redline | 2d9aca0cfa7cc4aeb464264ab7e2db73f1eefb05d62b7d156b8e70c739a7f1d1

General

Target

2d9aca0cfa7cc4aeb464264ab7e2db73f1eefb05d62b7d156b8e70c739a7f1d1.exe
Size

770KB
MD5

3a6e057177307fa589d4a2553a1cf9d8
SHA1

48be7612b71389d0ea28dce91ae483bea54c87d2
SHA256

2d9aca0cfa7cc4aeb464264ab7e2db73f1eefb05d62b7d156b8e70c739a7f1d1
SHA512

48785a209dddbaf453877610899f5393970d8997831afcde26353ea79fe5cba5b8f36319a4584820729942dec4f4bb2d12055e032ed7ef5af33ef725c0cfa7d2
SSDEEP

12288:PMrxy90wGTM2Acc60NMeAiYIHC70Up64QmRgI5ZpNefU/mmKUWc:2yHf2CKDIi70Up647gsZpWwmmzt

Score

10^/10

redline debro discovery infostealer persistence

Malware Config

Extracted

Family

redline

Botnet

debro

C2

185.161.248.75:4132

Attributes

auth_value
18c2c191aebfde5d1787ec8d805a01a8

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 2 IoCs

resource	yara_rule
behavioral1/files/0x0009000000023bdc-19.dat	family_redline
behavioral1/memory/3512-21-0x0000000000290000-0x00000000002BE000-memory.dmp	family_redline

Redline family
redline

Executes dropped EXE 3 IoCs

pid	Process
4856	x5609059.exe
3308	x1423044.exe
3512	f0754928.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	2d9aca0cfa7cc4aeb464264ab7e2db73f1eefb05d62b7d156b8e70c739a7f1d1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	x5609059.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	x1423044.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2d9aca0cfa7cc4aeb464264ab7e2db73f1eefb05d62b7d156b8e70c739a7f1d1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	x5609059.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	x1423044.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f0754928.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 636 wrote to memory of 4856	636	2d9aca0cfa7cc4aeb464264ab7e2db73f1eefb05d62b7d156b8e70c739a7f1d1.exe	83
PID 636 wrote to memory of 4856	636	2d9aca0cfa7cc4aeb464264ab7e2db73f1eefb05d62b7d156b8e70c739a7f1d1.exe	83
PID 636 wrote to memory of 4856	636	2d9aca0cfa7cc4aeb464264ab7e2db73f1eefb05d62b7d156b8e70c739a7f1d1.exe	83
PID 4856 wrote to memory of 3308	4856	x5609059.exe	84
PID 4856 wrote to memory of 3308	4856	x5609059.exe	84
PID 4856 wrote to memory of 3308	4856	x5609059.exe	84
PID 3308 wrote to memory of 3512	3308	x1423044.exe	86
PID 3308 wrote to memory of 3512	3308	x1423044.exe	86
PID 3308 wrote to memory of 3512	3308	x1423044.exe	86

C:\Users\Admin\AppData\Local\Temp\2d9aca0cfa7cc4aeb464264ab7e2db73f1eefb05d62b7d156b8e70c739a7f1d1.exe
"C:\Users\Admin\AppData\Local\Temp\2d9aca0cfa7cc4aeb464264ab7e2db73f1eefb05d62b7d156b8e70c739a7f1d1.exe"
1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:636
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x5609059.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x5609059.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4856
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x1423044.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x1423044.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3308
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\f0754928.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\f0754928.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:3512

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x5609059.exe

Filesize
488KB

MD5
4896b2ecb425a4c74b41c9163634fe57

SHA1
56448a3cc71305431ad3d040400d4fafda7166f9

SHA256
b1b1c2072bf4bf016aa8cbd16cabb766b3f4b950517c56f5a5b3f32d4883c9d5

SHA512
b72680212e6182e1314e389e1c3b2ef6ec2f1d0e1fb251b54914e7750714ef1d5c1265db48248b2548805b0b6c6f6513cb8d879373f89e74c8bffc77ebb6c68c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x1423044.exe

Filesize
316KB

MD5
f460a223b3eef33dbd628e6316050f8b

SHA1
e3ade7116f4b1e82c1d2610371eadc4ee17f1679

SHA256
36550c2d6deaebd7e82f106dad32800576930e73932a45a1a31979a2dfa678a3

SHA512
5e95035a10d8a56881978076d756e1c3107e95e0af9165bfb29221d0ed42b6910b1ab4f0bc58f2602f55efe4c39203539afde298529072704d2e2864771525e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\f0754928.exe

Filesize
168KB

MD5
245315178d83153861eabdf3f93891e3

SHA1
b1569d25458b96ad3271f279bd530cdb06b1cc39

SHA256
2f757c664fce6facece1320e8f8cc174a3e130cbf0d8cd9d7f9ed2cef1723ee0

SHA512
a0c8933f595df631c721efd610ef3cce71b2c3b51f2b80a43f90b54a64b863068219533f4de9e657557c6cb5efd5969587b1bb5af9e903536b6d0fc4e30948f5

Download Submit
memory/3512-21-0x0000000000290000-0x00000000002BE000-memory.dmp

Filesize
184KB

Download
memory/3512-22-0x0000000002660000-0x0000000002666000-memory.dmp

Filesize
24KB

Download
memory/3512-23-0x000000000A5B0000-0x000000000ABC8000-memory.dmp

Filesize
6.1MB

Download
memory/3512-24-0x000000000A100000-0x000000000A20A000-memory.dmp

Filesize
1.0MB

Download
memory/3512-25-0x000000000A030000-0x000000000A042000-memory.dmp

Filesize
72KB

Download
memory/3512-26-0x000000000A090000-0x000000000A0CC000-memory.dmp

Filesize
240KB

Download
memory/3512-27-0x0000000002540000-0x000000000258C000-memory.dmp

Filesize
304KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads