redline | 770c7738f60205bacce633102254eb069ff626d512e6a795bb5e14e0b2ec54db

General

Target

770c7738f60205bacce633102254eb069ff626d512e6a795bb5e14e0b2ec54db.exe
Size

479KB
MD5

cc1e2583416c9e7f036fe791f833e125
SHA1

638ce38cf7011f7e7cf7e9354e79b1915d2489e8
SHA256

770c7738f60205bacce633102254eb069ff626d512e6a795bb5e14e0b2ec54db
SHA512

e1d60125e78506baa6c208ec5c9a39688fc356b886d7125ab159fc9c4b4075e0b9d39ec5e428d306bcfff694ad9718146cd884667b359637299c53c12aac9c93
SSDEEP

12288:sMrdy90zYsVTX4ea01BjkrrPylk7cU5L0qQ:Zy9sVTJa0feD7cFF

Score

10^/10

redline discovery infostealer persistence

Malware Config

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 2 IoCs

resource	yara_rule
behavioral1/files/0x0008000000023cc7-12.dat	family_redline
behavioral1/memory/3076-15-0x0000000000190000-0x00000000001B8000-memory.dmp	family_redline

Redline family
redline

Executes dropped EXE 2 IoCs

pid	Process
4836	x1225407.exe
3076	g3009994.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	770c7738f60205bacce633102254eb069ff626d512e6a795bb5e14e0b2ec54db.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	x1225407.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	x1225407.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	g3009994.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	770c7738f60205bacce633102254eb069ff626d512e6a795bb5e14e0b2ec54db.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 1924 wrote to memory of 4836	1924	770c7738f60205bacce633102254eb069ff626d512e6a795bb5e14e0b2ec54db.exe	83
PID 1924 wrote to memory of 4836	1924	770c7738f60205bacce633102254eb069ff626d512e6a795bb5e14e0b2ec54db.exe	83
PID 1924 wrote to memory of 4836	1924	770c7738f60205bacce633102254eb069ff626d512e6a795bb5e14e0b2ec54db.exe	83
PID 4836 wrote to memory of 3076	4836	x1225407.exe	84
PID 4836 wrote to memory of 3076	4836	x1225407.exe	84
PID 4836 wrote to memory of 3076	4836	x1225407.exe	84

C:\Users\Admin\AppData\Local\Temp\770c7738f60205bacce633102254eb069ff626d512e6a795bb5e14e0b2ec54db.exe
"C:\Users\Admin\AppData\Local\Temp\770c7738f60205bacce633102254eb069ff626d512e6a795bb5e14e0b2ec54db.exe"
1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1924
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x1225407.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x1225407.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4836
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g3009994.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g3009994.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:3076

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x1225407.exe

Filesize
307KB

MD5
7f2e4fc3db63188b96f2db9979129a46

SHA1
a77f56db4349fe406452f6b2d824a2dcf6aad73d

SHA256
5dadf51283123fe471728f38e76fe3261e2ac955ffcb6b3145bcc590504ab395

SHA512
0bf1df523f8caae0752b9a70d3d13e5640b2241cf6aef9ccd02f49b4f612e5e28917e28dbb48b05c3a3c359c93570679c7d26fa7f8d227641f2e5826dd56c6db

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g3009994.exe

Filesize
137KB

MD5
cb3c8d732d2df0e02dc212152465cee6

SHA1
c82ad9923f6611fd5b05b75f5ea97d57e23d3361

SHA256
28f7811b18a905f102f6bad6d31a67000e496f2487c5264cd23da01d1d839868

SHA512
d96d095a2b26b8fb8f381d0ccb5e829c3eece4a5d1e1ad253d1722915d41979099cc41f1d3090fdeb2eccfb01ec37d1b81ce5164cbc6503b7e7dc6f298bd782b

Download Submit
memory/3076-14-0x00000000747DE000-0x00000000747DF000-memory.dmp

Filesize
4KB

Download
memory/3076-15-0x0000000000190000-0x00000000001B8000-memory.dmp

Filesize
160KB

Download
memory/3076-16-0x0000000007470000-0x0000000007A88000-memory.dmp

Filesize
6.1MB

Download
memory/3076-17-0x0000000006EF0000-0x0000000006F02000-memory.dmp

Filesize
72KB

Download
memory/3076-18-0x0000000007020000-0x000000000712A000-memory.dmp

Filesize
1.0MB

Download
memory/3076-20-0x00000000747D0000-0x0000000074F80000-memory.dmp

Filesize
7.7MB

Download
memory/3076-19-0x0000000006F50000-0x0000000006F8C000-memory.dmp

Filesize
240KB

Download
memory/3076-21-0x00000000024A0000-0x00000000024EC000-memory.dmp

Filesize
304KB

Download
memory/3076-22-0x00000000747DE000-0x00000000747DF000-memory.dmp

Filesize
4KB

Download
memory/3076-23-0x00000000747D0000-0x0000000074F80000-memory.dmp

Filesize
7.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads