redline | f7c4a23bb2afbf1363b07c8752ff9000c589d779c52e68d2b957935d50d97d38

General

Target

f7c4a23bb2afbf1363b07c8752ff9000c589d779c52e68d2b957935d50d97d38.exe
Size

1.1MB
MD5

68e4b5f9a26d9deaf59293bf5baf942b
SHA1

dcc09c67b342cd251895fad598a491ab56fac8e2
SHA256

f7c4a23bb2afbf1363b07c8752ff9000c589d779c52e68d2b957935d50d97d38
SHA512

58a8b47c6ef099be08446c2dc651dd143f8634c97eeb58ee885a41f3b3313f1a9deda124c689ce90c78327b49980c87b242b5ef12e83e289858d0a61595807b0
SSDEEP

24576:ty6uPVh+0/qN/6jQi7Fa75GKIhL3KD1VgirpcdThBpFs6eYY:I6uPVh+0lp7A9tMirY9xs6eY

Score

10^/10

redline doma discovery infostealer persistence

Malware Config

Extracted

Family

redline

Botnet

doma

C2

185.161.248.75:4132

Attributes

auth_value
8be53af7f78567706928d0abef953ef4

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 2 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\f5662936.exe	family_redline
behavioral1/memory/2020-21-0x0000000000070000-0x000000000009A000-memory.dmp	family_redline

Redline family
redline
Executes dropped EXE 3 IoCs

Processes:

x1349921.exex4195911.exef5662936.exe

pid process

5060 x1349921.exe
2952 x4195911.exe
2020 f5662936.exe

pid	process
5060	x1349921.exe
2952	x4195911.exe
2020	f5662936.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

x1349921.exex4195911.exef7c4a23bb2afbf1363b07c8752ff9000c589d779c52e68d2b957935d50d97d38.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	x1349921.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	x4195911.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	f7c4a23bb2afbf1363b07c8752ff9000c589d779c52e68d2b957935d50d97d38.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

x1349921.exex4195911.exef5662936.exef7c4a23bb2afbf1363b07c8752ff9000c589d779c52e68d2b957935d50d97d38.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	x1349921.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	x4195911.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f5662936.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f7c4a23bb2afbf1363b07c8752ff9000c589d779c52e68d2b957935d50d97d38.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

f7c4a23bb2afbf1363b07c8752ff9000c589d779c52e68d2b957935d50d97d38.exex1349921.exex4195911.exe

description	pid	process	target process
PID 2024 wrote to memory of 5060	2024	f7c4a23bb2afbf1363b07c8752ff9000c589d779c52e68d2b957935d50d97d38.exe	x1349921.exe
PID 2024 wrote to memory of 5060	2024	f7c4a23bb2afbf1363b07c8752ff9000c589d779c52e68d2b957935d50d97d38.exe	x1349921.exe
PID 2024 wrote to memory of 5060	2024	f7c4a23bb2afbf1363b07c8752ff9000c589d779c52e68d2b957935d50d97d38.exe	x1349921.exe
PID 5060 wrote to memory of 2952	5060	x1349921.exe	x4195911.exe
PID 5060 wrote to memory of 2952	5060	x1349921.exe	x4195911.exe
PID 5060 wrote to memory of 2952	5060	x1349921.exe	x4195911.exe
PID 2952 wrote to memory of 2020	2952	x4195911.exe	f5662936.exe
PID 2952 wrote to memory of 2020	2952	x4195911.exe	f5662936.exe
PID 2952 wrote to memory of 2020	2952	x4195911.exe	f5662936.exe

C:\Users\Admin\AppData\Local\Temp\f7c4a23bb2afbf1363b07c8752ff9000c589d779c52e68d2b957935d50d97d38.exe
"C:\Users\Admin\AppData\Local\Temp\f7c4a23bb2afbf1363b07c8752ff9000c589d779c52e68d2b957935d50d97d38.exe"
1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2024
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x1349921.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x1349921.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:5060
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x4195911.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x4195911.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2952
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\f5662936.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\f5662936.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:2020

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x1349921.exe

Filesize
749KB

MD5
7531cc2e8cdd2f9b79de5a898bcbd24e

SHA1
03758fc4b29be39d028aeba2d08809748d32fc4d

SHA256
4fcacd6c0c7975d1330bc8f2b401f1c0da20c8fd88c59fb59b0eacbb0f59a282

SHA512
a754951d012ea850864b49ad9a7647e87db2812a790a2700e963a9f7fcb2b1a2c6728808ed85b11a2cbaabf7b1f97402e923dbb196beb1a502de4aa995a6c5d6

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x4195911.exe

Filesize
304KB

MD5
af62aeaa251b864dba576ed1b356ae30

SHA1
cad7fc68f003479e02b61d94273e9bf1ffe56bf8

SHA256
3f123e9e2fd58189112361daf35187405ab40fbbb463cac97607e2b4546ed09b

SHA512
a6be6819e966bf945019382b2d8d2f9841b6e5d2e5cf7c7f3012afeda449ec033b8b1545688ce83acc4547b70f8a350c46bd341560707a55f8aec1b55fd721e8

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\f5662936.exe

Filesize
145KB

MD5
92d50b88b1c9c9b05cf1ff8209956fcd

SHA1
2f892f89ead71c231859840189091750e5aa7e56

SHA256
15d7864cbe3bcd014a1c35b9cf69beee9818e07a6ec04be2ca0a5a7bf2915c17

SHA512
ee7226d6fc7510e1b98825747234288f72442b4f3482d7ff1f3a96a6d80fa78f487313fffbcc4b2d9d3beda070270c6ad6bfb7a3292bbb7231443289c42841a2

Download Submit
memory/2020-21-0x0000000000070000-0x000000000009A000-memory.dmp

Filesize
168KB

Download
memory/2020-22-0x0000000004EB0000-0x00000000054C8000-memory.dmp

Filesize
6.1MB

Download
memory/2020-23-0x0000000004A00000-0x0000000004B0A000-memory.dmp

Filesize
1.0MB

Download
memory/2020-24-0x0000000004930000-0x0000000004942000-memory.dmp

Filesize
72KB

Download
memory/2020-25-0x0000000004990000-0x00000000049CC000-memory.dmp

Filesize
240KB

Download
memory/2020-26-0x0000000004B10000-0x0000000004B5C000-memory.dmp

Filesize
304KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads