redline | 601594bf04fcf12ea9de2717aff39d39ce0b8dca13765964caf24289c7a358a8

General

Target

601594bf04fcf12ea9de2717aff39d39ce0b8dca13765964caf24289c7a358a8.exe
Size

1.1MB
MD5

8c78214a404307bdcd333e019e6a9ee1
SHA1

8204844251327933f5a3ea4137050e5c488b4095
SHA256

601594bf04fcf12ea9de2717aff39d39ce0b8dca13765964caf24289c7a358a8
SHA512

b1492ca1d585662f8b3eb43206078dc3edc59024bf0798d4e7f72f57ea940c99ff746ebdcd794bfde74256a023fd6420b2066d033b4157aaaccecad9a63ba187
SSDEEP

24576:JyYbF1kKTPvtwrzb6kKKh9ZVcG1FAF3mRE7pCfke4HBKXlmOPYBOw:8SXLknEIVf3AF3mRE1Cfa0VmOw

Score

10^/10

redline doma discovery infostealer persistence

Malware Config

Extracted

Family

redline

Botnet

doma

C2

185.161.248.75:4132

Attributes

auth_value
8be53af7f78567706928d0abef953ef4

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 2 IoCs

resource	yara_rule
behavioral1/files/0x0008000000023ca1-19.dat	family_redline
behavioral1/memory/4424-21-0x0000000000930000-0x000000000095A000-memory.dmp	family_redline

Redline family
redline

Executes dropped EXE 3 IoCs

pid	Process
3112	x3679908.exe
1132	x9926164.exe
4424	f6830709.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	601594bf04fcf12ea9de2717aff39d39ce0b8dca13765964caf24289c7a358a8.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	x3679908.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	x9926164.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	601594bf04fcf12ea9de2717aff39d39ce0b8dca13765964caf24289c7a358a8.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	x3679908.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	x9926164.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f6830709.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 996 wrote to memory of 3112	996	601594bf04fcf12ea9de2717aff39d39ce0b8dca13765964caf24289c7a358a8.exe	83
PID 996 wrote to memory of 3112	996	601594bf04fcf12ea9de2717aff39d39ce0b8dca13765964caf24289c7a358a8.exe	83
PID 996 wrote to memory of 3112	996	601594bf04fcf12ea9de2717aff39d39ce0b8dca13765964caf24289c7a358a8.exe	83
PID 3112 wrote to memory of 1132	3112	x3679908.exe	84
PID 3112 wrote to memory of 1132	3112	x3679908.exe	84
PID 3112 wrote to memory of 1132	3112	x3679908.exe	84
PID 1132 wrote to memory of 4424	1132	x9926164.exe	86
PID 1132 wrote to memory of 4424	1132	x9926164.exe	86
PID 1132 wrote to memory of 4424	1132	x9926164.exe	86

C:\Users\Admin\AppData\Local\Temp\601594bf04fcf12ea9de2717aff39d39ce0b8dca13765964caf24289c7a358a8.exe
"C:\Users\Admin\AppData\Local\Temp\601594bf04fcf12ea9de2717aff39d39ce0b8dca13765964caf24289c7a358a8.exe"
1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:996
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x3679908.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x3679908.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3112
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x9926164.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x9926164.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1132
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\f6830709.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\f6830709.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:4424

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x3679908.exe

Filesize
748KB

MD5
45d4d191494c55946d04dff31dc3b719

SHA1
0dcb51ae355dcd7a48ed5e3291896a07f877b68d

SHA256
f72c9a9f306cc2b4cad3313096e35fd7bd99fc2e391ef860b877e8bed4d6e304

SHA512
ae9d5b814585d72aac423a9ff54e5cf8acbad50681bb42482e4bcb66d7272f5560d084d6e77e604937bf25a2790e67f63bb6f266459c149523c9e5976c796798

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x9926164.exe

Filesize
304KB

MD5
9e8c6b37e42d5cce144f4fa6c5c6b1a4

SHA1
42b2a414345efeb312cbefc98ae70a7fc0e36fa5

SHA256
a5398dd4c241ad07b34011bc96cb1bd289d42fe3fd26f26d3d77fc50d76b30dd

SHA512
f85a90e6dbbd3ba50cf163379475c849e006176066252d8574542cb6ee0c422155603001399d527579452ed86b0d4b730389fafd04750d89fb137901557385c9

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\f6830709.exe

Filesize
145KB

MD5
c37ba0d287be33cf32d5390452ba5dfd

SHA1
c7ff50eee674caa44d321032660fe020f54b35c9

SHA256
0e58f8052b38f730671284d9de2a40b81df6367c4d253c7d90839e7a06d3f5de

SHA512
d7e8f2c1951b19feb11ce0aea8a1307b7c2fdf582b6e96c64313a08b28c644fa3b6dd30ffe43c465989347fa74725c799dc1023e0243c050374889a21cb0995b

Download Submit
memory/4424-21-0x0000000000930000-0x000000000095A000-memory.dmp

Filesize
168KB

Download
memory/4424-22-0x0000000005760000-0x0000000005D78000-memory.dmp

Filesize
6.1MB

Download
memory/4424-23-0x00000000052C0000-0x00000000053CA000-memory.dmp

Filesize
1.0MB

Download
memory/4424-24-0x00000000051F0000-0x0000000005202000-memory.dmp

Filesize
72KB

Download
memory/4424-25-0x00000000053D0000-0x000000000540C000-memory.dmp

Filesize
240KB

Download
memory/4424-26-0x0000000005250000-0x000000000529C000-memory.dmp

Filesize
304KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads