redline | 1eba9bd58f897ca0407fa65a5c1b412da337cc9f3c4da2a8279065746490c94a

General

Target

1eba9bd58f897ca0407fa65a5c1b412da337cc9f3c4da2a8279065746490c94a.exe
Size

770KB
MD5

c1b073a29c99e103ba2227ee8de16442
SHA1

3c9a5a234f5b9bfc4ef182ca4c55dd96751aa2a1
SHA256

1eba9bd58f897ca0407fa65a5c1b412da337cc9f3c4da2a8279065746490c94a
SHA512

ff6b9889dd07b31db096c4ba248ee4bd2186ea4f35b0d70c2df844f865d5dc9b923f9d57aa629d2a6156e2caf84f0e4d751ba823f6c0f9445606cfa2888354f5
SSDEEP

12288:+Mr7y90MlDVtyKuNCbaWM1OiZtPN7XRuGrx8uDCoxaUz/SAv5xb:lyRlWKeqEbTFXBrVCox/H

Score

10^/10

redline debro discovery infostealer persistence

Malware Config

Extracted

Family

redline

Botnet

debro

C2

185.161.248.75:4132

Attributes

auth_value
18c2c191aebfde5d1787ec8d805a01a8

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 2 IoCs

resource	yara_rule
behavioral1/files/0x000b000000023b70-19.dat	family_redline
behavioral1/memory/3696-21-0x0000000000A00000-0x0000000000A2E000-memory.dmp	family_redline

Redline family
redline

Executes dropped EXE 3 IoCs

pid	Process
2880	x3033799.exe
2896	x8668169.exe
3696	f3313043.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	x8668169.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	1eba9bd58f897ca0407fa65a5c1b412da337cc9f3c4da2a8279065746490c94a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	x3033799.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1eba9bd58f897ca0407fa65a5c1b412da337cc9f3c4da2a8279065746490c94a.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	x3033799.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	x8668169.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f3313043.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 3896 wrote to memory of 2880	3896	1eba9bd58f897ca0407fa65a5c1b412da337cc9f3c4da2a8279065746490c94a.exe	83
PID 3896 wrote to memory of 2880	3896	1eba9bd58f897ca0407fa65a5c1b412da337cc9f3c4da2a8279065746490c94a.exe	83
PID 3896 wrote to memory of 2880	3896	1eba9bd58f897ca0407fa65a5c1b412da337cc9f3c4da2a8279065746490c94a.exe	83
PID 2880 wrote to memory of 2896	2880	x3033799.exe	85
PID 2880 wrote to memory of 2896	2880	x3033799.exe	85
PID 2880 wrote to memory of 2896	2880	x3033799.exe	85
PID 2896 wrote to memory of 3696	2896	x8668169.exe	86
PID 2896 wrote to memory of 3696	2896	x8668169.exe	86
PID 2896 wrote to memory of 3696	2896	x8668169.exe	86

C:\Users\Admin\AppData\Local\Temp\1eba9bd58f897ca0407fa65a5c1b412da337cc9f3c4da2a8279065746490c94a.exe
"C:\Users\Admin\AppData\Local\Temp\1eba9bd58f897ca0407fa65a5c1b412da337cc9f3c4da2a8279065746490c94a.exe"
1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3896
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x3033799.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x3033799.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2880
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x8668169.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x8668169.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2896
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\f3313043.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\f3313043.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:3696

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x3033799.exe

Filesize
488KB

MD5
57a9343af37ad864968d43de3f4c9378

SHA1
96cd63677e8e0ad9f03e9085e5a6590136021e0d

SHA256
7d36a0535c12e83cdeb96519876efcfb2aa47d32679b01ec7e43dccb13c6a961

SHA512
f0d35bf43f3ab054f8c44d67ac3f309c5208d583a3bbff1cf3a6b13b846b163e00ee931652547bb17af20227d772ee630a796f6774cd639185210b3088dc1446

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x8668169.exe

Filesize
316KB

MD5
ee16087ffdd4d13aec3206c053ef0678

SHA1
c3479b60f338f7365db60e26f2498c02a1b495b0

SHA256
f4b9d6ca67dac0557e93a6074b9846818d7ae8978e602e6b40c672f0103fa303

SHA512
a5770cb7a6389b6f486fd157daecef820da27c0552193bce987e944954fe80ef4eb537c21b9a07d29b686c38e742cc0456ea765dea3b44a29fe525af4ec8468e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\f3313043.exe

Filesize
168KB

MD5
2535973c731fe8c073b36917d6fb8709

SHA1
b2f59742aac1b4f04cd3c1ae66e41957ca209a7b

SHA256
0d3d7917cd51435e5d0a5b70a0a23a0fb3497c19c2debbe3e0a2e10ad4197ac4

SHA512
96039f994fe412398a057bb5b00be2a042d1d7a4987413927e16e9c6a8f1cdc67d42efa20f60b628f1a939a418516ca0682e63383fddd7a7d5e92ed9655eb8b3

Download Submit
memory/3696-21-0x0000000000A00000-0x0000000000A2E000-memory.dmp

Filesize
184KB

Download
memory/3696-22-0x0000000005220000-0x0000000005226000-memory.dmp

Filesize
24KB

Download
memory/3696-23-0x0000000005980000-0x0000000005F98000-memory.dmp

Filesize
6.1MB

Download
memory/3696-24-0x0000000005470000-0x000000000557A000-memory.dmp

Filesize
1.0MB

Download
memory/3696-25-0x0000000005380000-0x0000000005392000-memory.dmp

Filesize
72KB

Download
memory/3696-26-0x00000000053E0000-0x000000000541C000-memory.dmp

Filesize
240KB

Download
memory/3696-27-0x0000000005580000-0x00000000055CC000-memory.dmp

Filesize
304KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads