redline | a4d66fce0c5d7dccb3d986e8240da2959efbe9642cd35f4b47ab6160930c5d8e

General

Target

a4d66fce0c5d7dccb3d986e8240da2959efbe9642cd35f4b47ab6160930c5d8e.exe
Size

1.1MB
MD5

707f44af2cebbc7d86bb4ab761c76544
SHA1

6fef1f5cf566c3e243d55fc0db22960c98931356
SHA256

a4d66fce0c5d7dccb3d986e8240da2959efbe9642cd35f4b47ab6160930c5d8e
SHA512

43b02d6cf12a5222923a785c8a63d0741e85403e296dd99ca12d22dbe5f56e2bc14b5e128ae8dd012f152917a73c1074bfba281fa38ad301e6b7168b9383e809
SSDEEP

24576:Iy1A0uzpB4KVk+GXb5kaKH4sjeIlcFYuOVEJwSP4q:PS0uFBT14b5NpsjeIbEJwSQ

Score

10^/10

redline doma discovery infostealer persistence

Malware Config

Extracted

Family

redline

Botnet

doma

C2

185.161.248.75:4132

Attributes

auth_value
8be53af7f78567706928d0abef953ef4

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 2 IoCs

Processes:

resource	yara_rule
behavioral1/files/0x0008000000023c66-19.dat	family_redline
behavioral1/memory/2180-21-0x00000000002B0000-0x00000000002DA000-memory.dmp	family_redline

Redline family
redline

Executes dropped EXE 3 IoCs

Processes:

x7330746.exex0629803.exef7659457.exe

pid	Process
3776	x7330746.exe
4528	x0629803.exe
2180	f7659457.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

a4d66fce0c5d7dccb3d986e8240da2959efbe9642cd35f4b47ab6160930c5d8e.exex7330746.exex0629803.exe

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	a4d66fce0c5d7dccb3d986e8240da2959efbe9642cd35f4b47ab6160930c5d8e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	x7330746.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	x0629803.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

a4d66fce0c5d7dccb3d986e8240da2959efbe9642cd35f4b47ab6160930c5d8e.exex7330746.exex0629803.exef7659457.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a4d66fce0c5d7dccb3d986e8240da2959efbe9642cd35f4b47ab6160930c5d8e.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	x7330746.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	x0629803.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f7659457.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

a4d66fce0c5d7dccb3d986e8240da2959efbe9642cd35f4b47ab6160930c5d8e.exex7330746.exex0629803.exe

description	pid	Process	procid_target
PID 116 wrote to memory of 3776	116	a4d66fce0c5d7dccb3d986e8240da2959efbe9642cd35f4b47ab6160930c5d8e.exe	85
PID 116 wrote to memory of 3776	116	a4d66fce0c5d7dccb3d986e8240da2959efbe9642cd35f4b47ab6160930c5d8e.exe	85
PID 116 wrote to memory of 3776	116	a4d66fce0c5d7dccb3d986e8240da2959efbe9642cd35f4b47ab6160930c5d8e.exe	85
PID 3776 wrote to memory of 4528	3776	x7330746.exe	86
PID 3776 wrote to memory of 4528	3776	x7330746.exe	86
PID 3776 wrote to memory of 4528	3776	x7330746.exe	86
PID 4528 wrote to memory of 2180	4528	x0629803.exe	87
PID 4528 wrote to memory of 2180	4528	x0629803.exe	87
PID 4528 wrote to memory of 2180	4528	x0629803.exe	87

C:\Users\Admin\AppData\Local\Temp\a4d66fce0c5d7dccb3d986e8240da2959efbe9642cd35f4b47ab6160930c5d8e.exe
"C:\Users\Admin\AppData\Local\Temp\a4d66fce0c5d7dccb3d986e8240da2959efbe9642cd35f4b47ab6160930c5d8e.exe"
1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:116
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x7330746.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x7330746.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3776
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x0629803.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x0629803.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:4528
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\f7659457.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\f7659457.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:2180

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x7330746.exe

Filesize
747KB

MD5
546a3a9492769ad064420e1cd08b83fe

SHA1
0d9b99351fd00ac403910604146153d3588aefa2

SHA256
9e750575e442500e492a1001f344e24008f2fb5d5d18d2cfd9340bd1e9f4177e

SHA512
98beb98e6a8bf387c37574201226718332d2bd6feb4297b17e4e228d6c9881d87b55d0aebfe7e01dde4ed8b565c9837c97cf8ab6f2ab370743a33c4e9303368e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x0629803.exe

Filesize
305KB

MD5
ff991df402a7a3f3cd356fb4a2063fe6

SHA1
499a14c6c8cb6a896636ae13eb09bab3e2e23a89

SHA256
a5e929cdf24ec5456a72b72ebd75261403021e8df4878c7d339e88cd66ae62a6

SHA512
7afb918450c53cbca7f4eaba54004c9496800e2dde90ae22a67fed0baea2847a8e61755c5e7776493ada305005ca6d54041bc2edaa506abfb887008783283c88

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\f7659457.exe

Filesize
145KB

MD5
1c3f4e00682ef5b2dcfe219aeb7b63e9

SHA1
8536668b0987c350616a6fb96cea4ed351127af8

SHA256
9a8893e7e6db9fa73a9815f9cfcec4a9def7c258cb9a174bd013591e48f52400

SHA512
0456c803c3321b55f6b42067b687b8f55f21d11285ac43f760e5ed68bd7eb22d56754bcba13d01d91516cfa3bab886d209ceae39d9074561e3762c7a40b96590

Download Submit
memory/2180-21-0x00000000002B0000-0x00000000002DA000-memory.dmp

Filesize
168KB

Download
memory/2180-22-0x00000000050C0000-0x00000000056D8000-memory.dmp

Filesize
6.1MB

Download
memory/2180-23-0x0000000004C30000-0x0000000004D3A000-memory.dmp

Filesize
1.0MB

Download
memory/2180-24-0x0000000004B60000-0x0000000004B72000-memory.dmp

Filesize
72KB

Download
memory/2180-25-0x0000000004BC0000-0x0000000004BFC000-memory.dmp

Filesize
240KB

Download
memory/2180-26-0x0000000004D40000-0x0000000004D8C000-memory.dmp

Filesize
304KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads