redline | 16fc346b87d7e591a35d0f6aa018fdc471dc8ac6d65aaea2912d292e24a0965f

General

Target

16fc346b87d7e591a35d0f6aa018fdc471dc8ac6d65aaea2912d292e24a0965f.exe
Size

1.1MB
MD5

1946c31c62492f7edbd5dbeca094a806
SHA1

65b74a2e81e372ccef0542a51e5a1dd7a87cfd36
SHA256

16fc346b87d7e591a35d0f6aa018fdc471dc8ac6d65aaea2912d292e24a0965f
SHA512

8e89a200f37a89c48135f930b53148013f264c9fade89127a44579ccbb3d71b3f994a9b91cee0a6436880509d71df626aded1646129000b8adbddc3eca4950f7
SSDEEP

24576:IyNrHnIU1El8nYuR//dE+qsoMYbNR90Bb1J49hIPfUIQJRCgbYuo:PNDIU1CPmY9ub1uQFSUV

Score

10^/10

redline doma discovery infostealer persistence

Malware Config

Extracted

Family

redline

Botnet

doma

C2

185.161.248.75:4132

Attributes

auth_value
8be53af7f78567706928d0abef953ef4

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 2 IoCs

Processes:

resource	yara_rule
behavioral1/files/0x0008000000023c9d-19.dat	family_redline
behavioral1/memory/3204-21-0x0000000000DA0000-0x0000000000DCA000-memory.dmp	family_redline

Redline family
redline

Executes dropped EXE 3 IoCs

Processes:

x8693438.exex9109766.exef0015064.exe

pid	Process
208	x8693438.exe
212	x9109766.exe
3204	f0015064.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

16fc346b87d7e591a35d0f6aa018fdc471dc8ac6d65aaea2912d292e24a0965f.exex8693438.exex9109766.exe

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	16fc346b87d7e591a35d0f6aa018fdc471dc8ac6d65aaea2912d292e24a0965f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	x8693438.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	x9109766.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

16fc346b87d7e591a35d0f6aa018fdc471dc8ac6d65aaea2912d292e24a0965f.exex8693438.exex9109766.exef0015064.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	16fc346b87d7e591a35d0f6aa018fdc471dc8ac6d65aaea2912d292e24a0965f.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	x8693438.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	x9109766.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f0015064.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

16fc346b87d7e591a35d0f6aa018fdc471dc8ac6d65aaea2912d292e24a0965f.exex8693438.exex9109766.exe

description	pid	Process	procid_target
PID 3464 wrote to memory of 208	3464	16fc346b87d7e591a35d0f6aa018fdc471dc8ac6d65aaea2912d292e24a0965f.exe	85
PID 3464 wrote to memory of 208	3464	16fc346b87d7e591a35d0f6aa018fdc471dc8ac6d65aaea2912d292e24a0965f.exe	85
PID 3464 wrote to memory of 208	3464	16fc346b87d7e591a35d0f6aa018fdc471dc8ac6d65aaea2912d292e24a0965f.exe	85
PID 208 wrote to memory of 212	208	x8693438.exe	86
PID 208 wrote to memory of 212	208	x8693438.exe	86
PID 208 wrote to memory of 212	208	x8693438.exe	86
PID 212 wrote to memory of 3204	212	x9109766.exe	88
PID 212 wrote to memory of 3204	212	x9109766.exe	88
PID 212 wrote to memory of 3204	212	x9109766.exe	88

C:\Users\Admin\AppData\Local\Temp\16fc346b87d7e591a35d0f6aa018fdc471dc8ac6d65aaea2912d292e24a0965f.exe
"C:\Users\Admin\AppData\Local\Temp\16fc346b87d7e591a35d0f6aa018fdc471dc8ac6d65aaea2912d292e24a0965f.exe"
1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3464
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x8693438.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x8693438.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:208
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x9109766.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x9109766.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:212
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\f0015064.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\f0015064.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:3204

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x8693438.exe

Filesize
749KB

MD5
dffa288ee84017e2218f471ea6152ba7

SHA1
63c289b72ebd603a7b15d451b0255de2d320af66

SHA256
5c328ec383abf80e48e55303d4c0006928685ddeba12d4d6540515ba4d15b9c0

SHA512
b59b5a4374f811a78f37c4eea482538f67da38be211f23585d05f5c1b610d2b72af5588116c86539fbfa9a6a3f21811d478115eb95fc410480c986902a172ff7

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x9109766.exe

Filesize
304KB

MD5
dd6ded9131f02d18ba97ca788546d4c7

SHA1
045e7d14a83cb7bc60230a80a6a5612a496597e8

SHA256
f880a3ea2ed27f56ffc6863cb896dfa9e99949bf7b7aeeda06f38098544cc797

SHA512
aadff657e7dc2770dcf2d3f0fd48df2dbfb4688cfcc102bfa035a9364ec65627f40e48979f918b6cbc497f4e4b1fc6735dec7164518cd692b6357e176e9eb01d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\f0015064.exe

Filesize
145KB

MD5
c9dd78f206a6f4b247d6b664bcea46aa

SHA1
755e5a5aa7c4ad0342a127737895eaf19cc8f5db

SHA256
aa841c4ff82307d482172517597d007a4526c9ead1166c3059f854c4207fca63

SHA512
e20099736f1f710d8e2ccd30d8d8e8e518f2c80ea8aa4e9040bf5ba6474488e7e7210becedc692dead0daeffcefa97adbf4c4081e98ea2cdc753dd1f51f63469

Download Submit
memory/3204-21-0x0000000000DA0000-0x0000000000DCA000-memory.dmp

Filesize
168KB

Download
memory/3204-22-0x0000000005C40000-0x0000000006258000-memory.dmp

Filesize
6.1MB

Download
memory/3204-23-0x0000000005730000-0x000000000583A000-memory.dmp

Filesize
1.0MB

Download
memory/3204-24-0x0000000005660000-0x0000000005672000-memory.dmp

Filesize
72KB

Download
memory/3204-25-0x00000000056E0000-0x000000000571C000-memory.dmp

Filesize
240KB

Download
memory/3204-26-0x0000000005840000-0x000000000588C000-memory.dmp

Filesize
304KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads