redline | 423e0de5ca1b91251de96f06caad1ebacad7559314477ab6b5c698c096b09be7

General

Target

423e0de5ca1b91251de96f06caad1ebacad7559314477ab6b5c698c096b09be7.exe
Size

1.1MB
MD5

325fdd6ab163573076def370b57efcbb
SHA1

ddfaaeab80038d461c66a792b13257b26b299714
SHA256

423e0de5ca1b91251de96f06caad1ebacad7559314477ab6b5c698c096b09be7
SHA512

4c95326396a01e72c8828e4b8ebc08fd7a22eabd30fbdaf927337c76f81a27cb709f4a5822a51d0787de801147f46dced26a82abe5863d6ef03e500a3695edd6
SSDEEP

24576:DyCqg4uVZaJDPfJZYUQdKrMsf9Sxuu9WIjmbU:WCqkPaJTfqdKH9SxNWQ

Score

10^/10

redline doma discovery infostealer persistence

Malware Config

Extracted

Family

redline

Botnet

doma

C2

185.161.248.75:4132

Attributes

auth_value
8be53af7f78567706928d0abef953ef4

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 2 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\f4547813.exe	family_redline
behavioral1/memory/1376-21-0x0000000000FD0000-0x0000000000FFA000-memory.dmp	family_redline

Redline family
redline
Executes dropped EXE 3 IoCs

Processes:

x1153738.exex6301022.exef4547813.exe

pid process

4028 x1153738.exe
4728 x6301022.exe
1376 f4547813.exe

pid	process
4028	x1153738.exe
4728	x6301022.exe
1376	f4547813.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

423e0de5ca1b91251de96f06caad1ebacad7559314477ab6b5c698c096b09be7.exex1153738.exex6301022.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	423e0de5ca1b91251de96f06caad1ebacad7559314477ab6b5c698c096b09be7.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	x1153738.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	x6301022.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

x1153738.exex6301022.exef4547813.exe423e0de5ca1b91251de96f06caad1ebacad7559314477ab6b5c698c096b09be7.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	x1153738.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	x6301022.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f4547813.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	423e0de5ca1b91251de96f06caad1ebacad7559314477ab6b5c698c096b09be7.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

423e0de5ca1b91251de96f06caad1ebacad7559314477ab6b5c698c096b09be7.exex1153738.exex6301022.exe

description	pid	process	target process
PID 216 wrote to memory of 4028	216	423e0de5ca1b91251de96f06caad1ebacad7559314477ab6b5c698c096b09be7.exe	x1153738.exe
PID 216 wrote to memory of 4028	216	423e0de5ca1b91251de96f06caad1ebacad7559314477ab6b5c698c096b09be7.exe	x1153738.exe
PID 216 wrote to memory of 4028	216	423e0de5ca1b91251de96f06caad1ebacad7559314477ab6b5c698c096b09be7.exe	x1153738.exe
PID 4028 wrote to memory of 4728	4028	x1153738.exe	x6301022.exe
PID 4028 wrote to memory of 4728	4028	x1153738.exe	x6301022.exe
PID 4028 wrote to memory of 4728	4028	x1153738.exe	x6301022.exe
PID 4728 wrote to memory of 1376	4728	x6301022.exe	f4547813.exe
PID 4728 wrote to memory of 1376	4728	x6301022.exe	f4547813.exe
PID 4728 wrote to memory of 1376	4728	x6301022.exe	f4547813.exe

C:\Users\Admin\AppData\Local\Temp\423e0de5ca1b91251de96f06caad1ebacad7559314477ab6b5c698c096b09be7.exe
"C:\Users\Admin\AppData\Local\Temp\423e0de5ca1b91251de96f06caad1ebacad7559314477ab6b5c698c096b09be7.exe"
1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:216
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x1153738.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x1153738.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4028
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x6301022.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x6301022.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:4728
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\f4547813.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\f4547813.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:1376

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x1153738.exe

Filesize
749KB

MD5
2facfd5ca895bae868eccab373bb65b9

SHA1
e0c4cdcb11cf902770e3455977cfd24e2fb2d02a

SHA256
261669e9e288cf1dc7f38be1eab1f2bf04340928a2e492659e821e9ca670e121

SHA512
1ff8ec2ba6adde97b677c38e3ae0f9f508f9d01fc4bb0cba49cb260668590ec911aabcd8953eedb80dd79b1a32aeb975f791973333b74d4e4f4dcf424bdced4b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x6301022.exe

Filesize
305KB

MD5
31f8a1c2a51cd7b552c6cbdb14065221

SHA1
09b6e8ba8b1666a90502e805cdc6a3ac80954edb

SHA256
bad2676184a9c9ec9e6407050232c2b787c81e0502bf8d7b4d3075fc8d00aaeb

SHA512
b180e5707b1b3a763555049b436e42d89313329eadac05546b7583daa90be4c808f35674e3a3e9848c7b0be34ca5a8c5dbe4c9ef867e59f3d8ea6e194246adeb

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\f4547813.exe

Filesize
145KB

MD5
329aacb2126f25bc4bc57927acdb38bb

SHA1
010c6cc3f73b261836dee97f76b7dad2e31de947

SHA256
91e016c4a1d65c5907329ad10d8c4f72c85af230792fbef25ca84eee37615ef8

SHA512
b9070c7c57b16ba4bfe3d11800f7bf6c2e511261b31c8baf6c0ae07fd45c94d71375dc3d3103e86d5af67e89dd9fc7ad73f6b3001df80ea3d183385fcff4bf18

Download Submit
memory/1376-21-0x0000000000FD0000-0x0000000000FFA000-memory.dmp

Filesize
168KB

Download
memory/1376-22-0x0000000005F20000-0x0000000006538000-memory.dmp

Filesize
6.1MB

Download
memory/1376-23-0x0000000005AA0000-0x0000000005BAA000-memory.dmp

Filesize
1.0MB

Download
memory/1376-24-0x00000000059F0000-0x0000000005A02000-memory.dmp

Filesize
72KB

Download
memory/1376-25-0x0000000005A50000-0x0000000005A8C000-memory.dmp

Filesize
240KB

Download
memory/1376-26-0x0000000005BB0000-0x0000000005BFC000-memory.dmp

Filesize
304KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads