redline | ebea827ffc3c62e9cc7920e55c36037bdf41ad30ca4835f5bc27338a343cce66

General

Target

ebea827ffc3c62e9cc7920e55c36037bdf41ad30ca4835f5bc27338a343cce66.exe
Size

599KB
MD5

02a270175da65258dc1fddf63a8e93bc
SHA1

edb7640b983f47b2bb312df19ed6b889cee448fd
SHA256

ebea827ffc3c62e9cc7920e55c36037bdf41ad30ca4835f5bc27338a343cce66
SHA512

8f6f5de6e5d5972cfe4face4cfc31f47b0ee882cb3e22d961d68c407cd2685a514574d925c28009d8e3e06e5a91ba7e28ded2292901b9f7580e308e0651d3b4f
SSDEEP

12288:YMr7y90ZH9Jg4G7nmgj9CCyTH+zPxuUgVKY41n5BeJ3Ulk:DyCHPb0nmgxCjIZII7Vu3Ulk

Score

10^/10

redline discovery infostealer persistence

Malware Config

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 2 IoCs

resource	yara_rule
behavioral1/files/0x000a000000023bc8-12.dat	family_redline
behavioral1/memory/1116-15-0x0000000000390000-0x00000000003B8000-memory.dmp	family_redline

Redline family
redline

Executes dropped EXE 2 IoCs

pid	Process
2352	y1100488.exe
1116	k3214075.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	ebea827ffc3c62e9cc7920e55c36037bdf41ad30ca4835f5bc27338a343cce66.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	y1100488.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	y1100488.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	k3214075.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ebea827ffc3c62e9cc7920e55c36037bdf41ad30ca4835f5bc27338a343cce66.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 3176 wrote to memory of 2352	3176	ebea827ffc3c62e9cc7920e55c36037bdf41ad30ca4835f5bc27338a343cce66.exe	83
PID 3176 wrote to memory of 2352	3176	ebea827ffc3c62e9cc7920e55c36037bdf41ad30ca4835f5bc27338a343cce66.exe	83
PID 3176 wrote to memory of 2352	3176	ebea827ffc3c62e9cc7920e55c36037bdf41ad30ca4835f5bc27338a343cce66.exe	83
PID 2352 wrote to memory of 1116	2352	y1100488.exe	84
PID 2352 wrote to memory of 1116	2352	y1100488.exe	84
PID 2352 wrote to memory of 1116	2352	y1100488.exe	84

C:\Users\Admin\AppData\Local\Temp\ebea827ffc3c62e9cc7920e55c36037bdf41ad30ca4835f5bc27338a343cce66.exe
"C:\Users\Admin\AppData\Local\Temp\ebea827ffc3c62e9cc7920e55c36037bdf41ad30ca4835f5bc27338a343cce66.exe"
1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3176
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y1100488.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y1100488.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2352
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k3214075.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k3214075.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:1116

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y1100488.exe

Filesize
307KB

MD5
e352e36bcb2f983a09ffee13cb3c327b

SHA1
2241f27c2d431fedfde4c2c01168e6f54b2b512e

SHA256
b24e79c473217075b4abe36527f027af4933d5440b1b9f8fd98f53101c268788

SHA512
d52e34ecf3f8c68580816506d786f81e2c58924a81ca6a9968fc7580c3b5e0dbbc9f988baad97e7e7acd2baf029ce7f65e6e7d9ea0643263042b5ce8efd77737

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k3214075.exe

Filesize
136KB

MD5
2facb94a806e6231e93c194e0bebb426

SHA1
77708b688f49d42c6a5f4aa23899ec9fd52eea66

SHA256
9394c6beff02402f8916eff7eb1d24b09b1f2d7e5d80a4567e923ab650bbe447

SHA512
451e7762bf980b76041badce16f7be3105ec8eaa0825f89090ac1bba781d31e818d1466a7aaa769e8bd8d26c4a157d5010c9d4950118aff775094af9291a310e

Download Submit
memory/1116-14-0x0000000074A8E000-0x0000000074A8F000-memory.dmp

Filesize
4KB

Download
memory/1116-15-0x0000000000390000-0x00000000003B8000-memory.dmp

Filesize
160KB

Download
memory/1116-16-0x0000000007680000-0x0000000007C98000-memory.dmp

Filesize
6.1MB

Download
memory/1116-17-0x00000000070C0000-0x00000000070D2000-memory.dmp

Filesize
72KB

Download
memory/1116-18-0x0000000007230000-0x000000000733A000-memory.dmp

Filesize
1.0MB

Download
memory/1116-19-0x0000000007160000-0x000000000719C000-memory.dmp

Filesize
240KB

Download
memory/1116-20-0x0000000074A80000-0x0000000075230000-memory.dmp

Filesize
7.7MB

Download
memory/1116-21-0x00000000026A0000-0x00000000026EC000-memory.dmp

Filesize
304KB

Download
memory/1116-22-0x0000000074A8E000-0x0000000074A8F000-memory.dmp

Filesize
4KB

Download
memory/1116-23-0x0000000074A80000-0x0000000075230000-memory.dmp

Filesize
7.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads