redline | 0d8cd6d2aac71c427ab05fdd478929d15dc1caf9e374a6b2d08a784ea81fa0e3

General

Target

0d8cd6d2aac71c427ab05fdd478929d15dc1caf9e374a6b2d08a784ea81fa0e3.exe
Size

1.5MB
MD5

10538d393fbf8780fec5f8f64aad11f2
SHA1

3377ccc77422ae101f24db4ad3fc484e4331f687
SHA256

0d8cd6d2aac71c427ab05fdd478929d15dc1caf9e374a6b2d08a784ea81fa0e3
SHA512

80433d12c46b36b8354a08b8cb203f4c0a660d7035400f0f3239c75c610f76b45462446ae5064d9f5889f7c7284b14caf8b5d7c5565581e324ccc01b770dd3d5
SSDEEP

24576:cy+aJmNIXU6Lwd+/Jj1mm/KEp81o4XdtC109Syo1q5/h56jFHiGxvc2JISkA5uej:L+aJGh68AJU64xx68/h56jFCOkqggB

Score

10^/10

redline most discovery infostealer persistence

Malware Config

Extracted

Family

redline

Botnet

most

C2

185.161.248.73:4164

Attributes

auth_value
7da4dfa153f2919e617aa016f7c36008

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 2 IoCs

resource	yara_rule
behavioral1/files/0x0008000000023ca2-32.dat	family_redline
behavioral1/memory/2736-35-0x0000000000D70000-0x0000000000DA0000-memory.dmp	family_redline

Redline family
redline

Executes dropped EXE 5 IoCs

pid	Process
1192	i84252694.exe
1248	i64847815.exe
4800	i54724992.exe
1588	i59287992.exe
2736	a07746007.exe

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	i64847815.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	i54724992.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\""	i59287992.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	0d8cd6d2aac71c427ab05fdd478929d15dc1caf9e374a6b2d08a784ea81fa0e3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	i84252694.exe

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	i59287992.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a07746007.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0d8cd6d2aac71c427ab05fdd478929d15dc1caf9e374a6b2d08a784ea81fa0e3.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	i84252694.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	i64847815.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	i54724992.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 2204 wrote to memory of 1192	2204	0d8cd6d2aac71c427ab05fdd478929d15dc1caf9e374a6b2d08a784ea81fa0e3.exe	83
PID 2204 wrote to memory of 1192	2204	0d8cd6d2aac71c427ab05fdd478929d15dc1caf9e374a6b2d08a784ea81fa0e3.exe	83
PID 2204 wrote to memory of 1192	2204	0d8cd6d2aac71c427ab05fdd478929d15dc1caf9e374a6b2d08a784ea81fa0e3.exe	83
PID 1192 wrote to memory of 1248	1192	i84252694.exe	84
PID 1192 wrote to memory of 1248	1192	i84252694.exe	84
PID 1192 wrote to memory of 1248	1192	i84252694.exe	84
PID 1248 wrote to memory of 4800	1248	i64847815.exe	85
PID 1248 wrote to memory of 4800	1248	i64847815.exe	85
PID 1248 wrote to memory of 4800	1248	i64847815.exe	85
PID 4800 wrote to memory of 1588	4800	i54724992.exe	86
PID 4800 wrote to memory of 1588	4800	i54724992.exe	86
PID 4800 wrote to memory of 1588	4800	i54724992.exe	86
PID 1588 wrote to memory of 2736	1588	i59287992.exe	88
PID 1588 wrote to memory of 2736	1588	i59287992.exe	88
PID 1588 wrote to memory of 2736	1588	i59287992.exe	88

C:\Users\Admin\AppData\Local\Temp\0d8cd6d2aac71c427ab05fdd478929d15dc1caf9e374a6b2d08a784ea81fa0e3.exe
"C:\Users\Admin\AppData\Local\Temp\0d8cd6d2aac71c427ab05fdd478929d15dc1caf9e374a6b2d08a784ea81fa0e3.exe"
1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2204
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i84252694.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i84252694.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1192
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\i64847815.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\i64847815.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1248
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i54724992.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i54724992.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:4800
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\i59287992.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\i59287992.exe
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1588
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a07746007.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a07746007.exe
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2736

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i84252694.exe

Filesize
1.3MB

MD5
3335f8da00fcffe2a83797ed94362d12

SHA1
539b1771115ecd3293affc3b67af1cc653302181

SHA256
36ae534525351c8d51f314ed8dc5afeba636a09c7e4a2581cee7c6ca29e04a9f

SHA512
f6061a56f1b127db90ec5d074a2a3e5eceacfe8b40cab0e0d180376032d7cfa697079292a454b565fe4c7a688cdd1c25e2961031f34daaf6da4e763e0421f33d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\i64847815.exe

Filesize
1014KB

MD5
7bc5251fea645908aec34965e0a03822

SHA1
a3fb76ac522033fecf92db32f08953b03ae63a31

SHA256
7582def2f1a2817437ab3e8ebc1d19849187a1131a84ab6ed610d8f0d786c64b

SHA512
925ca1147a6f52078753d152d971c1ee83c46df4a682993e65a4ad5bdf68cd1f1df0a1a764c4ecd3485009655cb4555c17a86538d3cfca841d19cb5592b33204

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i54724992.exe

Filesize
843KB

MD5
34382e2d448b8317672d0e584f34d0b8

SHA1
04a812479d1fe6f39d858a4776b1aea3c81c53c4

SHA256
912936a7b3beaa93ca9a0bc652ab856a65a49e1a5edeb289459dbef617d398a5

SHA512
3326af9d429322f48ec31804ba6dda9dc188ae61466c46787b4f4a987afeb8388f282ce23d7bc3d05e82b937b9eb127b59442ccda4ba696ab4e6e93741392577

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\i59287992.exe

Filesize
371KB

MD5
67ca88e669ce9c5582b682a333084e2d

SHA1
588ced40e8149a2b94a7c6c53f51bb7c8a74368d

SHA256
72dd0b7ae9a5ae0337fd78c3b0ef144a7382c427e4f8a392fa62bfc664b41786

SHA512
1cda233b12464f9595361136645af0ab08e87991f7e2b4db95640ea5cc8baeae6a0e316057929a1f1f0105ac78e833ccf694cf0504fe104e58daf734f057f678

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a07746007.exe

Filesize
169KB

MD5
d37e27de16526c9782ce97a71eb311d9

SHA1
f2a0297d1b2f9ec7ad82b49c31795ce98f174505

SHA256
bd4d773f3bff99458659cf58292a127b0190a23739ed85b21829cbc470943e56

SHA512
c7362e7a03a4d8461c87e50698b4584c2d5512f9af1ae39c102d0c5d5862d78bdbd60f9638b8b13fa48a800988673b68e10515cadc6e3494daa0278652c24c7c

Download Submit
memory/2736-35-0x0000000000D70000-0x0000000000DA0000-memory.dmp

Filesize
192KB

Download
memory/2736-36-0x0000000005650000-0x0000000005656000-memory.dmp

Filesize
24KB

Download
memory/2736-37-0x000000000B080000-0x000000000B698000-memory.dmp

Filesize
6.1MB

Download
memory/2736-38-0x000000000ABE0000-0x000000000ACEA000-memory.dmp

Filesize
1.0MB

Download
memory/2736-39-0x000000000AB10000-0x000000000AB22000-memory.dmp

Filesize
72KB

Download
memory/2736-40-0x000000000AB70000-0x000000000ABAC000-memory.dmp

Filesize
240KB

Download
memory/2736-41-0x0000000002F00000-0x0000000002F4C000-memory.dmp

Filesize
304KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads