redline | 50f3c4092e3eb22b023ceaf68457c0f068d106cc6779fb7b8b639c4bdee92549

General

Target

50f3c4092e3eb22b023ceaf68457c0f068d106cc6779fb7b8b639c4bdee92549.exe
Size

1.1MB
MD5

69f3eba07ae9d75b6d85a54416640df9
SHA1

6cd2c8bcbcaacbc43306495e168902c10d6c1247
SHA256

50f3c4092e3eb22b023ceaf68457c0f068d106cc6779fb7b8b639c4bdee92549
SHA512

b0e971d16b6c2ec6aa540ee2f41f62f8ae2592c37143d5c6f5f537dbb1a3ef0cd4b1450ba7362cf9ba546e8cfb263341ee0bcb2cf5c3b26afd2c92e6e30f9762
SSDEEP

24576:QyCNEhZPJnnCM1BWyqV2x13b+fwDi0X3OGanIHkr4nq:XoEhlUMzWyqEcqi0u7nBs

Score

10^/10

redline doma discovery infostealer persistence

Malware Config

Extracted

Family

redline

Botnet

doma

C2

185.161.248.75:4132

Attributes

auth_value
8be53af7f78567706928d0abef953ef4

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 2 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\f2125428.exe	family_redline
behavioral1/memory/4384-21-0x0000000000A90000-0x0000000000ABA000-memory.dmp	family_redline

Redline family
redline
Executes dropped EXE 3 IoCs

Processes:

x4086394.exex3318044.exef2125428.exe

pid process

4020 x4086394.exe
5072 x3318044.exe
4384 f2125428.exe

pid	process
4020	x4086394.exe
5072	x3318044.exe
4384	f2125428.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

50f3c4092e3eb22b023ceaf68457c0f068d106cc6779fb7b8b639c4bdee92549.exex4086394.exex3318044.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	50f3c4092e3eb22b023ceaf68457c0f068d106cc6779fb7b8b639c4bdee92549.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	x4086394.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	x3318044.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

50f3c4092e3eb22b023ceaf68457c0f068d106cc6779fb7b8b639c4bdee92549.exex4086394.exex3318044.exef2125428.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	50f3c4092e3eb22b023ceaf68457c0f068d106cc6779fb7b8b639c4bdee92549.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	x4086394.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	x3318044.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f2125428.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

50f3c4092e3eb22b023ceaf68457c0f068d106cc6779fb7b8b639c4bdee92549.exex4086394.exex3318044.exe

description	pid	process	target process
PID 1780 wrote to memory of 4020	1780	50f3c4092e3eb22b023ceaf68457c0f068d106cc6779fb7b8b639c4bdee92549.exe	x4086394.exe
PID 1780 wrote to memory of 4020	1780	50f3c4092e3eb22b023ceaf68457c0f068d106cc6779fb7b8b639c4bdee92549.exe	x4086394.exe
PID 1780 wrote to memory of 4020	1780	50f3c4092e3eb22b023ceaf68457c0f068d106cc6779fb7b8b639c4bdee92549.exe	x4086394.exe
PID 4020 wrote to memory of 5072	4020	x4086394.exe	x3318044.exe
PID 4020 wrote to memory of 5072	4020	x4086394.exe	x3318044.exe
PID 4020 wrote to memory of 5072	4020	x4086394.exe	x3318044.exe
PID 5072 wrote to memory of 4384	5072	x3318044.exe	f2125428.exe
PID 5072 wrote to memory of 4384	5072	x3318044.exe	f2125428.exe
PID 5072 wrote to memory of 4384	5072	x3318044.exe	f2125428.exe

C:\Users\Admin\AppData\Local\Temp\50f3c4092e3eb22b023ceaf68457c0f068d106cc6779fb7b8b639c4bdee92549.exe
"C:\Users\Admin\AppData\Local\Temp\50f3c4092e3eb22b023ceaf68457c0f068d106cc6779fb7b8b639c4bdee92549.exe"
1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1780
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x4086394.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x4086394.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4020
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x3318044.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x3318044.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:5072
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\f2125428.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\f2125428.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:4384

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x4086394.exe

Filesize
748KB

MD5
830f32e884b77651a99e597331f993c6

SHA1
bbf3dbbabf7f57867e929f8286c761a699e445c6

SHA256
6cbcd18291937a28f5dc29d4fec9cfa2c5ca7ddecd0ae3f567943d5c930067db

SHA512
713c5d1b990f4da0ba27fcb3ade1e7399725cedd0c5df5b2a8220b8b619fbefe330777502603e04a47a2564430e44656a68ad7c8c01e3ed7ad91d2b136a3ba42

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x3318044.exe

Filesize
304KB

MD5
875aff43887daac16933d649078d7970

SHA1
6d97d900d7d42e598918b8855e434183b6899226

SHA256
0c612748e50d936da88f3323b113f9f3f625f721a4af9c75d8f5cc5948f7b15e

SHA512
bf8078c0139d275c955f7886329cd5ae1411fe8f17cc2fb78be8359577dc6a15163fe24647231e2bec237b610b63045b33e8c3c52283cce5dd24233a77fe39ea

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\f2125428.exe

Filesize
145KB

MD5
d70a368d231e6cb12d2897968c92b548

SHA1
836d3fc83ee77fe4f49e75ea0dee5edfd1823c74

SHA256
4de0d05b6fc4681c258f004cdaa1c816c59b8aa8690c7d7ae0b97f8c5597d8ae

SHA512
6b54fe1b7c77f924d6f781735d719d7bc18008356f7a842e45967c2bd7cbfa4ce20b62bccbfd516effbfbaa0b606c1a6c459ad2706714e1b08e834347515896a

Download Submit
memory/4384-21-0x0000000000A90000-0x0000000000ABA000-memory.dmp

Filesize
168KB

Download
memory/4384-22-0x0000000005A50000-0x0000000006068000-memory.dmp

Filesize
6.1MB

Download
memory/4384-23-0x0000000005560000-0x000000000566A000-memory.dmp

Filesize
1.0MB

Download
memory/4384-24-0x0000000005490000-0x00000000054A2000-memory.dmp

Filesize
72KB

Download
memory/4384-25-0x00000000054F0000-0x000000000552C000-memory.dmp

Filesize
240KB

Download
memory/4384-26-0x0000000005670000-0x00000000056BC000-memory.dmp

Filesize
304KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads