redline | f3fdbfc6ba850090ebb43f673c7b72481b796188a38907e1390d1a906aba4fa8

General

Target

f3fdbfc6ba850090ebb43f673c7b72481b796188a38907e1390d1a906aba4fa8.exe
Size

1.1MB
MD5

d880e468825c5c5fe317e41d348176d6
SHA1

6fed5eef9a6cf6d860b1f2b24017f037c7302799
SHA256

f3fdbfc6ba850090ebb43f673c7b72481b796188a38907e1390d1a906aba4fa8
SHA512

e20c7c146dccbc58fea0cd39a71474fd4333a06fe862eac6b595951862f3456c611d376ead51184b5430a89fc7ffe50c708212474a4f9e71188290d27c7e055f
SSDEEP

24576:xy43LargLX0iTylz3BZ3tqCssI4Q3rrJCLOPD6UxxC:kEar+0iupT3LbQ7tb7

Score

10^/10

redline doma discovery infostealer persistence

Malware Config

Extracted

Family

redline

Botnet

doma

C2

185.161.248.75:4132

Attributes

auth_value
8be53af7f78567706928d0abef953ef4

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 2 IoCs

resource	yara_rule
behavioral1/files/0x0008000000023ca0-19.dat	family_redline
behavioral1/memory/2640-21-0x0000000000E40000-0x0000000000E6A000-memory.dmp	family_redline

Redline family
redline

Executes dropped EXE 3 IoCs

pid	Process
3792	x7722609.exe
3088	x8217842.exe
2640	f0691558.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	f3fdbfc6ba850090ebb43f673c7b72481b796188a38907e1390d1a906aba4fa8.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	x7722609.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	x8217842.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f3fdbfc6ba850090ebb43f673c7b72481b796188a38907e1390d1a906aba4fa8.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	x7722609.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	x8217842.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f0691558.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 924 wrote to memory of 3792	924	f3fdbfc6ba850090ebb43f673c7b72481b796188a38907e1390d1a906aba4fa8.exe	83
PID 924 wrote to memory of 3792	924	f3fdbfc6ba850090ebb43f673c7b72481b796188a38907e1390d1a906aba4fa8.exe	83
PID 924 wrote to memory of 3792	924	f3fdbfc6ba850090ebb43f673c7b72481b796188a38907e1390d1a906aba4fa8.exe	83
PID 3792 wrote to memory of 3088	3792	x7722609.exe	85
PID 3792 wrote to memory of 3088	3792	x7722609.exe	85
PID 3792 wrote to memory of 3088	3792	x7722609.exe	85
PID 3088 wrote to memory of 2640	3088	x8217842.exe	86
PID 3088 wrote to memory of 2640	3088	x8217842.exe	86
PID 3088 wrote to memory of 2640	3088	x8217842.exe	86

C:\Users\Admin\AppData\Local\Temp\f3fdbfc6ba850090ebb43f673c7b72481b796188a38907e1390d1a906aba4fa8.exe
"C:\Users\Admin\AppData\Local\Temp\f3fdbfc6ba850090ebb43f673c7b72481b796188a38907e1390d1a906aba4fa8.exe"
1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:924
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x7722609.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x7722609.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3792
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x8217842.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x8217842.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3088
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\f0691558.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\f0691558.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:2640

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x7722609.exe

Filesize
750KB

MD5
45f5d1d2dcbe9d4ff2a09778e3c94535

SHA1
1d3bae3019ee2f6034baf71e0745b7f843140a79

SHA256
14f45506b5fb71d3b15599737a2ad21ba1995416d42275233ec1c8064df962e1

SHA512
7ba468e2ee64aad2a568ec4477e1a190e6abf582f95658542498ef6b175aaf98b770e33b00fabeeafd30a3e49fd3a66dc1346a868e6a2ae5fe8c6a0e59802a61

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x8217842.exe

Filesize
304KB

MD5
d1235af985218454b5788e0e7283059b

SHA1
ffd8817236c6896bb4a35661bb3518c39ad8cb29

SHA256
5531599df12aeaa570ce055b782027be37fea5dec4b50d05ee696abeb61b6875

SHA512
748a424ff71a898d7912be64f9935d57f83d9ac07aeb4f16997728d0a4389cd4dcfa399d180f3be9501821d1f9262817171528af25fe9cbbbee9b76b2f0f7079

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\f0691558.exe

Filesize
145KB

MD5
4174f85b37a04f12efa90eda06add0ad

SHA1
6d465cb8b747f78d83462c3ba769fc5899abdf77

SHA256
74d93446b58dde7c1fab83250fe27898f2e2807d90f2c4883071f5ec81ec0c77

SHA512
5a38009f24db649d5d501335a53c80252860cca4af251fbfed6e12dc8427b61e36a09b8670d81c0f1a95e02f85f64bc55d148459aadced70d0cb113c321b9ada

Download Submit
memory/2640-21-0x0000000000E40000-0x0000000000E6A000-memory.dmp

Filesize
168KB

Download
memory/2640-22-0x0000000005DA0000-0x00000000063B8000-memory.dmp

Filesize
6.1MB

Download
memory/2640-23-0x0000000005910000-0x0000000005A1A000-memory.dmp

Filesize
1.0MB

Download
memory/2640-24-0x0000000005850000-0x0000000005862000-memory.dmp

Filesize
72KB

Download
memory/2640-25-0x00000000058B0000-0x00000000058EC000-memory.dmp

Filesize
240KB

Download
memory/2640-26-0x0000000005A20000-0x0000000005A6C000-memory.dmp

Filesize
304KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads