redline | a0ee11d0b7e5d320c729f6cf1765dc7ae8c1cbbaf2f03298c8fb93e1cc3ff064

General

Target

a0ee11d0b7e5d320c729f6cf1765dc7ae8c1cbbaf2f03298c8fb93e1cc3ff064.exe
Size

474KB
MD5

507f5d5663662fb6a5d84e3f5516ad18
SHA1

54af8fcc323e343a431ac3b3ce0b0d6906aaff96
SHA256

a0ee11d0b7e5d320c729f6cf1765dc7ae8c1cbbaf2f03298c8fb93e1cc3ff064
SHA512

478435d01193d2c35d2624e9200f284497d48d737560d39f0388d1cad52eb9ca8cf7dee50bd7387cb689ebb82787dcad397ba5a810c757956fbd0d564352571f
SSDEEP

6144:K4y+bnr+cp0yN90QEDSy1r20P9TjzTXfvtJ05LElvaxttIemtWPj3TCzgt8n:AMroy908U2W7T9J02haxUesWP35t8n

Score

10^/10

redline fusa discovery infostealer persistence

Malware Config

Extracted

Family

redline

Botnet

fusa

C2

193.233.20.12:4132

Attributes

auth_value
a08b2f01bd2af756e38c5dd60e87e697

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 2 IoCs

resource	yara_rule
behavioral1/files/0x000b000000023b92-12.dat	family_redline
behavioral1/memory/3460-15-0x0000000000410000-0x0000000000442000-memory.dmp	family_redline

Redline family
redline

Executes dropped EXE 2 IoCs

pid	Process
4064	nQb46.exe
3460	bxq96.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	a0ee11d0b7e5d320c729f6cf1765dc7ae8c1cbbaf2f03298c8fb93e1cc3ff064.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	nQb46.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nQb46.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bxq96.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a0ee11d0b7e5d320c729f6cf1765dc7ae8c1cbbaf2f03298c8fb93e1cc3ff064.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 2180 wrote to memory of 4064	2180	a0ee11d0b7e5d320c729f6cf1765dc7ae8c1cbbaf2f03298c8fb93e1cc3ff064.exe	83
PID 2180 wrote to memory of 4064	2180	a0ee11d0b7e5d320c729f6cf1765dc7ae8c1cbbaf2f03298c8fb93e1cc3ff064.exe	83
PID 2180 wrote to memory of 4064	2180	a0ee11d0b7e5d320c729f6cf1765dc7ae8c1cbbaf2f03298c8fb93e1cc3ff064.exe	83
PID 4064 wrote to memory of 3460	4064	nQb46.exe	85
PID 4064 wrote to memory of 3460	4064	nQb46.exe	85
PID 4064 wrote to memory of 3460	4064	nQb46.exe	85

C:\Users\Admin\AppData\Local\Temp\a0ee11d0b7e5d320c729f6cf1765dc7ae8c1cbbaf2f03298c8fb93e1cc3ff064.exe
"C:\Users\Admin\AppData\Local\Temp\a0ee11d0b7e5d320c729f6cf1765dc7ae8c1cbbaf2f03298c8fb93e1cc3ff064.exe"
1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2180
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nQb46.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nQb46.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4064
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\bxq96.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\bxq96.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:3460

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nQb46.exe

Filesize
200KB

MD5
27020dc13c8b884b3594acc7b94c0d8e

SHA1
c2367a14af11c321a8e7573ad599c2040c1d7d26

SHA256
8eaf3044c7310e0ca2a4356bc6253a36984b1cd4774c7375f6bcd25dd322b041

SHA512
17f2f03dd8ad9311704cb0bdae7c43ac2ec2a523b2bf35f5a64c7598cb82825470b112d8630221af0af1f2c3c4f98553af11627de2ef36c0310d9719964ba4d5

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\bxq96.exe

Filesize
175KB

MD5
da6f3bef8abc85bd09f50783059964e3

SHA1
a0f25f60ec1896c4c920ea397f40e6ce29724322

SHA256
e6d9ee8ab0ea2ade6e5a9481d8f0f921427ec6919b1b48c6067570fde270736b

SHA512
4d2e1472b114c98c74900b8305aabbc49ba28edffdc2376206cf02e26593df4e444933b3aa19f0c6cd0ae3ac3133d656433574aaf25a57748758e5dd25edfbec

Download Submit
memory/3460-14-0x000000007405E000-0x000000007405F000-memory.dmp

Filesize
4KB

Download
memory/3460-15-0x0000000000410000-0x0000000000442000-memory.dmp

Filesize
200KB

Download
memory/3460-16-0x0000000005370000-0x0000000005988000-memory.dmp

Filesize
6.1MB

Download
memory/3460-17-0x0000000004EF0000-0x0000000004FFA000-memory.dmp

Filesize
1.0MB

Download
memory/3460-18-0x0000000004E20000-0x0000000004E32000-memory.dmp

Filesize
72KB

Download
memory/3460-19-0x0000000004E80000-0x0000000004EBC000-memory.dmp

Filesize
240KB

Download
memory/3460-20-0x0000000005000000-0x000000000504C000-memory.dmp

Filesize
304KB

Download
memory/3460-21-0x000000007405E000-0x000000007405F000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads