redline | a2428add09ecd5325ce9a602550984188d162eecb2825ea6c52cb8fb1ea2683a

General

Target

a2428add09ecd5325ce9a602550984188d162eecb2825ea6c52cb8fb1ea2683a.exe
Size

1.1MB
MD5

e63248f1b85279aca6ae445ed6eeed8e
SHA1

87cdf186105225e784d4805b682e866af3ed92c1
SHA256

a2428add09ecd5325ce9a602550984188d162eecb2825ea6c52cb8fb1ea2683a
SHA512

08bd1cfe6552016908cf8a60606042ce069ebff0952cd86cea745934b310ebb334a49fe45d15d3a787cc2346821cecf5486779cc27b62d8181979afa499d2102
SSDEEP

24576:hyH2NWIfzXZ4tu+FzKFiWI5QKH5zDP3HK9KeNvlR9fn6j9LUZwgYXw:UWN7rg+iBZzDPyNNLyj9Q6X

Score

10^/10

redline doma discovery infostealer persistence

Malware Config

Extracted

Family

redline

Botnet

doma

C2

185.161.248.75:4132

Attributes

auth_value
8be53af7f78567706928d0abef953ef4

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 2 IoCs

Processes:

resource	yara_rule
behavioral1/files/0x000b000000023b6d-19.dat	family_redline
behavioral1/memory/4212-21-0x0000000000EF0000-0x0000000000F1A000-memory.dmp	family_redline

Redline family
redline

Executes dropped EXE 3 IoCs

Processes:

x9762026.exex3722132.exef5107471.exe

pid	Process
1516	x9762026.exe
5112	x3722132.exe
4212	f5107471.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

a2428add09ecd5325ce9a602550984188d162eecb2825ea6c52cb8fb1ea2683a.exex9762026.exex3722132.exe

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	a2428add09ecd5325ce9a602550984188d162eecb2825ea6c52cb8fb1ea2683a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	x9762026.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	x3722132.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

a2428add09ecd5325ce9a602550984188d162eecb2825ea6c52cb8fb1ea2683a.exex9762026.exex3722132.exef5107471.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a2428add09ecd5325ce9a602550984188d162eecb2825ea6c52cb8fb1ea2683a.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	x9762026.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	x3722132.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f5107471.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

a2428add09ecd5325ce9a602550984188d162eecb2825ea6c52cb8fb1ea2683a.exex9762026.exex3722132.exe

description	pid	Process	procid_target
PID 3200 wrote to memory of 1516	3200	a2428add09ecd5325ce9a602550984188d162eecb2825ea6c52cb8fb1ea2683a.exe	84
PID 3200 wrote to memory of 1516	3200	a2428add09ecd5325ce9a602550984188d162eecb2825ea6c52cb8fb1ea2683a.exe	84
PID 3200 wrote to memory of 1516	3200	a2428add09ecd5325ce9a602550984188d162eecb2825ea6c52cb8fb1ea2683a.exe	84
PID 1516 wrote to memory of 5112	1516	x9762026.exe	85
PID 1516 wrote to memory of 5112	1516	x9762026.exe	85
PID 1516 wrote to memory of 5112	1516	x9762026.exe	85
PID 5112 wrote to memory of 4212	5112	x3722132.exe	87
PID 5112 wrote to memory of 4212	5112	x3722132.exe	87
PID 5112 wrote to memory of 4212	5112	x3722132.exe	87

C:\Users\Admin\AppData\Local\Temp\a2428add09ecd5325ce9a602550984188d162eecb2825ea6c52cb8fb1ea2683a.exe
"C:\Users\Admin\AppData\Local\Temp\a2428add09ecd5325ce9a602550984188d162eecb2825ea6c52cb8fb1ea2683a.exe"
1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3200
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x9762026.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x9762026.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1516
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x3722132.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x3722132.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:5112
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\f5107471.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\f5107471.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:4212

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x9762026.exe

Filesize
748KB

MD5
44d61c080dd44084c157ea37e46140c2

SHA1
14d052c589333db6601dfd6acaf3ecfec63dfe39

SHA256
3675a48bfd6fad8484e05cec5aeacd17aca5ab2f40c3cce531e10f061dd3d38e

SHA512
1957eb47e93a9a79ddf354c235cca3ef3897a1ca960e563d00989f077374c48acbbda13245671e6aa1240475d021df686fae2e5a23d577b7d50290346c1de381

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x3722132.exe

Filesize
304KB

MD5
9d85e33e54d98519aa0eea6ab3ca1b14

SHA1
90e7ca9d5247694a996ca0c5e34ad5379884532f

SHA256
b453bddaaf39c5268616a2843c8339405caf192872bc44c4c8c5c795a60f2b13

SHA512
37231d0917b5ba29c5d0a1322bd1823b57249a6223014aa676233c053cac141190650c012177bd8991ac59f67cf494bbd0e16688e10d79055b1a87f019206d9c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\f5107471.exe

Filesize
145KB

MD5
2c1730d1e41bafe16b5ea295a67bd792

SHA1
03ca6c79e106f03f39bc6ff2618205635dd026a5

SHA256
8c0d9f61094dfa42c8f6e422cc4c96b5a86355b8210d5c5903760bc48767c591

SHA512
0773e1cb860da494784ec93fde84b98f3fbe2ed7c8b211b76a5378092a50bbe99369ec73de34761f82e0d2ca18575ca1afd8f1662044ac4e97f00afd225c6f38

Download Submit
memory/4212-21-0x0000000000EF0000-0x0000000000F1A000-memory.dmp

Filesize
168KB

Download
memory/4212-22-0x0000000005E90000-0x00000000064A8000-memory.dmp

Filesize
6.1MB

Download
memory/4212-23-0x00000000059B0000-0x0000000005ABA000-memory.dmp

Filesize
1.0MB

Download
memory/4212-24-0x00000000058F0000-0x0000000005902000-memory.dmp

Filesize
72KB

Download
memory/4212-25-0x0000000005950000-0x000000000598C000-memory.dmp

Filesize
240KB

Download
memory/4212-26-0x0000000005AC0000-0x0000000005B0C000-memory.dmp

Filesize
304KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads