redline | 3831ed6401db49d4e4294d6889376f76915b71483a33e0ef302b334c1a6d0050

General

Target

3831ed6401db49d4e4294d6889376f76915b71483a33e0ef302b334c1a6d0050.exe
Size

1.1MB
MD5

5eac764cd59b0ffe14dce4da3f2e696d
SHA1

30884d3e6789ee73497c41cf21a3138cb363af5c
SHA256

3831ed6401db49d4e4294d6889376f76915b71483a33e0ef302b334c1a6d0050
SHA512

da5d0ced74e194d543f79af1fb362a14d7c4c47e0c9665cd63dc10c70d86195a7fcb2ffefb6621ee74aac9e2d8684cb22aec2025a5c506fb7843a52657e051bf
SSDEEP

24576:YyteWMO9I0RVGY0VixSA3LKD6pZJmAM3lz+BDXJtf4mC159lA56x:fcWMT0RVGY0VixSSWD86Nqjrf4dT9eA

Score

10^/10

redline doma discovery infostealer persistence

Malware Config

Extracted

Family

redline

Botnet

doma

C2

185.161.248.75:4132

Attributes

auth_value
8be53af7f78567706928d0abef953ef4

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 2 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\f3397233.exe	family_redline
behavioral1/memory/2808-21-0x0000000000170000-0x000000000019A000-memory.dmp	family_redline

Redline family
redline
Executes dropped EXE 3 IoCs

Processes:

x1409335.exex4136118.exef3397233.exe

pid process

5080 x1409335.exe
2188 x4136118.exe
2808 f3397233.exe

pid	process
5080	x1409335.exe
2188	x4136118.exe
2808	f3397233.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

3831ed6401db49d4e4294d6889376f76915b71483a33e0ef302b334c1a6d0050.exex1409335.exex4136118.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	3831ed6401db49d4e4294d6889376f76915b71483a33e0ef302b334c1a6d0050.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	x1409335.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	x4136118.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

3831ed6401db49d4e4294d6889376f76915b71483a33e0ef302b334c1a6d0050.exex1409335.exex4136118.exef3397233.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3831ed6401db49d4e4294d6889376f76915b71483a33e0ef302b334c1a6d0050.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	x1409335.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	x4136118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f3397233.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

3831ed6401db49d4e4294d6889376f76915b71483a33e0ef302b334c1a6d0050.exex1409335.exex4136118.exe

description	pid	process	target process
PID 4420 wrote to memory of 5080	4420	3831ed6401db49d4e4294d6889376f76915b71483a33e0ef302b334c1a6d0050.exe	x1409335.exe
PID 4420 wrote to memory of 5080	4420	3831ed6401db49d4e4294d6889376f76915b71483a33e0ef302b334c1a6d0050.exe	x1409335.exe
PID 4420 wrote to memory of 5080	4420	3831ed6401db49d4e4294d6889376f76915b71483a33e0ef302b334c1a6d0050.exe	x1409335.exe
PID 5080 wrote to memory of 2188	5080	x1409335.exe	x4136118.exe
PID 5080 wrote to memory of 2188	5080	x1409335.exe	x4136118.exe
PID 5080 wrote to memory of 2188	5080	x1409335.exe	x4136118.exe
PID 2188 wrote to memory of 2808	2188	x4136118.exe	f3397233.exe
PID 2188 wrote to memory of 2808	2188	x4136118.exe	f3397233.exe
PID 2188 wrote to memory of 2808	2188	x4136118.exe	f3397233.exe

C:\Users\Admin\AppData\Local\Temp\3831ed6401db49d4e4294d6889376f76915b71483a33e0ef302b334c1a6d0050.exe
"C:\Users\Admin\AppData\Local\Temp\3831ed6401db49d4e4294d6889376f76915b71483a33e0ef302b334c1a6d0050.exe"
1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4420
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x1409335.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x1409335.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:5080
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x4136118.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x4136118.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2188
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\f3397233.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\f3397233.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:2808

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x1409335.exe

Filesize
748KB

MD5
4a07ee5e5952e40d9032faab7988ffef

SHA1
18ba2903e9be7c709d4b219e0a3266e0dbfe302c

SHA256
9826f0a37320a2854877a94546eea5433a7170e874b9057efe9377c25d26bb32

SHA512
a019600371e3156a284c61160ecb02db142507c1a6c4fa942155142549348080720a04e580454f7db622c1e30b89b8e953770bd09793b84103e6b8bf93a928f4

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x4136118.exe

Filesize
304KB

MD5
3e0483c21bece79ea5520ca2c3bc03ef

SHA1
ef4aceb541fcb88b4ab587ce3526564bd67d2b70

SHA256
507ff302d0285dd5f8b40021d089a0cc449900576d04a614495d180a9b13f1b1

SHA512
75abed8d8c4742ab049af3ca8fbee8a85a0e59292a45a31667fe5db598b425e2826c8788e406b1dbaecbc7b06e1cacfcd0f7b0c74b6db395ba18481da6d0e7a9

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\f3397233.exe

Filesize
145KB

MD5
bc999ad37831041833ae4441104cf64c

SHA1
3b3f9c6b002f60b9fa6f78558b7e480690d1fe23

SHA256
30016f0c659371772703cb20b81fbcd996e6d7830398afb8827cafd4f1ffd073

SHA512
5181bc8f78c3c2838f8dd8fc9f01399822f3dd91977ab92d731a027491cb146c629503550602f0542835ca2259324944d609fa1ce9a1d0a91721f862e410853c

Download Submit
memory/2808-21-0x0000000000170000-0x000000000019A000-memory.dmp

Filesize
168KB

Download
memory/2808-22-0x0000000004F90000-0x00000000055A8000-memory.dmp

Filesize
6.1MB

Download
memory/2808-23-0x0000000004B00000-0x0000000004C0A000-memory.dmp

Filesize
1.0MB

Download
memory/2808-24-0x0000000004A30000-0x0000000004A42000-memory.dmp

Filesize
72KB

Download
memory/2808-25-0x0000000004A90000-0x0000000004ACC000-memory.dmp

Filesize
240KB

Download
memory/2808-26-0x0000000004C10000-0x0000000004C5C000-memory.dmp

Filesize
304KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads