redline | 2e99b2c74937ed8bbfa2c5d65f0c473763067c21708bd57128c379b47506e972

General

Target

2e99b2c74937ed8bbfa2c5d65f0c473763067c21708bd57128c379b47506e972.exe
Size

770KB
MD5

1470d3a918741e249a9f481e30db2014
SHA1

49dec9bb40dee85d8b379de254f8710044da77b2
SHA256

2e99b2c74937ed8bbfa2c5d65f0c473763067c21708bd57128c379b47506e972
SHA512

f4fb2ca6ca3df1bfe9337f6878e57aaebb212c49f3b3c121a1273e43bb98b0a9c903cffcfd829fac5aac0fccd33d991168437a1299c7e590aa6395f6e132a820
SSDEEP

24576:VypT/BOJ7xF5gkuPDhjzSRuo7fmeD/SrNWv:w5BOLFuku5zSoor1/SrN

Score

10^/10

redline debro discovery infostealer persistence

Malware Config

Extracted

Family

redline

Botnet

debro

C2

185.161.248.75:4132

Attributes

auth_value
18c2c191aebfde5d1787ec8d805a01a8

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 2 IoCs

resource	yara_rule
behavioral1/files/0x0008000000023cca-19.dat	family_redline
behavioral1/memory/2160-21-0x00000000001C0000-0x00000000001EE000-memory.dmp	family_redline

Redline family
redline

Executes dropped EXE 3 IoCs

pid	Process
4836	x3923895.exe
3208	x5555455.exe
2160	f8127160.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	2e99b2c74937ed8bbfa2c5d65f0c473763067c21708bd57128c379b47506e972.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	x3923895.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	x5555455.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f8127160.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2e99b2c74937ed8bbfa2c5d65f0c473763067c21708bd57128c379b47506e972.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	x3923895.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	x5555455.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 1340 wrote to memory of 4836	1340	2e99b2c74937ed8bbfa2c5d65f0c473763067c21708bd57128c379b47506e972.exe	83
PID 1340 wrote to memory of 4836	1340	2e99b2c74937ed8bbfa2c5d65f0c473763067c21708bd57128c379b47506e972.exe	83
PID 1340 wrote to memory of 4836	1340	2e99b2c74937ed8bbfa2c5d65f0c473763067c21708bd57128c379b47506e972.exe	83
PID 4836 wrote to memory of 3208	4836	x3923895.exe	84
PID 4836 wrote to memory of 3208	4836	x3923895.exe	84
PID 4836 wrote to memory of 3208	4836	x3923895.exe	84
PID 3208 wrote to memory of 2160	3208	x5555455.exe	85
PID 3208 wrote to memory of 2160	3208	x5555455.exe	85
PID 3208 wrote to memory of 2160	3208	x5555455.exe	85

C:\Users\Admin\AppData\Local\Temp\2e99b2c74937ed8bbfa2c5d65f0c473763067c21708bd57128c379b47506e972.exe
"C:\Users\Admin\AppData\Local\Temp\2e99b2c74937ed8bbfa2c5d65f0c473763067c21708bd57128c379b47506e972.exe"
1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1340
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x3923895.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x3923895.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4836
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x5555455.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x5555455.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3208
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\f8127160.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\f8127160.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:2160

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x3923895.exe

Filesize
488KB

MD5
ecb0d6618b2eb2d89d9b7af5ba2b3423

SHA1
a87ff4b82c593d0fa4fdbe29282299962d0f9250

SHA256
6e60383d22d1b7f8b7c68d609da0eaa0dc3558dfd30810636a01549cc6da0664

SHA512
18b08decfc8e4e68b90e8e91757d55fd714c0250d5847019b102a440fcb067099889a24c1acbce7c0151564694f45df7a80f608eaa8486a20f809127c63c48ac

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x5555455.exe

Filesize
316KB

MD5
460bfc848a4b966110cbf4d25d80599d

SHA1
c95f92764adbcf1132b62b6adaf1c233fc4fe814

SHA256
39e0903888d0f4eafedad03f5eafa0caa229e0bdec9f9ea3c2aec404e9fabda0

SHA512
c06ec4086652cd58716fbfb71210954cfabff5db73425815b96fe92fe373db69cccbcb3a449ce70f7d58ef820920b7c94ee78f2c820f05baec2f5f3939a53dd9

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\f8127160.exe

Filesize
168KB

MD5
107e888d223cfb9be28756d2056f9273

SHA1
bafcb345e5e94254b0f58399bef154471416e603

SHA256
761ccdcd80ad3ba58d25acfc82fc4d9c810b0c4bd313f7854c0fca91e2c8e4e0

SHA512
7d4e5b87202bbacab8f08d676908f5e4ca00245835a50ca3d493deaf9599004d2df84d57ce813113af2cbff9eca185c65e65d3f648aa4c792f73471e48cd5ffe

Download Submit
memory/2160-21-0x00000000001C0000-0x00000000001EE000-memory.dmp

Filesize
184KB

Download
memory/2160-22-0x00000000023A0000-0x00000000023A6000-memory.dmp

Filesize
24KB

Download
memory/2160-23-0x00000000051D0000-0x00000000057E8000-memory.dmp

Filesize
6.1MB

Download
memory/2160-24-0x0000000004CC0000-0x0000000004DCA000-memory.dmp

Filesize
1.0MB

Download
memory/2160-25-0x0000000004B40000-0x0000000004B52000-memory.dmp

Filesize
72KB

Download
memory/2160-26-0x0000000004BB0000-0x0000000004BEC000-memory.dmp

Filesize
240KB

Download
memory/2160-27-0x0000000004BF0000-0x0000000004C3C000-memory.dmp

Filesize
304KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads