redline | 1dad1e9aceb0072f299b1be77087065e052870e3923e49f6ec86ba7bd3330024

General

Target

1dad1e9aceb0072f299b1be77087065e052870e3923e49f6ec86ba7bd3330024.exe
Size

1.1MB
MD5

eb1e3f021d46185f9c2872fa029807ab
SHA1

4a352d71f7556b8a845e0beca84219cbed19c0ed
SHA256

1dad1e9aceb0072f299b1be77087065e052870e3923e49f6ec86ba7bd3330024
SHA512

114682609bbbe5f89b882ceb8963af36a268173d6fc80084d7425bd964eba94495bab04678f620b915caf0cbe637370a9fca2802488312056b8ba13e3f97ffaa
SSDEEP

24576:DyGugemunlXB/33SvhKSH20V3FEFYKhYgx/av3G6kDuhw:Weklx/3CpK83eCK18v3G6uuh

Score

10^/10

redline doma discovery infostealer persistence

Malware Config

Extracted

Family

redline

Botnet

doma

C2

185.161.248.75:4132

Attributes

auth_value
8be53af7f78567706928d0abef953ef4

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 2 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\f1937056.exe	family_redline
behavioral1/memory/5056-21-0x0000000000E20000-0x0000000000E4A000-memory.dmp	family_redline

Redline family
redline
Executes dropped EXE 3 IoCs

Processes:

x4712446.exex7512968.exef1937056.exe

pid process

3804 x4712446.exe
1680 x7512968.exe
5056 f1937056.exe

pid	process
3804	x4712446.exe
1680	x7512968.exe
5056	f1937056.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

1dad1e9aceb0072f299b1be77087065e052870e3923e49f6ec86ba7bd3330024.exex4712446.exex7512968.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	1dad1e9aceb0072f299b1be77087065e052870e3923e49f6ec86ba7bd3330024.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	x4712446.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	x7512968.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

1dad1e9aceb0072f299b1be77087065e052870e3923e49f6ec86ba7bd3330024.exex4712446.exex7512968.exef1937056.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1dad1e9aceb0072f299b1be77087065e052870e3923e49f6ec86ba7bd3330024.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	x4712446.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	x7512968.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f1937056.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

1dad1e9aceb0072f299b1be77087065e052870e3923e49f6ec86ba7bd3330024.exex4712446.exex7512968.exe

description	pid	process	target process
PID 1008 wrote to memory of 3804	1008	1dad1e9aceb0072f299b1be77087065e052870e3923e49f6ec86ba7bd3330024.exe	x4712446.exe
PID 1008 wrote to memory of 3804	1008	1dad1e9aceb0072f299b1be77087065e052870e3923e49f6ec86ba7bd3330024.exe	x4712446.exe
PID 1008 wrote to memory of 3804	1008	1dad1e9aceb0072f299b1be77087065e052870e3923e49f6ec86ba7bd3330024.exe	x4712446.exe
PID 3804 wrote to memory of 1680	3804	x4712446.exe	x7512968.exe
PID 3804 wrote to memory of 1680	3804	x4712446.exe	x7512968.exe
PID 3804 wrote to memory of 1680	3804	x4712446.exe	x7512968.exe
PID 1680 wrote to memory of 5056	1680	x7512968.exe	f1937056.exe
PID 1680 wrote to memory of 5056	1680	x7512968.exe	f1937056.exe
PID 1680 wrote to memory of 5056	1680	x7512968.exe	f1937056.exe

C:\Users\Admin\AppData\Local\Temp\1dad1e9aceb0072f299b1be77087065e052870e3923e49f6ec86ba7bd3330024.exe
"C:\Users\Admin\AppData\Local\Temp\1dad1e9aceb0072f299b1be77087065e052870e3923e49f6ec86ba7bd3330024.exe"
1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1008
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x4712446.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x4712446.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3804
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x7512968.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x7512968.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1680
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\f1937056.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\f1937056.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:5056

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x4712446.exe

Filesize
749KB

MD5
35e72ef5014c6cbf6618123d56eeb680

SHA1
f74cf7cef34e6a1fd682ec9fa635f13f3a44971b

SHA256
df5124c34a90756bbd08c8ce6aaede801482479c79d13e383d2e33ce27a26a44

SHA512
18569163ce94c748a6437be86ba293e7ae4dbb3172ea2de6ed13fb2fe90615a2475e64e8d5178d5b5689261d654f5baea6fca3b02eec242112f77b515ff29446

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x7512968.exe

Filesize
304KB

MD5
11376f8e5858079735f4e14a9a5b867d

SHA1
58beb7c401d8a943fb4e81c898e85db31523aa18

SHA256
a98ccc92a446c6378777682ba436e9cf03fa8cda480abf78d2436703a1b267bb

SHA512
a2a12a2880cac9deb6f9263033429945c610054c7e3db7c05c3db9da2d4fa7fdd56fbc6fd6e484d65fb8fcd066e450d2e6e40bb5155f92f271075380bfe33e0b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\f1937056.exe

Filesize
145KB

MD5
65a06947079e5a84dc4bf344a90ffac6

SHA1
0e868980292db7a7ea5832b0c2c4f6817accb342

SHA256
40f32db48470eb1d5740e15b4b5d5e225fc62848f79ab87f437856b5f9146683

SHA512
2921c0d2448452bb0a9e5200083239eaf5ea95e8aa90835257352348a7d162fea289b5015be7478f241d6049d64ed16a2e27a81fed3b4b409d4cd9b2207f50bb

Download Submit
memory/5056-21-0x0000000000E20000-0x0000000000E4A000-memory.dmp

Filesize
168KB

Download
memory/5056-22-0x0000000005C30000-0x0000000006248000-memory.dmp

Filesize
6.1MB

Download
memory/5056-23-0x00000000057B0000-0x00000000058BA000-memory.dmp

Filesize
1.0MB

Download
memory/5056-24-0x00000000056E0000-0x00000000056F2000-memory.dmp

Filesize
72KB

Download
memory/5056-25-0x0000000005770000-0x00000000057AC000-memory.dmp

Filesize
240KB

Download
memory/5056-26-0x0000000005700000-0x000000000574C000-memory.dmp

Filesize
304KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads