redline | 99f37d30fd14da3f0a86dd987648f08d14f66c8b308adb692258444c868ff70b

General

Target

99f37d30fd14da3f0a86dd987648f08d14f66c8b308adb692258444c868ff70b.exe
Size

1.1MB
MD5

b768953f9f90e4326fb9aa2706cfb59b
SHA1

810bb97f485c25e1c77650edb6af2f6d562ed9b8
SHA256

99f37d30fd14da3f0a86dd987648f08d14f66c8b308adb692258444c868ff70b
SHA512

a03ca0be11c9163d072cfb4adcd6a45d43a764f23d5a29df128fd3c2c8834c1088544725e15b1651b91a9d82cc78905ef23ac0d0dfc31b14a9d10fbf3425e5be
SSDEEP

24576:/y7qWViUlIz7aiuPbecANOWEQMpkCosfUuPtaQEE4PePbbr:K7qHUlIzNuPbuEtmKfUQ7b

Score

10^/10

redline doma discovery infostealer persistence

Malware Config

Extracted

Family

redline

Botnet

doma

C2

185.161.248.75:4132

Attributes

auth_value
8be53af7f78567706928d0abef953ef4

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 2 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\f4740002.exe	family_redline
behavioral1/memory/1796-21-0x00000000003B0000-0x00000000003DA000-memory.dmp	family_redline

Redline family
redline
Executes dropped EXE 3 IoCs

Processes:

x3005076.exex9081269.exef4740002.exe

pid process

2588 x3005076.exe
2032 x9081269.exe
1796 f4740002.exe

pid	process
2588	x3005076.exe
2032	x9081269.exe
1796	f4740002.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

99f37d30fd14da3f0a86dd987648f08d14f66c8b308adb692258444c868ff70b.exex3005076.exex9081269.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	99f37d30fd14da3f0a86dd987648f08d14f66c8b308adb692258444c868ff70b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	x3005076.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	x9081269.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

99f37d30fd14da3f0a86dd987648f08d14f66c8b308adb692258444c868ff70b.exex3005076.exex9081269.exef4740002.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	99f37d30fd14da3f0a86dd987648f08d14f66c8b308adb692258444c868ff70b.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	x3005076.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	x9081269.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f4740002.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

99f37d30fd14da3f0a86dd987648f08d14f66c8b308adb692258444c868ff70b.exex3005076.exex9081269.exe

description	pid	process	target process
PID 1692 wrote to memory of 2588	1692	99f37d30fd14da3f0a86dd987648f08d14f66c8b308adb692258444c868ff70b.exe	x3005076.exe
PID 1692 wrote to memory of 2588	1692	99f37d30fd14da3f0a86dd987648f08d14f66c8b308adb692258444c868ff70b.exe	x3005076.exe
PID 1692 wrote to memory of 2588	1692	99f37d30fd14da3f0a86dd987648f08d14f66c8b308adb692258444c868ff70b.exe	x3005076.exe
PID 2588 wrote to memory of 2032	2588	x3005076.exe	x9081269.exe
PID 2588 wrote to memory of 2032	2588	x3005076.exe	x9081269.exe
PID 2588 wrote to memory of 2032	2588	x3005076.exe	x9081269.exe
PID 2032 wrote to memory of 1796	2032	x9081269.exe	f4740002.exe
PID 2032 wrote to memory of 1796	2032	x9081269.exe	f4740002.exe
PID 2032 wrote to memory of 1796	2032	x9081269.exe	f4740002.exe

C:\Users\Admin\AppData\Local\Temp\99f37d30fd14da3f0a86dd987648f08d14f66c8b308adb692258444c868ff70b.exe
"C:\Users\Admin\AppData\Local\Temp\99f37d30fd14da3f0a86dd987648f08d14f66c8b308adb692258444c868ff70b.exe"
1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1692
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x3005076.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x3005076.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2588
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x9081269.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x9081269.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2032
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\f4740002.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\f4740002.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:1796

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x3005076.exe

Filesize
748KB

MD5
2d396b88f8f1c2c1b15e110323083e18

SHA1
814d5304ba2ef1a0ec44745bbc3c338d996bff57

SHA256
fc728fd5dfd49feaa2193f6fcbc552181bf57a5559936b4e5a767632fbe02b2a

SHA512
298ca461fc7499d71f7b3b7a5fc95f471e6b7711a7d7ff822fc68ccde0d5ac65602544351c3f15424fd249708df85162ab5d75d3b40834f26d8cb409feaefca3

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x9081269.exe

Filesize
304KB

MD5
206f7775943e55b08a6d42a725e8e47c

SHA1
42e0101dd1f158b055c0fb49ec3cd84e64244a94

SHA256
aae93e80c25f21f2cdf5581605a95273e32a6f03a7f668f7dc0ada3149c53a30

SHA512
93b714a5c45e789b3de9b623ee73be07c29965d634ef4d49bc7f5ebf25f969cb4f1a04964bf1bf6456dbf97b622312ad8e144908fe9be450611388de6de9cea3

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\f4740002.exe

Filesize
145KB

MD5
098b1ce415015ba427699012a3c3b740

SHA1
de6ae63e6ca3a9678180b69d37372041daf76068

SHA256
3fdbd66ca7ae218fe7c741237e147d6f463b9f09c1e130914a69ef7e6c14835b

SHA512
1b3bb0d69a923bb5ea1ca8be6b5036ea51b34018f0fbf4e6033225ef9393bd79a4fa96a6a738bde4fe1f672d6164110d80c862f97609f950c0706ba11d706006

Download Submit
memory/1796-21-0x00000000003B0000-0x00000000003DA000-memory.dmp

Filesize
168KB

Download
memory/1796-22-0x00000000051E0000-0x00000000057F8000-memory.dmp

Filesize
6.1MB

Download
memory/1796-23-0x0000000004D40000-0x0000000004E4A000-memory.dmp

Filesize
1.0MB

Download
memory/1796-24-0x0000000004C70000-0x0000000004C82000-memory.dmp

Filesize
72KB

Download
memory/1796-25-0x0000000004D00000-0x0000000004D3C000-memory.dmp

Filesize
240KB

Download
memory/1796-26-0x0000000004E50000-0x0000000004E9C000-memory.dmp

Filesize
304KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads