redline | 92f181588802f97162bf28ac858b162f84f324a01e2a82515ceabebfb4d2fe50

General

Target

92f181588802f97162bf28ac858b162f84f324a01e2a82515ceabebfb4d2fe50.exe
Size

599KB
MD5

be8fc3226eccfa56286f98212873a037
SHA1

36f1960510176f102a980916a0931a2904b4446e
SHA256

92f181588802f97162bf28ac858b162f84f324a01e2a82515ceabebfb4d2fe50
SHA512

254c51c0db0930fdc588061c722f329069154b8f114fa8676df01631a184838b21191ba63c1d4967c2d3c7d7a61167fafd16124aa40d7a938e4ef4ff4de03ab6
SSDEEP

12288:DMr3y90tsRYO9PoX1I4Zdk1i0+Z+EnOvYFgD8WL+Tsed:cyQsRj9PgaAk1bSvOvYFgD9aL

Score

10^/10

redline discovery infostealer persistence

Malware Config

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 2 IoCs

resource	yara_rule
behavioral1/files/0x000b000000023b81-12.dat	family_redline
behavioral1/memory/4464-15-0x0000000000D40000-0x0000000000D68000-memory.dmp	family_redline

Redline family
redline

Executes dropped EXE 2 IoCs

pid	Process
8	y2032491.exe
4464	k0350623.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	y2032491.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	92f181588802f97162bf28ac858b162f84f324a01e2a82515ceabebfb4d2fe50.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	92f181588802f97162bf28ac858b162f84f324a01e2a82515ceabebfb4d2fe50.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	y2032491.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	k0350623.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 3608 wrote to memory of 8	3608	92f181588802f97162bf28ac858b162f84f324a01e2a82515ceabebfb4d2fe50.exe	83
PID 3608 wrote to memory of 8	3608	92f181588802f97162bf28ac858b162f84f324a01e2a82515ceabebfb4d2fe50.exe	83
PID 3608 wrote to memory of 8	3608	92f181588802f97162bf28ac858b162f84f324a01e2a82515ceabebfb4d2fe50.exe	83
PID 8 wrote to memory of 4464	8	y2032491.exe	85
PID 8 wrote to memory of 4464	8	y2032491.exe	85
PID 8 wrote to memory of 4464	8	y2032491.exe	85

C:\Users\Admin\AppData\Local\Temp\92f181588802f97162bf28ac858b162f84f324a01e2a82515ceabebfb4d2fe50.exe
"C:\Users\Admin\AppData\Local\Temp\92f181588802f97162bf28ac858b162f84f324a01e2a82515ceabebfb4d2fe50.exe"
1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3608
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y2032491.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y2032491.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:8
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k0350623.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k0350623.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:4464

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y2032491.exe

Filesize
307KB

MD5
15ecfffe00d16321764e5c9671c4939f

SHA1
50ae6efb9ad52fd6d9da0e474fd806e4f414011b

SHA256
cb971cfe6466b62fdadbbbc5a06784f38be290dc917d734afe1c9bf3d6c43e39

SHA512
90d46fb6a1821075944f8b3b3e583a6b40449540bf88acf152474fc84c8ae6119a242776c6201728251dd09bb2f4d76c284260757d70afe5d570b91a3c2bb40d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k0350623.exe

Filesize
136KB

MD5
9ee0bd69bebb1704ffc4affc8a651203

SHA1
21846e4fe06b0fe0384f4cd63e8cc009083e10e3

SHA256
eff842fdafe62cf9982878ae5113594dbba8a846226408ce3034c4cfb6fb629e

SHA512
b99ecb7eaf67c85e0cab0195ad943244997fc4a9b7e46e3dd10ccb3af33caccc838220dae4aa6e67bb160faa5d2dc408a6f6f611e07d86a865c59b10ceb374fe

Download Submit
memory/4464-14-0x000000007409E000-0x000000007409F000-memory.dmp

Filesize
4KB

Download
memory/4464-15-0x0000000000D40000-0x0000000000D68000-memory.dmp

Filesize
160KB

Download
memory/4464-16-0x0000000008050000-0x0000000008668000-memory.dmp

Filesize
6.1MB

Download
memory/4464-17-0x0000000007A90000-0x0000000007AA2000-memory.dmp

Filesize
72KB

Download
memory/4464-18-0x0000000007BC0000-0x0000000007CCA000-memory.dmp

Filesize
1.0MB

Download
memory/4464-19-0x0000000007AF0000-0x0000000007B2C000-memory.dmp

Filesize
240KB

Download
memory/4464-20-0x0000000074090000-0x0000000074840000-memory.dmp

Filesize
7.7MB

Download
memory/4464-21-0x00000000050E0000-0x000000000512C000-memory.dmp

Filesize
304KB

Download
memory/4464-22-0x000000007409E000-0x000000007409F000-memory.dmp

Filesize
4KB

Download
memory/4464-23-0x0000000074090000-0x0000000074840000-memory.dmp

Filesize
7.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads