redline | c74cab24d2486de1e6cf4ecb8991afee3db04bdc5ecbd192179640f3430cfabd

General

Target

c74cab24d2486de1e6cf4ecb8991afee3db04bdc5ecbd192179640f3430cfabd.exe
Size

580KB
MD5

0906a476f2e35e38ab1eeaa9e3fdea8e
SHA1

c4975ea86cd75c8d863ffda65b9d4fb8240e73dd
SHA256

c74cab24d2486de1e6cf4ecb8991afee3db04bdc5ecbd192179640f3430cfabd
SHA512

05af396811a093b504b90c9fc9f5a1c7172bddf2339f94052f25a74f022d0c5b1981db691d43506f54540299168c280a3b5b3ee26b7eba488aa53f9b10d18412
SSDEEP

12288:9Mrty90r4p80i9B+uBWfUNm3QtShk1sz59YVBlPCrKQDs:UyE4p8X+uBWz38niy/6rKEs

Score

10^/10

redline fukia discovery infostealer persistence

Malware Config

Extracted

Family

redline

Botnet

fukia

C2

193.233.20.13:4136

Attributes

auth_value
e5783636fbd9e4f0cf9a017bce02e67e

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 2 IoCs

resource	yara_rule
behavioral1/files/0x000b000000023b7b-19.dat	family_redline
behavioral1/memory/1892-21-0x0000000000ED0000-0x0000000000F02000-memory.dmp	family_redline

Redline family
redline

Executes dropped EXE 3 IoCs

pid	Process
4196	nei81cG.exe
5020	nNy13HL.exe
1892	bWs94.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	c74cab24d2486de1e6cf4ecb8991afee3db04bdc5ecbd192179640f3430cfabd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	nei81cG.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	nNy13HL.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	c74cab24d2486de1e6cf4ecb8991afee3db04bdc5ecbd192179640f3430cfabd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nei81cG.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nNy13HL.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bWs94.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 4812 wrote to memory of 4196	4812	c74cab24d2486de1e6cf4ecb8991afee3db04bdc5ecbd192179640f3430cfabd.exe	87
PID 4812 wrote to memory of 4196	4812	c74cab24d2486de1e6cf4ecb8991afee3db04bdc5ecbd192179640f3430cfabd.exe	87
PID 4812 wrote to memory of 4196	4812	c74cab24d2486de1e6cf4ecb8991afee3db04bdc5ecbd192179640f3430cfabd.exe	87
PID 4196 wrote to memory of 5020	4196	nei81cG.exe	88
PID 4196 wrote to memory of 5020	4196	nei81cG.exe	88
PID 4196 wrote to memory of 5020	4196	nei81cG.exe	88
PID 5020 wrote to memory of 1892	5020	nNy13HL.exe	89
PID 5020 wrote to memory of 1892	5020	nNy13HL.exe	89
PID 5020 wrote to memory of 1892	5020	nNy13HL.exe	89

C:\Users\Admin\AppData\Local\Temp\c74cab24d2486de1e6cf4ecb8991afee3db04bdc5ecbd192179640f3430cfabd.exe
"C:\Users\Admin\AppData\Local\Temp\c74cab24d2486de1e6cf4ecb8991afee3db04bdc5ecbd192179640f3430cfabd.exe"
1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4812
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nei81cG.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nei81cG.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4196
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\nNy13HL.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\nNy13HL.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:5020
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\bWs94.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\bWs94.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:1892

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nei81cG.exe

Filesize
476KB

MD5
cceb18b35123b70c8b7a0bc12db8e128

SHA1
fe8412032a3bda4bcdec4381646ded543b9c6dd1

SHA256
1c177dda7f876c0f936b5617fef0d6ac7b2580dfe752e23f200cb6ecfc548c4c

SHA512
036901a0dd94d5636cde28659cd114992ad6e81e410725ec04d7967fa9bb4605517e183213d120789f158232c562941a6e43c37fec6c3e3b2ba5965f585492e0

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\nNy13HL.exe

Filesize
202KB

MD5
316bfffc32c9aaaf413a40f644832f0e

SHA1
b542b08dad3dc43bf6871621d89eef816c4e9036

SHA256
ded6829b9178714f71bbe880dc0674cfe33f924452fb9885c38acd044ebda375

SHA512
2cb37457e3bedd237a0e54de557b1f5c8ef1eb4e915c8d36e30d009baa6f176429e823f5eb70ceebce3ab12242ebc76884bab789c417e62401a7d876413c9f2f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\bWs94.exe

Filesize
175KB

MD5
a5f5c5d6291c7ae9e1d1b7ed1e551490

SHA1
3d06413341893b838549939e15f8f1eec423d71a

SHA256
1a09ce1cb64219a5d88e57845dc9ba6631efa06fccc8867ccf94eb132947563e

SHA512
d9b3ba67bdd615ee2ce91a29cd9cf6723464be27bf45186fd0e9559ff2b0e7c51b423cfc3e32b5e90955046fb75a34c4a8528df7294b6c831ca254a65d2b8ba2

Download Submit
memory/1892-21-0x0000000000ED0000-0x0000000000F02000-memory.dmp

Filesize
200KB

Download
memory/1892-22-0x0000000005E30000-0x0000000006448000-memory.dmp

Filesize
6.1MB

Download
memory/1892-23-0x00000000059B0000-0x0000000005ABA000-memory.dmp

Filesize
1.0MB

Download
memory/1892-24-0x00000000058E0000-0x00000000058F2000-memory.dmp

Filesize
72KB

Download
memory/1892-25-0x0000000005950000-0x000000000598C000-memory.dmp

Filesize
240KB

Download
memory/1892-26-0x0000000005AC0000-0x0000000005B0C000-memory.dmp

Filesize
304KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads