redline | 3b477d5f39a445d0da3a0d750c5da819341b239bd3f47c402d1c6e315c9707cd

General

Target

3b477d5f39a445d0da3a0d750c5da819341b239bd3f47c402d1c6e315c9707cd.exe
Size

1.2MB
MD5

e34168b321acfae01580660db149a321
SHA1

5b4b00315704e699353c08da34adc7722c1f7c47
SHA256

3b477d5f39a445d0da3a0d750c5da819341b239bd3f47c402d1c6e315c9707cd
SHA512

619ed617dced9e83e68cebdb585ca1e02a71edf638b53eb2ea4cd7068f9dfe151361abd428ce97260bb61432bafcb7ce385d89793d804c8fe25331bd1c2465c2
SSDEEP

24576:nyvJFzj16EXvL4cllj7JGiSFfLe31gWTQw1C5El4vI4KaIQvPvfHxj0/:yvJD6Ez4KVG1Ffa310+C5Eqg4Xv/HR0

Score

10^/10

redline doma discovery infostealer persistence

Malware Config

Extracted

Family

redline

Botnet

doma

C2

185.161.248.75:4132

Attributes

auth_value
8be53af7f78567706928d0abef953ef4

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 2 IoCs

resource	yara_rule
behavioral1/files/0x0008000000023c8c-19.dat	family_redline
behavioral1/memory/4672-21-0x0000000000A80000-0x0000000000AAA000-memory.dmp	family_redline

Redline family
redline

Executes dropped EXE 3 IoCs

pid	Process
2744	x6112735.exe
2040	x4519668.exe
4672	f0290617.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	3b477d5f39a445d0da3a0d750c5da819341b239bd3f47c402d1c6e315c9707cd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	x6112735.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	x4519668.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f0290617.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3b477d5f39a445d0da3a0d750c5da819341b239bd3f47c402d1c6e315c9707cd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	x6112735.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	x4519668.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 4764 wrote to memory of 2744	4764	3b477d5f39a445d0da3a0d750c5da819341b239bd3f47c402d1c6e315c9707cd.exe	83
PID 4764 wrote to memory of 2744	4764	3b477d5f39a445d0da3a0d750c5da819341b239bd3f47c402d1c6e315c9707cd.exe	83
PID 4764 wrote to memory of 2744	4764	3b477d5f39a445d0da3a0d750c5da819341b239bd3f47c402d1c6e315c9707cd.exe	83
PID 2744 wrote to memory of 2040	2744	x6112735.exe	84
PID 2744 wrote to memory of 2040	2744	x6112735.exe	84
PID 2744 wrote to memory of 2040	2744	x6112735.exe	84
PID 2040 wrote to memory of 4672	2040	x4519668.exe	85
PID 2040 wrote to memory of 4672	2040	x4519668.exe	85
PID 2040 wrote to memory of 4672	2040	x4519668.exe	85

C:\Users\Admin\AppData\Local\Temp\3b477d5f39a445d0da3a0d750c5da819341b239bd3f47c402d1c6e315c9707cd.exe
"C:\Users\Admin\AppData\Local\Temp\3b477d5f39a445d0da3a0d750c5da819341b239bd3f47c402d1c6e315c9707cd.exe"
1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4764
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x6112735.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x6112735.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2744
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x4519668.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x4519668.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2040
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\f0290617.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\f0290617.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:4672

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x6112735.exe

Filesize
869KB

MD5
f7d6f966dcbe5b391503bdff99a2aeb1

SHA1
266156f0cdce3093d2896e641bb4bb02aedad3aa

SHA256
1b5068525f5427ff0544d5d3d2d4203cd4a2c49089ca556692497ec7d7adf2e0

SHA512
07b1f8323389dd11bdf889eef65b64a2be862e00cc22a9e42888168e870112e50ea66db578538374c7008d664c38e83b1f9ba724bb55ce57b3a6f90788a5c4f6

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x4519668.exe

Filesize
424KB

MD5
cdc0c86b78e9d89bf0c5a08b2c3a74e5

SHA1
a758297bdbd94773f67c646dad9eb7788fe2c256

SHA256
87ac046584fae010a64fb7f51c80b5de913f212f55543ec811d2c77f633900fc

SHA512
c65940784d2bc17fbde96f603aac5184c96204fbd7e6143ec8eaaecc677ebb8bb116af50e13b5ba5cb0976d5b7ff9df309cb116ce6f78d09b524c1198f4e2efb

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\f0290617.exe

Filesize
145KB

MD5
ab42355a425801f827af44fff324b0b9

SHA1
07749a775b27426a193f67e62ddbe6bef51e17ba

SHA256
67373a179fad255fed77a9106067f247322bb73a33921c17eb1d8d090f3be4fd

SHA512
ebf280f779aeb6f674644af884bbc9c523264fdd61351537de43a1d806cbbd1301323087470f9088b3ac10c15d1874fd673ff8288200eb438a0920c0ad446768

Download Submit
memory/4672-21-0x0000000000A80000-0x0000000000AAA000-memory.dmp

Filesize
168KB

Download
memory/4672-22-0x0000000005930000-0x0000000005F48000-memory.dmp

Filesize
6.1MB

Download
memory/4672-23-0x0000000005420000-0x000000000552A000-memory.dmp

Filesize
1.0MB

Download
memory/4672-24-0x0000000005340000-0x0000000005352000-memory.dmp

Filesize
72KB

Download
memory/4672-25-0x00000000053A0000-0x00000000053DC000-memory.dmp

Filesize
240KB

Download
memory/4672-26-0x0000000005530000-0x000000000557C000-memory.dmp

Filesize
304KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads