redline | c0a2bc18c3becdd074d641eb1146fe1924a19e383cc7409eeb99e25a40d0a05e

General

Target

c0a2bc18c3becdd074d641eb1146fe1924a19e383cc7409eeb99e25a40d0a05e.exe
Size

480KB
MD5

9504f4bb4bf8b98255f798fb51faabc0
SHA1

23b4e0c32af7be447424283a35e37659b82f2d1c
SHA256

c0a2bc18c3becdd074d641eb1146fe1924a19e383cc7409eeb99e25a40d0a05e
SHA512

5a6dfa622447d4ee328ae7fe9643f37a0074646016b25682adc9b5275a4e9dbbe1367c798fe4f96badc4a06b23d300c01d192a51f4731d4d1f4a62d40a973ee4
SSDEEP

12288:VMr1y90HCa27TFiqZY4wfFoIpZd4pn1clHrb:Ay57fF7ZYDoqYpn1clHH

Score

10^/10

redline discovery infostealer persistence

Malware Config

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 2 IoCs

resource	yara_rule
behavioral1/files/0x0008000000023cce-12.dat	family_redline
behavioral1/memory/900-15-0x00000000003E0000-0x0000000000408000-memory.dmp	family_redline

Redline family
redline

Executes dropped EXE 2 IoCs

pid	Process
4468	x0720582.exe
900	g7278810.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	c0a2bc18c3becdd074d641eb1146fe1924a19e383cc7409eeb99e25a40d0a05e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	x0720582.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	x0720582.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	g7278810.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	c0a2bc18c3becdd074d641eb1146fe1924a19e383cc7409eeb99e25a40d0a05e.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 3660 wrote to memory of 4468	3660	c0a2bc18c3becdd074d641eb1146fe1924a19e383cc7409eeb99e25a40d0a05e.exe	83
PID 3660 wrote to memory of 4468	3660	c0a2bc18c3becdd074d641eb1146fe1924a19e383cc7409eeb99e25a40d0a05e.exe	83
PID 3660 wrote to memory of 4468	3660	c0a2bc18c3becdd074d641eb1146fe1924a19e383cc7409eeb99e25a40d0a05e.exe	83
PID 4468 wrote to memory of 900	4468	x0720582.exe	84
PID 4468 wrote to memory of 900	4468	x0720582.exe	84
PID 4468 wrote to memory of 900	4468	x0720582.exe	84

C:\Users\Admin\AppData\Local\Temp\c0a2bc18c3becdd074d641eb1146fe1924a19e383cc7409eeb99e25a40d0a05e.exe
"C:\Users\Admin\AppData\Local\Temp\c0a2bc18c3becdd074d641eb1146fe1924a19e383cc7409eeb99e25a40d0a05e.exe"
1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3660
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x0720582.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x0720582.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4468
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g7278810.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g7278810.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:900

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x0720582.exe

Filesize
307KB

MD5
05d9ee1fa8c7344b2c865f151bd40487

SHA1
46eafafff8481c83a53451651747496d0b8146b3

SHA256
1423a537bf134cb69aeda8b53968ad4e3e149d5b1f80c6d086ba7ccd93d56dde

SHA512
18617991794a33d98e83c679cc359e1dc052d51afdc0c4f1a321c4b5b453185d337807177de24a6109e781170ed0fae01dee1efdad2dafe624492d180c9cb8ad

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g7278810.exe

Filesize
136KB

MD5
b90bf1bf49c13288906d5d6fd89504dc

SHA1
a67515517ec9bc35d4b029ec754e74c73bae93f4

SHA256
534c4c162f4f463d3e9c9596b396bdda337f69f8fb26b2ddfd5e8e02476371b9

SHA512
2bea6c2244b2bb9378b473a11f367b89eab7dcbc69493fb03d6efd0ace6779aba82a29feb65eb69d807a9f7b5553cd727c879504698e1354472e4bd2b09f77f6

Download Submit
memory/900-14-0x0000000073D6E000-0x0000000073D6F000-memory.dmp

Filesize
4KB

Download
memory/900-15-0x00000000003E0000-0x0000000000408000-memory.dmp

Filesize
160KB

Download
memory/900-16-0x0000000007670000-0x0000000007C88000-memory.dmp

Filesize
6.1MB

Download
memory/900-17-0x0000000007100000-0x0000000007112000-memory.dmp

Filesize
72KB

Download
memory/900-18-0x0000000007270000-0x000000000737A000-memory.dmp

Filesize
1.0MB

Download
memory/900-19-0x00000000071A0000-0x00000000071DC000-memory.dmp

Filesize
240KB

Download
memory/900-20-0x0000000073D60000-0x0000000074510000-memory.dmp

Filesize
7.7MB

Download
memory/900-21-0x0000000002550000-0x000000000259C000-memory.dmp

Filesize
304KB

Download
memory/900-22-0x0000000073D6E000-0x0000000073D6F000-memory.dmp

Filesize
4KB

Download
memory/900-23-0x0000000073D60000-0x0000000074510000-memory.dmp

Filesize
7.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads