redline | fc68e04f62eaef727b44915efeb8005cae3b8368c9d4cefb1b8714e5b3fb7d3b

General

Target

fc68e04f62eaef727b44915efeb8005cae3b8368c9d4cefb1b8714e5b3fb7d3b.exe
Size

1.5MB
MD5

36e99f18e054464b82a9364c07e68f2c
SHA1

e1c1274a0d6056247093d937cc878f8f02ad378b
SHA256

fc68e04f62eaef727b44915efeb8005cae3b8368c9d4cefb1b8714e5b3fb7d3b
SHA512

23c35cf7b231d5c2c53ea3405dc8e3ceb5dc03f63039c07385d88e235dd43f3d00079ec58e10cba9b0633a2e84540a2b5799cf42f5f3e7c2b95603a41a3b9675
SSDEEP

24576:OyoL0lawCioVC30r/yd2yhLfsU4KPrluslSh/dPdX8qnm3fhfBnaq52ygASA8bkX:dw33x2ZlsHKPrlrIVFX8qnm33adgU1

Score

10^/10

redline most discovery infostealer persistence

Malware Config

Extracted

Family

redline

Botnet

most

C2

185.161.248.73:4164

Attributes

auth_value
7da4dfa153f2919e617aa016f7c36008

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 2 IoCs

resource	yara_rule
behavioral1/files/0x0008000000023cc0-33.dat	family_redline
behavioral1/memory/1236-35-0x0000000000E40000-0x0000000000E70000-memory.dmp	family_redline

Redline family
redline

Executes dropped EXE 5 IoCs

pid	Process
920	i32334905.exe
2904	i83474618.exe
4124	i78900770.exe
996	i31990444.exe
1236	a33623661.exe

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	i32334905.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	i83474618.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	i78900770.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\""	i31990444.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	fc68e04f62eaef727b44915efeb8005cae3b8368c9d4cefb1b8714e5b3fb7d3b.exe

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	i32334905.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	i83474618.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	i78900770.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	i31990444.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a33623661.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fc68e04f62eaef727b44915efeb8005cae3b8368c9d4cefb1b8714e5b3fb7d3b.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 4152 wrote to memory of 920	4152	fc68e04f62eaef727b44915efeb8005cae3b8368c9d4cefb1b8714e5b3fb7d3b.exe	83
PID 4152 wrote to memory of 920	4152	fc68e04f62eaef727b44915efeb8005cae3b8368c9d4cefb1b8714e5b3fb7d3b.exe	83
PID 4152 wrote to memory of 920	4152	fc68e04f62eaef727b44915efeb8005cae3b8368c9d4cefb1b8714e5b3fb7d3b.exe	83
PID 920 wrote to memory of 2904	920	i32334905.exe	84
PID 920 wrote to memory of 2904	920	i32334905.exe	84
PID 920 wrote to memory of 2904	920	i32334905.exe	84
PID 2904 wrote to memory of 4124	2904	i83474618.exe	86
PID 2904 wrote to memory of 4124	2904	i83474618.exe	86
PID 2904 wrote to memory of 4124	2904	i83474618.exe	86
PID 4124 wrote to memory of 996	4124	i78900770.exe	88
PID 4124 wrote to memory of 996	4124	i78900770.exe	88
PID 4124 wrote to memory of 996	4124	i78900770.exe	88
PID 996 wrote to memory of 1236	996	i31990444.exe	89
PID 996 wrote to memory of 1236	996	i31990444.exe	89
PID 996 wrote to memory of 1236	996	i31990444.exe	89

C:\Users\Admin\AppData\Local\Temp\fc68e04f62eaef727b44915efeb8005cae3b8368c9d4cefb1b8714e5b3fb7d3b.exe
"C:\Users\Admin\AppData\Local\Temp\fc68e04f62eaef727b44915efeb8005cae3b8368c9d4cefb1b8714e5b3fb7d3b.exe"
1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4152
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i32334905.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i32334905.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:920
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\i83474618.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\i83474618.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2904
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i78900770.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i78900770.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:4124
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\i31990444.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\i31990444.exe
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:996
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a33623661.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a33623661.exe
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1236

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i32334905.exe

Filesize
1.3MB

MD5
cf02fa4c8b776da5c5c2bb967d4c18bd

SHA1
cfd6e6c1080b4b21b2ad41c6a3e18742455f7d15

SHA256
d1808821150f1a2910771076feee5b0315c476a6e6aa1ced398465052a76a835

SHA512
bca6010b4d3aa7526e958f04548dda0cb4a2ace9ee18cc6e6ac889f2f9f80d5259b09db91d5274ec6e378540276c08bc0a391313fed04b438db19b86110ef9e8

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\i83474618.exe

Filesize
1015KB

MD5
e7db3c84a75c277f839dc012e14a591f

SHA1
b44fad91426fbb6c7375b77e71678c122b5d3b0c

SHA256
faef8199ce1935e6f5b5ced784a0d1a7559ca3fe13055cd1367389b185ab197e

SHA512
385e4c059313028aa524b045df0d922830fa5514a1a4d97886223bcb41dbed206658b28945dcd0ade859e9d07a178b7f1522887b6691de588cc1d1cc52ea1239

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i78900770.exe

Filesize
843KB

MD5
ecab5091774e3a225fb03fd5a0d7fa93

SHA1
0c2a44e41d5397aa0b3672ab9855104febbf7f38

SHA256
7b003153cac976428660ebfa8d19f79e21ef1241b017e7ff1bf616cc31efa4af

SHA512
009606c7df24bd1f6d9e10e745f9b1029019879d6d03e16d43ebea46f310d5aa3b9437969d66bb019191607d7cd9efd8043b4e15bee5677f4cbe529c37feefe1

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\i31990444.exe

Filesize
371KB

MD5
35a3f331c92dbc4f52998795d213b92b

SHA1
6f6317f72c5df565113587b2bcae76eab297b4dd

SHA256
12bcd9dc1883d7a96a5b9817e72811ee6a0052af10d3f8faa638a0d81fe5b53d

SHA512
bcbda413da7f5e92d4e69b34fb238a487366e2636449161c01977d1a1739f3e6113b30dde9d46b8115b3e00fb0637872ee4cbed426bacd57b7755d4e10251cf0

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a33623661.exe

Filesize
169KB

MD5
3034ee8e226ab293e8b9f13121434465

SHA1
45c328ac9268cbb76c1d37044d581fd40e902585

SHA256
25c6e1a35c12fd504218a30db9b522f729441f2780273b3834d54ec28e9ecc07

SHA512
a6d095a405ffa3ba354b7642af0d56957ccf905702be2843573684ac29edcb84700f2436c71008ee0aa7b64b292ef3d56484268e86907ed7a3ac30bb4a01fe99

Download Submit
memory/1236-35-0x0000000000E40000-0x0000000000E70000-memory.dmp

Filesize
192KB

Download
memory/1236-36-0x0000000003130000-0x0000000003136000-memory.dmp

Filesize
24KB

Download
memory/1236-37-0x000000000B210000-0x000000000B828000-memory.dmp

Filesize
6.1MB

Download
memory/1236-38-0x000000000AD00000-0x000000000AE0A000-memory.dmp

Filesize
1.0MB

Download
memory/1236-39-0x000000000ABF0000-0x000000000AC02000-memory.dmp

Filesize
72KB

Download
memory/1236-40-0x000000000AC10000-0x000000000AC4C000-memory.dmp

Filesize
240KB

Download
memory/1236-41-0x0000000005190000-0x00000000051DC000-memory.dmp

Filesize
304KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads