redline | 9c93b86286f4e19c3baf8194458355b050fc01f3195aa52c9a71c6e37b262dc6

General

Target

9c93b86286f4e19c3baf8194458355b050fc01f3195aa52c9a71c6e37b262dc6.exe
Size

1.5MB
MD5

162ccdfb9e19260302599633fdf56143
SHA1

4b67350136aa7647b8be692dd10690a5d4af9573
SHA256

9c93b86286f4e19c3baf8194458355b050fc01f3195aa52c9a71c6e37b262dc6
SHA512

27cbdda0fa384f0a4b8809330539887644af6438a09186f5dacfaa12ca5af1b0d4d148b3a80e1634013083b4f5bd167b35973673627e8a82f7679d4b5bc8c250
SSDEEP

24576:CyPXCPgnVJwlLdWaVdcW+7rvzAaS//lr1nbT1YSWXgxiGK/yKEPjTsNDom5V:pPyMVJELEoSQRNdTGcxiGMyKEPnU5

Score

10^/10

redline most discovery infostealer persistence

Malware Config

Extracted

Family

redline

Botnet

most

C2

185.161.248.73:4164

Attributes

auth_value
7da4dfa153f2919e617aa016f7c36008

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 2 IoCs

resource	yara_rule
behavioral1/files/0x0009000000023bfd-33.dat	family_redline
behavioral1/memory/2208-35-0x0000000000C60000-0x0000000000C90000-memory.dmp	family_redline

Redline family
redline

Executes dropped EXE 5 IoCs

pid	Process
4700	i22435028.exe
2156	i32167551.exe
3616	i55230344.exe
3716	i39138045.exe
2208	a59028844.exe

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	9c93b86286f4e19c3baf8194458355b050fc01f3195aa52c9a71c6e37b262dc6.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	i22435028.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	i32167551.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	i55230344.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\""	i39138045.exe

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	9c93b86286f4e19c3baf8194458355b050fc01f3195aa52c9a71c6e37b262dc6.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	i22435028.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	i32167551.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	i55230344.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	i39138045.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a59028844.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 3644 wrote to memory of 4700	3644	9c93b86286f4e19c3baf8194458355b050fc01f3195aa52c9a71c6e37b262dc6.exe	84
PID 3644 wrote to memory of 4700	3644	9c93b86286f4e19c3baf8194458355b050fc01f3195aa52c9a71c6e37b262dc6.exe	84
PID 3644 wrote to memory of 4700	3644	9c93b86286f4e19c3baf8194458355b050fc01f3195aa52c9a71c6e37b262dc6.exe	84
PID 4700 wrote to memory of 2156	4700	i22435028.exe	85
PID 4700 wrote to memory of 2156	4700	i22435028.exe	85
PID 4700 wrote to memory of 2156	4700	i22435028.exe	85
PID 2156 wrote to memory of 3616	2156	i32167551.exe	87
PID 2156 wrote to memory of 3616	2156	i32167551.exe	87
PID 2156 wrote to memory of 3616	2156	i32167551.exe	87
PID 3616 wrote to memory of 3716	3616	i55230344.exe	89
PID 3616 wrote to memory of 3716	3616	i55230344.exe	89
PID 3616 wrote to memory of 3716	3616	i55230344.exe	89
PID 3716 wrote to memory of 2208	3716	i39138045.exe	90
PID 3716 wrote to memory of 2208	3716	i39138045.exe	90
PID 3716 wrote to memory of 2208	3716	i39138045.exe	90

C:\Users\Admin\AppData\Local\Temp\9c93b86286f4e19c3baf8194458355b050fc01f3195aa52c9a71c6e37b262dc6.exe
"C:\Users\Admin\AppData\Local\Temp\9c93b86286f4e19c3baf8194458355b050fc01f3195aa52c9a71c6e37b262dc6.exe"
1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3644
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i22435028.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i22435028.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4700
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\i32167551.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\i32167551.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2156
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i55230344.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i55230344.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:3616
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\i39138045.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\i39138045.exe
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3716
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a59028844.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a59028844.exe
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2208

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i22435028.exe

Filesize
1.3MB

MD5
5cdfd4f166154006d9d1509132c76666

SHA1
45979a9f2d0f1672c5f0483674e9d2c3fd6d4169

SHA256
a40af26d881db79ba221c8f0e4e0da29466eed57da13a9e75db9de3633633fa1

SHA512
b41a003cd7b81ad24631e246b5cca85c6429ae578cdf267d7e43236ce70b4182ce5f61256ffd55e4dcca7bc127b7713fc4e2d7f0d06804eab481786235cf5474

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\i32167551.exe

Filesize
1015KB

MD5
a77dfbacf077c94e4b43ebafee8cc17f

SHA1
8839b875df85092594fa889156609f6fb384d62c

SHA256
abdbe108d6553dc5debc4dbca452719cb2c075c46b8a074cdcc3246a2b4be4e1

SHA512
bea6d6dd9246c691c26acb3580c2895d02c8657e5745bedfc3c25e45dfc74fe3ac9e4a81a203388e070ce4871a07765f50a3e348ad77d0cc88fb52a5c8970ff8

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i55230344.exe

Filesize
843KB

MD5
b313d7e7061b8cc5a022fdd9364cffc2

SHA1
e36c73b556f62b4bff3e43b632084b1e85275670

SHA256
b0dc4027d8a636f840def7d5e70b8332ef3f1bc408d4ba83fca576cf28f83042

SHA512
6f198a593394176231a3290f7c820d1b93cc500533367e9ff27c407574f0da75af551d74f8762b971d42ecb1fd6a1caf668eb0f0772491d4f9c3c5b07b6410b6

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\i39138045.exe

Filesize
371KB

MD5
a18e99c10b17e127c9e2f5bd081d2d9f

SHA1
d5e1c05b660ec6a9ed024b1aa0b6b2090ea04248

SHA256
0fe927b1b64fa54013625b5cfd8a659262a24238e64266c7d4035d924d563db2

SHA512
0a2a38e1f2c7b1d16a3b4041367e5fdc064b8b13eccbed78f49ddfc6531fa434fafce1d4f25565b333d23d368b55c66662df7fa6d1fdd037b09736b43eb68cce

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a59028844.exe

Filesize
169KB

MD5
d1731ad1e898a516cec25b96ba474b31

SHA1
597ebbf16438c1874249dbeec2ad5ee24fbef73e

SHA256
9814ac96601928926ea572e59939f950e9efdcb5ba83ae8c75d991b51ce19be1

SHA512
f27ace1b479999edaa29e7d2df0ed67eba4cf061f6ddd65a20fb69ead436c76987e65ab44c110f47c9ad0ea37d7ec13fd0543fee354d654bf7d686d594349519

Download Submit
memory/2208-35-0x0000000000C60000-0x0000000000C90000-memory.dmp

Filesize
192KB

Download
memory/2208-36-0x0000000005580000-0x0000000005586000-memory.dmp

Filesize
24KB

Download
memory/2208-37-0x0000000005C10000-0x0000000006228000-memory.dmp

Filesize
6.1MB

Download
memory/2208-38-0x0000000005700000-0x000000000580A000-memory.dmp

Filesize
1.0MB

Download
memory/2208-39-0x00000000055F0000-0x0000000005602000-memory.dmp

Filesize
72KB

Download
memory/2208-40-0x0000000005610000-0x000000000564C000-memory.dmp

Filesize
240KB

Download
memory/2208-41-0x0000000005690000-0x00000000056DC000-memory.dmp

Filesize
304KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads