redline | fc506c71dbf1b42f49b6d27f7e3192563ab2e36e163262fd83abd3c1b56de4b3

General

Target

fc506c71dbf1b42f49b6d27f7e3192563ab2e36e163262fd83abd3c1b56de4b3.exe
Size

715KB
MD5

a3f1773ec835b4a940e1bb9a89f771ef
SHA1

d901e7e7416fd7140bd78fa47bcbf39010b35d0f
SHA256

fc506c71dbf1b42f49b6d27f7e3192563ab2e36e163262fd83abd3c1b56de4b3
SHA512

a0d9a6fcae78dcad3bbcd8c10e91a23b2c24e187a8f4602519645ab98e006c685b89a96fd3b6c7515b62673c23776bc9df99cce22064748820a55512c31c6f0c
SSDEEP

12288:1MrGy90fKtSVoYzDlx5QYjQcM0hWnkWlAQITvDMpJbtx7o3N2SyxnDbz7w5GDM9s:fyIKgVooDQb0QkqAQITvDMzbH092Pv4e

Score

10^/10

redline fukia discovery infostealer persistence

Malware Config

Extracted

Family

redline

Botnet

fukia

C2

193.233.20.13:4136

Attributes

auth_value
e5783636fbd9e4f0cf9a017bce02e67e

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 2 IoCs

resource	yara_rule
behavioral1/files/0x0008000000023c77-19.dat	family_redline
behavioral1/memory/3888-21-0x0000000000080000-0x00000000000B2000-memory.dmp	family_redline

Redline family
redline

Executes dropped EXE 3 IoCs

pid	Process
3584	siV97Tb.exe
2648	saQ13Gt.exe
3888	keD31zx.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	siV97Tb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	saQ13Gt.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	fc506c71dbf1b42f49b6d27f7e3192563ab2e36e163262fd83abd3c1b56de4b3.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	siV97Tb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	saQ13Gt.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	keD31zx.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fc506c71dbf1b42f49b6d27f7e3192563ab2e36e163262fd83abd3c1b56de4b3.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 3080 wrote to memory of 3584	3080	fc506c71dbf1b42f49b6d27f7e3192563ab2e36e163262fd83abd3c1b56de4b3.exe	85
PID 3080 wrote to memory of 3584	3080	fc506c71dbf1b42f49b6d27f7e3192563ab2e36e163262fd83abd3c1b56de4b3.exe	85
PID 3080 wrote to memory of 3584	3080	fc506c71dbf1b42f49b6d27f7e3192563ab2e36e163262fd83abd3c1b56de4b3.exe	85
PID 3584 wrote to memory of 2648	3584	siV97Tb.exe	86
PID 3584 wrote to memory of 2648	3584	siV97Tb.exe	86
PID 3584 wrote to memory of 2648	3584	siV97Tb.exe	86
PID 2648 wrote to memory of 3888	2648	saQ13Gt.exe	87
PID 2648 wrote to memory of 3888	2648	saQ13Gt.exe	87
PID 2648 wrote to memory of 3888	2648	saQ13Gt.exe	87

C:\Users\Admin\AppData\Local\Temp\fc506c71dbf1b42f49b6d27f7e3192563ab2e36e163262fd83abd3c1b56de4b3.exe
"C:\Users\Admin\AppData\Local\Temp\fc506c71dbf1b42f49b6d27f7e3192563ab2e36e163262fd83abd3c1b56de4b3.exe"
1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3080
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\siV97Tb.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\siV97Tb.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3584
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\saQ13Gt.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\saQ13Gt.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2648
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\keD31zx.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\keD31zx.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:3888

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\siV97Tb.exe

Filesize
611KB

MD5
8691072a5500803939d9fee1577dbdd5

SHA1
bfcf87fb1049c514e6b80e6e4bbc60c6479306fa

SHA256
c962b88fb3b5e08cc9a223af457308cddb05d42ad2da853aba3577dff81f07ef

SHA512
af4a5b7b0cfa22f8ef094678bf68d949340beeac805d952571f9b282f6eaa04bd73381a4da3fbedf25cbf568e542687bb5bfa6c195108d834e51f2fedd7d3001

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\saQ13Gt.exe

Filesize
286KB

MD5
3d5552216edf53a0a10fa4aac6891a04

SHA1
6c25addb57fb756f80874cf8597e9e7e34140510

SHA256
6bad377e5ab654c9b0da0a5f623839285ab292f14df700a04f8844b11cdea666

SHA512
37c648ea5451fbb2ccbdc559e2af3abdab12c40fb95284fa2e6336891d7289326f848f607ecde6b9f335e466979438078caa30596648cd56168d03f3b7431442

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\keD31zx.exe

Filesize
175KB

MD5
a5f5c5d6291c7ae9e1d1b7ed1e551490

SHA1
3d06413341893b838549939e15f8f1eec423d71a

SHA256
1a09ce1cb64219a5d88e57845dc9ba6631efa06fccc8867ccf94eb132947563e

SHA512
d9b3ba67bdd615ee2ce91a29cd9cf6723464be27bf45186fd0e9559ff2b0e7c51b423cfc3e32b5e90955046fb75a34c4a8528df7294b6c831ca254a65d2b8ba2

Download Submit
memory/3888-21-0x0000000000080000-0x00000000000B2000-memory.dmp

Filesize
200KB

Download
memory/3888-22-0x0000000004F00000-0x0000000005518000-memory.dmp

Filesize
6.1MB

Download
memory/3888-23-0x0000000004A30000-0x0000000004B3A000-memory.dmp

Filesize
1.0MB

Download
memory/3888-24-0x0000000004950000-0x0000000004962000-memory.dmp

Filesize
72KB

Download
memory/3888-25-0x00000000049B0000-0x00000000049EC000-memory.dmp

Filesize
240KB

Download
memory/3888-26-0x0000000004B40000-0x0000000004B8C000-memory.dmp

Filesize
304KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads