redline | 58da13ff12b011b8697abebc81e06e4c4de0a5ccf7b79a1c890129a421e139ff

General

Target

58da13ff12b011b8697abebc81e06e4c4de0a5ccf7b79a1c890129a421e139ff.exe
Size

1.1MB
MD5

d492478f3b44e5ba12ea6be00035d31b
SHA1

49006b33b36cad08f86a21bdad44f03ea7c3b7f4
SHA256

58da13ff12b011b8697abebc81e06e4c4de0a5ccf7b79a1c890129a421e139ff
SHA512

eaae388f5524f5ae6b33ef1120318aae71db9c07cc0019854d88e344ac46da4a735c526b17daa42db63a44928c4a6b2773dd692771867be7a20776d911fb1156
SSDEEP

24576:DyXxsgG1SIaePTCSxZhaDQo3kOUkjA17K67Pq:WPGsI3lUvUOUF7bz

Score

10^/10

redline doma discovery infostealer persistence

Malware Config

Extracted

Family

redline

Botnet

doma

C2

185.161.248.75:4132

Attributes

auth_value
8be53af7f78567706928d0abef953ef4

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 2 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\f6917268.exe	family_redline
behavioral1/memory/1872-21-0x0000000000290000-0x00000000002BA000-memory.dmp	family_redline

Redline family
redline
Executes dropped EXE 3 IoCs

Processes:

x5391012.exex1424377.exef6917268.exe

pid process

860 x5391012.exe
4904 x1424377.exe
1872 f6917268.exe

pid	process
860	x5391012.exe
4904	x1424377.exe
1872	f6917268.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

x5391012.exex1424377.exe58da13ff12b011b8697abebc81e06e4c4de0a5ccf7b79a1c890129a421e139ff.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	x5391012.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	x1424377.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	58da13ff12b011b8697abebc81e06e4c4de0a5ccf7b79a1c890129a421e139ff.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

x1424377.exef6917268.exe58da13ff12b011b8697abebc81e06e4c4de0a5ccf7b79a1c890129a421e139ff.exex5391012.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	x1424377.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f6917268.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	58da13ff12b011b8697abebc81e06e4c4de0a5ccf7b79a1c890129a421e139ff.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	x5391012.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

58da13ff12b011b8697abebc81e06e4c4de0a5ccf7b79a1c890129a421e139ff.exex5391012.exex1424377.exe

description	pid	process	target process
PID 4340 wrote to memory of 860	4340	58da13ff12b011b8697abebc81e06e4c4de0a5ccf7b79a1c890129a421e139ff.exe	x5391012.exe
PID 4340 wrote to memory of 860	4340	58da13ff12b011b8697abebc81e06e4c4de0a5ccf7b79a1c890129a421e139ff.exe	x5391012.exe
PID 4340 wrote to memory of 860	4340	58da13ff12b011b8697abebc81e06e4c4de0a5ccf7b79a1c890129a421e139ff.exe	x5391012.exe
PID 860 wrote to memory of 4904	860	x5391012.exe	x1424377.exe
PID 860 wrote to memory of 4904	860	x5391012.exe	x1424377.exe
PID 860 wrote to memory of 4904	860	x5391012.exe	x1424377.exe
PID 4904 wrote to memory of 1872	4904	x1424377.exe	f6917268.exe
PID 4904 wrote to memory of 1872	4904	x1424377.exe	f6917268.exe
PID 4904 wrote to memory of 1872	4904	x1424377.exe	f6917268.exe

C:\Users\Admin\AppData\Local\Temp\58da13ff12b011b8697abebc81e06e4c4de0a5ccf7b79a1c890129a421e139ff.exe
"C:\Users\Admin\AppData\Local\Temp\58da13ff12b011b8697abebc81e06e4c4de0a5ccf7b79a1c890129a421e139ff.exe"
1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4340
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x5391012.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x5391012.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:860
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x1424377.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x1424377.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:4904
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\f6917268.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\f6917268.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:1872

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x5391012.exe

Filesize
749KB

MD5
0f022bd857be2eeffbf23569a473beb5

SHA1
b70850e5694bce802c3d11b486ca497dd5b22de2

SHA256
3d8d9ab9014d2b70a2f74238d364460539371f4de9fb5c128db398f3b876bfb0

SHA512
81f99a2d65341525f1f6f4c2051688e31657aeff97c6524fd0fe0a3e03c8bf056288e4b5499274958be87e26a1eda032c2177f96e703dee02d22765d65a329ee

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x1424377.exe

Filesize
305KB

MD5
6f842158ec39510d226e0c2ba1ba17d7

SHA1
5516bfebaaccd6e3edd423ab53db5830e2b034f8

SHA256
fb0001c8183728cddb66c90494ecc194f21c9660e06b7a78d33d8361d7169d59

SHA512
7e160403f5b1101474be3a549d7efc71fa6bc5d1472a21ba64676e0cf4774a819381bd4aca37b0723d4f2d606bfa0a0666da69d1c287f0c864528661b187e225

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\f6917268.exe

Filesize
145KB

MD5
df7459cf1dbc0bfa826862898698adef

SHA1
a30de21805d6496887b4c487fce6757d6cd0c03f

SHA256
f3f7f3117f45d7ee872ece8e9bd5715e10ed00488777cbeddb1ab925c9ed4dd9

SHA512
d77c717b0a605427f9634a7effa3b321b72d628da8418ecf550b24ae5fd7d3195d69144dd247d40fa94399794e3da6664c8da0ea367697c659697f45b9f34d75

Download Submit
memory/1872-21-0x0000000000290000-0x00000000002BA000-memory.dmp

Filesize
168KB

Download
memory/1872-22-0x0000000005130000-0x0000000005748000-memory.dmp

Filesize
6.1MB

Download
memory/1872-23-0x0000000004C20000-0x0000000004D2A000-memory.dmp

Filesize
1.0MB

Download
memory/1872-24-0x0000000004B50000-0x0000000004B62000-memory.dmp

Filesize
72KB

Download
memory/1872-25-0x0000000004D30000-0x0000000004D6C000-memory.dmp

Filesize
240KB

Download
memory/1872-26-0x0000000004B70000-0x0000000004BBC000-memory.dmp

Filesize
304KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads