redline | 71c7f97368f738b457fa9730ec9da60ecc6d395e3f1a0f7d11b94c459c6a3dc4

General

Target

71c7f97368f738b457fa9730ec9da60ecc6d395e3f1a0f7d11b94c459c6a3dc4.exe
Size

1.5MB
MD5

bdac71e6c435966d0f66f1bfbe5acce7
SHA1

be51245ac41ac38674921a309371004732267315
SHA256

71c7f97368f738b457fa9730ec9da60ecc6d395e3f1a0f7d11b94c459c6a3dc4
SHA512

1c765e6f8066254b1c737b3319964fee4efe9eb08524cb14a2b7995a2ebe477ce4de4fdc9b6b9ea81eb957bb7b236d5a81983d3f0afd60e63c8f06b440323103
SSDEEP

24576:/yrnJSzL5zY/TwDa2fTO4tJYOvgAI3ruMGigxeSe5fSArZSD3gNj9o7:KrnJSz90h2bOwJYN3ruQFBrC3S

Score

10^/10

redline most discovery infostealer persistence

Malware Config

Extracted

Family

redline

Botnet

most

C2

185.161.248.73:4164

Attributes

auth_value
7da4dfa153f2919e617aa016f7c36008

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 2 IoCs

resource	yara_rule
behavioral1/files/0x0008000000023c83-33.dat	family_redline
behavioral1/memory/656-35-0x0000000000070000-0x00000000000A0000-memory.dmp	family_redline

Redline family
redline

Executes dropped EXE 5 IoCs

pid	Process
5064	i53115549.exe
1732	i37530556.exe
4936	i52195213.exe
1160	i20144424.exe
656	a40845397.exe

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	71c7f97368f738b457fa9730ec9da60ecc6d395e3f1a0f7d11b94c459c6a3dc4.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	i53115549.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	i37530556.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	i52195213.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\""	i20144424.exe

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	71c7f97368f738b457fa9730ec9da60ecc6d395e3f1a0f7d11b94c459c6a3dc4.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	i53115549.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	i37530556.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	i52195213.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	i20144424.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a40845397.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 4112 wrote to memory of 5064	4112	71c7f97368f738b457fa9730ec9da60ecc6d395e3f1a0f7d11b94c459c6a3dc4.exe	83
PID 4112 wrote to memory of 5064	4112	71c7f97368f738b457fa9730ec9da60ecc6d395e3f1a0f7d11b94c459c6a3dc4.exe	83
PID 4112 wrote to memory of 5064	4112	71c7f97368f738b457fa9730ec9da60ecc6d395e3f1a0f7d11b94c459c6a3dc4.exe	83
PID 5064 wrote to memory of 1732	5064	i53115549.exe	85
PID 5064 wrote to memory of 1732	5064	i53115549.exe	85
PID 5064 wrote to memory of 1732	5064	i53115549.exe	85
PID 1732 wrote to memory of 4936	1732	i37530556.exe	86
PID 1732 wrote to memory of 4936	1732	i37530556.exe	86
PID 1732 wrote to memory of 4936	1732	i37530556.exe	86
PID 4936 wrote to memory of 1160	4936	i52195213.exe	87
PID 4936 wrote to memory of 1160	4936	i52195213.exe	87
PID 4936 wrote to memory of 1160	4936	i52195213.exe	87
PID 1160 wrote to memory of 656	1160	i20144424.exe	89
PID 1160 wrote to memory of 656	1160	i20144424.exe	89
PID 1160 wrote to memory of 656	1160	i20144424.exe	89

C:\Users\Admin\AppData\Local\Temp\71c7f97368f738b457fa9730ec9da60ecc6d395e3f1a0f7d11b94c459c6a3dc4.exe
"C:\Users\Admin\AppData\Local\Temp\71c7f97368f738b457fa9730ec9da60ecc6d395e3f1a0f7d11b94c459c6a3dc4.exe"
1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4112
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i53115549.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i53115549.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:5064
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\i37530556.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\i37530556.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1732
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i52195213.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i52195213.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:4936
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\i20144424.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\i20144424.exe
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1160
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a40845397.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a40845397.exe
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:656

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i53115549.exe

Filesize
1.3MB

MD5
08680bafdb50c0e01e7290ae324ac34a

SHA1
b41059f032979b4a41452ce08e772a047f85ab7f

SHA256
18c998d05b1f7f73217a56715e1265f2016b7e4d299542f92dcd7225528ce903

SHA512
a9ec1f62a952ee279caffd62eace90a956a0231d460168026d6c10300eefdfb561235c02a8c56c7b52d0d860a8b3ad4136b7b86e82fda3ebaf6c1dd3c5eee039

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\i37530556.exe

Filesize
1022KB

MD5
a28106a4ab4f13bc24d9725c5d82fa49

SHA1
b10f34fdbd88418244ca641ec12cdc21c0cf0ae4

SHA256
8add27f1a105d17dcb92c52549fc7d03c4c0696c84beefe72556b89e08da9295

SHA512
5f5dbe1fb8aef68af9166d8b0a6ebe921557f667584dfa750f6c6b22eb0c89a80658e666a2bcd611d89e4a08f45e109caeb1085ecb636e86ec3be84bf925325f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i52195213.exe

Filesize
851KB

MD5
7ec2a08074ad598f555bad20c14e05e0

SHA1
bafd50955844bd64f1a3aaa856e42dd64e2d4914

SHA256
5c86f22594a8910d2f410bb20510f176959cf9debb90ddcf35c34b0b58ba700b

SHA512
1b370df841cbfe747961e8a51363c5333741a1694e6ce82eb9a765aec7daad19e6c142e13caea04ce637bfd083321d5b4aa5815edf720cf789ab81e83335835b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\i20144424.exe

Filesize
375KB

MD5
354c5b8d99aec205695fd3f3f9a2a403

SHA1
74d84e77d557f870505cd1b9a0cc01512787ff7b

SHA256
6bb9ee3d57242997316304a83a2e2f71486724c3b9914c12a9e3349ea6b91899

SHA512
2ff47a5ecf6fecca9446da4a6f3cd6632a3c37bb30e8135ca05ee77b7d9377ad072f49adf6b34d78f0d4379d543f85c39c037958ce39b43e06a48a47b17079a8

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a40845397.exe

Filesize
169KB

MD5
ca7bc94b97c6f2720c2404e7c37e52b3

SHA1
994995288db525bdf96bcfd24e484162b4448df2

SHA256
0c69c02bf4e744dcc432445a8d383782273e982aef670331fe70865501dedd57

SHA512
56c18a1821755a6e0a09b16b7da2f6d8b930b9a49d4a535a796ed4d1dce8ff890163f44ffbe40c1c9d13bd2a70ac9aa593197bfc1680512166ba311eb0ea72f2

Download Submit
memory/656-35-0x0000000000070000-0x00000000000A0000-memory.dmp

Filesize
192KB

Download
memory/656-36-0x0000000004990000-0x0000000004996000-memory.dmp

Filesize
24KB

Download
memory/656-37-0x000000000A3F0000-0x000000000AA08000-memory.dmp

Filesize
6.1MB

Download
memory/656-38-0x0000000009EE0000-0x0000000009FEA000-memory.dmp

Filesize
1.0MB

Download
memory/656-39-0x0000000009E10000-0x0000000009E22000-memory.dmp

Filesize
72KB

Download
memory/656-40-0x0000000009E70000-0x0000000009EAC000-memory.dmp

Filesize
240KB

Download
memory/656-41-0x0000000004390000-0x00000000043DC000-memory.dmp

Filesize
304KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads