redline | 760cd792f50a692ddc7ef5672ac9786444a51319d4f595e66781d9da27c9905e

General

Target

db1edca29d8b6093db1fcb5e859e1e9d889e1476542ca3ea475d3404ef7d32f0N.exe
Size

1.5MB
MD5

14bc2b2d5f1d564bce6ba169aa3d6193
SHA1

7d32252a30f6d9706786713ae8ef8677362100ff
SHA256

760cd792f50a692ddc7ef5672ac9786444a51319d4f595e66781d9da27c9905e
SHA512

8194e180e31c8c4bab1aa9710178c7e88f4217f585064adf6653d742c9ca60980b033b1567bb89c137911e54082e489470553a3aa237393edc0c1244b26888bd
SSDEEP

24576:fyiI3Kt5vJgir9Wy05CW1S3Ikn58qLQjrGq7cyezATdf6ROHjPRkNugXswZLb:qiI3A6S0y0oKS3Ik58sQjjRYA9BDYugV

Score

10^/10

redline most discovery infostealer persistence

Malware Config

Extracted

Family

redline

Botnet

most

C2

185.161.248.73:4164

Attributes

auth_value
7da4dfa153f2919e617aa016f7c36008

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 2 IoCs

resource	yara_rule
behavioral1/files/0x000b000000023ba7-33.dat	family_redline
behavioral1/memory/2724-35-0x0000000000140000-0x0000000000170000-memory.dmp	family_redline

Redline family
redline

Executes dropped EXE 5 IoCs

pid	Process
3672	i86219630.exe
2296	i23814102.exe
2840	i94343111.exe
1928	i95223336.exe
2724	a53719515.exe

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	db1edca29d8b6093db1fcb5e859e1e9d889e1476542ca3ea475d3404ef7d32f0N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	i86219630.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	i23814102.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	i94343111.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\""	i95223336.exe

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	db1edca29d8b6093db1fcb5e859e1e9d889e1476542ca3ea475d3404ef7d32f0N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	i86219630.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	i23814102.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	i94343111.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	i95223336.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a53719515.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 4680 wrote to memory of 3672	4680	db1edca29d8b6093db1fcb5e859e1e9d889e1476542ca3ea475d3404ef7d32f0N.exe	83
PID 4680 wrote to memory of 3672	4680	db1edca29d8b6093db1fcb5e859e1e9d889e1476542ca3ea475d3404ef7d32f0N.exe	83
PID 4680 wrote to memory of 3672	4680	db1edca29d8b6093db1fcb5e859e1e9d889e1476542ca3ea475d3404ef7d32f0N.exe	83
PID 3672 wrote to memory of 2296	3672	i86219630.exe	85
PID 3672 wrote to memory of 2296	3672	i86219630.exe	85
PID 3672 wrote to memory of 2296	3672	i86219630.exe	85
PID 2296 wrote to memory of 2840	2296	i23814102.exe	86
PID 2296 wrote to memory of 2840	2296	i23814102.exe	86
PID 2296 wrote to memory of 2840	2296	i23814102.exe	86
PID 2840 wrote to memory of 1928	2840	i94343111.exe	88
PID 2840 wrote to memory of 1928	2840	i94343111.exe	88
PID 2840 wrote to memory of 1928	2840	i94343111.exe	88
PID 1928 wrote to memory of 2724	1928	i95223336.exe	89
PID 1928 wrote to memory of 2724	1928	i95223336.exe	89
PID 1928 wrote to memory of 2724	1928	i95223336.exe	89

C:\Users\Admin\AppData\Local\Temp\db1edca29d8b6093db1fcb5e859e1e9d889e1476542ca3ea475d3404ef7d32f0N.exe
"C:\Users\Admin\AppData\Local\Temp\db1edca29d8b6093db1fcb5e859e1e9d889e1476542ca3ea475d3404ef7d32f0N.exe"
1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4680
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i86219630.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i86219630.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3672
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\i23814102.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\i23814102.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2296
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i94343111.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i94343111.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2840
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\i95223336.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\i95223336.exe
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1928
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a53719515.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a53719515.exe
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2724

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i86219630.exe

Filesize
1.3MB

MD5
99b9cc27c5696f72a7b0ae99a25c0aa3

SHA1
9095a5501a9fd97c39443cce0084b11f1efcef4c

SHA256
d6f236a5270865aa5ea6ae8a2b8d95894ed9de009228d96f2dcc575356849818

SHA512
d3c5bd53ff56c19736130ebb3cbfb01806fe1544d902bced88dfb65ce1cf2622379f044de52df868f3caa156784299f45e8997a9c5ab572f7803989afaebc359

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\i23814102.exe

Filesize
1022KB

MD5
4bbd835404f10ae15894496c4608676e

SHA1
984c35f92a4a888a33425c6fd33feaa0147fc180

SHA256
cb537e08272d9392180199d266dadbdb6804628790be129a83a979c245da39d8

SHA512
0139893a9635d61ae0487c700fbde164f6c0cdd4b16f6ec6a1dd95181f6473f83076cca6a12bd5201f2e5be13b1991d7789f6b0315092a0270e91be916bb8da5

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i94343111.exe

Filesize
850KB

MD5
933cd9746bd270cfa7be4c468efe8d24

SHA1
5f122cda14be87fffa8baec0009bb9cc7caed4e6

SHA256
2188a79d5b53fcd7c574386e2799e607b023bc6bb5f7cb6904b863bd5a52b078

SHA512
74a5c07d30a1d3cc71793a268306b03c6e38543be2f24bf0009f1bf2da184c9ce6e89c365f11f1cace1fd1a50e840a37ca35c7ca1d7b806fef01425318636cc5

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\i95223336.exe

Filesize
374KB

MD5
31b286b755ced54dbc979d8bb463fe5a

SHA1
9f929a8d90e4fdd59079e209748e368e14509be9

SHA256
ba66e71e86dedb36a8424ce63da1e890befe0f7e51e0626ee29b59565f03674e

SHA512
6114ff9df89c354bed9f272f0c9fecd26fee12df4ff3e56f59c187e7e405e02bce4650f30fee1e22035a87ac0fdf9c8d30b5645e3b93275e23ded550d0803e13

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a53719515.exe

Filesize
169KB

MD5
74c3b1c0911a1806073802de5b04802a

SHA1
da4c6308cb326edb3cfc48b92b18e9c23023a593

SHA256
1a49611982fbdd2319d15786835ef7c218c52f225db33d1b84d02365e4c56368

SHA512
0d66548cc0e90991c69606ecf904cc6c9878ab5fcfaba77c98cec45936bfec485dd3a3d0a6cde107f473792e589f220308fb2146fbab91b459199b569f207f90

Download Submit
memory/2724-35-0x0000000000140000-0x0000000000170000-memory.dmp

Filesize
192KB

Download
memory/2724-36-0x0000000004AA0000-0x0000000004AA6000-memory.dmp

Filesize
24KB

Download
memory/2724-37-0x0000000005250000-0x0000000005868000-memory.dmp

Filesize
6.1MB

Download
memory/2724-38-0x0000000004D40000-0x0000000004E4A000-memory.dmp

Filesize
1.0MB

Download
memory/2724-39-0x0000000004AF0000-0x0000000004B02000-memory.dmp

Filesize
72KB

Download
memory/2724-40-0x0000000004C70000-0x0000000004CAC000-memory.dmp

Filesize
240KB

Download
memory/2724-41-0x0000000004CB0000-0x0000000004CFC000-memory.dmp

Filesize
304KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads