redline | 8b79dad54d61ac9299eff055681fcb9a5c0c076bb6371623ee0276ef093fb557

General

Target

8b79dad54d61ac9299eff055681fcb9a5c0c076bb6371623ee0276ef093fb557.exe
Size

1.5MB
MD5

cf9935de9ba543d86b222e598e9a5be1
SHA1

7655428e838bfd355d48a2c5ba34596bcf641944
SHA256

8b79dad54d61ac9299eff055681fcb9a5c0c076bb6371623ee0276ef093fb557
SHA512

fab841acbb5dfaac68dbb90a2b4d42d634a2cfc70e0dc173e6ce0ec9f417eeaa5c6443c97c53aac69939e23477390219cac8ca092b927ec2673db4de9c20dad7
SSDEEP

24576:MyPfqZApjccVe9s9h7tTFu2KuINsY4nyd8goJIJXwh8Deo46sY1/7iD1dduS86rk:7PfqZej1e9KhRTQcKGI8gs0Xx6oUOg1a

Score

10^/10

redline most discovery infostealer persistence

Malware Config

Extracted

Family

redline

Botnet

most

C2

185.161.248.73:4164

Attributes

auth_value
7da4dfa153f2919e617aa016f7c36008

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 2 IoCs

resource	yara_rule
behavioral1/files/0x000b000000023b7c-34.dat	family_redline
behavioral1/memory/468-35-0x0000000000720000-0x0000000000750000-memory.dmp	family_redline

Redline family
redline

Executes dropped EXE 5 IoCs

pid	Process
4588	i94778254.exe
2240	i26671386.exe
3528	i73109198.exe
952	i20902722.exe
468	a96228864.exe

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	8b79dad54d61ac9299eff055681fcb9a5c0c076bb6371623ee0276ef093fb557.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	i94778254.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	i26671386.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	i73109198.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\""	i20902722.exe

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	8b79dad54d61ac9299eff055681fcb9a5c0c076bb6371623ee0276ef093fb557.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	i94778254.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	i26671386.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	i73109198.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	i20902722.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a96228864.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 404 wrote to memory of 4588	404	8b79dad54d61ac9299eff055681fcb9a5c0c076bb6371623ee0276ef093fb557.exe	84
PID 404 wrote to memory of 4588	404	8b79dad54d61ac9299eff055681fcb9a5c0c076bb6371623ee0276ef093fb557.exe	84
PID 404 wrote to memory of 4588	404	8b79dad54d61ac9299eff055681fcb9a5c0c076bb6371623ee0276ef093fb557.exe	84
PID 4588 wrote to memory of 2240	4588	i94778254.exe	85
PID 4588 wrote to memory of 2240	4588	i94778254.exe	85
PID 4588 wrote to memory of 2240	4588	i94778254.exe	85
PID 2240 wrote to memory of 3528	2240	i26671386.exe	87
PID 2240 wrote to memory of 3528	2240	i26671386.exe	87
PID 2240 wrote to memory of 3528	2240	i26671386.exe	87
PID 3528 wrote to memory of 952	3528	i73109198.exe	89
PID 3528 wrote to memory of 952	3528	i73109198.exe	89
PID 3528 wrote to memory of 952	3528	i73109198.exe	89
PID 952 wrote to memory of 468	952	i20902722.exe	90
PID 952 wrote to memory of 468	952	i20902722.exe	90
PID 952 wrote to memory of 468	952	i20902722.exe	90

C:\Users\Admin\AppData\Local\Temp\8b79dad54d61ac9299eff055681fcb9a5c0c076bb6371623ee0276ef093fb557.exe
"C:\Users\Admin\AppData\Local\Temp\8b79dad54d61ac9299eff055681fcb9a5c0c076bb6371623ee0276ef093fb557.exe"
1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:404
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i94778254.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i94778254.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4588
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\i26671386.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\i26671386.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2240
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i73109198.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i73109198.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:3528
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\i20902722.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\i20902722.exe
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:952
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a96228864.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a96228864.exe
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:468

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i94778254.exe

Filesize
1.3MB

MD5
c7e1b3a779783f44612d07cd985edf43

SHA1
4737669644542f4b2b5b43522ab1d109685bcb30

SHA256
c529787de6da7c8c7b238bf30b55780f2bdcdf972bf25452df38b1a0a5255f7d

SHA512
34577ad135bf08209c721759702003852d4280d81213d76355237ba6de044182f930bbc68c6068ccfcf9677ae83e185df2302a8864c1302f10b49e89303cbab5

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\i26671386.exe

Filesize
1023KB

MD5
ad177dd67c4a906df70791122d92afc8

SHA1
ff636b781e70177163b28e36d52ef20655b1c19d

SHA256
229e8c00accc20fb5be528184e0830d53a663a51054eb6bd667e99db3681f0d4

SHA512
dca1660a110a9dba42f86b8f8e38a8150a4c8ce1de8b2b815a9223970d3dad0ba98f686ec424680c571bcb8024c89209c5fb7c6b6a8d7b9433f966b3ca30b7ed

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i73109198.exe

Filesize
851KB

MD5
3e5b72b7201f86f3590f44b984fcd575

SHA1
61ebb09a453cf62acacaeb32d9b1163cefde5ad1

SHA256
026e38867afc3b31b140536b8dec94dde931c9a6aa1cbcb1fd78db6965a494da

SHA512
0b7f1fc11073ad4f258ebc09f5703d0bc5fc963a22f0ce50aa9ae292a04e7ae5f63b79d16dd8a973870231bdfbb15887e1bae14a5474f716bde43a2bf2a7a673

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\i20902722.exe

Filesize
375KB

MD5
0123f03d73d2395410d4c5b769ac7de6

SHA1
87dd360e4379e77af488e9851296011697460025

SHA256
cba0191514fc4d7fa30d5d9a3d8d27c9c862f2c138a08fdffd05f0ea70eac4af

SHA512
be24fd498903c2994e2c298f29efec8fcdb142f026e8f3b9c3813f7f0fbb6645377044851fab5abfa4178bcb7f91b6124492154d696d79a5728c05adc0d226e6

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a96228864.exe

Filesize
169KB

MD5
54a3193597e4dfd092001593b0826f71

SHA1
777d1eb1a2408a307ac337c32e645245f6e7eeb3

SHA256
8eb963494bcfdf5396220e0d57c2c3e70ed03cf98a432c9d0370a0f34f972baf

SHA512
9d9c14b62c4ab6f8a9b265b096c0f185bc5b595fae5b8592b90c8a97f087680ce594d9733bc66981e71f963201ee45616b4959edfa2697ff3b5db0688b27291a

Download Submit
memory/468-35-0x0000000000720000-0x0000000000750000-memory.dmp

Filesize
192KB

Download
memory/468-36-0x0000000000DA0000-0x0000000000DA6000-memory.dmp

Filesize
24KB

Download
memory/468-37-0x0000000005680000-0x0000000005C98000-memory.dmp

Filesize
6.1MB

Download
memory/468-38-0x0000000005170000-0x000000000527A000-memory.dmp

Filesize
1.0MB

Download
memory/468-39-0x00000000050A0000-0x00000000050B2000-memory.dmp

Filesize
72KB

Download
memory/468-40-0x0000000005100000-0x000000000513C000-memory.dmp

Filesize
240KB

Download
memory/468-41-0x0000000005280000-0x00000000052CC000-memory.dmp

Filesize
304KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads