redline | 266f195e4d48c6f900bba776482771fc3432a829fd94c52468bc04b3b1c046a7

General

Target

266f195e4d48c6f900bba776482771fc3432a829fd94c52468bc04b3b1c046a7.exe
Size

1.1MB
MD5

efe0e98f522ddb7825ad38ab05792650
SHA1

b983b16f98e68b7bc58492d7c392e932491699e1
SHA256

266f195e4d48c6f900bba776482771fc3432a829fd94c52468bc04b3b1c046a7
SHA512

99a5f8f0c7cefcabc1d3304e7c2ad165dd7659f008a085aa47b3ba2de5e734987148011c06e54775ee746dd99fca85f05cf03a4285d7bc8e95a21974b00e863d
SSDEEP

24576:Dyq+jEEJvyd0/N/ABxsRHqhPFASfj5yTvhvqU61fEnuIs:WqEEEkd0/N/AwqFb5qZC3U

Score

10^/10

redline doma discovery infostealer persistence

Malware Config

Extracted

Family

redline

Botnet

doma

C2

185.161.248.75:4132

Attributes

auth_value
8be53af7f78567706928d0abef953ef4

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 2 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\f9537346.exe	family_redline
behavioral1/memory/1208-21-0x0000000000480000-0x00000000004AA000-memory.dmp	family_redline

Redline family
redline
Executes dropped EXE 3 IoCs

Processes:

x8573009.exex4205326.exef9537346.exe

pid process

3648 x8573009.exe
2952 x4205326.exe
1208 f9537346.exe

pid	process
3648	x8573009.exe
2952	x4205326.exe
1208	f9537346.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

266f195e4d48c6f900bba776482771fc3432a829fd94c52468bc04b3b1c046a7.exex8573009.exex4205326.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	266f195e4d48c6f900bba776482771fc3432a829fd94c52468bc04b3b1c046a7.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	x8573009.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	x4205326.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

266f195e4d48c6f900bba776482771fc3432a829fd94c52468bc04b3b1c046a7.exex8573009.exex4205326.exef9537346.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	266f195e4d48c6f900bba776482771fc3432a829fd94c52468bc04b3b1c046a7.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	x8573009.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	x4205326.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f9537346.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

266f195e4d48c6f900bba776482771fc3432a829fd94c52468bc04b3b1c046a7.exex8573009.exex4205326.exe

description	pid	process	target process
PID 1272 wrote to memory of 3648	1272	266f195e4d48c6f900bba776482771fc3432a829fd94c52468bc04b3b1c046a7.exe	x8573009.exe
PID 1272 wrote to memory of 3648	1272	266f195e4d48c6f900bba776482771fc3432a829fd94c52468bc04b3b1c046a7.exe	x8573009.exe
PID 1272 wrote to memory of 3648	1272	266f195e4d48c6f900bba776482771fc3432a829fd94c52468bc04b3b1c046a7.exe	x8573009.exe
PID 3648 wrote to memory of 2952	3648	x8573009.exe	x4205326.exe
PID 3648 wrote to memory of 2952	3648	x8573009.exe	x4205326.exe
PID 3648 wrote to memory of 2952	3648	x8573009.exe	x4205326.exe
PID 2952 wrote to memory of 1208	2952	x4205326.exe	f9537346.exe
PID 2952 wrote to memory of 1208	2952	x4205326.exe	f9537346.exe
PID 2952 wrote to memory of 1208	2952	x4205326.exe	f9537346.exe

C:\Users\Admin\AppData\Local\Temp\266f195e4d48c6f900bba776482771fc3432a829fd94c52468bc04b3b1c046a7.exe
"C:\Users\Admin\AppData\Local\Temp\266f195e4d48c6f900bba776482771fc3432a829fd94c52468bc04b3b1c046a7.exe"
1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1272
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x8573009.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x8573009.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3648
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x4205326.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x4205326.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2952
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\f9537346.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\f9537346.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:1208

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x8573009.exe

Filesize
750KB

MD5
918c8bd58da9b87fa274311bf493a98f

SHA1
589a27feca9c67e3ef8871b6d20877e83cefeacd

SHA256
9a0084ff60697181c0f56c14bbfd01f87298346705243a940b150fe1c056c1d0

SHA512
e430050316321c277b5e4a097cec9c481286be215b279463140c33a00b06ad55f56c5118ad2112339a7c630f191c4b4d82b7bc09f57f0273302df5af9bd526fb

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x4205326.exe

Filesize
304KB

MD5
dd52755d55e3356f6db30b68aebb93be

SHA1
1a88e3930076b9b90d72ddbf4b0ede267d489b75

SHA256
55e5b7a5587b68f1d896442490df7273eaa3ae58058ab9b4d7f16e305734b039

SHA512
3811acfd01749908b0963c1f653c65677056c8a8cf9d7c007bd0dc099ab5cdaacb877cb960993e0c8d8650128ee51222b63d4025fa153fdf56b71e534591ba2e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\f9537346.exe

Filesize
145KB

MD5
e0a291a54b6295e1eafd5eb89253df81

SHA1
ae1f36763f5016c5f7417b83244dbe093e1d8f34

SHA256
d649acc6dee026e82fb379edeb6b9a7df98f867bf278ef420f21e71c6f9676fd

SHA512
6ba93b3c38346126f07214dc357fe6da4db50e9b1a6deaca877a0685b76d227bc1c561386a08a48a5aa8c99011622bcc83e52841838fe8b9cf8d6d300c2cddbf

Download Submit
memory/1208-21-0x0000000000480000-0x00000000004AA000-memory.dmp

Filesize
168KB

Download
memory/1208-22-0x00000000053D0000-0x00000000059E8000-memory.dmp

Filesize
6.1MB

Download
memory/1208-23-0x0000000004F50000-0x000000000505A000-memory.dmp

Filesize
1.0MB

Download
memory/1208-24-0x0000000004E80000-0x0000000004E92000-memory.dmp

Filesize
72KB

Download
memory/1208-25-0x0000000004EE0000-0x0000000004F1C000-memory.dmp

Filesize
240KB

Download
memory/1208-26-0x0000000005060000-0x00000000050AC000-memory.dmp

Filesize
304KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads