redline | 02dcceb14ac0b91c46f900cec9361c6930c111a06396f761f3f0e99bd476befb

General

Target

02dcceb14ac0b91c46f900cec9361c6930c111a06396f761f3f0e99bd476befb.exe
Size

1.1MB
MD5

43a5c88009ee032e8317ab577840691d
SHA1

02c24e59294ded9f72d0e47fd481de3df60f0ad6
SHA256

02dcceb14ac0b91c46f900cec9361c6930c111a06396f761f3f0e99bd476befb
SHA512

ac35f925c94acfd4e4660f23fcd69f301c1e4fb9906b2d573ad1c736cc233fed275c5a9f91968070f052fe0db52a1f5e4dfe817a53a529448dc088f1bbbfc1b0
SSDEEP

24576:py1zwUae8aAp0WN1rYDwYP1yLZ8HNM4VluZ2MoaSp80na:c19Ljs0+u9yN8tMqzaSfn

Score

10^/10

redline doma discovery infostealer persistence

Malware Config

Extracted

Family

redline

Botnet

doma

C2

185.161.248.75:4132

Attributes

auth_value
8be53af7f78567706928d0abef953ef4

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 2 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\f9304641.exe	family_redline
behavioral1/memory/1352-21-0x0000000000610000-0x000000000063A000-memory.dmp	family_redline

Redline family
redline
Executes dropped EXE 3 IoCs

Processes:

x4013719.exex8368435.exef9304641.exe

pid process

4780 x4013719.exe
2324 x8368435.exe
1352 f9304641.exe

pid	process
4780	x4013719.exe
2324	x8368435.exe
1352	f9304641.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

02dcceb14ac0b91c46f900cec9361c6930c111a06396f761f3f0e99bd476befb.exex4013719.exex8368435.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	02dcceb14ac0b91c46f900cec9361c6930c111a06396f761f3f0e99bd476befb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	x4013719.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	x8368435.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

02dcceb14ac0b91c46f900cec9361c6930c111a06396f761f3f0e99bd476befb.exex4013719.exex8368435.exef9304641.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	02dcceb14ac0b91c46f900cec9361c6930c111a06396f761f3f0e99bd476befb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	x4013719.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	x8368435.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f9304641.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

02dcceb14ac0b91c46f900cec9361c6930c111a06396f761f3f0e99bd476befb.exex4013719.exex8368435.exe

description	pid	process	target process
PID 1088 wrote to memory of 4780	1088	02dcceb14ac0b91c46f900cec9361c6930c111a06396f761f3f0e99bd476befb.exe	x4013719.exe
PID 1088 wrote to memory of 4780	1088	02dcceb14ac0b91c46f900cec9361c6930c111a06396f761f3f0e99bd476befb.exe	x4013719.exe
PID 1088 wrote to memory of 4780	1088	02dcceb14ac0b91c46f900cec9361c6930c111a06396f761f3f0e99bd476befb.exe	x4013719.exe
PID 4780 wrote to memory of 2324	4780	x4013719.exe	x8368435.exe
PID 4780 wrote to memory of 2324	4780	x4013719.exe	x8368435.exe
PID 4780 wrote to memory of 2324	4780	x4013719.exe	x8368435.exe
PID 2324 wrote to memory of 1352	2324	x8368435.exe	f9304641.exe
PID 2324 wrote to memory of 1352	2324	x8368435.exe	f9304641.exe
PID 2324 wrote to memory of 1352	2324	x8368435.exe	f9304641.exe

C:\Users\Admin\AppData\Local\Temp\02dcceb14ac0b91c46f900cec9361c6930c111a06396f761f3f0e99bd476befb.exe
"C:\Users\Admin\AppData\Local\Temp\02dcceb14ac0b91c46f900cec9361c6930c111a06396f761f3f0e99bd476befb.exe"
1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1088
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x4013719.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x4013719.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4780
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x8368435.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x8368435.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2324
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\f9304641.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\f9304641.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:1352

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x4013719.exe

Filesize
749KB

MD5
4a9806d6d6e413898f16420a073e3243

SHA1
e816e651e7f9b758fcbc10cc66e60e31794fb25f

SHA256
f69fe1b1a3779f5d82f9aa5aafd84217ee17fb26aac33ac25c87ca9a26605e39

SHA512
aca1796cac6811373c17fbe65af7d3eb96d484db1838c44f8314d2e71702860c4f9a2da36466b6234fbe6f080e8919594d4a4f749f7d453afe0278bdcc7681ee

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x8368435.exe

Filesize
304KB

MD5
78980feea57405e81bdbea696a9be308

SHA1
e19c3c032213b0a56391fce9e4e86ea7b4e8475f

SHA256
b6b86063cf821bf06d878e0677dbf0101eb094196164b4c8be0d6358fc8abc31

SHA512
06b1b76b1e875f5ad9638e8411c6079959036907e911d14daa1fe1388d59b032f1ef0c277a9a99614abc7431ddc130bf3faa0106ab3da15b76cfddc55721a0ee

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\f9304641.exe

Filesize
145KB

MD5
74828298fb286813f4ac2796ff5ea6e3

SHA1
abed917d3697b97c611b8faf85725373ee017692

SHA256
412b7c8565516a1013f4da9dad170c775ab48c5790b7e7bbf78d02e0e08a7b47

SHA512
e83ddc808cd0a8b5f32013893a94eae2bc25b53c251e1b81f3a9caddacb749ab32ac944dff5942373e1787b2bfb918b9b512727de269e95a51c25c4f14821ff6

Download Submit
memory/1352-21-0x0000000000610000-0x000000000063A000-memory.dmp

Filesize
168KB

Download
memory/1352-22-0x0000000005440000-0x0000000005A58000-memory.dmp

Filesize
6.1MB

Download
memory/1352-23-0x0000000004FA0000-0x00000000050AA000-memory.dmp

Filesize
1.0MB

Download
memory/1352-24-0x0000000004ED0000-0x0000000004EE2000-memory.dmp

Filesize
72KB

Download
memory/1352-25-0x0000000004F60000-0x0000000004F9C000-memory.dmp

Filesize
240KB

Download
memory/1352-26-0x0000000004EF0000-0x0000000004F3C000-memory.dmp

Filesize
304KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads