redline | 32356cb8c3457617573a8fd3d166eff5dc4a379d43171b8e92d86ea33cc42c94

General

Target

32356cb8c3457617573a8fd3d166eff5dc4a379d43171b8e92d86ea33cc42c94.exe
Size

1.5MB
MD5

ecc1a1c330b4d00bc87ca7e665b3c994
SHA1

8824454ec2b84a819e9922f4567f5ee417ad173f
SHA256

32356cb8c3457617573a8fd3d166eff5dc4a379d43171b8e92d86ea33cc42c94
SHA512

e3b866008310b792919c739639ebeaff3c66a1f32e80d97ace07a6a81348424a40f506edbe8ed5124a30575682cb4d986b8cb5ee7ac2a8a66256d6f8e9ef1918
SSDEEP

24576:7yqRVcR4vmP8iFmRlEJevuQI02vrQM2CdaDQg84fbx74JZ3xJTNfLJ5+Ey0ezj3:uJnDwRlKe20C/4kg8PJJTNz2Pzj

Score

10^/10

redline most discovery infostealer persistence

Malware Config

Extracted

Family

redline

Botnet

most

C2

185.161.248.73:4164

Attributes

auth_value
7da4dfa153f2919e617aa016f7c36008

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 2 IoCs

resource	yara_rule
behavioral1/files/0x0009000000023c47-33.dat	family_redline
behavioral1/memory/3672-35-0x00000000003E0000-0x0000000000410000-memory.dmp	family_redline

Redline family
redline

Executes dropped EXE 5 IoCs

pid	Process
1308	i14741827.exe
3124	i18088815.exe
4364	i03463397.exe
1208	i58147010.exe
3672	a75157439.exe

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\""	i58147010.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	32356cb8c3457617573a8fd3d166eff5dc4a379d43171b8e92d86ea33cc42c94.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	i14741827.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	i18088815.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	i03463397.exe

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	i03463397.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	i58147010.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a75157439.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	32356cb8c3457617573a8fd3d166eff5dc4a379d43171b8e92d86ea33cc42c94.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	i14741827.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	i18088815.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 4852 wrote to memory of 1308	4852	32356cb8c3457617573a8fd3d166eff5dc4a379d43171b8e92d86ea33cc42c94.exe	83
PID 4852 wrote to memory of 1308	4852	32356cb8c3457617573a8fd3d166eff5dc4a379d43171b8e92d86ea33cc42c94.exe	83
PID 4852 wrote to memory of 1308	4852	32356cb8c3457617573a8fd3d166eff5dc4a379d43171b8e92d86ea33cc42c94.exe	83
PID 1308 wrote to memory of 3124	1308	i14741827.exe	84
PID 1308 wrote to memory of 3124	1308	i14741827.exe	84
PID 1308 wrote to memory of 3124	1308	i14741827.exe	84
PID 3124 wrote to memory of 4364	3124	i18088815.exe	85
PID 3124 wrote to memory of 4364	3124	i18088815.exe	85
PID 3124 wrote to memory of 4364	3124	i18088815.exe	85
PID 4364 wrote to memory of 1208	4364	i03463397.exe	86
PID 4364 wrote to memory of 1208	4364	i03463397.exe	86
PID 4364 wrote to memory of 1208	4364	i03463397.exe	86
PID 1208 wrote to memory of 3672	1208	i58147010.exe	87
PID 1208 wrote to memory of 3672	1208	i58147010.exe	87
PID 1208 wrote to memory of 3672	1208	i58147010.exe	87

C:\Users\Admin\AppData\Local\Temp\32356cb8c3457617573a8fd3d166eff5dc4a379d43171b8e92d86ea33cc42c94.exe
"C:\Users\Admin\AppData\Local\Temp\32356cb8c3457617573a8fd3d166eff5dc4a379d43171b8e92d86ea33cc42c94.exe"
1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4852
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i14741827.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i14741827.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1308
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\i18088815.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\i18088815.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3124
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i03463397.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i03463397.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:4364
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\i58147010.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\i58147010.exe
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1208
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a75157439.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a75157439.exe
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3672

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i14741827.exe

Filesize
1.3MB

MD5
09d839cf92f52071e3d85b2df1b7ec23

SHA1
173fd58f8f1aee88e2da475fba77e3d979ccc33d

SHA256
c6e8c15dcd9d4f545f270a4db26916899e0f8c6cebd81f81fea06a5d8a07ba95

SHA512
afa9ee2128aa4829e4d77f0092ebeec47da656b1cbde117b64082f8c089729c44442e1651526607ba83d084348ec22a7f26dfe48e9505558d061d44f1d9f988e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\i18088815.exe

Filesize
1015KB

MD5
02b53dc947060ef19f0386114d83e053

SHA1
a6e2cbdba94f033c4a499e06713b07fb72c56f90

SHA256
6306841ce9e3a24e40a84d8f1486f8649e3c992006727ef1dfbcffa35ff1ecba

SHA512
4978ee69260d1d0d74520140c593fde0e5a92209fd3f6bca4cbbf750b874aa5830b3221e7bba19c5101327e8c12096766d93dd3fcb6541fbfafd9bd6e107468d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i03463397.exe

Filesize
843KB

MD5
ca1cc4ad932147f0acdd1f71c2ab1948

SHA1
6b42510092f0498c0d41b6fd1ebb06a6690d9e1b

SHA256
a5f8e81e3b3df57c1075dffc46dd8361c127e892bd881c5e16ee4e2d68f4dfeb

SHA512
bde804fbc675c2eda739a5277755fa8eb6f177d553fbdf8c743bb582c62678df998ee294ce5265fb684b493b9859c6d46e1abc5af22f601d50b8f5926bc68871

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\i58147010.exe

Filesize
371KB

MD5
01f3d21a7083559d8300e6ac6beb6f8e

SHA1
9f28fb6d0cd5384e185885c43b9ce0a12a01ab0f

SHA256
88e37b9fa890c092157d82f85c0d3e8a1c23f20a83748e7449c726b6f58ebf19

SHA512
d8cf021552d97fb740a091cc21d8cb04de3866511e568c3448c206b801bb4b78ab3625176382397bd64569f4cb424bcbb7b72dda985f00e6265344857d982667

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a75157439.exe

Filesize
169KB

MD5
1092e96a294621b3fb36167ec9f113c8

SHA1
e0049f557b1ed1fe89cb7bdba93a6c3301a84ddb

SHA256
862126a49c60b1cc14fbb1f653125a57d60d32038513284b0bda9e379eab8007

SHA512
4951e222614de9128d19c0ad8503fcff030e2d07a2d269dbd9dbd60505bdf343675ab76c1691eb0ecf2a06a171cad2bf26128dc7c82fbef7fe297ae68d55f337

Download Submit
memory/3672-35-0x00000000003E0000-0x0000000000410000-memory.dmp

Filesize
192KB

Download
memory/3672-36-0x0000000002710000-0x0000000002716000-memory.dmp

Filesize
24KB

Download
memory/3672-37-0x0000000005410000-0x0000000005A28000-memory.dmp

Filesize
6.1MB

Download
memory/3672-38-0x0000000004F00000-0x000000000500A000-memory.dmp

Filesize
1.0MB

Download
memory/3672-39-0x0000000004C50000-0x0000000004C62000-memory.dmp

Filesize
72KB

Download
memory/3672-40-0x0000000004DF0000-0x0000000004E2C000-memory.dmp

Filesize
240KB

Download
memory/3672-41-0x0000000004E30000-0x0000000004E7C000-memory.dmp

Filesize
304KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads