redline | 046e6b3d0b2e06e3bffb97a6e4149a028878e496d5d290a9ea686371355e93fe

General

Target

046e6b3d0b2e06e3bffb97a6e4149a028878e496d5d290a9ea686371355e93fe.exe
Size

1.2MB
MD5

88c34e9579d94f1ed6d575a5d3c3061e
SHA1

d18a2399b3f92b728a4b1da383c066dc3be0be38
SHA256

046e6b3d0b2e06e3bffb97a6e4149a028878e496d5d290a9ea686371355e93fe
SHA512

0c31cb8bf189a1808d3b1f1e1e1ab42b8a7ceac3637a6b51d2888aed728be52d96c1883a5a2b9cc90c5657f10e8d11d363e5d0f96a31893abf074ada0f75b4fb
SSDEEP

24576:qySKs2Dfs1fVSlffI8jm9SkiHvjeLeROtnrqsDCg65+nhkYmp/I9:xSamI3qzkSiRORrU5+n2JJI

Score

10^/10

redline doma discovery infostealer persistence

Malware Config

Extracted

Family

redline

Botnet

doma

C2

185.161.248.75:4132

Attributes

auth_value
8be53af7f78567706928d0abef953ef4

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 2 IoCs

resource	yara_rule
behavioral1/files/0x0008000000023cbb-19.dat	family_redline
behavioral1/memory/2844-21-0x00000000002F0000-0x000000000031A000-memory.dmp	family_redline

Redline family
redline

Executes dropped EXE 3 IoCs

pid	Process
2544	x4831046.exe
3944	x4848999.exe
2844	f9458455.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	046e6b3d0b2e06e3bffb97a6e4149a028878e496d5d290a9ea686371355e93fe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	x4831046.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	x4848999.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	x4848999.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f9458455.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	046e6b3d0b2e06e3bffb97a6e4149a028878e496d5d290a9ea686371355e93fe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	x4831046.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 3820 wrote to memory of 2544	3820	046e6b3d0b2e06e3bffb97a6e4149a028878e496d5d290a9ea686371355e93fe.exe	83
PID 3820 wrote to memory of 2544	3820	046e6b3d0b2e06e3bffb97a6e4149a028878e496d5d290a9ea686371355e93fe.exe	83
PID 3820 wrote to memory of 2544	3820	046e6b3d0b2e06e3bffb97a6e4149a028878e496d5d290a9ea686371355e93fe.exe	83
PID 2544 wrote to memory of 3944	2544	x4831046.exe	84
PID 2544 wrote to memory of 3944	2544	x4831046.exe	84
PID 2544 wrote to memory of 3944	2544	x4831046.exe	84
PID 3944 wrote to memory of 2844	3944	x4848999.exe	85
PID 3944 wrote to memory of 2844	3944	x4848999.exe	85
PID 3944 wrote to memory of 2844	3944	x4848999.exe	85

C:\Users\Admin\AppData\Local\Temp\046e6b3d0b2e06e3bffb97a6e4149a028878e496d5d290a9ea686371355e93fe.exe
"C:\Users\Admin\AppData\Local\Temp\046e6b3d0b2e06e3bffb97a6e4149a028878e496d5d290a9ea686371355e93fe.exe"
1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3820
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x4831046.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x4831046.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2544
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x4848999.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x4848999.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3944
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\f9458455.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\f9458455.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:2844

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x4831046.exe

Filesize
869KB

MD5
51ff3e5b54e019751d2a3b04b1513d95

SHA1
c1b24eb97571fefc06ffeb4a7827799221ab78e4

SHA256
80d63186b5a34b73fed43987fa6b7ba3d36772a901c11021975ce6722a5e16e8

SHA512
7d5e9d5b0f76c25c17c6e677b7e86cb2ea5d4b65235c60835c0d5e173a7499544340abbee1e2146d4cfda376c513560411fa3cadf79dec52a47279d9e46f9c1f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x4848999.exe

Filesize
425KB

MD5
b17b5191be816ac8f0ba86ddc487abda

SHA1
134478f2bab23623d1c4973d9f5de55bf4bc9d45

SHA256
a1792d764b8556c15b4eee85a357c01a1fd73dfc904783ba169bf7398b5f349c

SHA512
961b88d6f26ae89fe225d2e26b4340bbf402cf58dc94948fce302a42e0d8fd350d71828a22a0390dfff6064e613fe1ba5feba66757834d33083636f29d3bee5e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\f9458455.exe

Filesize
145KB

MD5
c25945a2fde2a3f92bb78e2e3009d0fc

SHA1
c71b7cc244cb1740508879444f111156b0ed44c5

SHA256
2bc848748b369c05480759fcfd90759565f2875bbfec8e89fa87da02d8cf6bdc

SHA512
71816e79003ab6c033dc6e0101efc37de2964728cf175a3cc89e6fd8219d80505b6c1dc1da145e47541cd02bfe4c79d3284c4d224722747df648d27697e978f8

Download Submit
memory/2844-21-0x00000000002F0000-0x000000000031A000-memory.dmp

Filesize
168KB

Download
memory/2844-22-0x0000000005330000-0x0000000005948000-memory.dmp

Filesize
6.1MB

Download
memory/2844-23-0x0000000004E20000-0x0000000004F2A000-memory.dmp

Filesize
1.0MB

Download
memory/2844-24-0x00000000028A0000-0x00000000028B2000-memory.dmp

Filesize
72KB

Download
memory/2844-25-0x0000000004D50000-0x0000000004D8C000-memory.dmp

Filesize
240KB

Download
memory/2844-26-0x0000000004D90000-0x0000000004DDC000-memory.dmp

Filesize
304KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads