redline | 3df76763e02b01e49120b4185262a82e3b25d312f8180422aeb64da832f6d1dd

General

Target

3df76763e02b01e49120b4185262a82e3b25d312f8180422aeb64da832f6d1dd.exe
Size

1.1MB
MD5

8b635a98bee9f5ff1feaf61fedbd51a9
SHA1

dd6f2bbc263fcdbf6c6223c1049251b65f93b53b
SHA256

3df76763e02b01e49120b4185262a82e3b25d312f8180422aeb64da832f6d1dd
SHA512

4065e99292fae75eef6de1c339fc7952db4dbd700e45ef26f1ebb97566453b6dc1c2673821a77f20746e88d229304a80e6cfbc896d1a281cd070374a32e54c6d
SSDEEP

24576:ay4OUxPGTzsQ3ia11r8wadcU6xnDELRZIrQM1kRXWNFUDentRwt4Fa:h4KPn3iaDgLRZAQxRXW3UIwSF

Score

10^/10

redline doma discovery infostealer persistence

Malware Config

Extracted

Family

redline

Botnet

doma

C2

185.161.248.75:4132

Attributes

auth_value
8be53af7f78567706928d0abef953ef4

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 2 IoCs

resource	yara_rule
behavioral1/files/0x0008000000023cb9-19.dat	family_redline
behavioral1/memory/1224-21-0x0000000000530000-0x000000000055A000-memory.dmp	family_redline

Redline family
redline

Executes dropped EXE 3 IoCs

pid	Process
1380	x7798655.exe
2640	x4129282.exe
1224	f9972881.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	x4129282.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	3df76763e02b01e49120b4185262a82e3b25d312f8180422aeb64da832f6d1dd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	x7798655.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	x4129282.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f9972881.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3df76763e02b01e49120b4185262a82e3b25d312f8180422aeb64da832f6d1dd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	x7798655.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 916 wrote to memory of 1380	916	3df76763e02b01e49120b4185262a82e3b25d312f8180422aeb64da832f6d1dd.exe	83
PID 916 wrote to memory of 1380	916	3df76763e02b01e49120b4185262a82e3b25d312f8180422aeb64da832f6d1dd.exe	83
PID 916 wrote to memory of 1380	916	3df76763e02b01e49120b4185262a82e3b25d312f8180422aeb64da832f6d1dd.exe	83
PID 1380 wrote to memory of 2640	1380	x7798655.exe	84
PID 1380 wrote to memory of 2640	1380	x7798655.exe	84
PID 1380 wrote to memory of 2640	1380	x7798655.exe	84
PID 2640 wrote to memory of 1224	2640	x4129282.exe	85
PID 2640 wrote to memory of 1224	2640	x4129282.exe	85
PID 2640 wrote to memory of 1224	2640	x4129282.exe	85

C:\Users\Admin\AppData\Local\Temp\3df76763e02b01e49120b4185262a82e3b25d312f8180422aeb64da832f6d1dd.exe
"C:\Users\Admin\AppData\Local\Temp\3df76763e02b01e49120b4185262a82e3b25d312f8180422aeb64da832f6d1dd.exe"
1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:916
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x7798655.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x7798655.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1380
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x4129282.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x4129282.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2640
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\f9972881.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\f9972881.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:1224

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x7798655.exe

Filesize
748KB

MD5
85fad15ca4f0bd90ce43c58ff98a4ed8

SHA1
930f090fa0c0ef6ee425321b16f9fe513c9a5d3e

SHA256
1166d5f4213b8864cf1880a4ffec56fff387c27379d71aab0412f1e1dca40eb0

SHA512
f74bfcd89607f845c9fcad95cf39fe91baa7b640b1cd92e1f86ca9b919f60419d9e2f7c11fde9b48a76e7b349db64b364b3b6699f7bf3911785daeb71233d97d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x4129282.exe

Filesize
304KB

MD5
50a7165814e25af726ada6673155faac

SHA1
53b2ae536565b1d8a6f0a8688d21715529a3d1dc

SHA256
6e456a4379cdbc7a0bf24ecc41fe8678697ff0e1127d97f64720d5f39405361d

SHA512
21ee36cc46f4c0ea8abe978ce44f67df345f8988305eac51daf00696cb8f96270d6bc7f6fa81229780bb386078f1c77d93bde337310c0fc3a6e0bd9087324102

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\f9972881.exe

Filesize
145KB

MD5
c4e363b81e212fb7f427855321524202

SHA1
17e4420180035ca3fdfc278e903ab9da2b181fc0

SHA256
896acc843c6222b496511442e729a4688c79347d0e9bd73997cfb2f0445eac15

SHA512
cfc4a21cbef0d75ea6f9a47fd6fcc8da78d7adfd01d3b65be688ceeec745667f14327ba209e0fa6d19a8b4f7655081e4399d6b353290cee73ab5f528722daf9a

Download Submit
memory/1224-21-0x0000000000530000-0x000000000055A000-memory.dmp

Filesize
168KB

Download
memory/1224-22-0x00000000054B0000-0x0000000005AC8000-memory.dmp

Filesize
6.1MB

Download
memory/1224-23-0x0000000005000000-0x000000000510A000-memory.dmp

Filesize
1.0MB

Download
memory/1224-24-0x0000000004F30000-0x0000000004F42000-memory.dmp

Filesize
72KB

Download
memory/1224-25-0x0000000004FA0000-0x0000000004FDC000-memory.dmp

Filesize
240KB

Download
memory/1224-26-0x0000000005110000-0x000000000515C000-memory.dmp

Filesize
304KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads