redline | 45200a302bb2beb949619ad35533c65d42f97f2e1305b8eda660b0db943bbb4a

General

Target

45200a302bb2beb949619ad35533c65d42f97f2e1305b8eda660b0db943bbb4a.exe
Size

1.5MB
MD5

8c908551e74423df1db0b18948b665c1
SHA1

139a273f7f8b5196092ca73e8f7af48a86dc66bf
SHA256

45200a302bb2beb949619ad35533c65d42f97f2e1305b8eda660b0db943bbb4a
SHA512

5af9cadbce2e3b5236ab48ebc24562c62d3fa5a0a733eb34e343d71546a497fce77520bac43b449cdd434cfeb2b8d6b5533d66240c4b59798ed161bdb4bef28d
SSDEEP

24576:YyTgV6Bt0OL79SVlsf0DBGc+/1jX/WlZrmJu4SfdkbsYl7sk3liXHu+B:f4SL79SV6fyGcEdWlZrtF4sYl7/+H

Score

10^/10

redline most discovery infostealer persistence

Malware Config

Extracted

Family

redline

Botnet

most

C2

185.161.248.73:4164

Attributes

auth_value
7da4dfa153f2919e617aa016f7c36008

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 2 IoCs

resource	yara_rule
behavioral1/files/0x000b000000023ba7-33.dat	family_redline
behavioral1/memory/3320-35-0x0000000000280000-0x00000000002B0000-memory.dmp	family_redline

Redline family
redline

Executes dropped EXE 5 IoCs

pid	Process
3736	i09575300.exe
4968	i60737886.exe
232	i09613529.exe
4464	i86473273.exe
3320	a74963362.exe

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\""	i86473273.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	45200a302bb2beb949619ad35533c65d42f97f2e1305b8eda660b0db943bbb4a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	i09575300.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	i60737886.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	i09613529.exe

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	i86473273.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a74963362.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	45200a302bb2beb949619ad35533c65d42f97f2e1305b8eda660b0db943bbb4a.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	i09575300.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	i60737886.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	i09613529.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 1436 wrote to memory of 3736	1436	45200a302bb2beb949619ad35533c65d42f97f2e1305b8eda660b0db943bbb4a.exe	83
PID 1436 wrote to memory of 3736	1436	45200a302bb2beb949619ad35533c65d42f97f2e1305b8eda660b0db943bbb4a.exe	83
PID 1436 wrote to memory of 3736	1436	45200a302bb2beb949619ad35533c65d42f97f2e1305b8eda660b0db943bbb4a.exe	83
PID 3736 wrote to memory of 4968	3736	i09575300.exe	84
PID 3736 wrote to memory of 4968	3736	i09575300.exe	84
PID 3736 wrote to memory of 4968	3736	i09575300.exe	84
PID 4968 wrote to memory of 232	4968	i60737886.exe	85
PID 4968 wrote to memory of 232	4968	i60737886.exe	85
PID 4968 wrote to memory of 232	4968	i60737886.exe	85
PID 232 wrote to memory of 4464	232	i09613529.exe	87
PID 232 wrote to memory of 4464	232	i09613529.exe	87
PID 232 wrote to memory of 4464	232	i09613529.exe	87
PID 4464 wrote to memory of 3320	4464	i86473273.exe	89
PID 4464 wrote to memory of 3320	4464	i86473273.exe	89
PID 4464 wrote to memory of 3320	4464	i86473273.exe	89

C:\Users\Admin\AppData\Local\Temp\45200a302bb2beb949619ad35533c65d42f97f2e1305b8eda660b0db943bbb4a.exe
"C:\Users\Admin\AppData\Local\Temp\45200a302bb2beb949619ad35533c65d42f97f2e1305b8eda660b0db943bbb4a.exe"
1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1436
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i09575300.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i09575300.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3736
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\i60737886.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\i60737886.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:4968
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i09613529.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i09613529.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:232
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\i86473273.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\i86473273.exe
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4464
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a74963362.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a74963362.exe
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3320

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i09575300.exe

Filesize
1.3MB

MD5
94456e8b608ea12cc6d2719598136942

SHA1
56779089ee1b9b972570c3ac1fdbcdd7a30c5398

SHA256
014ef902976b237b63f228a9ac300753b802029475c32c51f72b2c44edcc2ef0

SHA512
19b35cda80a635cbed64e84cd4c14ab88d48082e7aba32211121e6436d7d64152d0e04917cc45462d7ff4f86fa730fca5418bd6db38ec74a26c4c3b6c9cec468

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\i60737886.exe

Filesize
1015KB

MD5
fa741caf34e7dda26041e39a2a11d2ab

SHA1
616acb8866c50c06938876d69e663198aa34748d

SHA256
0422792cd8a98416c8cc23d3f279482201d8c7793b7bbce342d345780acda242

SHA512
63c155a7676df0f5c6eb44070c9504bced03933357ada094db81732e3375c7617b985669697ff88daca8c855bfd87cc2c09a7ceb3a3aac1663f3654a1939d213

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i09613529.exe

Filesize
843KB

MD5
891ed53022c7cce94f271667d540ea1c

SHA1
3da22c644a3fac70c50bd2b80d06ab77e4ce0d60

SHA256
34d56ce8e60333a2b13597cbcc055f83e3e0812592874a2e74a52c0342905dde

SHA512
9bff1c0f1210ab3db6cdba564d6a2f8632bb2f87bdc48db03e266e436e69143c745c9fd7088faaa87b5b5d2aa99a2d6b46dab435cbe07afb26356cae5758c3a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\i86473273.exe

Filesize
371KB

MD5
088f9c106f964238b3e77426592fc61c

SHA1
8dcb1269c372c136eb8388aa3d22ed4ba7fe2585

SHA256
670d9652407dc1bfa94a0079c68efe485f3f0370d5c7d47e2674c488d71fea62

SHA512
fb6b2dfb4d4ed37db8cedfaf3ec2598410866a08a029d76c903bdc32a688bdab14f23daa633415506f04bd4e9c95999e50b9630e1b4a3044b51153dc7778a5f0

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a74963362.exe

Filesize
169KB

MD5
e0f9e298a7241308028a214faab7603a

SHA1
d7fd007c0316cebb124335d4f0074f811ae1e078

SHA256
b12714ef526771950d11b0ec3e65d1e6bcddf7e40e3f9c4a9ba4b21e939bd925

SHA512
62ff9efc192bcdd1063d59e66725c4e63955451ddc4267a1bd358a80bef4983867eebee730e09143cb56a0ff394bc2b369333e85ab515f1f35a8f860406e286b

Download Submit
memory/3320-35-0x0000000000280000-0x00000000002B0000-memory.dmp

Filesize
192KB

Download
memory/3320-36-0x0000000004CE0000-0x0000000004CE6000-memory.dmp

Filesize
24KB

Download
memory/3320-37-0x000000000A770000-0x000000000AD88000-memory.dmp

Filesize
6.1MB

Download
memory/3320-38-0x000000000A260000-0x000000000A36A000-memory.dmp

Filesize
1.0MB

Download
memory/3320-39-0x000000000A170000-0x000000000A182000-memory.dmp

Filesize
72KB

Download
memory/3320-40-0x000000000A1D0000-0x000000000A20C000-memory.dmp

Filesize
240KB

Download
memory/3320-41-0x00000000025C0000-0x000000000260C000-memory.dmp

Filesize
304KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads