redline | 6faa06391c695659f013700d1169f15b2505524e6b52b2d4db03a4541daec5f6

General

Target

6faa06391c695659f013700d1169f15b2505524e6b52b2d4db03a4541daec5f6.exe
Size

1.1MB
MD5

36ca21c7d9cb5be1f760f18fe03cea45
SHA1

0e6c664f24b45a93439de75095880a0dc359dc10
SHA256

6faa06391c695659f013700d1169f15b2505524e6b52b2d4db03a4541daec5f6
SHA512

df06e3d4ac2eff13396428a9814c1d7bfdf0afe950700d53681568ec23805cf52600e67fcb99e7d5e5f4ef53bce5b7914e312a47068f892d0f018764084e593c
SSDEEP

24576:hyc0XduWmKJRjRgcGC5aWw5DhNH4dl+8drV5jsXwqnx/pkKfTIH3anxC:UNdBjOa7eNH4v+8dYXw8qKfTIH3anx

Score

10^/10

redline doma discovery infostealer persistence

Malware Config

Extracted

Family

redline

Botnet

doma

C2

185.161.248.75:4132

Attributes

auth_value
8be53af7f78567706928d0abef953ef4

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 2 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\f2525584.exe	family_redline
behavioral1/memory/1604-21-0x0000000000DA0000-0x0000000000DCA000-memory.dmp	family_redline

Redline family
redline
Executes dropped EXE 3 IoCs

Processes:

x3003111.exex7376323.exef2525584.exe

pid process

2012 x3003111.exe
1612 x7376323.exe
1604 f2525584.exe

pid	process
2012	x3003111.exe
1612	x7376323.exe
1604	f2525584.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

x3003111.exex7376323.exe6faa06391c695659f013700d1169f15b2505524e6b52b2d4db03a4541daec5f6.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	x3003111.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	x7376323.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	6faa06391c695659f013700d1169f15b2505524e6b52b2d4db03a4541daec5f6.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

f2525584.exe6faa06391c695659f013700d1169f15b2505524e6b52b2d4db03a4541daec5f6.exex3003111.exex7376323.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f2525584.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	6faa06391c695659f013700d1169f15b2505524e6b52b2d4db03a4541daec5f6.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	x3003111.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	x7376323.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

6faa06391c695659f013700d1169f15b2505524e6b52b2d4db03a4541daec5f6.exex3003111.exex7376323.exe

description	pid	process	target process
PID 4408 wrote to memory of 2012	4408	6faa06391c695659f013700d1169f15b2505524e6b52b2d4db03a4541daec5f6.exe	x3003111.exe
PID 4408 wrote to memory of 2012	4408	6faa06391c695659f013700d1169f15b2505524e6b52b2d4db03a4541daec5f6.exe	x3003111.exe
PID 4408 wrote to memory of 2012	4408	6faa06391c695659f013700d1169f15b2505524e6b52b2d4db03a4541daec5f6.exe	x3003111.exe
PID 2012 wrote to memory of 1612	2012	x3003111.exe	x7376323.exe
PID 2012 wrote to memory of 1612	2012	x3003111.exe	x7376323.exe
PID 2012 wrote to memory of 1612	2012	x3003111.exe	x7376323.exe
PID 1612 wrote to memory of 1604	1612	x7376323.exe	f2525584.exe
PID 1612 wrote to memory of 1604	1612	x7376323.exe	f2525584.exe
PID 1612 wrote to memory of 1604	1612	x7376323.exe	f2525584.exe

C:\Users\Admin\AppData\Local\Temp\6faa06391c695659f013700d1169f15b2505524e6b52b2d4db03a4541daec5f6.exe
"C:\Users\Admin\AppData\Local\Temp\6faa06391c695659f013700d1169f15b2505524e6b52b2d4db03a4541daec5f6.exe"
1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4408
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x3003111.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x3003111.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2012
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x7376323.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x7376323.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1612
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\f2525584.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\f2525584.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:1604

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x3003111.exe

Filesize
748KB

MD5
166db464e7e9b1e6072d91f0928f1dae

SHA1
bb0a4934efd1dd51c928de196992c4c1759ea8a0

SHA256
176c69396e78b8a3ef095ea35f3a8097a4e4c4a9c2040b91bb00613906981ad7

SHA512
e84c9580d83496d10d3258c1c8d2dd8f7ff233ab6df8a13fe2d7159aef17c4cf526bd2648f53ff41595e803fdc3d74f4ca90c2f084d3a6cbdbe0268ab6c7f874

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x7376323.exe

Filesize
304KB

MD5
518fbabdd1c66711935a6943ff6e9d52

SHA1
1bba27345a670b9e3bb2563614505a5ef3805cf8

SHA256
12e3d964d8c2bd0407e20ed622831b14ad56fe61879590368f513b38f3fa5b05

SHA512
fe5ed4b6b3baba4e57327a5a1b23892b920eaeb2ab87a4c3b9889b76a9c8f9d4e12781b729e3b443eb95f9d8745b2d3188e4408477c9b107e318986628b4f41e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\f2525584.exe

Filesize
145KB

MD5
29f5a5754fafe43ece85ef7fabd8b537

SHA1
817e4a2a3501761c57e68f4cc1b279119ab4ba40

SHA256
9d11ef9f2e42299033d4751b9603fcdb2fc7f2d77c9f486fe6ad5b07da8529d6

SHA512
3ed0bb49da43c2c1c8e64de8785ab68dffe1e9380e83dd2da9e9b62f2d90359c3e68ea6d36a8fd7069127b7310f5cdbf8c8f928d1935bde7797f55748de5d0f4

Download Submit
memory/1604-21-0x0000000000DA0000-0x0000000000DCA000-memory.dmp

Filesize
168KB

Download
memory/1604-22-0x0000000005D80000-0x0000000006398000-memory.dmp

Filesize
6.1MB

Download
memory/1604-23-0x0000000005870000-0x000000000597A000-memory.dmp

Filesize
1.0MB

Download
memory/1604-24-0x00000000057A0000-0x00000000057B2000-memory.dmp

Filesize
72KB

Download
memory/1604-25-0x0000000005800000-0x000000000583C000-memory.dmp

Filesize
240KB

Download
memory/1604-26-0x0000000005980000-0x00000000059CC000-memory.dmp

Filesize
304KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads