redline | 21c9f6b362d2208ebb34a35ba58d66e6c4211f6941bd0eafc647f593e70e4dd9

General

Target

21c9f6b362d2208ebb34a35ba58d66e6c4211f6941bd0eafc647f593e70e4dd9.exe
Size

1.1MB
MD5

fa5bebac4b4c77b743eef2081c8a2877
SHA1

2407d00dcffd6260f94fe1cbc19ae4d7687c1d2f
SHA256

21c9f6b362d2208ebb34a35ba58d66e6c4211f6941bd0eafc647f593e70e4dd9
SHA512

3a1e3f9110267f7757149928ab6c55959d2374279111ea91a538333e6371d8bd6f74d08259cda71314f61ddf2abe0c549ac1c02f93a8b5dc8af45ba2265c1972
SSDEEP

24576:PysL1s11Yerqr8YeZv28EDYHXEtEeq+YHL1WFTUThrF:asL1qYe/pQY3le/YHhWFT0

Score

10^/10

redline doma discovery infostealer persistence

Malware Config

Extracted

Family

redline

Botnet

doma

C2

185.161.248.75:4132

Attributes

auth_value
8be53af7f78567706928d0abef953ef4

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 2 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\f0745017.exe	family_redline
behavioral1/memory/640-21-0x0000000000E40000-0x0000000000E6A000-memory.dmp	family_redline

Redline family
redline
Executes dropped EXE 3 IoCs

Processes:

x1383108.exex0190430.exef0745017.exe

pid process

3120 x1383108.exe
3284 x0190430.exe
640 f0745017.exe

pid	process
3120	x1383108.exe
3284	x0190430.exe
640	f0745017.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

21c9f6b362d2208ebb34a35ba58d66e6c4211f6941bd0eafc647f593e70e4dd9.exex1383108.exex0190430.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	21c9f6b362d2208ebb34a35ba58d66e6c4211f6941bd0eafc647f593e70e4dd9.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	x1383108.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	x0190430.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

21c9f6b362d2208ebb34a35ba58d66e6c4211f6941bd0eafc647f593e70e4dd9.exex1383108.exex0190430.exef0745017.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	21c9f6b362d2208ebb34a35ba58d66e6c4211f6941bd0eafc647f593e70e4dd9.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	x1383108.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	x0190430.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f0745017.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

21c9f6b362d2208ebb34a35ba58d66e6c4211f6941bd0eafc647f593e70e4dd9.exex1383108.exex0190430.exe

description	pid	process	target process
PID 5048 wrote to memory of 3120	5048	21c9f6b362d2208ebb34a35ba58d66e6c4211f6941bd0eafc647f593e70e4dd9.exe	x1383108.exe
PID 5048 wrote to memory of 3120	5048	21c9f6b362d2208ebb34a35ba58d66e6c4211f6941bd0eafc647f593e70e4dd9.exe	x1383108.exe
PID 5048 wrote to memory of 3120	5048	21c9f6b362d2208ebb34a35ba58d66e6c4211f6941bd0eafc647f593e70e4dd9.exe	x1383108.exe
PID 3120 wrote to memory of 3284	3120	x1383108.exe	x0190430.exe
PID 3120 wrote to memory of 3284	3120	x1383108.exe	x0190430.exe
PID 3120 wrote to memory of 3284	3120	x1383108.exe	x0190430.exe
PID 3284 wrote to memory of 640	3284	x0190430.exe	f0745017.exe
PID 3284 wrote to memory of 640	3284	x0190430.exe	f0745017.exe
PID 3284 wrote to memory of 640	3284	x0190430.exe	f0745017.exe

C:\Users\Admin\AppData\Local\Temp\21c9f6b362d2208ebb34a35ba58d66e6c4211f6941bd0eafc647f593e70e4dd9.exe
"C:\Users\Admin\AppData\Local\Temp\21c9f6b362d2208ebb34a35ba58d66e6c4211f6941bd0eafc647f593e70e4dd9.exe"
1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:5048
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x1383108.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x1383108.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3120
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x0190430.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x0190430.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3284
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\f0745017.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\f0745017.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:640

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x1383108.exe

Filesize
748KB

MD5
86fd4a34303f3fb88b90568f428280a5

SHA1
6dd93ae0b9b0f1a2a1b39733fd28c6940ec84d0b

SHA256
e4057284fafeb66c11885e03cf15ca05514813f110c112de83d3dfab825a5777

SHA512
0fe26110afaa8b195bd1d27380fcb5809bc917066209a6e55aa61b5552a859fe9314f5dc57df770da946de6080c6323e4c2c2470a4900faf09d73b016216673a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x0190430.exe

Filesize
304KB

MD5
d18ce66d421f35062a0748c80d158821

SHA1
fa266b13588a4c5c7e8d8c9d2075b8f40ec81bb7

SHA256
cf516a17ce422bf665750230442005c5dc43b7fd6674093765d6c0c28f4ef5c5

SHA512
49ea891c6612dff300fb14bc836f7815b40be22c883773c03f9ffca53420702f63a75851b5888ca4d9631d0208ce5546f27750350511b5742e1866f48a274ee9

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\f0745017.exe

Filesize
145KB

MD5
a333ef5b08b00d28a92ae8d299c535f0

SHA1
a2136926d72b273a361c3fdbf04231426eda0e03

SHA256
4cf544f7deeda33c24219eec69e9b1326853fef8410a3f82f2e66a6922dd37a1

SHA512
0e589d1d23992ebb599fb08cfdb5dfa82b4acfaeee3f4a13ff3bc60e05ca77241184c69b7076c7c481b956228661ade97d39aa354c0297f0542abaf28eab372b

Download Submit
memory/640-21-0x0000000000E40000-0x0000000000E6A000-memory.dmp

Filesize
168KB

Download
memory/640-22-0x0000000005C90000-0x00000000062A8000-memory.dmp

Filesize
6.1MB

Download
memory/640-23-0x00000000057D0000-0x00000000058DA000-memory.dmp

Filesize
1.0MB

Download
memory/640-24-0x0000000005700000-0x0000000005712000-memory.dmp

Filesize
72KB

Download
memory/640-25-0x0000000005770000-0x00000000057AC000-memory.dmp

Filesize
240KB

Download
memory/640-26-0x00000000058E0000-0x000000000592C000-memory.dmp

Filesize
304KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads