redline | 34759e50df262be35ceec8ca34e2805537027ea5c27779e4cc1052d402e53769

General

Target

34759e50df262be35ceec8ca34e2805537027ea5c27779e4cc1052d402e53769.exe
Size

1.1MB
MD5

f74c3ab777531e28bcaec0a9169e7245
SHA1

6aa4d109ca99a9dfeef6746b45a7fecfd3cf5e79
SHA256

34759e50df262be35ceec8ca34e2805537027ea5c27779e4cc1052d402e53769
SHA512

10623bc8550ab302a56d45193c05fcf49233363425abdf98e80059bebbc62b7f078128cce9f7f01b33f6987a1dbdd0ce56b982860d0859977d45e48081602147
SSDEEP

24576:SysADYIY53rJpoZRoM+QXc43ac+i72Z0KO9ZpzGe6pnPEJP131he:59DYIs3rJy3nJcOGZABGeDvh

Score

10^/10

redline doma discovery infostealer persistence

Malware Config

Extracted

Family

redline

Botnet

doma

C2

185.161.248.75:4132

Attributes

auth_value
8be53af7f78567706928d0abef953ef4

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 2 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\f9029106.exe	family_redline
behavioral1/memory/412-21-0x00000000000B0000-0x00000000000DA000-memory.dmp	family_redline

Redline family
redline
Executes dropped EXE 3 IoCs

Processes:

x7325600.exex5438249.exef9029106.exe

pid process

3892 x7325600.exe
3616 x5438249.exe
412 f9029106.exe

pid	process
3892	x7325600.exe
3616	x5438249.exe
412	f9029106.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

34759e50df262be35ceec8ca34e2805537027ea5c27779e4cc1052d402e53769.exex7325600.exex5438249.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	34759e50df262be35ceec8ca34e2805537027ea5c27779e4cc1052d402e53769.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	x7325600.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	x5438249.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

x5438249.exef9029106.exe34759e50df262be35ceec8ca34e2805537027ea5c27779e4cc1052d402e53769.exex7325600.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	x5438249.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f9029106.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	34759e50df262be35ceec8ca34e2805537027ea5c27779e4cc1052d402e53769.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	x7325600.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

34759e50df262be35ceec8ca34e2805537027ea5c27779e4cc1052d402e53769.exex7325600.exex5438249.exe

description	pid	process	target process
PID 4736 wrote to memory of 3892	4736	34759e50df262be35ceec8ca34e2805537027ea5c27779e4cc1052d402e53769.exe	x7325600.exe
PID 4736 wrote to memory of 3892	4736	34759e50df262be35ceec8ca34e2805537027ea5c27779e4cc1052d402e53769.exe	x7325600.exe
PID 4736 wrote to memory of 3892	4736	34759e50df262be35ceec8ca34e2805537027ea5c27779e4cc1052d402e53769.exe	x7325600.exe
PID 3892 wrote to memory of 3616	3892	x7325600.exe	x5438249.exe
PID 3892 wrote to memory of 3616	3892	x7325600.exe	x5438249.exe
PID 3892 wrote to memory of 3616	3892	x7325600.exe	x5438249.exe
PID 3616 wrote to memory of 412	3616	x5438249.exe	f9029106.exe
PID 3616 wrote to memory of 412	3616	x5438249.exe	f9029106.exe
PID 3616 wrote to memory of 412	3616	x5438249.exe	f9029106.exe

C:\Users\Admin\AppData\Local\Temp\34759e50df262be35ceec8ca34e2805537027ea5c27779e4cc1052d402e53769.exe
"C:\Users\Admin\AppData\Local\Temp\34759e50df262be35ceec8ca34e2805537027ea5c27779e4cc1052d402e53769.exe"
1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4736
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x7325600.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x7325600.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3892
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x5438249.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x5438249.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3616
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\f9029106.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\f9029106.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:412

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x7325600.exe

Filesize
748KB

MD5
63c42afbc647cb61a718b1dc673003a6

SHA1
fa2414287761c764c94de9febcd5a106c3a2fe59

SHA256
85385f6b991ec34a84de75508afeb3934ed5608e2ec1d4515280b1e6e62293a4

SHA512
a7bbc6d6539c6cb47c1a8777d82b60e9ac6d0ec3a39ec0afa655c3e794accb8470a5384b653ffe288882580b214d8023ff96f700f2f8979e90d55cadc47b9fad

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x5438249.exe

Filesize
304KB

MD5
75a28701daf6aefe9f5e3765dbfa90c6

SHA1
91feb832613025d52446f42d017d6631cf861a72

SHA256
51ec8a8329de6e6613c69f42f06f9c9613c4854f05af79b317da4da9819dce3e

SHA512
1a54214f8ac997aea966214b4c13019dd67939698da19df27edb2e48b6ba2eaafbc91bca4c94e77c8b9d8f8cb9f2b704f15e652ee77fd6ad7aa8ed084afdaaa5

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\f9029106.exe

Filesize
145KB

MD5
d6355a9220ac7122227b1329bd15f52d

SHA1
60304f7ea0d417d33355985d7f7fdcbbdce14d3e

SHA256
7e35e534fb78f4ca88bd694a1173c30f737f0bc02ed80fec3350d72febdb1a13

SHA512
87d81dcdcef13927b6852d23e96ff65cdf1f19af2674c7616de1eb0abef57a6dd17ea70d516602a5fd43782f015109104918bdaca570017406d60b6db93c5035

Download Submit
memory/412-21-0x00000000000B0000-0x00000000000DA000-memory.dmp

Filesize
168KB

Download
memory/412-22-0x0000000005020000-0x0000000005638000-memory.dmp

Filesize
6.1MB

Download
memory/412-23-0x0000000004B80000-0x0000000004C8A000-memory.dmp

Filesize
1.0MB

Download
memory/412-24-0x0000000004AB0000-0x0000000004AC2000-memory.dmp

Filesize
72KB

Download
memory/412-25-0x0000000004B10000-0x0000000004B4C000-memory.dmp

Filesize
240KB

Download
memory/412-26-0x0000000004C90000-0x0000000004CDC000-memory.dmp

Filesize
304KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads