ca0e359536f2ae60f2e7282fd96e6b7d3908bfaacdb16dc9afc37e49431844ee00a51909135438c61146f7
SSDEEP

24576:6y//cCEDrXJG2YhCr4R9S/958BDqzz097kbWUg/10+dlxqy6kLyHo8n:BnrEDY22Cp58B6097QWUc0+d/G0yHo

Score

10^/10

redline doma discovery infostealer persistence

Malware Config

Extracted

Family

redline

Botnet

doma

C2

185.161.248.75:4132

Attributes

auth_value
8be53af7f78567706928d0abef953ef4

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 2 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\f4720792.exe	family_redline
behavioral1/memory/3264-21-0x0000000000B80000-0x0000000000BAA000-memory.dmp	family_redline

Redline family
redline
Executes dropped EXE 3 IoCs

Processes:

x5192885.exex8027367.exef4720792.exe

pid process

4148 x5192885.exe
2732 x8027367.exe
3264 f4720792.exe

pid	process
4148	x5192885.exe
2732	x8027367.exe
3264	f4720792.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

57ffe96eb28bac0644d8439350edd3095e89c726562f58e12f3a2cb2db61cfed.exex5192885.exex8027367.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	57ffe96eb28bac0644d8439350edd3095e89c726562f58e12f3a2cb2db61cfed.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	x5192885.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	x8027367.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

x5192885.exex8027367.exef4720792.exe57ffe96eb28bac0644d8439350edd3095e89c726562f58e12f3a2cb2db61cfed.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	x5192885.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	x8027367.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f4720792.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	57ffe96eb28bac0644d8439350edd3095e89c726562f58e12f3a2cb2db61cfed.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

57ffe96eb28bac0644d8439350edd3095e89c726562f58e12f3a2cb2db61cfed.exex5192885.exex8027367.exe

description	pid	process	target process
PID 1796 wrote to memory of 4148	1796	57ffe96eb28bac0644d8439350edd3095e89c726562f58e12f3a2cb2db61cfed.exe	x5192885.exe
PID 1796 wrote to memory of 4148	1796	57ffe96eb28bac0644d8439350edd3095e89c726562f58e12f3a2cb2db61cfed.exe	x5192885.exe
PID 1796 wrote to memory of 4148	1796	57ffe96eb28bac0644d8439350edd3095e89c726562f58e12f3a2cb2db61cfed.exe	x5192885.exe
PID 4148 wrote to memory of 2732	4148	x5192885.exe	x8027367.exe
PID 4148 wrote to memory of 2732	4148	x5192885.exe	x8027367.exe
PID 4148 wrote to memory of 2732	4148	x5192885.exe	x8027367.exe
PID 2732 wrote to memory of 3264	2732	x8027367.exe	f4720792.exe
PID 2732 wrote to memory of 3264	2732	x8027367.exe	f4720792.exe
PID 2732 wrote to memory of 3264	2732	x8027367.exe	f4720792.exe

C:\Users\Admin\AppData\Local\Temp\57ffe96eb28bac0644d8439350edd3095e89c726562f58e12f3a2cb2db61cfed.exe
"C:\Users\Admin\AppData\Local\Temp\57ffe96eb28bac0644d8439350edd3095e89c726562f58e12f3a2cb2db61cfed.exe"
1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1796
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x5192885.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x5192885.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4148
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x8027367.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x8027367.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2732
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\f4720792.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\f4720792.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:3264

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x5192885.exe

Filesize
748KB

MD5
f0f7e27186478519cb511ae39cb7910a

SHA1
157ec8229a1b7dae885d78061a92a5b4c500e8a4

SHA256
b4e94759584a3247384a77d2e410b79cac1c2747da2bd9f21852f9f4b251d707

SHA512
b0058762e05ba1fc8207d8af5fcf2705127fc7305ca49368a942a40a148df09209499b59f16ab4052b8ded51ade7f059397a2f2dc1218b36327adaf12fbe8036

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x8027367.exe

Filesize
304KB

MD5
706d3db391d0298b75426e4b38cc15ff

SHA1
4ae902e7cf9eb82148b3f6e31ac128a9dd496461

SHA256
40e2db24c98fc92c73f07632d3a0c179461cdab49b67c17bf4d61084d7efdfd0

SHA512
235eb84d5e9412839b49753d205fa3e8e895405a1cbc299908fb1a40ae23f62dd74b5de03c82d71e25cd08f39b8c91ea65125fa39803369e8ed19216614efec6

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\f4720792.exe

Filesize
145KB

MD5
409550470b0212d23c25c6deffcd6307

SHA1
b923569683f24eabfadb9227f0567e6378ef3f20

SHA256
fcddf8b8ce8d4f3406770fb1df42e082ccbfc148d636536f5d4cdf96df0c868c

SHA512
1b556f7ae558342fe1561254df6e0d8513a53e3fe1a7f4db2b0955d8fb7094843ea6888d3a41c12c7809339a38a29183881186ea0b46775a441c3aaf02978367

Download Submit
memory/3264-21-0x0000000000B80000-0x0000000000BAA000-memory.dmp

Filesize
168KB

Download
memory/3264-22-0x0000000005B10000-0x0000000006128000-memory.dmp

Filesize
6.1MB

Download
memory/3264-23-0x0000000005650000-0x000000000575A000-memory.dmp

Filesize
1.0MB

Download
memory/3264-24-0x0000000005580000-0x0000000005592000-memory.dmp

Filesize
72KB

Download
memory/3264-25-0x0000000005610000-0x000000000564C000-memory.dmp

Filesize
240KB

Download
memory/3264-26-0x0000000005760000-0x00000000057AC000-memory.dmp

Filesize
304KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads