redline | f9ec8f873f35ec3ec7fde07f82f184e355b8c813c985de79d3a562ab75af59bb

General

Target

f9ec8f873f35ec3ec7fde07f82f184e355b8c813c985de79d3a562ab75af59bb.exe
Size

1.5MB
MD5

28acf0f823fa99382e3e4f568c808571
SHA1

3fe767869a414b60e81ddf3ea9d4c3fc9a1ec588
SHA256

f9ec8f873f35ec3ec7fde07f82f184e355b8c813c985de79d3a562ab75af59bb
SHA512

dd514845030289b42e27a4709c83450438cdf6e722a636285c5fceff8dac4bd17aed175cde8aa835be426e96125b75ef44080898fd367eb722ca66c9db650db6
SSDEEP

24576:tylwVBGORj9ZRTYeyp986KhVyp5jB1bjIwbuQxFqsrkL2AsCQ:IOzGORJZ5Yey8hVypRB1bNFpAL7sC

Score

10^/10

redline most discovery infostealer persistence

Malware Config

Extracted

Family

redline

Botnet

most

C2

185.161.248.73:4164

Attributes

auth_value
7da4dfa153f2919e617aa016f7c36008

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 2 IoCs

resource	yara_rule
behavioral1/files/0x0008000000023cad-33.dat	family_redline
behavioral1/memory/1560-35-0x0000000000590000-0x00000000005C0000-memory.dmp	family_redline

Redline family
redline

Executes dropped EXE 5 IoCs

pid	Process
3140	i08220958.exe
1760	i44109281.exe
1620	i94017254.exe
4716	i62710860.exe
1560	a05277063.exe

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	i94017254.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\""	i62710860.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	f9ec8f873f35ec3ec7fde07f82f184e355b8c813c985de79d3a562ab75af59bb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	i08220958.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	i44109281.exe

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f9ec8f873f35ec3ec7fde07f82f184e355b8c813c985de79d3a562ab75af59bb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	i08220958.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	i44109281.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	i94017254.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	i62710860.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a05277063.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 4768 wrote to memory of 3140	4768	f9ec8f873f35ec3ec7fde07f82f184e355b8c813c985de79d3a562ab75af59bb.exe	83
PID 4768 wrote to memory of 3140	4768	f9ec8f873f35ec3ec7fde07f82f184e355b8c813c985de79d3a562ab75af59bb.exe	83
PID 4768 wrote to memory of 3140	4768	f9ec8f873f35ec3ec7fde07f82f184e355b8c813c985de79d3a562ab75af59bb.exe	83
PID 3140 wrote to memory of 1760	3140	i08220958.exe	84
PID 3140 wrote to memory of 1760	3140	i08220958.exe	84
PID 3140 wrote to memory of 1760	3140	i08220958.exe	84
PID 1760 wrote to memory of 1620	1760	i44109281.exe	86
PID 1760 wrote to memory of 1620	1760	i44109281.exe	86
PID 1760 wrote to memory of 1620	1760	i44109281.exe	86
PID 1620 wrote to memory of 4716	1620	i94017254.exe	87
PID 1620 wrote to memory of 4716	1620	i94017254.exe	87
PID 1620 wrote to memory of 4716	1620	i94017254.exe	87
PID 4716 wrote to memory of 1560	4716	i62710860.exe	89
PID 4716 wrote to memory of 1560	4716	i62710860.exe	89
PID 4716 wrote to memory of 1560	4716	i62710860.exe	89

C:\Users\Admin\AppData\Local\Temp\f9ec8f873f35ec3ec7fde07f82f184e355b8c813c985de79d3a562ab75af59bb.exe
"C:\Users\Admin\AppData\Local\Temp\f9ec8f873f35ec3ec7fde07f82f184e355b8c813c985de79d3a562ab75af59bb.exe"
1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4768
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i08220958.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i08220958.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3140
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\i44109281.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\i44109281.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1760
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i94017254.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i94017254.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:1620
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\i62710860.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\i62710860.exe
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4716
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a05277063.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a05277063.exe
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1560

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i08220958.exe

Filesize
1.3MB

MD5
e3191fa3772d2fd5338d8c75973a54f1

SHA1
be0efef66b028ecb2cdfb39808a1a9f434806418

SHA256
d535002aabcceb577e090bf0c6b8147c995661413968971e0fd399ec23ffcb49

SHA512
cf1a804cb25a87128cf48518a985796277aae979f05f19bdb25711592bccc4270fba0b20d9651cf439da7430d3dadc943300385f9f884254579333d72b1e37a1

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\i44109281.exe

Filesize
1000KB

MD5
cfbfd60bf7d1f4306312ff6b2f1e3441

SHA1
ab48a13613e8fc4a32bf3b419ce1e91841643af7

SHA256
bdaf08fb8f27c6009ec95f82ceacbaacc557afdaf4023028dda799fe2b5150dc

SHA512
4e646c3d442fbf7d4c31d328c3b2039792d148e6c947a5409d98e205cedcd0ffb0342a244cf26d2039699a489f3e32c38c997791a20046cb22cce95ac1dc01ac

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i94017254.exe

Filesize
828KB

MD5
f5cba410fcc08676bb52fc03403e2ec3

SHA1
00aa506256769264aa50c2dbc214ca02224c328f

SHA256
350655f92d79f2ae2295c59295143246fcd20a7dd174b432424d6cc00082aa4b

SHA512
ad645ccb1d927a6e91ca7dbf995cae96054fcf1b58404ca0a22e1a2c0c0760ba4a267a1d35c0190a354804c2864856765ea766dd1abe187e89c9f8eedd880515

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\i62710860.exe

Filesize
363KB

MD5
ab28ab0bb8e557acc55a29ddf28fb7ac

SHA1
f6c43edd6a64282b0e1361108a6b37e8888f4b10

SHA256
171f7124a97a89e46ce8167e318c79acf534eb06986f1ee8a131e4875c871ad7

SHA512
c69627250cdb7b7834ce6d63a3d20b220343bc4a63f305051b96d98415b54fb598ebd02ea39148e348c7c11a881e027cc07db7649942561407a4b2ecaf21d1bf

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a05277063.exe

Filesize
170KB

MD5
93f767d3d2d95cd3c5fe104b4d01de5f

SHA1
fe5443f55faadd8574e4dfca153eb513519a9996

SHA256
b6f1618cabbb77c09be189e29dd274c465efe4f7722ddec590a98fe6d6335f4e

SHA512
dc9296b71e3747bbadfa73a6eaa9977ce72ddbcae95417b35ad8f416ad1f9497795824344f959ab77446fd1d3e792f3ad72e6ac4f9d4ea118603e5a9b4b1fb77

Download Submit
memory/1560-35-0x0000000000590000-0x00000000005C0000-memory.dmp

Filesize
192KB

Download
memory/1560-36-0x00000000028A0000-0x00000000028A6000-memory.dmp

Filesize
24KB

Download
memory/1560-37-0x000000000A8D0000-0x000000000AEE8000-memory.dmp

Filesize
6.1MB

Download
memory/1560-38-0x000000000A400000-0x000000000A50A000-memory.dmp

Filesize
1.0MB

Download
memory/1560-39-0x000000000A330000-0x000000000A342000-memory.dmp

Filesize
72KB

Download
memory/1560-40-0x000000000A390000-0x000000000A3CC000-memory.dmp

Filesize
240KB

Download
memory/1560-41-0x0000000002820000-0x000000000286C000-memory.dmp

Filesize
304KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads