redline | c14476c4df0a933f2bbb77f5aeb4ba5add71bd5d8a3b89c9667e13c51512fec2

General

Target

c14476c4df0a933f2bbb77f5aeb4ba5add71bd5d8a3b89c9667e13c51512fec2.exe
Size

479KB
MD5

971c5976df03efc5b370db5079ab83c9
SHA1

f1fbfcb80393330cffe51c35e1412206c9cd5643
SHA256

c14476c4df0a933f2bbb77f5aeb4ba5add71bd5d8a3b89c9667e13c51512fec2
SHA512

42dfd25b06c655c1face9630aacd72295ebdfb2a8404d34293fdc9d7a8227f8ccaf876ea5aabcbe996b8290a3407863c267f6d69da907fe94a31c9f2e27f4c4c
SSDEEP

12288:8MrAy90kTGIDJdBH/mzZ77lij5ulQJFd5pS44MkRGmz:UynTGINdBOF77ly54QJ1palRvz

Score

10^/10

redline discovery infostealer persistence

Malware Config

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 2 IoCs

resource	yara_rule
behavioral1/files/0x0017000000023c2b-12.dat	family_redline
behavioral1/memory/1060-15-0x00000000009F0000-0x0000000000A18000-memory.dmp	family_redline

Redline family
redline

Executes dropped EXE 2 IoCs

pid	Process
4512	x6620715.exe
1060	g7276476.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	x6620715.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	c14476c4df0a933f2bbb77f5aeb4ba5add71bd5d8a3b89c9667e13c51512fec2.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	c14476c4df0a933f2bbb77f5aeb4ba5add71bd5d8a3b89c9667e13c51512fec2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	x6620715.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	g7276476.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 752 wrote to memory of 4512	752	c14476c4df0a933f2bbb77f5aeb4ba5add71bd5d8a3b89c9667e13c51512fec2.exe	83
PID 752 wrote to memory of 4512	752	c14476c4df0a933f2bbb77f5aeb4ba5add71bd5d8a3b89c9667e13c51512fec2.exe	83
PID 752 wrote to memory of 4512	752	c14476c4df0a933f2bbb77f5aeb4ba5add71bd5d8a3b89c9667e13c51512fec2.exe	83
PID 4512 wrote to memory of 1060	4512	x6620715.exe	84
PID 4512 wrote to memory of 1060	4512	x6620715.exe	84
PID 4512 wrote to memory of 1060	4512	x6620715.exe	84

C:\Users\Admin\AppData\Local\Temp\c14476c4df0a933f2bbb77f5aeb4ba5add71bd5d8a3b89c9667e13c51512fec2.exe
"C:\Users\Admin\AppData\Local\Temp\c14476c4df0a933f2bbb77f5aeb4ba5add71bd5d8a3b89c9667e13c51512fec2.exe"
1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:752
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x6620715.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x6620715.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4512
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g7276476.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g7276476.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:1060

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x6620715.exe

Filesize
308KB

MD5
fdfe4f2cef175994520afaa6de940b0e

SHA1
c47c8aaadb6ac18d16bc16721a27535cdc693991

SHA256
1e09073aa900d271609442388c175a41eb449c23803ac64743d79287eb0c070b

SHA512
c739af8b5e2f95f441d7453fde9716a6f56ff789e422758aaecc86a6fb04d3a4c1f87aa524e072bbf980b8075746d9cea59e486621912bc0fc3949c42ab32a79

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g7276476.exe

Filesize
136KB

MD5
e3d9dfa7fa80feecb4ce68897c3fb8f5

SHA1
ca28042e3ae270754e6f514a49aeceea5b5e388c

SHA256
d69f43a535b56e83bdf86216ba918738b8c9fb5c99e9ee61f6d47da1c6871eea

SHA512
84cf1470adfb3d61fbe36f478e7f9a3d7cf67490b379e723a7c82390b9421be3ab5bccb6a6ddec2ad661b3d4ab335690b3fb3fcb1015fdf0ac26e72c9fd9967c

Download Submit
memory/1060-14-0x0000000074B6E000-0x0000000074B6F000-memory.dmp

Filesize
4KB

Download
memory/1060-15-0x00000000009F0000-0x0000000000A18000-memory.dmp

Filesize
160KB

Download
memory/1060-16-0x0000000007C70000-0x0000000008288000-memory.dmp

Filesize
6.1MB

Download
memory/1060-17-0x0000000007710000-0x0000000007722000-memory.dmp

Filesize
72KB

Download
memory/1060-18-0x0000000007880000-0x000000000798A000-memory.dmp

Filesize
1.0MB

Download
memory/1060-19-0x00000000077B0000-0x00000000077EC000-memory.dmp

Filesize
240KB

Download
memory/1060-20-0x0000000074B60000-0x0000000075310000-memory.dmp

Filesize
7.7MB

Download
memory/1060-21-0x0000000004CA0000-0x0000000004CEC000-memory.dmp

Filesize
304KB

Download
memory/1060-22-0x0000000074B6E000-0x0000000074B6F000-memory.dmp

Filesize
4KB

Download
memory/1060-23-0x0000000074B60000-0x0000000075310000-memory.dmp

Filesize
7.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads