redline | 8ac1e207ff73adb7ee954d484cc9c98c434026802e3a8157629ac331ea40df1f

General

Target

8ac1e207ff73adb7ee954d484cc9c98c434026802e3a8157629ac331ea40df1f.exe
Size

1.1MB
MD5

df0f3fb3a8fb6639a7329977ea32af42
SHA1

80e68d826be72655bbfa82a391ba612c6847390a
SHA256

8ac1e207ff73adb7ee954d484cc9c98c434026802e3a8157629ac331ea40df1f
SHA512

a80a96946e567a1852d859b6aa2c90e1654a281d5179fa3e5ba005e59d17900d3122e5706bfd87478628a6cfcf41dba27f76bc3673d4a3bb97bb8a200adb86dc
SSDEEP

24576:FyBT97g4GCwELk0GDKsVo2B3R3KOD1gQ7ZjKtXtoo9MVJ+I/xeIS:gBT984pdhGDKEHR6OyQ6GFJ3II

Score

10^/10

redline doma discovery infostealer persistence

Malware Config

Extracted

Family

redline

Botnet

doma

C2

185.161.248.75:4132

Attributes

auth_value
8be53af7f78567706928d0abef953ef4

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 2 IoCs

Processes:

resource	yara_rule
behavioral1/files/0x000b000000023b98-19.dat	family_redline
behavioral1/memory/1228-21-0x00000000006A0000-0x00000000006CA000-memory.dmp	family_redline

Redline family
redline

Executes dropped EXE 3 IoCs

Processes:

x5106801.exex9085002.exef1977707.exe

pid	Process
412	x5106801.exe
436	x9085002.exe
1228	f1977707.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

x5106801.exex9085002.exe8ac1e207ff73adb7ee954d484cc9c98c434026802e3a8157629ac331ea40df1f.exe

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	x5106801.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	x9085002.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	8ac1e207ff73adb7ee954d484cc9c98c434026802e3a8157629ac331ea40df1f.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

x9085002.exef1977707.exe8ac1e207ff73adb7ee954d484cc9c98c434026802e3a8157629ac331ea40df1f.exex5106801.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	x9085002.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f1977707.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	8ac1e207ff73adb7ee954d484cc9c98c434026802e3a8157629ac331ea40df1f.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	x5106801.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

8ac1e207ff73adb7ee954d484cc9c98c434026802e3a8157629ac331ea40df1f.exex5106801.exex9085002.exe

description	pid	Process	procid_target
PID 1888 wrote to memory of 412	1888	8ac1e207ff73adb7ee954d484cc9c98c434026802e3a8157629ac331ea40df1f.exe	83
PID 1888 wrote to memory of 412	1888	8ac1e207ff73adb7ee954d484cc9c98c434026802e3a8157629ac331ea40df1f.exe	83
PID 1888 wrote to memory of 412	1888	8ac1e207ff73adb7ee954d484cc9c98c434026802e3a8157629ac331ea40df1f.exe	83
PID 412 wrote to memory of 436	412	x5106801.exe	84
PID 412 wrote to memory of 436	412	x5106801.exe	84
PID 412 wrote to memory of 436	412	x5106801.exe	84
PID 436 wrote to memory of 1228	436	x9085002.exe	86
PID 436 wrote to memory of 1228	436	x9085002.exe	86
PID 436 wrote to memory of 1228	436	x9085002.exe	86

C:\Users\Admin\AppData\Local\Temp\8ac1e207ff73adb7ee954d484cc9c98c434026802e3a8157629ac331ea40df1f.exe
"C:\Users\Admin\AppData\Local\Temp\8ac1e207ff73adb7ee954d484cc9c98c434026802e3a8157629ac331ea40df1f.exe"
1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1888
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x5106801.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x5106801.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:412
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x9085002.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x9085002.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:436
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\f1977707.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\f1977707.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:1228

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x5106801.exe

Filesize
748KB

MD5
7626dbcf98302b9d91bad9d4d4b7b246

SHA1
660ee5167b62d0ee6c807ec8995a9fdf428710c6

SHA256
764a9fc62e2a6239a6022b1e66c4ae65558d462f0fd528e55e7d800a61187845

SHA512
3bc74c43e2a39328683c1a9c7f3deae3615ba0bd6082b0f839105c785a84beb60bd876d70ee372eec986441be2e72e8589c96afaf790a60db8542ec080982e66

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x9085002.exe

Filesize
304KB

MD5
7909ad91d3de307b8244ab971257c3c1

SHA1
23e3589793834ab1835e32311ea33d3580ab219a

SHA256
34765db7e574bbde8dff8d8f4c5f07b7539b5757887d11f9796442152ca4f38b

SHA512
64446c25b9f737926d89aae2ca72fad78933d1f15a91436a32a2079bf6a7545f6e283bbeb567c42557d11ac9ebd4d1d393763a5373008b0d5698141b4ceb0d02

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\f1977707.exe

Filesize
145KB

MD5
8a5f0ded08819583364d28a60d8bcb4a

SHA1
1d86185895d3a9a1359be096fcc78ad4ad660490

SHA256
b95dc28ca63cef8297b0c546224c1a3941db66f569a27d3c5a647afb746623fd

SHA512
7013f34476862fd841c45bbc72d33d994459b2b2b19377986e15e22dd20a5041255e696cc58807b8d1640461f3db6e2243bb37e0de13dc1269e2b688ecd77dac

Download Submit
memory/1228-21-0x00000000006A0000-0x00000000006CA000-memory.dmp

Filesize
168KB

Download
memory/1228-22-0x0000000005500000-0x0000000005B18000-memory.dmp

Filesize
6.1MB

Download
memory/1228-23-0x0000000005030000-0x000000000513A000-memory.dmp

Filesize
1.0MB

Download
memory/1228-24-0x0000000004F60000-0x0000000004F72000-memory.dmp

Filesize
72KB

Download
memory/1228-25-0x0000000004FC0000-0x0000000004FFC000-memory.dmp

Filesize
240KB

Download
memory/1228-26-0x0000000005140000-0x000000000518C000-memory.dmp

Filesize
304KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads