redline | 44b46ed7dce096d6ed1f6dacf848df1348e1dfe953e21bfa767419b64d8a09c1

General

Target

44b46ed7dce096d6ed1f6dacf848df1348e1dfe953e21bfa767419b64d8a09c1.exe
Size

469KB
MD5

ac5f1170ed5bbccfc6eba263ec81d689
SHA1

3da33a726000e660e88a9443c59e828a760c86e1
SHA256

44b46ed7dce096d6ed1f6dacf848df1348e1dfe953e21bfa767419b64d8a09c1
SHA512

5458a52b49b220fd182f7c0b5fe6bf76c6a09d85ef0494c56c9915a2cfcb5d993b20e6bd6a9d6eda96bf66158b3151c46ca9c1ea1f49123cb23e15f414d16dbe
SSDEEP

12288:3Mrzy901/vnsVopJxMmKjbkOm15kiWqqPvTfDONBq9KwDJGg:4yUkVWxMmKvkr1GqqPv/ONBqMuH

Score

10^/10

redline fukia discovery infostealer persistence

Malware Config

Extracted

Family

redline

Botnet

fukia

C2

193.233.20.13:4136

Attributes

auth_value
e5783636fbd9e4f0cf9a017bce02e67e

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 2 IoCs

resource	yara_rule
behavioral1/files/0x0008000000023c85-12.dat	family_redline
behavioral1/memory/5028-15-0x0000000000640000-0x0000000000672000-memory.dmp	family_redline

Redline family
redline

Executes dropped EXE 2 IoCs

pid	Process
4196	npN06.exe
5028	bAQ76.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	npN06.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	44b46ed7dce096d6ed1f6dacf848df1348e1dfe953e21bfa767419b64d8a09c1.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	44b46ed7dce096d6ed1f6dacf848df1348e1dfe953e21bfa767419b64d8a09c1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	npN06.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bAQ76.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 4504 wrote to memory of 4196	4504	44b46ed7dce096d6ed1f6dacf848df1348e1dfe953e21bfa767419b64d8a09c1.exe	83
PID 4504 wrote to memory of 4196	4504	44b46ed7dce096d6ed1f6dacf848df1348e1dfe953e21bfa767419b64d8a09c1.exe	83
PID 4504 wrote to memory of 4196	4504	44b46ed7dce096d6ed1f6dacf848df1348e1dfe953e21bfa767419b64d8a09c1.exe	83
PID 4196 wrote to memory of 5028	4196	npN06.exe	84
PID 4196 wrote to memory of 5028	4196	npN06.exe	84
PID 4196 wrote to memory of 5028	4196	npN06.exe	84

C:\Users\Admin\AppData\Local\Temp\44b46ed7dce096d6ed1f6dacf848df1348e1dfe953e21bfa767419b64d8a09c1.exe
"C:\Users\Admin\AppData\Local\Temp\44b46ed7dce096d6ed1f6dacf848df1348e1dfe953e21bfa767419b64d8a09c1.exe"
1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4504
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\npN06.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\npN06.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4196
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\bAQ76.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\bAQ76.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:5028

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\npN06.exe

Filesize
202KB

MD5
61345df6f6e0f5c15aaee9bcf0b76920

SHA1
de5c3409c634b1775c2425e30e3d405196387240

SHA256
5150a6cd722af28f792530e12c9933d78f243f8e3e3419c7f15bf326243140de

SHA512
9964ae0184335885db93a3f9ac72c84ae9801d9c3204cd4729db74040dc712d5f7c4447c069e28222c2a85457cd40c06938c3ecc1b9183aa75b85eb5962b21c6

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\bAQ76.exe

Filesize
175KB

MD5
a5f5c5d6291c7ae9e1d1b7ed1e551490

SHA1
3d06413341893b838549939e15f8f1eec423d71a

SHA256
1a09ce1cb64219a5d88e57845dc9ba6631efa06fccc8867ccf94eb132947563e

SHA512
d9b3ba67bdd615ee2ce91a29cd9cf6723464be27bf45186fd0e9559ff2b0e7c51b423cfc3e32b5e90955046fb75a34c4a8528df7294b6c831ca254a65d2b8ba2

Download Submit
memory/5028-14-0x000000007435E000-0x000000007435F000-memory.dmp

Filesize
4KB

Download
memory/5028-15-0x0000000000640000-0x0000000000672000-memory.dmp

Filesize
200KB

Download
memory/5028-16-0x0000000005620000-0x0000000005C38000-memory.dmp

Filesize
6.1MB

Download
memory/5028-17-0x0000000005120000-0x000000000522A000-memory.dmp

Filesize
1.0MB

Download
memory/5028-18-0x0000000005050000-0x0000000005062000-memory.dmp

Filesize
72KB

Download
memory/5028-19-0x00000000050B0000-0x00000000050EC000-memory.dmp

Filesize
240KB

Download
memory/5028-20-0x0000000005230000-0x000000000527C000-memory.dmp

Filesize
304KB

Download
memory/5028-21-0x000000007435E000-0x000000007435F000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads