redline | 1732093f6eae90ae702b695eb7a52dee1be2758c963c3fd30da75cd328865c4d

General

Target

1732093f6eae90ae702b695eb7a52dee1be2758c963c3fd30da75cd328865c4d.exe
Size

707KB
MD5

033e302f7380a72d969f0febf77f91b0
SHA1

61828ad6b58dd95711d1489c32b74d26b895b09a
SHA256

1732093f6eae90ae702b695eb7a52dee1be2758c963c3fd30da75cd328865c4d
SHA512

ee96b134242e04eba85e86092a6cd3787c02fd9b8b641bd61cd150023f27881f290f727db4250290b527b7842bc06c16ad5bd1f7f8c4ac5338e28e51e5d230df
SSDEEP

12288:GMrry903wfRQ2+BeQ+6P7ZAeYCIwFxrgW0AJJSBk23BeZLko:lyEwfh+BpVIKHfe0X

Score

10^/10

redline discovery infostealer persistence

Malware Config

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 2 IoCs

resource	yara_rule
behavioral1/files/0x0008000000023cb0-12.dat	family_redline
behavioral1/memory/4568-15-0x00000000002A0000-0x00000000002C8000-memory.dmp	family_redline

Redline family
redline

Executes dropped EXE 2 IoCs

pid	Process
3548	x4790063.exe
4568	g6334698.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	1732093f6eae90ae702b695eb7a52dee1be2758c963c3fd30da75cd328865c4d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	x4790063.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1732093f6eae90ae702b695eb7a52dee1be2758c963c3fd30da75cd328865c4d.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	x4790063.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	g6334698.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 4156 wrote to memory of 3548	4156	1732093f6eae90ae702b695eb7a52dee1be2758c963c3fd30da75cd328865c4d.exe	85
PID 4156 wrote to memory of 3548	4156	1732093f6eae90ae702b695eb7a52dee1be2758c963c3fd30da75cd328865c4d.exe	85
PID 4156 wrote to memory of 3548	4156	1732093f6eae90ae702b695eb7a52dee1be2758c963c3fd30da75cd328865c4d.exe	85
PID 3548 wrote to memory of 4568	3548	x4790063.exe	86
PID 3548 wrote to memory of 4568	3548	x4790063.exe	86
PID 3548 wrote to memory of 4568	3548	x4790063.exe	86

C:\Users\Admin\AppData\Local\Temp\1732093f6eae90ae702b695eb7a52dee1be2758c963c3fd30da75cd328865c4d.exe
"C:\Users\Admin\AppData\Local\Temp\1732093f6eae90ae702b695eb7a52dee1be2758c963c3fd30da75cd328865c4d.exe"
1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4156
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x4790063.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x4790063.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3548
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g6334698.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g6334698.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:4568

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x4790063.exe

Filesize
416KB

MD5
90e395183f0a851140e31f54e47228ee

SHA1
f9b23478d184319bd33b54d5f93eb1d81b0c5cbc

SHA256
cbd85e945a0cc1f8b7f86fdb91fd9c04b403b6b2a488ca89fb9587cebeb6e1f0

SHA512
4ef5ead6cf65673ae5bd7ec3698539eb92f9227c082765fc036a7a79c8eefea20c294894817b38cb076215cd0b43c9b8a08609f1b593e7d32fa3d2a0b6728afd

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g6334698.exe

Filesize
136KB

MD5
cf159666b7c91c0ea18d2f7ef9571e6c

SHA1
757f24d893a5254060c75a6667abba7e0bd879da

SHA256
56a36fffdda24672a83f3501ea0b493335798f44b0e314f0892f918710fbc960

SHA512
7027705084ac10092acdc3e546c1a20d2824fab143345c2e0bc5bf98af91557a205480f3ae5940d19ef93c661eebadeef0666b86c87595f5b3189317cd19ad98

Download Submit
memory/4568-14-0x000000007410E000-0x000000007410F000-memory.dmp

Filesize
4KB

Download
memory/4568-15-0x00000000002A0000-0x00000000002C8000-memory.dmp

Filesize
160KB

Download
memory/4568-16-0x0000000007540000-0x0000000007B58000-memory.dmp

Filesize
6.1MB

Download
memory/4568-17-0x0000000006FC0000-0x0000000006FD2000-memory.dmp

Filesize
72KB

Download
memory/4568-18-0x0000000007130000-0x000000000723A000-memory.dmp

Filesize
1.0MB

Download
memory/4568-19-0x0000000007060000-0x000000000709C000-memory.dmp

Filesize
240KB

Download
memory/4568-20-0x0000000074100000-0x00000000748B0000-memory.dmp

Filesize
7.7MB

Download
memory/4568-21-0x00000000023E0000-0x000000000242C000-memory.dmp

Filesize
304KB

Download
memory/4568-22-0x000000007410E000-0x000000007410F000-memory.dmp

Filesize
4KB

Download
memory/4568-23-0x0000000074100000-0x00000000748B0000-memory.dmp

Filesize
7.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads