redline | e066725d1da49e6fe75c14be80c53df852c0890bce4332ccdb990f3c434a7241

General

Target

e066725d1da49e6fe75c14be80c53df852c0890bce4332ccdb990f3c434a7241.exe
Size

1.5MB
MD5

7eda7c90383c65582a8307635f2ee7e4
SHA1

3b5516c788b67eebc9a71e1f5867b046b8a07b34
SHA256

e066725d1da49e6fe75c14be80c53df852c0890bce4332ccdb990f3c434a7241
SHA512

ca030ad553e0afb79935a66f652b1c9daecbafff6a3269a1ec8d0d47eb7fd8b9a637bf834e42cc2fc02b535e3484de79818133327a2c5c4f0bf23fd52f81fd1b
SSDEEP

24576:ZyCVZYYA4UILwue+HFjZ8WnimwW+ym/R2GCYxT5j33N1nEggJbyQVoQmaafBY:MWYYQIcIgWIf1/REs5j3jnEto6+5

Score

10^/10

redline most discovery infostealer persistence

Malware Config

Extracted

Family

redline

Botnet

most

C2

185.161.248.73:4164

Attributes

auth_value
7da4dfa153f2919e617aa016f7c36008

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 2 IoCs

resource	yara_rule
behavioral1/files/0x0008000000023c80-33.dat	family_redline
behavioral1/memory/2920-35-0x0000000000480000-0x00000000004B0000-memory.dmp	family_redline

Redline family
redline

Executes dropped EXE 5 IoCs

pid	Process
2664	i17561283.exe
3356	i80262579.exe
2416	i20301129.exe
1812	i28007453.exe
2920	a96353391.exe

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	e066725d1da49e6fe75c14be80c53df852c0890bce4332ccdb990f3c434a7241.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	i17561283.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	i80262579.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	i20301129.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\""	i28007453.exe

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	i80262579.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	i20301129.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	i28007453.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a96353391.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e066725d1da49e6fe75c14be80c53df852c0890bce4332ccdb990f3c434a7241.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	i17561283.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 4904 wrote to memory of 2664	4904	e066725d1da49e6fe75c14be80c53df852c0890bce4332ccdb990f3c434a7241.exe	83
PID 4904 wrote to memory of 2664	4904	e066725d1da49e6fe75c14be80c53df852c0890bce4332ccdb990f3c434a7241.exe	83
PID 4904 wrote to memory of 2664	4904	e066725d1da49e6fe75c14be80c53df852c0890bce4332ccdb990f3c434a7241.exe	83
PID 2664 wrote to memory of 3356	2664	i17561283.exe	84
PID 2664 wrote to memory of 3356	2664	i17561283.exe	84
PID 2664 wrote to memory of 3356	2664	i17561283.exe	84
PID 3356 wrote to memory of 2416	3356	i80262579.exe	86
PID 3356 wrote to memory of 2416	3356	i80262579.exe	86
PID 3356 wrote to memory of 2416	3356	i80262579.exe	86
PID 2416 wrote to memory of 1812	2416	i20301129.exe	88
PID 2416 wrote to memory of 1812	2416	i20301129.exe	88
PID 2416 wrote to memory of 1812	2416	i20301129.exe	88
PID 1812 wrote to memory of 2920	1812	i28007453.exe	89
PID 1812 wrote to memory of 2920	1812	i28007453.exe	89
PID 1812 wrote to memory of 2920	1812	i28007453.exe	89

C:\Users\Admin\AppData\Local\Temp\e066725d1da49e6fe75c14be80c53df852c0890bce4332ccdb990f3c434a7241.exe
"C:\Users\Admin\AppData\Local\Temp\e066725d1da49e6fe75c14be80c53df852c0890bce4332ccdb990f3c434a7241.exe"
1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4904
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i17561283.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i17561283.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2664
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\i80262579.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\i80262579.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3356
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i20301129.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i20301129.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2416
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\i28007453.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\i28007453.exe
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1812
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a96353391.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a96353391.exe
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2920

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i17561283.exe

Filesize
1.3MB

MD5
02e36cbf7ed9a601e29840f77d61a0fe

SHA1
27dca5e4a0859822ab8455c4e0608fddaf3fd068

SHA256
fac1f5d37d2d6363aa5010039311b3f3f10668c26fa565d6fefd125107dd8e28

SHA512
d2b4e3d21daa50f947f8ff5b82f5d6a895d88ae91f334078d3ea1c895b8bed355075f004559e9c92a0e207072f4fdab9c20c1d8ede2beb7a4cf6a00e78cd807f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\i80262579.exe

Filesize
1016KB

MD5
6b8ff7aa779eb22715db2351afdf9a4a

SHA1
ded3cc83e6d91160cda1f266a48eaeade588c3b1

SHA256
7ea09667271bd9dab025335a1a82a48296cd07b3b5977e0929625aea9daa625f

SHA512
bca70d9c2b273bac04b7641af7ff000ef85a44849eb2a502008a05b13e5570068dbe7d6dadf1a423261ab41a6e83c0109e094f517089ad594bf56ee025d670c3

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i20301129.exe

Filesize
844KB

MD5
43439bd68ec1b1f541d9ea77da98da71

SHA1
54c13eea0603c16d48784eb5e7b37721a6c9078f

SHA256
39799c6fd9cf707059869804d880746bdb5ab0bc4d46c94cf06717e08f4b9879

SHA512
6f16966a3079cab1374b69e0dff6c4944cfcd60f911e6f8656fbdd84fef0144a0b2893518d765d5055216b519b24feda5ac948de29a1739387725bcc79f6816b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\i28007453.exe

Filesize
371KB

MD5
08d484127b6395fd583a3b44e2c1adde

SHA1
e2037afd56b1d4189a04ca21585594f2041b9980

SHA256
3ae02deebef7e279cad673efd00611225af80ac0e58cedd6961af3f066a37ad1

SHA512
6f6ac09bccdc106c4210311f6470ae02a0c73bc4d1be995c883c5b0839a6f0bedbc6f2a0066f9c8cc100d0b3815b30bbc02972b68ac5f45b6a6baaa2df0315a3

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a96353391.exe

Filesize
169KB

MD5
bd72730d48db397b7d4b36baa3e1d6cf

SHA1
edd8d86db709af4dbb24a3327e1924ff2e46cde5

SHA256
5920d5cd3d3855ba500eeb71605a2bf586ee372b84c70424f3656c74e8ae0d6b

SHA512
4a76551a5ba1ddd1bd5bfdb5fb86aebbfda0215afa2ce97b243c269f1d43a29410bbbb39f7832289bf41368146fb1d13030fb3bbfb9e68445cb51793efc23b7a

Download Submit
memory/2920-35-0x0000000000480000-0x00000000004B0000-memory.dmp

Filesize
192KB

Download
memory/2920-36-0x00000000027C0000-0x00000000027C6000-memory.dmp

Filesize
24KB

Download
memory/2920-37-0x000000000A7D0000-0x000000000ADE8000-memory.dmp

Filesize
6.1MB

Download
memory/2920-38-0x000000000A2F0000-0x000000000A3FA000-memory.dmp

Filesize
1.0MB

Download
memory/2920-39-0x000000000A220000-0x000000000A232000-memory.dmp

Filesize
72KB

Download
memory/2920-40-0x000000000A280000-0x000000000A2BC000-memory.dmp

Filesize
240KB

Download
memory/2920-41-0x0000000002740000-0x000000000278C000-memory.dmp

Filesize
304KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads