redline | cbb3f407466bfc109f4993f0abde060a0603f62b35e17832ad167807160f2374

General

Target

cbb3f407466bfc109f4993f0abde060a0603f62b35e17832ad167807160f2374.exe
Size

1.1MB
MD5

63215cb82a158960be70e97d02f46b89
SHA1

3abb0adc6c6a906b8d6593de414895726aadaaac
SHA256

cbb3f407466bfc109f4993f0abde060a0603f62b35e17832ad167807160f2374
SHA512

ceef62bbd511aed8f133496f9a584ae10b2ecb0ea5ac069b9b9c63fcaad4246e7aa53c5508b240e63714423597fbcff4610704b18531d47d37aeb2f16544ccfa
SSDEEP

24576:8yMFwxBigfBUFFkC/C7G+cS3ii7ex5J23nTAmex4k+qLRpnmcLcS:rMFIBigJUvk8C7GHLAebU3nTAB47qLR1

Score

10^/10

redline doma discovery infostealer persistence

Malware Config

Extracted

Family

redline

Botnet

doma

C2

185.161.248.75:4132

Attributes

auth_value
8be53af7f78567706928d0abef953ef4

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 2 IoCs

resource	yara_rule
behavioral1/files/0x000b000000023b71-19.dat	family_redline
behavioral1/memory/2988-21-0x0000000000BC0000-0x0000000000BEA000-memory.dmp	family_redline

Redline family
redline

Executes dropped EXE 3 IoCs

pid	Process
212	x0811739.exe
2588	x3526098.exe
2988	f8796708.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	x3526098.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	cbb3f407466bfc109f4993f0abde060a0603f62b35e17832ad167807160f2374.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	x0811739.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cbb3f407466bfc109f4993f0abde060a0603f62b35e17832ad167807160f2374.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	x0811739.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	x3526098.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f8796708.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 3976 wrote to memory of 212	3976	cbb3f407466bfc109f4993f0abde060a0603f62b35e17832ad167807160f2374.exe	83
PID 3976 wrote to memory of 212	3976	cbb3f407466bfc109f4993f0abde060a0603f62b35e17832ad167807160f2374.exe	83
PID 3976 wrote to memory of 212	3976	cbb3f407466bfc109f4993f0abde060a0603f62b35e17832ad167807160f2374.exe	83
PID 212 wrote to memory of 2588	212	x0811739.exe	85
PID 212 wrote to memory of 2588	212	x0811739.exe	85
PID 212 wrote to memory of 2588	212	x0811739.exe	85
PID 2588 wrote to memory of 2988	2588	x3526098.exe	86
PID 2588 wrote to memory of 2988	2588	x3526098.exe	86
PID 2588 wrote to memory of 2988	2588	x3526098.exe	86

C:\Users\Admin\AppData\Local\Temp\cbb3f407466bfc109f4993f0abde060a0603f62b35e17832ad167807160f2374.exe
"C:\Users\Admin\AppData\Local\Temp\cbb3f407466bfc109f4993f0abde060a0603f62b35e17832ad167807160f2374.exe"
1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3976
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x0811739.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x0811739.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:212
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x3526098.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x3526098.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2588
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\f8796708.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\f8796708.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:2988

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x0811739.exe

Filesize
748KB

MD5
0cbe00970d0e829a5456f9790a197baf

SHA1
cda5dae70cfafed5f6253dad87bea77ed5f5fa9b

SHA256
bce131e0153ea7c7438630f0f5a2f67d843fde01091d94a1146e78be19d5a450

SHA512
e757a5ef11c439f29bc0968c7ef51d2959cff42d6220261d837aa43b9b5631a9d7089f89c4da417afe9f8f54210ec90139acf3c01ea5db8f2501b5433f9369d9

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x3526098.exe

Filesize
305KB

MD5
e24c48e4446c35be352d46d6c94c1fc8

SHA1
64f705df394c7f98a220f0e7c1166db2402837c9

SHA256
b94ffde46617b1690dbd04a0def2228eebb6a36311c590a683e0cfc985294020

SHA512
17e54d68bb141ab17b1710ca7a96b28fe9ce2a52f01efbaa610323dd2ff0f9ea387ca781af8fb9a23587d2e36d31109a2fecb9fe0a3817e2fb09e25659746994

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\f8796708.exe

Filesize
145KB

MD5
4d53fe20558aa1ed846e1fdd898382a7

SHA1
c2fae22def60091115b586ba018862436a0623ad

SHA256
b8b60e61c5c611014f3ee1d6b0026d13d9dd9ea4a7323485bccf9a2235857b77

SHA512
7d9f71ab979a44d3902a722c01a513440230f7a0e53abd6a1bdaf67fb4cc536f9fc589bb36b8b3d9f7245d42cba6ac9971726b68608bfa722c13767b763c988f

Download Submit
memory/2988-21-0x0000000000BC0000-0x0000000000BEA000-memory.dmp

Filesize
168KB

Download
memory/2988-22-0x0000000005B10000-0x0000000006128000-memory.dmp

Filesize
6.1MB

Download
memory/2988-23-0x0000000005690000-0x000000000579A000-memory.dmp

Filesize
1.0MB

Download
memory/2988-24-0x00000000055C0000-0x00000000055D2000-memory.dmp

Filesize
72KB

Download
memory/2988-25-0x0000000005620000-0x000000000565C000-memory.dmp

Filesize
240KB

Download
memory/2988-26-0x00000000057A0000-0x00000000057EC000-memory.dmp

Filesize
304KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads