redline | 5dc4a0a6406b6ac48f0a38f9aae635bd300c5cdfd473fba9252bde996e120008

General

Target

5dc4a0a6406b6ac48f0a38f9aae635bd300c5cdfd473fba9252bde996e120008.exe
Size

1.1MB
MD5

4cecdfc961d9324d4065ef427a6b98ef
SHA1

5663db5679b2fdaeb561f0c32623481e049e40a9
SHA256

5dc4a0a6406b6ac48f0a38f9aae635bd300c5cdfd473fba9252bde996e120008
SHA512

4f954430f05afb637b072c49d81c72d953049fe0eec64aca7819d1a2598f8515b742dfc1be06c0cd2345ba32b3c0e0265351daf43c2106afbd9914074ff5b951
SSDEEP

24576:cyRSI8TJzGiUJFNcyp1X+/dN9ZgFXC5Vy6YPdRz6U:LII8TJTeGyby9ZjK6yd

Score

10^/10

redline doma discovery infostealer persistence

Malware Config

Extracted

Family

redline

Botnet

doma

C2

185.161.248.75:4132

Attributes

auth_value
8be53af7f78567706928d0abef953ef4

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 2 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\f3902141.exe	family_redline
behavioral1/memory/1684-21-0x00000000001F0000-0x000000000021A000-memory.dmp	family_redline

Redline family
redline
Executes dropped EXE 3 IoCs

Processes:

x8757610.exex1269181.exef3902141.exe

pid process

4388 x8757610.exe
312 x1269181.exe
1684 f3902141.exe

pid	process
4388	x8757610.exe
312	x1269181.exe
1684	f3902141.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

5dc4a0a6406b6ac48f0a38f9aae635bd300c5cdfd473fba9252bde996e120008.exex8757610.exex1269181.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	5dc4a0a6406b6ac48f0a38f9aae635bd300c5cdfd473fba9252bde996e120008.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	x8757610.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	x1269181.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

5dc4a0a6406b6ac48f0a38f9aae635bd300c5cdfd473fba9252bde996e120008.exex8757610.exex1269181.exef3902141.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	5dc4a0a6406b6ac48f0a38f9aae635bd300c5cdfd473fba9252bde996e120008.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	x8757610.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	x1269181.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f3902141.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

5dc4a0a6406b6ac48f0a38f9aae635bd300c5cdfd473fba9252bde996e120008.exex8757610.exex1269181.exe

description	pid	process	target process
PID 3880 wrote to memory of 4388	3880	5dc4a0a6406b6ac48f0a38f9aae635bd300c5cdfd473fba9252bde996e120008.exe	x8757610.exe
PID 3880 wrote to memory of 4388	3880	5dc4a0a6406b6ac48f0a38f9aae635bd300c5cdfd473fba9252bde996e120008.exe	x8757610.exe
PID 3880 wrote to memory of 4388	3880	5dc4a0a6406b6ac48f0a38f9aae635bd300c5cdfd473fba9252bde996e120008.exe	x8757610.exe
PID 4388 wrote to memory of 312	4388	x8757610.exe	x1269181.exe
PID 4388 wrote to memory of 312	4388	x8757610.exe	x1269181.exe
PID 4388 wrote to memory of 312	4388	x8757610.exe	x1269181.exe
PID 312 wrote to memory of 1684	312	x1269181.exe	f3902141.exe
PID 312 wrote to memory of 1684	312	x1269181.exe	f3902141.exe
PID 312 wrote to memory of 1684	312	x1269181.exe	f3902141.exe

C:\Users\Admin\AppData\Local\Temp\5dc4a0a6406b6ac48f0a38f9aae635bd300c5cdfd473fba9252bde996e120008.exe
"C:\Users\Admin\AppData\Local\Temp\5dc4a0a6406b6ac48f0a38f9aae635bd300c5cdfd473fba9252bde996e120008.exe"
1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3880
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x8757610.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x8757610.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4388
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x1269181.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x1269181.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:312
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\f3902141.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\f3902141.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:1684

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x8757610.exe

Filesize
749KB

MD5
7e695cba8a019799715cb5f941c52a4f

SHA1
1acc1a8d457a07a46f7475ded3e10cc34a00e9c9

SHA256
bf77d4278543fd222484fafbf55e42dba84036be31bb89ecdd00db164217ad61

SHA512
5f6169881479ff9c9bf346f6b19f0460e3be3a6c7224176ab535f20955f46a95d11757ba51327b1ef665758a496f026ee68001752a4b3e333e329ff6547b9666

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x1269181.exe

Filesize
304KB

MD5
592353945ef7a7a4639f8b0cc5e85ae9

SHA1
c60f84ee01cb125365b51be771e06f404c3ee9a6

SHA256
1daa3d7ff99e82a47bcdeea6713e08b3d678dfce34d6e414d3c65a13dfee0bfc

SHA512
55218faf7e70f3f4f252465badccb940cd7b78a62c252fe6fbca97c0f1d7fa91425edf14e8b7d6a80e07c6535f7e5261b54dce1b19b408113951abcf74c4ee3f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\f3902141.exe

Filesize
145KB

MD5
355519e0890fb85ce237439143b02abf

SHA1
7c6499895a3e6e9802fe8668c6681dd5427787ec

SHA256
e2f2ebd42bf26a4d197976f210aadcfab0f7db95e3a873038e436be653025b89

SHA512
2c5f5ed1039966ca281189e1d4ce1b65abf593a5dd458ca394600e07518e23c29d7bf7390f7b4d62da3399af29c5df1f397d420939165ea3564afb76da6420e8

Download Submit
memory/1684-21-0x00000000001F0000-0x000000000021A000-memory.dmp

Filesize
168KB

Download
memory/1684-22-0x0000000005170000-0x0000000005788000-memory.dmp

Filesize
6.1MB

Download
memory/1684-23-0x0000000004CC0000-0x0000000004DCA000-memory.dmp

Filesize
1.0MB

Download
memory/1684-24-0x0000000004BF0000-0x0000000004C02000-memory.dmp

Filesize
72KB

Download
memory/1684-25-0x0000000004C50000-0x0000000004C8C000-memory.dmp

Filesize
240KB

Download
memory/1684-26-0x0000000004DD0000-0x0000000004E1C000-memory.dmp

Filesize
304KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads