redline | 149c152a432c01826357b3d412a284afbd0d9431b22aedb88eb8f4a8d7a50e24

General

Target

149c152a432c01826357b3d412a284afbd0d9431b22aedb88eb8f4a8d7a50e24.exe
Size

1.1MB
MD5

7a428f5a0a64a069377d568f5011475a
SHA1

4198ea3ce7c29d42fed9fe78f1b966133175ac2b
SHA256

149c152a432c01826357b3d412a284afbd0d9431b22aedb88eb8f4a8d7a50e24
SHA512

0f4a2999d03695fb01bf9191c4930d663c2008eb0cf701bb2aa81627c1f89fc0b6fd4bff8cae3cb19f26ba1f3004dbc374ffe37a3939a57a8e5c1434d04a9c54
SSDEEP

24576:iygtDGiWmftoL2QtjcdlJHPrWWYfB1RJ0B0:JgtCiWmtoaQCljWWYpCB

Score

10^/10

redline doma discovery infostealer persistence

Malware Config

Extracted

Family

redline

Botnet

doma

C2

185.161.248.75:4132

Attributes

auth_value
8be53af7f78567706928d0abef953ef4

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 2 IoCs

Processes:

resource	yara_rule
behavioral1/files/0x000b000000023b6d-19.dat	family_redline
behavioral1/memory/4580-21-0x0000000000B50000-0x0000000000B7A000-memory.dmp	family_redline

Redline family
redline

Executes dropped EXE 3 IoCs

Processes:

x9100637.exex7287088.exef8395625.exe

pid	Process
4388	x9100637.exe
3128	x7287088.exe
4580	f8395625.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

149c152a432c01826357b3d412a284afbd0d9431b22aedb88eb8f4a8d7a50e24.exex9100637.exex7287088.exe

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	149c152a432c01826357b3d412a284afbd0d9431b22aedb88eb8f4a8d7a50e24.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	x9100637.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	x7287088.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

149c152a432c01826357b3d412a284afbd0d9431b22aedb88eb8f4a8d7a50e24.exex9100637.exex7287088.exef8395625.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	149c152a432c01826357b3d412a284afbd0d9431b22aedb88eb8f4a8d7a50e24.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	x9100637.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	x7287088.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f8395625.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

149c152a432c01826357b3d412a284afbd0d9431b22aedb88eb8f4a8d7a50e24.exex9100637.exex7287088.exe

description	pid	Process	procid_target
PID 1652 wrote to memory of 4388	1652	149c152a432c01826357b3d412a284afbd0d9431b22aedb88eb8f4a8d7a50e24.exe	84
PID 1652 wrote to memory of 4388	1652	149c152a432c01826357b3d412a284afbd0d9431b22aedb88eb8f4a8d7a50e24.exe	84
PID 1652 wrote to memory of 4388	1652	149c152a432c01826357b3d412a284afbd0d9431b22aedb88eb8f4a8d7a50e24.exe	84
PID 4388 wrote to memory of 3128	4388	x9100637.exe	86
PID 4388 wrote to memory of 3128	4388	x9100637.exe	86
PID 4388 wrote to memory of 3128	4388	x9100637.exe	86
PID 3128 wrote to memory of 4580	3128	x7287088.exe	87
PID 3128 wrote to memory of 4580	3128	x7287088.exe	87
PID 3128 wrote to memory of 4580	3128	x7287088.exe	87

C:\Users\Admin\AppData\Local\Temp\149c152a432c01826357b3d412a284afbd0d9431b22aedb88eb8f4a8d7a50e24.exe
"C:\Users\Admin\AppData\Local\Temp\149c152a432c01826357b3d412a284afbd0d9431b22aedb88eb8f4a8d7a50e24.exe"
1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1652
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x9100637.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x9100637.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4388
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x7287088.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x7287088.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3128
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\f8395625.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\f8395625.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:4580

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x9100637.exe

Filesize
748KB

MD5
14e9b0a1b5cb758f44de0d561e787c48

SHA1
bc4ce1b5a14a5daf5dcfbd86cf1d31ea04553311

SHA256
319c660aff0fd57886698d60336697b594e43921a5d02c6148bbda0e369272e6

SHA512
dc23027e624c615b764670cb1a31016515a01054a4abb1c10e7f49c5f3976393d1a13d3f1af9d2146d8160c60cf419ed285b3c14d97a7874a25bf4d160e9cd09

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x7287088.exe

Filesize
304KB

MD5
1b97a99553140d7f52ff24c59589698f

SHA1
acc2faba6b18d41200d9aa067156ff45fe0ec8f4

SHA256
c95feb39eb406cfb6440610eb6dfe30601610c64359e291d3a26b467fd7cab8e

SHA512
5da56a2ad1cd2ed93b7ede896b86f78c6fc8007905c780ff4070f50e93888a40a75dfd9c4d914fa41ba7d34f092459e5b07a2bcaed5980f70af817a326ab714d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\f8395625.exe

Filesize
145KB

MD5
05311dd599059e288e33e327af178a6d

SHA1
d418593b63d7446a03b4562a90c3e718630d27cb

SHA256
c37209d2a1a29552e58c3b0c4ebca7dc2e5c3781e7ab3f183551850eb8088f23

SHA512
764e47abbd2d97580efec45e7d03f2bafc85950a70887b3036b40dcb802d9626626d3ce5f99ef8732acb9811faf30cc686b0e578abad1932bd2bd12a42ecf31f

Download Submit
memory/4580-21-0x0000000000B50000-0x0000000000B7A000-memory.dmp

Filesize
168KB

Download
memory/4580-22-0x0000000005A90000-0x00000000060A8000-memory.dmp

Filesize
6.1MB

Download
memory/4580-23-0x0000000005610000-0x000000000571A000-memory.dmp

Filesize
1.0MB

Download
memory/4580-24-0x0000000005540000-0x0000000005552000-memory.dmp

Filesize
72KB

Download
memory/4580-25-0x00000000055A0000-0x00000000055DC000-memory.dmp

Filesize
240KB

Download
memory/4580-26-0x0000000005720000-0x000000000576C000-memory.dmp

Filesize
304KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads