redline | 39f557b2cb8efc0f80d31f46eb6d54e1bce78d3fcdf6084d0f22199734fe397b

General

Target

39f557b2cb8efc0f80d31f46eb6d54e1bce78d3fcdf6084d0f22199734fe397b.exe
Size

1.5MB
MD5

0d689bc34245551839c5e4a5d033df52
SHA1

189e445a3df78510fa96695378f78a650f41ee9d
SHA256

39f557b2cb8efc0f80d31f46eb6d54e1bce78d3fcdf6084d0f22199734fe397b
SHA512

4b0dc12033c9d81c0fb90effe380c0f95015217fe4f5ed6b5b3399228afa554eafab8aa9648f4663a33174b90d6dcb60c8153103f1b892e6b222bd02cafa8c61
SSDEEP

24576:QyBnum8fZ8oyHk5uB5ks6lij8m5TFz2q+SZ/iJS2cOZ+V+XlAyG+HXIYfAt:XBn+uBkYr6Mj8gx9vKw2Zdb3IoA

Score

10^/10

redline most discovery infostealer persistence

Malware Config

Extracted

Family

redline

Botnet

most

C2

185.161.248.73:4164

Attributes

auth_value
7da4dfa153f2919e617aa016f7c36008

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 2 IoCs

resource	yara_rule
behavioral1/files/0x0008000000023caf-33.dat	family_redline
behavioral1/memory/1616-35-0x0000000000970000-0x00000000009A0000-memory.dmp	family_redline

Redline family
redline

Executes dropped EXE 5 IoCs

pid	Process
432	i54881171.exe
5080	i43818933.exe
4640	i10392783.exe
2628	i22551047.exe
1616	a45677688.exe

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	39f557b2cb8efc0f80d31f46eb6d54e1bce78d3fcdf6084d0f22199734fe397b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	i54881171.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	i43818933.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	i10392783.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\""	i22551047.exe

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a45677688.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	39f557b2cb8efc0f80d31f46eb6d54e1bce78d3fcdf6084d0f22199734fe397b.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	i54881171.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	i43818933.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	i10392783.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	i22551047.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 3516 wrote to memory of 432	3516	39f557b2cb8efc0f80d31f46eb6d54e1bce78d3fcdf6084d0f22199734fe397b.exe	84
PID 3516 wrote to memory of 432	3516	39f557b2cb8efc0f80d31f46eb6d54e1bce78d3fcdf6084d0f22199734fe397b.exe	84
PID 3516 wrote to memory of 432	3516	39f557b2cb8efc0f80d31f46eb6d54e1bce78d3fcdf6084d0f22199734fe397b.exe	84
PID 432 wrote to memory of 5080	432	i54881171.exe	85
PID 432 wrote to memory of 5080	432	i54881171.exe	85
PID 432 wrote to memory of 5080	432	i54881171.exe	85
PID 5080 wrote to memory of 4640	5080	i43818933.exe	87
PID 5080 wrote to memory of 4640	5080	i43818933.exe	87
PID 5080 wrote to memory of 4640	5080	i43818933.exe	87
PID 4640 wrote to memory of 2628	4640	i10392783.exe	88
PID 4640 wrote to memory of 2628	4640	i10392783.exe	88
PID 4640 wrote to memory of 2628	4640	i10392783.exe	88
PID 2628 wrote to memory of 1616	2628	i22551047.exe	89
PID 2628 wrote to memory of 1616	2628	i22551047.exe	89
PID 2628 wrote to memory of 1616	2628	i22551047.exe	89

C:\Users\Admin\AppData\Local\Temp\39f557b2cb8efc0f80d31f46eb6d54e1bce78d3fcdf6084d0f22199734fe397b.exe
"C:\Users\Admin\AppData\Local\Temp\39f557b2cb8efc0f80d31f46eb6d54e1bce78d3fcdf6084d0f22199734fe397b.exe"
1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3516
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i54881171.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i54881171.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:432
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\i43818933.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\i43818933.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:5080
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i10392783.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i10392783.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:4640
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\i22551047.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\i22551047.exe
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2628
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a45677688.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a45677688.exe
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1616

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i54881171.exe

Filesize
1.3MB

MD5
540a55737b7f791eb2f9b9913f8f83c0

SHA1
f2b8f9e0ff19b24bbb0f60bd097f3a612bbce943

SHA256
d7bbf9f014920b9b42583e6851b15dcaea97058b01a657326924e92df93cebce

SHA512
8407aa806527370fadab2ab562e91b4b6652e9cf5066b882ce33a85de15d4853ccfea1061ebbab458adf3f4c26d5527f2f17221fd359a7a7560539e1a2f13962

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\i43818933.exe

Filesize
1015KB

MD5
788aaf174a7031710bfc53a25fe357aa

SHA1
5bab00cb5dcbd884adf83ddbcc26cca2dcf7d7dc

SHA256
305986b9dc757647c1f01987352afb12b953ff8078e1259335aca1f59cabcaf6

SHA512
14a8e062aed2d99e38d4352b46bd65f549ab60f048b633616979a33555f82daef826fcb7ced6d86a4a2af64b6a8762d0b6cc887b89d2efce8976e7fb3107ead4

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i10392783.exe

Filesize
843KB

MD5
e928f9404247bd10ad9da37b1d1e526e

SHA1
01685a1a013ea4dcb719e1f8d43dc305e843fd39

SHA256
977c1e374041061afe4aa66614d895772cd3fa0d5ba765b497cdb2df683daf39

SHA512
6aee44f191f3b1bbcd9bdc9c5fbedadbf7d559dc413dab776d8ea79f9d0de3f006f3bd8ea5a96b412f0f57a71eca912023b01ef8154f33d61b3003ceb9a77593

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\i22551047.exe

Filesize
371KB

MD5
341aafa8b394b74ab133729cba2d0a02

SHA1
f78b1cc9bde28944b4bcb7a110c36005ab4dc905

SHA256
ef808647e7bce6dffa560e7d4041cf04052a6ae30601fcd8ffeaec757905e482

SHA512
fbb5dfaa5e65604c48efb73a74436a504b6b7e0f67685e2138fbd483bb23831a542f8f2e4fbd473fa30a7c9d5c8854b85ee90204110cdea76fe3983924193a9b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a45677688.exe

Filesize
169KB

MD5
34eec5b23150aaf97edf65be51737be9

SHA1
5359302cee30623b725ce4271441c9ebfaeb3b65

SHA256
45ecc1a695a5e62009e85d0acab036c572309c0cda30ac407fd0026979c0fda4

SHA512
d8ecba8fb0fc41cec9cb21ec6bed3a13976bedbe33a4950c02bca265b6922990eb2dd56a1ceee087195e5a7f01c1ce91c442a809e71aff89c603844487a8a88d

Download Submit
memory/1616-35-0x0000000000970000-0x00000000009A0000-memory.dmp

Filesize
192KB

Download
memory/1616-36-0x0000000001100000-0x0000000001106000-memory.dmp

Filesize
24KB

Download
memory/1616-37-0x000000000ADA0000-0x000000000B3B8000-memory.dmp

Filesize
6.1MB

Download
memory/1616-38-0x000000000A920000-0x000000000AA2A000-memory.dmp

Filesize
1.0MB

Download
memory/1616-39-0x000000000A850000-0x000000000A862000-memory.dmp

Filesize
72KB

Download
memory/1616-40-0x000000000A8B0000-0x000000000A8EC000-memory.dmp

Filesize
240KB

Download
memory/1616-41-0x0000000004C20000-0x0000000004C6C000-memory.dmp

Filesize
304KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads