redline | 95caee2e43797b5f1c199cc1696eb4fd9ab036e842d974f1a1f852268d49f1a6

General

Target

95caee2e43797b5f1c199cc1696eb4fd9ab036e842d974f1a1f852268d49f1a6.exe
Size

480KB
MD5

a335e43c4f994ad9217a02b1afd10cef
SHA1

02e280e606d5631b5f483c16dbd5ace0add25f5f
SHA256

95caee2e43797b5f1c199cc1696eb4fd9ab036e842d974f1a1f852268d49f1a6
SHA512

b28a39bc1f8333e5e51857900b3d5bf869363c1b3d56a2bad50b82bf48b5dfe15350d30757ddf1f82add93997bdc56631b352d54324416efea5de28b51e848e4
SSDEEP

12288:4MrLy905Lh23CKqu225yrxdo36DCUxx1M:zyChqCKqu228rf91M

Score

10^/10

redline discovery infostealer persistence

Malware Config

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 2 IoCs

resource	yara_rule
behavioral1/files/0x000b000000023b9c-12.dat	family_redline
behavioral1/memory/4560-15-0x0000000000920000-0x0000000000948000-memory.dmp	family_redline

Redline family
redline

Executes dropped EXE 2 IoCs

pid	Process
4448	x8597964.exe
4560	g8243327.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	95caee2e43797b5f1c199cc1696eb4fd9ab036e842d974f1a1f852268d49f1a6.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	x8597964.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	95caee2e43797b5f1c199cc1696eb4fd9ab036e842d974f1a1f852268d49f1a6.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	x8597964.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	g8243327.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 2404 wrote to memory of 4448	2404	95caee2e43797b5f1c199cc1696eb4fd9ab036e842d974f1a1f852268d49f1a6.exe	85
PID 2404 wrote to memory of 4448	2404	95caee2e43797b5f1c199cc1696eb4fd9ab036e842d974f1a1f852268d49f1a6.exe	85
PID 2404 wrote to memory of 4448	2404	95caee2e43797b5f1c199cc1696eb4fd9ab036e842d974f1a1f852268d49f1a6.exe	85
PID 4448 wrote to memory of 4560	4448	x8597964.exe	86
PID 4448 wrote to memory of 4560	4448	x8597964.exe	86
PID 4448 wrote to memory of 4560	4448	x8597964.exe	86

C:\Users\Admin\AppData\Local\Temp\95caee2e43797b5f1c199cc1696eb4fd9ab036e842d974f1a1f852268d49f1a6.exe
"C:\Users\Admin\AppData\Local\Temp\95caee2e43797b5f1c199cc1696eb4fd9ab036e842d974f1a1f852268d49f1a6.exe"
1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2404
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x8597964.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x8597964.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4448
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g8243327.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g8243327.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:4560

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x8597964.exe

Filesize
308KB

MD5
559e1fef62802080660720c0a17265a3

SHA1
53e1c408bc9caca9ced9ab03b89ef18ea971adad

SHA256
59b2bd04a7a8f0f91180e4acbd2dd40aabca9d2a8e89531f42da892b2e5eaae8

SHA512
c57ad6bf6dc3d2d1ee46860b179842a50e92e25f675e69c521589d694d0d1f64a8824b86577cd99c54d3d894e9a535184d2323b2ed71efd2f0aa2728efacbaea

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g8243327.exe

Filesize
136KB

MD5
62b511f868b541fcab2d80602c748cef

SHA1
57ecbb2e7c5f3619932d80d0bbfe112be96b5e47

SHA256
e1e30646e8f820ef0892561925d6b83e0a46f75c6311bc1a9bd9df2977dc1acb

SHA512
3fa75015978742bb2de8126875e73db884a0783a0a08972c6e01622268e4ddc8183cb5c44f42fb465f8b61cc48ce86fa821cd6f1323c4c0e3c7241c46b6c1895

Download Submit
memory/4560-14-0x0000000074A0E000-0x0000000074A0F000-memory.dmp

Filesize
4KB

Download
memory/4560-15-0x0000000000920000-0x0000000000948000-memory.dmp

Filesize
160KB

Download
memory/4560-16-0x0000000007DD0000-0x00000000083E8000-memory.dmp

Filesize
6.1MB

Download
memory/4560-17-0x00000000077D0000-0x00000000077E2000-memory.dmp

Filesize
72KB

Download
memory/4560-18-0x0000000007900000-0x0000000007A0A000-memory.dmp

Filesize
1.0MB

Download
memory/4560-19-0x0000000007830000-0x000000000786C000-memory.dmp

Filesize
240KB

Download
memory/4560-20-0x0000000074A00000-0x00000000751B0000-memory.dmp

Filesize
7.7MB

Download
memory/4560-21-0x0000000002D70000-0x0000000002DBC000-memory.dmp

Filesize
304KB

Download
memory/4560-22-0x0000000074A0E000-0x0000000074A0F000-memory.dmp

Filesize
4KB

Download
memory/4560-23-0x0000000074A00000-0x00000000751B0000-memory.dmp

Filesize
7.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads