redline | 1dbcf9f48347579ef514c4c70c8e4bdc03ef98a9be2e38fddb12b093dbaf1149

General

Target

1dbcf9f48347579ef514c4c70c8e4bdc03ef98a9be2e38fddb12b093dbaf1149.exe
Size

1.1MB
MD5

717cb965297e8422867936184fdda328
SHA1

30f46a92c83c1308bddd17acf7b667d74219a823
SHA256

1dbcf9f48347579ef514c4c70c8e4bdc03ef98a9be2e38fddb12b093dbaf1149
SHA512

2f97643ef608211e5031c1e9c83fc29478f83dc4f6806f01b0bf4ee4dc5e847d6c0f4a02cd026026dc999e639fe838ed05d2a473d6172d4baf778f5d734f507e
SSDEEP

24576:Ty/GP5U0RRKPZvcyYdS/u9NQhFU07Ww0scderHx9Ix+DSK8i:m/GP/KCHSFUJw0d2Ix+DSK8

Score

10^/10

redline doma discovery infostealer persistence

Malware Config

Extracted

Family

redline

Botnet

doma

C2

185.161.248.75:4132

Attributes

auth_value
8be53af7f78567706928d0abef953ef4

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 2 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\f0939954.exe	family_redline
behavioral1/memory/5000-21-0x0000000000B40000-0x0000000000B6A000-memory.dmp	family_redline

Redline family
redline
Executes dropped EXE 3 IoCs

Processes:

x1867944.exex8221404.exef0939954.exe

pid process

4640 x1867944.exe
2100 x8221404.exe
5000 f0939954.exe

pid	process
4640	x1867944.exe
2100	x8221404.exe
5000	f0939954.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

1dbcf9f48347579ef514c4c70c8e4bdc03ef98a9be2e38fddb12b093dbaf1149.exex1867944.exex8221404.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	1dbcf9f48347579ef514c4c70c8e4bdc03ef98a9be2e38fddb12b093dbaf1149.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	x1867944.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	x8221404.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

x1867944.exex8221404.exef0939954.exe1dbcf9f48347579ef514c4c70c8e4bdc03ef98a9be2e38fddb12b093dbaf1149.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	x1867944.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	x8221404.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f0939954.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1dbcf9f48347579ef514c4c70c8e4bdc03ef98a9be2e38fddb12b093dbaf1149.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

1dbcf9f48347579ef514c4c70c8e4bdc03ef98a9be2e38fddb12b093dbaf1149.exex1867944.exex8221404.exe

description	pid	process	target process
PID 1880 wrote to memory of 4640	1880	1dbcf9f48347579ef514c4c70c8e4bdc03ef98a9be2e38fddb12b093dbaf1149.exe	x1867944.exe
PID 1880 wrote to memory of 4640	1880	1dbcf9f48347579ef514c4c70c8e4bdc03ef98a9be2e38fddb12b093dbaf1149.exe	x1867944.exe
PID 1880 wrote to memory of 4640	1880	1dbcf9f48347579ef514c4c70c8e4bdc03ef98a9be2e38fddb12b093dbaf1149.exe	x1867944.exe
PID 4640 wrote to memory of 2100	4640	x1867944.exe	x8221404.exe
PID 4640 wrote to memory of 2100	4640	x1867944.exe	x8221404.exe
PID 4640 wrote to memory of 2100	4640	x1867944.exe	x8221404.exe
PID 2100 wrote to memory of 5000	2100	x8221404.exe	f0939954.exe
PID 2100 wrote to memory of 5000	2100	x8221404.exe	f0939954.exe
PID 2100 wrote to memory of 5000	2100	x8221404.exe	f0939954.exe

C:\Users\Admin\AppData\Local\Temp\1dbcf9f48347579ef514c4c70c8e4bdc03ef98a9be2e38fddb12b093dbaf1149.exe
"C:\Users\Admin\AppData\Local\Temp\1dbcf9f48347579ef514c4c70c8e4bdc03ef98a9be2e38fddb12b093dbaf1149.exe"
1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1880
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x1867944.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x1867944.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4640
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x8221404.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x8221404.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2100
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\f0939954.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\f0939954.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:5000

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x1867944.exe

Filesize
748KB

MD5
d93412eb51e223ae1f926d96ac9a0f25

SHA1
49412060a4692ea2e67b738bbcbb98b425d2a519

SHA256
b3eb199a7364e1e7d60cf65de31da1d237f1c1bc28d01a68dd739ace4fd66d17

SHA512
74e2306db2c9b4d81df41d960dc019c4febc07168dc1151fa398bb9266bef7c959a3b5091e6ff56bd0950c41e029914771693235fd6f2014ea7c7b96b61b3fbe

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x8221404.exe

Filesize
304KB

MD5
f91aa55e724310157fcb193b868ebf6e

SHA1
b360b094810da1a1c7fe1dd24d5c35712c5580c2

SHA256
8717dda7121277864eafc09ebc69560ce1054bd5d1dd280e8b1a51723695470c

SHA512
e10795cff7d63cbec5ab9ddd2ce0900fa14b2bc5c3b59e8d4c6343de91fabb2e710e637f0bc54422cb55ac97e37cb560d4fad1a9aa9fd43f2e342404fc20e28b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\f0939954.exe

Filesize
145KB

MD5
8aef1bce35e9a693a7da570b8f23f810

SHA1
f8f6b0ac8198b2f82d36351479bbb46c928d1ca0

SHA256
38de00eb0ebf79ad9268e1b333e2a62312d86090208856647696eaa0c968d2e5

SHA512
8b4ec23a4c46ac14019f3f5010b7704c4c4987f1576790374a914b2a4ce441f7bff519eebd90914c2657b3cda8225b7097452ab1523e9f4e47c3ca807a4d5a16

Download Submit
memory/5000-21-0x0000000000B40000-0x0000000000B6A000-memory.dmp

Filesize
168KB

Download
memory/5000-22-0x0000000005960000-0x0000000005F78000-memory.dmp

Filesize
6.1MB

Download
memory/5000-23-0x00000000054D0000-0x00000000055DA000-memory.dmp

Filesize
1.0MB

Download
memory/5000-24-0x0000000005400000-0x0000000005412000-memory.dmp

Filesize
72KB

Download
memory/5000-25-0x0000000005460000-0x000000000549C000-memory.dmp

Filesize
240KB

Download
memory/5000-26-0x00000000055E0000-0x000000000562C000-memory.dmp

Filesize
304KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads