redline | 4fe0ac49c2ca17dc591f1cd6d910e9672ff974663a817ee1fc403590080ca620

General

Target

4fe0ac49c2ca17dc591f1cd6d910e9672ff974663a817ee1fc403590080ca620.exe
Size

479KB
MD5

86be6eac88a9e1a969d7e02572bbbe6c
SHA1

986fdf2f3c8b5ad793cc47264bdc7b5d05b9b980
SHA256

4fe0ac49c2ca17dc591f1cd6d910e9672ff974663a817ee1fc403590080ca620
SHA512

dcf20454273779c9abd343427e65290b2e32cb9376c503c8a150abb5f7cfd5ac567be365620f850a911e274c8cbfe2ec0b7500b8777ec7187cfc71fcbce006d2
SSDEEP

12288:LMrvy90wXxV7GTQXX9v6nrYUbtHHzF7p:YyZhVwQgHt

Score

10^/10

redline fuka discovery infostealer persistence

Malware Config

Extracted

Family

redline

Botnet

fuka

C2

193.233.20.11:4131

Attributes

auth_value
90eef520554ef188793d77ecc34217bf

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 2 IoCs

resource	yara_rule
behavioral1/files/0x0008000000023ca9-12.dat	family_redline
behavioral1/memory/1424-15-0x0000000000D00000-0x0000000000D32000-memory.dmp	family_redline

Redline family
redline

Executes dropped EXE 2 IoCs

pid	Process
3996	dcX87.exe
1424	aRo92.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	dcX87.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	4fe0ac49c2ca17dc591f1cd6d910e9672ff974663a817ee1fc403590080ca620.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	aRo92.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	4fe0ac49c2ca17dc591f1cd6d910e9672ff974663a817ee1fc403590080ca620.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dcX87.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 5036 wrote to memory of 3996	5036	4fe0ac49c2ca17dc591f1cd6d910e9672ff974663a817ee1fc403590080ca620.exe	83
PID 5036 wrote to memory of 3996	5036	4fe0ac49c2ca17dc591f1cd6d910e9672ff974663a817ee1fc403590080ca620.exe	83
PID 5036 wrote to memory of 3996	5036	4fe0ac49c2ca17dc591f1cd6d910e9672ff974663a817ee1fc403590080ca620.exe	83
PID 3996 wrote to memory of 1424	3996	dcX87.exe	85
PID 3996 wrote to memory of 1424	3996	dcX87.exe	85
PID 3996 wrote to memory of 1424	3996	dcX87.exe	85

C:\Users\Admin\AppData\Local\Temp\4fe0ac49c2ca17dc591f1cd6d910e9672ff974663a817ee1fc403590080ca620.exe
"C:\Users\Admin\AppData\Local\Temp\4fe0ac49c2ca17dc591f1cd6d910e9672ff974663a817ee1fc403590080ca620.exe"
1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:5036
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\dcX87.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\dcX87.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3996
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\aRo92.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\aRo92.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:1424

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\dcX87.exe

Filesize
202KB

MD5
38f8fd18d1f6c7ddb27a0082162e44d3

SHA1
c02acf5ba11a8244a6e6c8c2d6b579b1ca085e52

SHA256
458475de272903b912eceb3b3ad01d7b608c0cc83bfdc2b5f6fe539a8b7ad20f

SHA512
59c53833974eb355b3aa6e8b67d88e7ea3e748335f816ce0c5333d6f2cc63ff18d19aa577f983963c3ce99aa9bee0503f6be02837bf50feb5f342f9ea75b1316

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\aRo92.exe

Filesize
175KB

MD5
4c35cfbd12826cedb7982ab4e1763a6a

SHA1
1496bd1d1981d8bf38cf98cdd4aa47020ffe9303

SHA256
8020580744f6861a611e99ba17e92751499e4b0f013d66a103fb38c5f256bbb2

SHA512
5e55022ab3b5a49ba3695062b7db3fa920aa9e3653e52e5a556caeed2d8f217457ae472eb2cf3da32f4332fba52b9b1d4e8b42e09793c1f3bf970dcbce35566c

Download Submit
memory/1424-14-0x000000007488E000-0x000000007488F000-memory.dmp

Filesize
4KB

Download
memory/1424-15-0x0000000000D00000-0x0000000000D32000-memory.dmp

Filesize
200KB

Download
memory/1424-16-0x0000000005B30000-0x0000000006148000-memory.dmp

Filesize
6.1MB

Download
memory/1424-17-0x00000000056A0000-0x00000000057AA000-memory.dmp

Filesize
1.0MB

Download
memory/1424-18-0x00000000055E0000-0x00000000055F2000-memory.dmp

Filesize
72KB

Download
memory/1424-19-0x0000000005640000-0x000000000567C000-memory.dmp

Filesize
240KB

Download
memory/1424-20-0x00000000057B0000-0x00000000057FC000-memory.dmp

Filesize
304KB

Download
memory/1424-21-0x000000007488E000-0x000000007488F000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads