redline | 41fa7d7f76bc6b6cc8c1be637f314df8e3dfae9562d285f91b20ab9a3a6a3dd2

General

Target

41fa7d7f76bc6b6cc8c1be637f314df8e3dfae9562d285f91b20ab9a3a6a3dd2.exe
Size

1.1MB
MD5

5ba63058be4eed1201e25ca2e1612fbc
SHA1

9951f59134ea0d0eefea782717f47048c6de8c3d
SHA256

41fa7d7f76bc6b6cc8c1be637f314df8e3dfae9562d285f91b20ab9a3a6a3dd2
SHA512

6ed4fe0f8412904ff33366b2ce32e983a399ad820299bc8a0023d0faac97d783b728124eceb7d30dd5177bac124a22f64b7dcaa1636b2b4ebad1d9522d33e0d4
SSDEEP

24576:Ay9Juhj4vFY8N0lFm7hURvITRDl9P1Myc1F5Swgf:H3ejkYAR1U1ITzJ1I1Dg

Score

10^/10

redline doma discovery infostealer persistence

Malware Config

Extracted

Family

redline

Botnet

doma

C2

185.161.248.75:4132

Attributes

auth_value
8be53af7f78567706928d0abef953ef4

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 2 IoCs

resource	yara_rule
behavioral1/files/0x0008000000023cbf-19.dat	family_redline
behavioral1/memory/1672-21-0x0000000000D30000-0x0000000000D5A000-memory.dmp	family_redline

Redline family
redline

Executes dropped EXE 3 IoCs

pid	Process
4436	x7826818.exe
2044	x2785547.exe
1672	f6197228.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	41fa7d7f76bc6b6cc8c1be637f314df8e3dfae9562d285f91b20ab9a3a6a3dd2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	x7826818.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	x2785547.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	41fa7d7f76bc6b6cc8c1be637f314df8e3dfae9562d285f91b20ab9a3a6a3dd2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	x7826818.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	x2785547.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f6197228.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 1648 wrote to memory of 4436	1648	41fa7d7f76bc6b6cc8c1be637f314df8e3dfae9562d285f91b20ab9a3a6a3dd2.exe	83
PID 1648 wrote to memory of 4436	1648	41fa7d7f76bc6b6cc8c1be637f314df8e3dfae9562d285f91b20ab9a3a6a3dd2.exe	83
PID 1648 wrote to memory of 4436	1648	41fa7d7f76bc6b6cc8c1be637f314df8e3dfae9562d285f91b20ab9a3a6a3dd2.exe	83
PID 4436 wrote to memory of 2044	4436	x7826818.exe	84
PID 4436 wrote to memory of 2044	4436	x7826818.exe	84
PID 4436 wrote to memory of 2044	4436	x7826818.exe	84
PID 2044 wrote to memory of 1672	2044	x2785547.exe	85
PID 2044 wrote to memory of 1672	2044	x2785547.exe	85
PID 2044 wrote to memory of 1672	2044	x2785547.exe	85

C:\Users\Admin\AppData\Local\Temp\41fa7d7f76bc6b6cc8c1be637f314df8e3dfae9562d285f91b20ab9a3a6a3dd2.exe
"C:\Users\Admin\AppData\Local\Temp\41fa7d7f76bc6b6cc8c1be637f314df8e3dfae9562d285f91b20ab9a3a6a3dd2.exe"
1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1648
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x7826818.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x7826818.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4436
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x2785547.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x2785547.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2044
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\f6197228.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\f6197228.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:1672

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x7826818.exe

Filesize
749KB

MD5
25d2a7efd5dbf094e70073c5cfcebb6a

SHA1
a71c154bce95def209c3101645970b2df224b728

SHA256
9839e1df114bc3fa97c4239735b0680bba8c0f8eb6c10205a9d028e860884071

SHA512
4b30d04060b5f51ed613e1e92c1b722df4b56349c7f306319276fba47965829407a72eb4503e04c6812bb4e6c0f60c9e22a9a7a517f1f64102f164dc631e526c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x2785547.exe

Filesize
304KB

MD5
e7139612cc5de6395ac8af750f7cfb6b

SHA1
fd911803e35553a056ba3703fe35c168bbf862ea

SHA256
93ec2502cea0727113ca125d61d26edd9818931e181bab1570778794635128bc

SHA512
3622d29a88bb9dd7d098795772b347a991d254e99add27796b03922148dda021332506bf78f8368e6da92985adee504d479d8d395223f607221719efbf61b946

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\f6197228.exe

Filesize
145KB

MD5
9b6e7adc007c184dcea5abbfeea2e417

SHA1
ed79c77a3af6f4076e3c9500cf5839ac949d8206

SHA256
4a2e14ee0e7948ed789b5483fda02453332cf1293f182c56f0da20e870689563

SHA512
81686f660d0b871dd3f31b621944d58ef75e847f7714114b10f7ec83dfd79efc97e6e507904093fca5d9ba9305d40dce90d32a741014625b9597ab10efe1da04

Download Submit
memory/1672-21-0x0000000000D30000-0x0000000000D5A000-memory.dmp

Filesize
168KB

Download
memory/1672-22-0x0000000005CD0000-0x00000000062E8000-memory.dmp

Filesize
6.1MB

Download
memory/1672-23-0x0000000005800000-0x000000000590A000-memory.dmp

Filesize
1.0MB

Download
memory/1672-24-0x0000000005730000-0x0000000005742000-memory.dmp

Filesize
72KB

Download
memory/1672-25-0x0000000005790000-0x00000000057CC000-memory.dmp

Filesize
240KB

Download
memory/1672-26-0x0000000005910000-0x000000000595C000-memory.dmp

Filesize
304KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads