redline | a1d8b3da3ea79d710b793b817212d30d55f57bff12e2e29ce567e27a488709d7

General

Target

a1d8b3da3ea79d710b793b817212d30d55f57bff12e2e29ce567e27a488709d7.exe
Size

1.5MB
MD5

e4aa66110ae36b728ff903b80ac64fb8
SHA1

0b117abbfa59337448a4216cec01717eaef0d69e
SHA256

a1d8b3da3ea79d710b793b817212d30d55f57bff12e2e29ce567e27a488709d7
SHA512

cb21edc4bd62f6353efe5f91a72f708bb25a6997d54ae41dc99d5b3e3b9f42a9a430dafad756c99f4f62d003323a46964f8840313dd9d5a6b8991b3619b9f62e
SSDEEP

24576:pyQQG0VnGlCUEUVXlRbM9P4ZQyyQYtGSoVata9BbAZ/bC+z08Q3:cLGQnGzJMF4ZByQQukEMY

Score

10^/10

redline most discovery infostealer persistence

Malware Config

Extracted

Family

redline

Botnet

most

C2

185.161.248.73:4164

Attributes

auth_value
7da4dfa153f2919e617aa016f7c36008

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 2 IoCs

resource	yara_rule
behavioral1/files/0x0009000000023c0f-33.dat	family_redline
behavioral1/memory/2316-35-0x00000000004C0000-0x00000000004F0000-memory.dmp	family_redline

Redline family
redline

Executes dropped EXE 5 IoCs

pid	Process
5108	i81630264.exe
5012	i86250340.exe
4568	i09480974.exe
4396	i04774273.exe
2316	a43242463.exe

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	i09480974.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\""	i04774273.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	a1d8b3da3ea79d710b793b817212d30d55f57bff12e2e29ce567e27a488709d7.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	i81630264.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	i86250340.exe

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a1d8b3da3ea79d710b793b817212d30d55f57bff12e2e29ce567e27a488709d7.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	i81630264.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	i86250340.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	i09480974.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	i04774273.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a43242463.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 3588 wrote to memory of 5108	3588	a1d8b3da3ea79d710b793b817212d30d55f57bff12e2e29ce567e27a488709d7.exe	83
PID 3588 wrote to memory of 5108	3588	a1d8b3da3ea79d710b793b817212d30d55f57bff12e2e29ce567e27a488709d7.exe	83
PID 3588 wrote to memory of 5108	3588	a1d8b3da3ea79d710b793b817212d30d55f57bff12e2e29ce567e27a488709d7.exe	83
PID 5108 wrote to memory of 5012	5108	i81630264.exe	84
PID 5108 wrote to memory of 5012	5108	i81630264.exe	84
PID 5108 wrote to memory of 5012	5108	i81630264.exe	84
PID 5012 wrote to memory of 4568	5012	i86250340.exe	85
PID 5012 wrote to memory of 4568	5012	i86250340.exe	85
PID 5012 wrote to memory of 4568	5012	i86250340.exe	85
PID 4568 wrote to memory of 4396	4568	i09480974.exe	86
PID 4568 wrote to memory of 4396	4568	i09480974.exe	86
PID 4568 wrote to memory of 4396	4568	i09480974.exe	86
PID 4396 wrote to memory of 2316	4396	i04774273.exe	88
PID 4396 wrote to memory of 2316	4396	i04774273.exe	88
PID 4396 wrote to memory of 2316	4396	i04774273.exe	88

C:\Users\Admin\AppData\Local\Temp\a1d8b3da3ea79d710b793b817212d30d55f57bff12e2e29ce567e27a488709d7.exe
"C:\Users\Admin\AppData\Local\Temp\a1d8b3da3ea79d710b793b817212d30d55f57bff12e2e29ce567e27a488709d7.exe"
1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3588
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i81630264.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i81630264.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:5108
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\i86250340.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\i86250340.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:5012
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i09480974.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i09480974.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:4568
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\i04774273.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\i04774273.exe
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4396
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a43242463.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a43242463.exe
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2316

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i81630264.exe

Filesize
1.3MB

MD5
de11439b82646473812c8e12597551c6

SHA1
b280474b203fcf50f848c5c419214a532448e430

SHA256
9d33c51ffed2edced84ba72ffb98ec7960056e58a03f734ecee3800e340e968f

SHA512
287b38ae47fbc429c619e099e5013ae609dc7be5202b221fd31e3573062fc0d5d384c1d605368cbd2e43abd67bc7410acac723d98dabe1bdbdb0ee48cfb25c1f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\i86250340.exe

Filesize
1016KB

MD5
79d9ca3e89db256138f370e9d488bba3

SHA1
d04dc0bf59f9cfb9d396a798b38983499d705fec

SHA256
bd021731c552e4584a5308f6e309e9d509b0ae7b9626a8a8f603a83fa68549c2

SHA512
2f16cac1a07cf3f7a5c545bb39f6119a9969187b019a5939ecbf06d256a0d697cdab2a43c6c1aed48b6bf8c601f21755d568510f45b926f275ab85692d50fedc

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i09480974.exe

Filesize
844KB

MD5
e7475e36814e9ebc5e8250c523d242bf

SHA1
29c80dc6e4424709ef7187492dc9daa787ddd498

SHA256
fadb95b943c1e5e1685f51c1f108d6ea482f99e9ed98826f9febe8c7a140d82e

SHA512
4da2ad803272be5b8e576a672f88b0dec8fed61108627e719f8d2a570c151d6bdad14c4fb4ad17f19f0a250826929150a762cd926a5ff6260db1221cd5042284

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\i04774273.exe

Filesize
371KB

MD5
e2444c4fddd079f838e76ef580ef2226

SHA1
de9fe5b24a688d140c76adf69e4b3f1ae60082a7

SHA256
3f6ccbf6d7be65935db7af3b41f03fb13a9d930f6f04af56e440ad8bc474404a

SHA512
e378f6714bca96fda89e6a54df96ff09aae176210c0b25dc4685814e307a4ad3229f1a88e5de2d77f5fb3001f03bbe9c93e3332fae04e1ae2b0d694cd19dc6e9

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a43242463.exe

Filesize
169KB

MD5
529b0875c5c32d5679c470b6ec57b32c

SHA1
3cd48fcb7aae4594ce2e45607ccaef457541a937

SHA256
0f24e09312646a4cbbfb9bee1df4733feae28ba3287436a969e181c43c5aa5f3

SHA512
3cf4ff9057ebac4da3ffe793e89f2a93d883476d0c29982258a4048c7ba3afc8596b5aa000ff983321f3fd0a98ac37a3493a59fb65c1371c013496f89ffee168

Download Submit
memory/2316-35-0x00000000004C0000-0x00000000004F0000-memory.dmp

Filesize
192KB

Download
memory/2316-36-0x0000000000B90000-0x0000000000B96000-memory.dmp

Filesize
24KB

Download
memory/2316-37-0x0000000005420000-0x0000000005A38000-memory.dmp

Filesize
6.1MB

Download
memory/2316-38-0x0000000004F10000-0x000000000501A000-memory.dmp

Filesize
1.0MB

Download
memory/2316-39-0x0000000004E40000-0x0000000004E52000-memory.dmp

Filesize
72KB

Download
memory/2316-40-0x0000000004EA0000-0x0000000004EDC000-memory.dmp

Filesize
240KB

Download
memory/2316-41-0x0000000005020000-0x000000000506C000-memory.dmp

Filesize
304KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads