redline | 9c1ae8110a6dbfa1e10e72f7cb85d92bda8fc9258d4dfb4cb7d56c46a588060e

General

Target

9c1ae8110a6dbfa1e10e72f7cb85d92bda8fc9258d4dfb4cb7d56c46a588060e.exe
Size

1.1MB
MD5

2486cea3f13755d6eedcf5c0001bec31
SHA1

a8f71f163583dda2f4131a5d5c793294582c14ac
SHA256

9c1ae8110a6dbfa1e10e72f7cb85d92bda8fc9258d4dfb4cb7d56c46a588060e
SHA512

e832c83da1796ea64188e053db8525336c985a8d28f42875e7bdc065f48a416748bd219e4684fd81e883501b21af8fe7309996644ff09817babf459ae1bfc178
SSDEEP

12288:ZMr3y90faOUok5MZjkWP7kt5h/7uyVm6WBlfBA+7pkS0Z9si0726UzXbZqtYp2OX:Ky7OW1Ht5BbE7R0jsmXzU2NJF8denTr

Score

10^/10

redline doma discovery infostealer persistence

Malware Config

Extracted

Family

redline

Botnet

doma

C2

185.161.248.75:4132

Attributes

auth_value
8be53af7f78567706928d0abef953ef4

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 2 IoCs

resource	yara_rule
behavioral1/files/0x0008000000023ca3-19.dat	family_redline
behavioral1/memory/4264-21-0x0000000000C60000-0x0000000000C8A000-memory.dmp	family_redline

Redline family
redline

Executes dropped EXE 3 IoCs

pid	Process
3304	x9015588.exe
2424	x6616735.exe
4264	f5052165.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	x6616735.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	9c1ae8110a6dbfa1e10e72f7cb85d92bda8fc9258d4dfb4cb7d56c46a588060e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	x9015588.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	x9015588.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	x6616735.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f5052165.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	9c1ae8110a6dbfa1e10e72f7cb85d92bda8fc9258d4dfb4cb7d56c46a588060e.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 1848 wrote to memory of 3304	1848	9c1ae8110a6dbfa1e10e72f7cb85d92bda8fc9258d4dfb4cb7d56c46a588060e.exe	83
PID 1848 wrote to memory of 3304	1848	9c1ae8110a6dbfa1e10e72f7cb85d92bda8fc9258d4dfb4cb7d56c46a588060e.exe	83
PID 1848 wrote to memory of 3304	1848	9c1ae8110a6dbfa1e10e72f7cb85d92bda8fc9258d4dfb4cb7d56c46a588060e.exe	83
PID 3304 wrote to memory of 2424	3304	x9015588.exe	85
PID 3304 wrote to memory of 2424	3304	x9015588.exe	85
PID 3304 wrote to memory of 2424	3304	x9015588.exe	85
PID 2424 wrote to memory of 4264	2424	x6616735.exe	86
PID 2424 wrote to memory of 4264	2424	x6616735.exe	86
PID 2424 wrote to memory of 4264	2424	x6616735.exe	86

C:\Users\Admin\AppData\Local\Temp\9c1ae8110a6dbfa1e10e72f7cb85d92bda8fc9258d4dfb4cb7d56c46a588060e.exe
"C:\Users\Admin\AppData\Local\Temp\9c1ae8110a6dbfa1e10e72f7cb85d92bda8fc9258d4dfb4cb7d56c46a588060e.exe"
1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1848
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x9015588.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x9015588.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3304
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x6616735.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x6616735.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2424
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\f5052165.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\f5052165.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:4264

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x9015588.exe

Filesize
749KB

MD5
ec5142567681c2b5c3b1e6713a02c6d4

SHA1
d36b958f9d537f317f465da78c11396492f8c56d

SHA256
e0195c9d45e07fb44c7a6d6b5df7bc6c6304c4185861b7a791b34dcc38c7ba6a

SHA512
d87bbd0bb9ec3fd2cdb06a6e50cae695acb5014009146f14ae4f79b9e848984a1a278dc8ff403de8c79a2c96d167c218229163eabba5eb8495a99f27093b82a6

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x6616735.exe

Filesize
304KB

MD5
03bfcea2be3154bf7146960621c0ae6d

SHA1
616a72f2d94856efced3f0acac6f5c83832998b6

SHA256
3facb3934fecdf6ce5ca582492d11ecac8f618c5bbebb4dfb17647b66e13bd04

SHA512
6626786ca7693b0b741337159e19381f900a81ad8d824eceb422d5f5eaa0ae39bf4dcf0d561a74d38ce61335c5ef9416735aaacbfc2ecb09cc2e15d2f6513822

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\f5052165.exe

Filesize
145KB

MD5
b2c32cf9afda24737d757bc7fc41b6a2

SHA1
1dd5ad8ab4e2e9a5835928be0deb5aca2a97eb85

SHA256
e55f5d0641a80ca9dc4c75b6e1676baad0d84105f3bd274332f838b2669656e7

SHA512
2005fbd949c20d9660391a924040bab331c2ee77f985563f2210e578aaa19ff313ae84b11fe56e170cd06e58d5682944f17094d16868baf13cb4bcf81df29b21

Download Submit
memory/4264-21-0x0000000000C60000-0x0000000000C8A000-memory.dmp

Filesize
168KB

Download
memory/4264-22-0x0000000005A70000-0x0000000006088000-memory.dmp

Filesize
6.1MB

Download
memory/4264-23-0x00000000055F0000-0x00000000056FA000-memory.dmp

Filesize
1.0MB

Download
memory/4264-24-0x0000000005520000-0x0000000005532000-memory.dmp

Filesize
72KB

Download
memory/4264-25-0x00000000055A0000-0x00000000055DC000-memory.dmp

Filesize
240KB

Download
memory/4264-26-0x0000000005540000-0x000000000558C000-memory.dmp

Filesize
304KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads