redline | 2e043c8c5498c140ef82a76ed84f6ae4dae6e6ce6a7435bce9be10f8e5e6d7af

General

Target

2e043c8c5498c140ef82a76ed84f6ae4dae6e6ce6a7435bce9be10f8e5e6d7af.exe
Size

1.5MB
MD5

178cb1b4414450bf5d18e704913064f0
SHA1

a7c2f71349cd25abad1c6157ebd8657b60052c9d
SHA256

2e043c8c5498c140ef82a76ed84f6ae4dae6e6ce6a7435bce9be10f8e5e6d7af
SHA512

a4468f47ed5b0a67a843985d7fc915562c02dbfe1f170073bae35b0d3ef37d0527d35e40f2589a1b23d9d0aeabec12f9664181e324ec78b947272daf10b55eea
SSDEEP

24576:my3dbbnst5EOnfvDKaJ1eHrVkwEraq/0etGFD/23hUQKPbxFdD/ilVloY4v5:1t/sP5DKaJWqwyaURmK3hUQKD/JilVt4

Score

10^/10

redline most discovery infostealer persistence

Malware Config

Extracted

Family

redline

Botnet

most

C2

185.161.248.73:4164

Attributes

auth_value
7da4dfa153f2919e617aa016f7c36008

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 2 IoCs

resource	yara_rule
behavioral1/files/0x0009000000023c1e-33.dat	family_redline
behavioral1/memory/2976-35-0x00000000002F0000-0x0000000000320000-memory.dmp	family_redline

Redline family
redline

Executes dropped EXE 5 IoCs

pid	Process
2168	i47453246.exe
1200	i73001138.exe
1520	i77410951.exe
1544	i64106203.exe
2976	a29786768.exe

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	2e043c8c5498c140ef82a76ed84f6ae4dae6e6ce6a7435bce9be10f8e5e6d7af.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	i47453246.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	i73001138.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	i77410951.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\""	i64106203.exe

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	i64106203.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a29786768.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2e043c8c5498c140ef82a76ed84f6ae4dae6e6ce6a7435bce9be10f8e5e6d7af.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	i47453246.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	i73001138.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	i77410951.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 4592 wrote to memory of 2168	4592	2e043c8c5498c140ef82a76ed84f6ae4dae6e6ce6a7435bce9be10f8e5e6d7af.exe	83
PID 4592 wrote to memory of 2168	4592	2e043c8c5498c140ef82a76ed84f6ae4dae6e6ce6a7435bce9be10f8e5e6d7af.exe	83
PID 4592 wrote to memory of 2168	4592	2e043c8c5498c140ef82a76ed84f6ae4dae6e6ce6a7435bce9be10f8e5e6d7af.exe	83
PID 2168 wrote to memory of 1200	2168	i47453246.exe	84
PID 2168 wrote to memory of 1200	2168	i47453246.exe	84
PID 2168 wrote to memory of 1200	2168	i47453246.exe	84
PID 1200 wrote to memory of 1520	1200	i73001138.exe	86
PID 1200 wrote to memory of 1520	1200	i73001138.exe	86
PID 1200 wrote to memory of 1520	1200	i73001138.exe	86
PID 1520 wrote to memory of 1544	1520	i77410951.exe	87
PID 1520 wrote to memory of 1544	1520	i77410951.exe	87
PID 1520 wrote to memory of 1544	1520	i77410951.exe	87
PID 1544 wrote to memory of 2976	1544	i64106203.exe	89
PID 1544 wrote to memory of 2976	1544	i64106203.exe	89
PID 1544 wrote to memory of 2976	1544	i64106203.exe	89

C:\Users\Admin\AppData\Local\Temp\2e043c8c5498c140ef82a76ed84f6ae4dae6e6ce6a7435bce9be10f8e5e6d7af.exe
"C:\Users\Admin\AppData\Local\Temp\2e043c8c5498c140ef82a76ed84f6ae4dae6e6ce6a7435bce9be10f8e5e6d7af.exe"
1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4592
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i47453246.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i47453246.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2168
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\i73001138.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\i73001138.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1200
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i77410951.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i77410951.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:1520
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\i64106203.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\i64106203.exe
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1544
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a29786768.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a29786768.exe
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2976

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i47453246.exe

Filesize
1.3MB

MD5
90a09556f20807559dd434dbde3c66b1

SHA1
2b1889d4c65275dd6520d99e0b4eeec2a588fe21

SHA256
fe025a6994d9e8a0f5bc76f8e385a31604ae12e0ffae03da22424fa77975acaf

SHA512
52ef31089c622034d1edf39ccf3417643c7618773e7e434eed73e1f8c85db175d4eec92ccf8b1c62dd1dde693ff13b74dfa9595671949dd2f87848f0e860b58c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\i73001138.exe

Filesize
1016KB

MD5
61e89c90b964568ee6035fed91128244

SHA1
363adee47688756eab7bbb4bf8c261000a335f03

SHA256
ae9203280300666eb81beff4d8e54a38003016c14aebc188aadf586f8b7f27a9

SHA512
261f5a88552fdcbd8e21dee8c091d4055fd15cd4f516d5e871eb98100fdb715686c39f165fe0e43bedad6513fbb445bda0978edcc60b37c269dbf376b6bdd0d9

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i77410951.exe

Filesize
844KB

MD5
e0fc051ca57167cc3574ce0617b2a1c1

SHA1
c3a94a721b0a456de1e59fe2f106f1960c5f0fd4

SHA256
15bfd875a4be099804be7c7eefd30e7e394afc2cda815b3f7a53f2d2c4e9bb96

SHA512
99a595e05962cf522fbc28d04d6b80b7bad7da8d18c9168769236534eb976b4fa41972325793a6da41862f88501166c4532c8d34cdd9ce72e9eb1e225c6471bc

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\i64106203.exe

Filesize
371KB

MD5
de210257cd4902e138bab176128d3196

SHA1
02ef2f34a42c373287a777c7db75c55517363463

SHA256
0eab08198d088df7bc12a85a39d6160d90035d9d1980ea4485d1e02fc8069107

SHA512
616afa3cf679580b98053b3cc686ffcd07f67f3a43ceb665923f99149c261a2939fa62005223405cf8381d2ffd6e8302ce6e6fc54b306eed84224b2ab1a82d47

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a29786768.exe

Filesize
169KB

MD5
08e80194872d5f6d4ae7302a6cdfbb83

SHA1
efa41dedccea86f5f97a487dec9cdfeb8685e63f

SHA256
ad9b3c60063871ede8faa66dad1927182b13e9a4c10d2c1a4458058e90c4693a

SHA512
af42605409a43bfcf5df3122b3123c54f2e8957a98c68850d758beb91e07703f6e563a791503e4d0329f2c20dc77f4ce5cf6864163c39884557d147c522afe0e

Download Submit
memory/2976-35-0x00000000002F0000-0x0000000000320000-memory.dmp

Filesize
192KB

Download
memory/2976-36-0x00000000026E0000-0x00000000026E6000-memory.dmp

Filesize
24KB

Download
memory/2976-37-0x0000000005370000-0x0000000005988000-memory.dmp

Filesize
6.1MB

Download
memory/2976-38-0x0000000004E80000-0x0000000004F8A000-memory.dmp

Filesize
1.0MB

Download
memory/2976-39-0x0000000004DB0000-0x0000000004DC2000-memory.dmp

Filesize
72KB

Download
memory/2976-40-0x0000000004E10000-0x0000000004E4C000-memory.dmp

Filesize
240KB

Download
memory/2976-41-0x0000000004F90000-0x0000000004FDC000-memory.dmp

Filesize
304KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads