redline | b8f28513fdc04185e27d2bd5d1c2c124a04f808954b44b14fa60b74c2ee24466

General

Target

b8f28513fdc04185e27d2bd5d1c2c124a04f808954b44b14fa60b74c2ee24466.exe
Size

1.5MB
MD5

609bdac69d09ab48171e4540a41bae8b
SHA1

3af72db0018fc87144951efe5b09d27fb0894970
SHA256

b8f28513fdc04185e27d2bd5d1c2c124a04f808954b44b14fa60b74c2ee24466
SHA512

ba09fa02eaf2d462e397267e068fb8ad35d19e548aefe58f9de285a53787dfbac1e4eb580bb01bbf816004d0685c547f758e55a40f6a07a0de2d3f441c8eee1f
SSDEEP

24576:Fy+t8aBq8D5C9AmF8LFKLwQ7XzcEfxnrhFOC1tftojBkQlKFCBRh6:g0F58T0kBfcEV/1tftod1OCBR

Score

10^/10

redline most discovery infostealer persistence

Malware Config

Extracted

Family

redline

Botnet

most

C2

185.161.248.73:4164

Attributes

auth_value
7da4dfa153f2919e617aa016f7c36008

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 2 IoCs

resource	yara_rule
behavioral1/files/0x000b000000023b87-33.dat	family_redline
behavioral1/memory/400-35-0x0000000000D30000-0x0000000000D60000-memory.dmp	family_redline

Redline family
redline

Executes dropped EXE 5 IoCs

pid	Process
4748	i92439317.exe
728	i22047743.exe
2080	i53907364.exe
1068	i02180461.exe
400	a35615806.exe

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	i22047743.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	i53907364.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\""	i02180461.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	b8f28513fdc04185e27d2bd5d1c2c124a04f808954b44b14fa60b74c2ee24466.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	i92439317.exe

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	b8f28513fdc04185e27d2bd5d1c2c124a04f808954b44b14fa60b74c2ee24466.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	i92439317.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	i22047743.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	i53907364.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	i02180461.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a35615806.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 1808 wrote to memory of 4748	1808	b8f28513fdc04185e27d2bd5d1c2c124a04f808954b44b14fa60b74c2ee24466.exe	85
PID 1808 wrote to memory of 4748	1808	b8f28513fdc04185e27d2bd5d1c2c124a04f808954b44b14fa60b74c2ee24466.exe	85
PID 1808 wrote to memory of 4748	1808	b8f28513fdc04185e27d2bd5d1c2c124a04f808954b44b14fa60b74c2ee24466.exe	85
PID 4748 wrote to memory of 728	4748	i92439317.exe	86
PID 4748 wrote to memory of 728	4748	i92439317.exe	86
PID 4748 wrote to memory of 728	4748	i92439317.exe	86
PID 728 wrote to memory of 2080	728	i22047743.exe	88
PID 728 wrote to memory of 2080	728	i22047743.exe	88
PID 728 wrote to memory of 2080	728	i22047743.exe	88
PID 2080 wrote to memory of 1068	2080	i53907364.exe	89
PID 2080 wrote to memory of 1068	2080	i53907364.exe	89
PID 2080 wrote to memory of 1068	2080	i53907364.exe	89
PID 1068 wrote to memory of 400	1068	i02180461.exe	90
PID 1068 wrote to memory of 400	1068	i02180461.exe	90
PID 1068 wrote to memory of 400	1068	i02180461.exe	90

C:\Users\Admin\AppData\Local\Temp\b8f28513fdc04185e27d2bd5d1c2c124a04f808954b44b14fa60b74c2ee24466.exe
"C:\Users\Admin\AppData\Local\Temp\b8f28513fdc04185e27d2bd5d1c2c124a04f808954b44b14fa60b74c2ee24466.exe"
1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1808
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i92439317.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i92439317.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4748
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\i22047743.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\i22047743.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:728
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i53907364.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i53907364.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2080
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\i02180461.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\i02180461.exe
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1068
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a35615806.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a35615806.exe
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:400

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i92439317.exe

Filesize
1.3MB

MD5
bdbc389cf6f221e0670a0c6cb4054147

SHA1
832895f171c383530e7d17ca172a9b329b7f4669

SHA256
55e6e38c3d2181ec076af8e8ffcf479f005f307f57a9f246ecf995908c574bcb

SHA512
35cc611911386e890bb2c23500b5723c9bcf96ce292bff49e500c14768130ee563bb80e4535b7bd18ac680160db6fc1f47aedb3761e41a4b50ed0f72ef815e30

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\i22047743.exe

Filesize
1015KB

MD5
91e603c8f3bad7ceedda116c1ca29cd2

SHA1
e4beb53de4100a5e3ff8c62d03e04ef66fc406fd

SHA256
eb62e96ca7431b8eeca90acbf4aa675be5451dfaabe85a6026819feb35315741

SHA512
8ad22671ef46e800dcc203dbe5ec3773251c65f2482dc2bc43e5841a238f0bd7f84df84c7d0a901a6edba838eb248d83b7cd9ea962fd465470b19a1d985af3e9

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i53907364.exe

Filesize
843KB

MD5
126635c7770cf424b8b214fb2dea9d31

SHA1
b97d09b618aa021b14fe31d74900750350392df1

SHA256
427f44670793dc3d9d2009a6657d540e1ec5417d5e3c708aa01dcf9039ac8c05

SHA512
ac6c452b541721c35817d46a525ace73eced3b542e99da2627d1c439e30743ea2f0e01aa8634f1f168e47ed427dfabb9de11f4df05118db495df8c509c207c44

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\i02180461.exe

Filesize
370KB

MD5
8a909ca5e62e7a948a98aba4970310b8

SHA1
c7b6aa877b5b0461d29837df394782eea69f454b

SHA256
6f5acf40d80d5d8c58572396e36ce900acae13e9340874267a410f49e1c83476

SHA512
1cb1c74b093e5061ef1a938e9aab9ac8c73c2d7a51af1a85d4122b5d4a2ca628775eedcbf7e9ad46ce8b282371a9bb54d5040afadc4d7751da664a93b07a3cf3

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a35615806.exe

Filesize
169KB

MD5
7ca2fcd5f5c2007bfe55c1bb972d5758

SHA1
4c6ce9397d15e48809eb5943b8e5c16326d3ed3f

SHA256
1f137f95ff465912b16ca6c637b498d941bcf5f90e3828670fbacaacb27a3596

SHA512
8ef68d79ae5a6a77437ef3b13acbb943e17c3d71aebb0e8f25ace1b8abbfba4d9f8b0a4bf0015a3a40834835c30c1431888de10411c2ca6d4e0df6e227b31a9f

Download Submit
memory/400-35-0x0000000000D30000-0x0000000000D60000-memory.dmp

Filesize
192KB

Download
memory/400-36-0x0000000005650000-0x0000000005656000-memory.dmp

Filesize
24KB

Download
memory/400-37-0x0000000005D10000-0x0000000006328000-memory.dmp

Filesize
6.1MB

Download
memory/400-38-0x0000000005800000-0x000000000590A000-memory.dmp

Filesize
1.0MB

Download
memory/400-39-0x00000000056A0000-0x00000000056B2000-memory.dmp

Filesize
72KB

Download
memory/400-40-0x0000000005730000-0x000000000576C000-memory.dmp

Filesize
240KB

Download
memory/400-41-0x0000000005770000-0x00000000057BC000-memory.dmp

Filesize
304KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads