redline | a71e4ed7f32e122f0410243a6b903fbdfadc1ea2d22a1ef469f31a0f211dc40a

General

Target

a71e4ed7f32e122f0410243a6b903fbdfadc1ea2d22a1ef469f31a0f211dc40a.exe
Size

1.1MB
MD5

eab500a2c4f2f4315506e82670699fec
SHA1

72bc385691c272551c332b4dd2c90b80f166b863
SHA256

a71e4ed7f32e122f0410243a6b903fbdfadc1ea2d22a1ef469f31a0f211dc40a
SHA512

e230ff91bd67c8366d129ef637b5c5aa7320e7a2f30f35428a16e2ce065921bc4a37b69038825c730e4d71ee4bbc30a430e3e0787e5750303d24917933a9c065
SSDEEP

24576:Zy3YWEKPlf+bifFNP2Y2d8x8MPawDW596pYJry7A:MIWEKvfXL2d8x5PxDWL6Ge

Score

10^/10

redline doma discovery infostealer persistence

Malware Config

Extracted

Family

redline

Botnet

doma

C2

185.161.248.75:4132

Attributes

auth_value
8be53af7f78567706928d0abef953ef4

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 2 IoCs

resource	yara_rule
behavioral1/files/0x0008000000023ca5-19.dat	family_redline
behavioral1/memory/628-21-0x0000000000160000-0x000000000018A000-memory.dmp	family_redline

Redline family
redline

Executes dropped EXE 3 IoCs

pid	Process
1520	x3230656.exe
1340	x6882638.exe
628	f9371814.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	x3230656.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	x6882638.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	a71e4ed7f32e122f0410243a6b903fbdfadc1ea2d22a1ef469f31a0f211dc40a.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	x3230656.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	x6882638.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f9371814.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a71e4ed7f32e122f0410243a6b903fbdfadc1ea2d22a1ef469f31a0f211dc40a.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 800 wrote to memory of 1520	800	a71e4ed7f32e122f0410243a6b903fbdfadc1ea2d22a1ef469f31a0f211dc40a.exe	83
PID 800 wrote to memory of 1520	800	a71e4ed7f32e122f0410243a6b903fbdfadc1ea2d22a1ef469f31a0f211dc40a.exe	83
PID 800 wrote to memory of 1520	800	a71e4ed7f32e122f0410243a6b903fbdfadc1ea2d22a1ef469f31a0f211dc40a.exe	83
PID 1520 wrote to memory of 1340	1520	x3230656.exe	84
PID 1520 wrote to memory of 1340	1520	x3230656.exe	84
PID 1520 wrote to memory of 1340	1520	x3230656.exe	84
PID 1340 wrote to memory of 628	1340	x6882638.exe	85
PID 1340 wrote to memory of 628	1340	x6882638.exe	85
PID 1340 wrote to memory of 628	1340	x6882638.exe	85

C:\Users\Admin\AppData\Local\Temp\a71e4ed7f32e122f0410243a6b903fbdfadc1ea2d22a1ef469f31a0f211dc40a.exe
"C:\Users\Admin\AppData\Local\Temp\a71e4ed7f32e122f0410243a6b903fbdfadc1ea2d22a1ef469f31a0f211dc40a.exe"
1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:800
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x3230656.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x3230656.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1520
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x6882638.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x6882638.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1340
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\f9371814.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\f9371814.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:628

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x3230656.exe

Filesize
749KB

MD5
75599a3ff8d9b65d35b4e10e8301675b

SHA1
81232f533e853421bd71abcc50b905d5a8bf408c

SHA256
79d53e7151834edd11ab5bfe7f6dcc48def2b8211c39fe32c290c894d1d2e217

SHA512
464ba7676b2c6a19164cda7ac70a380b7dde9fce30e004482a53ddae7d4a67662599a0597763920f3e5fc0b541ec474792e544e0098d0cb805c5b15c0bf42f61

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x6882638.exe

Filesize
305KB

MD5
7e4b66ae2e92999272743c5e1347b7d7

SHA1
96355b8dc2ed9f1d2b9ef68237c69d047b9ea9ab

SHA256
ceca85a21ae3f141caeb96d480297505c8e6f029837ff24801c22938739ea200

SHA512
3c79aaaa0d130851765f5e748769659a410a7aa23fcc0eacb99e2e5e928bc2500678d2fc9757841941eeab90c84a728c6910707e4aa4f8e744be8c2173a2bbaf

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\f9371814.exe

Filesize
145KB

MD5
c0eaaf81f1278e9cdf1076aa40a929b4

SHA1
433a8ffb459cc36a94f5df59bd2776317383c03c

SHA256
c84823051250f1a007dbf02f3cb0ffa8dc74b84001ed7d0d80b95e60c7c8adee

SHA512
ddb3e41f7c9b39548790ea53cb86dca1451ded2eefe1004be934363485758a3cb06c423cdac12be31309d3350bebd9528838925bdee8e015983f8e9dd400d949

Download Submit
memory/628-21-0x0000000000160000-0x000000000018A000-memory.dmp

Filesize
168KB

Download
memory/628-22-0x0000000004F90000-0x00000000055A8000-memory.dmp

Filesize
6.1MB

Download
memory/628-23-0x0000000004AF0000-0x0000000004BFA000-memory.dmp

Filesize
1.0MB

Download
memory/628-24-0x0000000004A20000-0x0000000004A32000-memory.dmp

Filesize
72KB

Download
memory/628-25-0x0000000004A80000-0x0000000004ABC000-memory.dmp

Filesize
240KB

Download
memory/628-26-0x0000000004C00000-0x0000000004C4C000-memory.dmp

Filesize
304KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads