redline | cf1cfb5184665225519a3f31bbcd2d9f38f60a2798f52cdcfb11b9e98051d78c

General

Target

cf1cfb5184665225519a3f31bbcd2d9f38f60a2798f52cdcfb11b9e98051d78c.exe
Size

1.1MB
MD5

443aecae87130944d95885b139900702
SHA1

c908b5f3bb1dc54153a9abd5a524f3e0c5af4e9f
SHA256

cf1cfb5184665225519a3f31bbcd2d9f38f60a2798f52cdcfb11b9e98051d78c
SHA512

9f04e61d40c15ed0d8f6fdca5f37e2d10f4066ed7a9003755807685ad30bbc1afa4ffb46015a8b0ba1e3ba7a952e326d8320384f48588f499e3382534cc29b47
SSDEEP

24576:6y79cLvRRp8CfVbbXzObXYdtVmM7EmykoJfvw:BpiJrzbbXvdt8MYTJv

Score

10^/10

redline doma discovery infostealer persistence

Malware Config

Extracted

Family

redline

Botnet

doma

C2

185.161.248.75:4132

Attributes

auth_value
8be53af7f78567706928d0abef953ef4

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 2 IoCs

Processes:

resource	yara_rule
behavioral1/files/0x0008000000023c8d-19.dat	family_redline
behavioral1/memory/2764-21-0x0000000000FC0000-0x0000000000FEA000-memory.dmp	family_redline

Redline family
redline

Executes dropped EXE 3 IoCs

Processes:

x0761818.exex0898432.exef3963997.exe

pid	Process
2300	x0761818.exe
912	x0898432.exe
2764	f3963997.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

cf1cfb5184665225519a3f31bbcd2d9f38f60a2798f52cdcfb11b9e98051d78c.exex0761818.exex0898432.exe

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	cf1cfb5184665225519a3f31bbcd2d9f38f60a2798f52cdcfb11b9e98051d78c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	x0761818.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	x0898432.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

cf1cfb5184665225519a3f31bbcd2d9f38f60a2798f52cdcfb11b9e98051d78c.exex0761818.exex0898432.exef3963997.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cf1cfb5184665225519a3f31bbcd2d9f38f60a2798f52cdcfb11b9e98051d78c.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	x0761818.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	x0898432.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f3963997.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

cf1cfb5184665225519a3f31bbcd2d9f38f60a2798f52cdcfb11b9e98051d78c.exex0761818.exex0898432.exe

description	pid	Process	procid_target
PID 3920 wrote to memory of 2300	3920	cf1cfb5184665225519a3f31bbcd2d9f38f60a2798f52cdcfb11b9e98051d78c.exe	83
PID 3920 wrote to memory of 2300	3920	cf1cfb5184665225519a3f31bbcd2d9f38f60a2798f52cdcfb11b9e98051d78c.exe	83
PID 3920 wrote to memory of 2300	3920	cf1cfb5184665225519a3f31bbcd2d9f38f60a2798f52cdcfb11b9e98051d78c.exe	83
PID 2300 wrote to memory of 912	2300	x0761818.exe	84
PID 2300 wrote to memory of 912	2300	x0761818.exe	84
PID 2300 wrote to memory of 912	2300	x0761818.exe	84
PID 912 wrote to memory of 2764	912	x0898432.exe	86
PID 912 wrote to memory of 2764	912	x0898432.exe	86
PID 912 wrote to memory of 2764	912	x0898432.exe	86

C:\Users\Admin\AppData\Local\Temp\cf1cfb5184665225519a3f31bbcd2d9f38f60a2798f52cdcfb11b9e98051d78c.exe
"C:\Users\Admin\AppData\Local\Temp\cf1cfb5184665225519a3f31bbcd2d9f38f60a2798f52cdcfb11b9e98051d78c.exe"
1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3920
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x0761818.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x0761818.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2300
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x0898432.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x0898432.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:912
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\f3963997.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\f3963997.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:2764

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x0761818.exe

Filesize
748KB

MD5
608c128589e1766440be3eac3f6fcf5b

SHA1
d11e2dc5f2070a4d761b2bff485a71f3a77868cb

SHA256
a8ede8f98752e451673e27a44fb6657506133ea5445bb9c25aeab1979a8fb20a

SHA512
309fd23d3239150326c6aa8c5b31dde38e02a3701334d45196e8cfdbf26890391f6881fbd63dcf4f15fa97b3833e3eadb4b71b6c7f5827ccf82fc8c18c8c66e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x0898432.exe

Filesize
304KB

MD5
d199fb419ed5f07f8aebea2553878ee8

SHA1
ad32f6551a684fa88f41049e4276c86553fd2150

SHA256
0869ffc645309abbca3a0fbe01efa0b0132f7604165843e9a10e837c6236dc05

SHA512
f486175dc808eb3dd0b86eddff333485b5fd5e107bc36a94ec302153b866e8846e9c541b67f0d1c9887a54591564669ce8c9c98bcc06ce812953b7d406e47e30

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\f3963997.exe

Filesize
145KB

MD5
d9cc373a20db71e6a5f90d096b82e515

SHA1
6082ae6667ab48b4a181f8553cb00e322521a199

SHA256
5ad51b850bcfccd98fd3d8a85884826773434ae6aa55eb75f3978868714e6fc1

SHA512
f1b8c3d140fa032cfbe31660ab6ebdfefedfd4b602aedaa294a7f44c1defa59e6ea8112f32bcf54140d7c2503d331c9499cb81239d739a5e3282684212823463

Download Submit
memory/2764-21-0x0000000000FC0000-0x0000000000FEA000-memory.dmp

Filesize
168KB

Download
memory/2764-22-0x0000000005DD0000-0x00000000063E8000-memory.dmp

Filesize
6.1MB

Download
memory/2764-23-0x0000000005950000-0x0000000005A5A000-memory.dmp

Filesize
1.0MB

Download
memory/2764-24-0x0000000005880000-0x0000000005892000-memory.dmp

Filesize
72KB

Download
memory/2764-25-0x00000000058E0000-0x000000000591C000-memory.dmp

Filesize
240KB

Download
memory/2764-26-0x0000000005A60000-0x0000000005AAC000-memory.dmp

Filesize
304KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads