redline | 7918594ac542c92465d932c7603f261b5d4d4ba223bdeb3b1e31591bb6c13211

General

Target

7918594ac542c92465d932c7603f261b5d4d4ba223bdeb3b1e31591bb6c13211.exe
Size

829KB
MD5

786992f66178c6e340990b404ea6849e
SHA1

0032a6a088a0b0123cb3d2d88eb149d983071dc3
SHA256

7918594ac542c92465d932c7603f261b5d4d4ba223bdeb3b1e31591bb6c13211
SHA512

dc41310921788e2a09e9e6d40b9227d1ec59ce2fe5f222b9985fdcacb9cedc5948546dd53b8844aadb51de22e90678172a99742f03d91fedd20367c9103e29ca
SSDEEP

12288:cy904s3gh4Jph8vmTUOfzFSb2N4kybwE2CeqMGSl7npIO6mMcI14YHvM:cyq3gh4PNJbi22k2yAVq9bI14X

Score

10^/10

redline most discovery infostealer persistence

Malware Config

Extracted

Family

redline

Botnet

most

C2

185.161.248.73:4164

Attributes

auth_value
7da4dfa153f2919e617aa016f7c36008

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 2 IoCs

resource	yara_rule
behavioral1/files/0x0008000000023c8f-12.dat	family_redline
behavioral1/memory/1832-15-0x00000000002D0000-0x0000000000300000-memory.dmp	family_redline

Redline family
redline

Executes dropped EXE 2 IoCs

pid	Process
632	i14315621.exe
1832	a78297148.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	i14315621.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	7918594ac542c92465d932c7603f261b5d4d4ba223bdeb3b1e31591bb6c13211.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a78297148.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7918594ac542c92465d932c7603f261b5d4d4ba223bdeb3b1e31591bb6c13211.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	i14315621.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 3636 wrote to memory of 632	3636	7918594ac542c92465d932c7603f261b5d4d4ba223bdeb3b1e31591bb6c13211.exe	83
PID 3636 wrote to memory of 632	3636	7918594ac542c92465d932c7603f261b5d4d4ba223bdeb3b1e31591bb6c13211.exe	83
PID 3636 wrote to memory of 632	3636	7918594ac542c92465d932c7603f261b5d4d4ba223bdeb3b1e31591bb6c13211.exe	83
PID 632 wrote to memory of 1832	632	i14315621.exe	84
PID 632 wrote to memory of 1832	632	i14315621.exe	84
PID 632 wrote to memory of 1832	632	i14315621.exe	84

C:\Users\Admin\AppData\Local\Temp\7918594ac542c92465d932c7603f261b5d4d4ba223bdeb3b1e31591bb6c13211.exe
"C:\Users\Admin\AppData\Local\Temp\7918594ac542c92465d932c7603f261b5d4d4ba223bdeb3b1e31591bb6c13211.exe"
1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3636
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i14315621.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i14315621.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:632
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a78297148.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a78297148.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:1832

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i14315621.exe

Filesize
364KB

MD5
6bda2f58a9766749d35df21d2d3b4a72

SHA1
e40e7344e1d80ecb106b86fd995c7c305a766eba

SHA256
c4488a24aef460b9ab37505864ccc6cdc91b1e0c2c5ada687e9e3e902456452b

SHA512
8a8c431cddc440316069909d43f2fc4d2ca82d4518edc92959dd09bff9ee2a9b52853f6ccdc61f5f93b7af9fd2a0afb7e4e353bf8f08fc9d1b436627dc9c960f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a78297148.exe

Filesize
170KB

MD5
e5ce00b0887be0a7a33e45aedf9378b2

SHA1
d0b8ec6ae789cd9930b86600f650800eaa9b4585

SHA256
e6527ae583ccb4f9bd92b9823ee07f40e1621e9500f1317c0ae94a24342c05eb

SHA512
e0908182e95b1e581b68420d0ea9fe1c664592628defab243b20d679a1fd9d34f58795809a2dc12d93b9424a5e508fb6bc2d2c110bf401bd83790360bdfc5087

Download Submit
memory/1832-14-0x0000000073D4E000-0x0000000073D4F000-memory.dmp

Filesize
4KB

Download
memory/1832-15-0x00000000002D0000-0x0000000000300000-memory.dmp

Filesize
192KB

Download
memory/1832-16-0x0000000004AF0000-0x0000000004AF6000-memory.dmp

Filesize
24KB

Download
memory/1832-17-0x000000000A790000-0x000000000ADA8000-memory.dmp

Filesize
6.1MB

Download
memory/1832-18-0x000000000A280000-0x000000000A38A000-memory.dmp

Filesize
1.0MB

Download
memory/1832-19-0x000000000A1B0000-0x000000000A1C2000-memory.dmp

Filesize
72KB

Download
memory/1832-20-0x0000000073D40000-0x00000000744F0000-memory.dmp

Filesize
7.7MB

Download
memory/1832-21-0x000000000A210000-0x000000000A24C000-memory.dmp

Filesize
240KB

Download
memory/1832-22-0x00000000045B0000-0x00000000045FC000-memory.dmp

Filesize
304KB

Download
memory/1832-23-0x0000000073D4E000-0x0000000073D4F000-memory.dmp

Filesize
4KB

Download
memory/1832-24-0x0000000073D40000-0x00000000744F0000-memory.dmp

Filesize
7.7MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads