redline | 9b4836ec708bdd5484335c902d72de9521edfe7089c5b829fd597a4a5d19e257

General

Target

9b4836ec708bdd5484335c902d72de9521edfe7089c5b829fd597a4a5d19e257.exe
Size

1.1MB
MD5

3afc83b51b5b70e94cc0f91b7207f55c
SHA1

96fe940edd4a2f03260badb735c9da72cf2fcbbf
SHA256

9b4836ec708bdd5484335c902d72de9521edfe7089c5b829fd597a4a5d19e257
SHA512

3a2baea272889a89f8918f135a34ef038062376b6609bafbdd7440d73ab4595cd0a27fed973f4d18027bb0e8f57284a3f5358195e1a7a089a3b5460e9854eb3c
SSDEEP

24576:+yHabJfUKKlxL35YaRR9HQ08urM4FPJ3a48gFe612xv:NHQfg35RRjwmgS6gj2

Score

10^/10

redline doma discovery infostealer persistence

Malware Config

Extracted

Family

redline

Botnet

doma

C2

185.161.248.75:4132

Attributes

auth_value
8be53af7f78567706928d0abef953ef4

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 2 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\f8655419.exe	family_redline
behavioral1/memory/968-21-0x00000000003F0000-0x000000000041A000-memory.dmp	family_redline

Redline family
redline
Executes dropped EXE 3 IoCs

Processes:

x8372171.exex6248367.exef8655419.exe

pid process

2840 x8372171.exe
624 x6248367.exe
968 f8655419.exe

pid	process
2840	x8372171.exe
624	x6248367.exe
968	f8655419.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

9b4836ec708bdd5484335c902d72de9521edfe7089c5b829fd597a4a5d19e257.exex8372171.exex6248367.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	9b4836ec708bdd5484335c902d72de9521edfe7089c5b829fd597a4a5d19e257.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	x8372171.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	x6248367.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

9b4836ec708bdd5484335c902d72de9521edfe7089c5b829fd597a4a5d19e257.exex8372171.exex6248367.exef8655419.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	9b4836ec708bdd5484335c902d72de9521edfe7089c5b829fd597a4a5d19e257.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	x8372171.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	x6248367.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f8655419.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

9b4836ec708bdd5484335c902d72de9521edfe7089c5b829fd597a4a5d19e257.exex8372171.exex6248367.exe

description	pid	process	target process
PID 4868 wrote to memory of 2840	4868	9b4836ec708bdd5484335c902d72de9521edfe7089c5b829fd597a4a5d19e257.exe	x8372171.exe
PID 4868 wrote to memory of 2840	4868	9b4836ec708bdd5484335c902d72de9521edfe7089c5b829fd597a4a5d19e257.exe	x8372171.exe
PID 4868 wrote to memory of 2840	4868	9b4836ec708bdd5484335c902d72de9521edfe7089c5b829fd597a4a5d19e257.exe	x8372171.exe
PID 2840 wrote to memory of 624	2840	x8372171.exe	x6248367.exe
PID 2840 wrote to memory of 624	2840	x8372171.exe	x6248367.exe
PID 2840 wrote to memory of 624	2840	x8372171.exe	x6248367.exe
PID 624 wrote to memory of 968	624	x6248367.exe	f8655419.exe
PID 624 wrote to memory of 968	624	x6248367.exe	f8655419.exe
PID 624 wrote to memory of 968	624	x6248367.exe	f8655419.exe

C:\Users\Admin\AppData\Local\Temp\9b4836ec708bdd5484335c902d72de9521edfe7089c5b829fd597a4a5d19e257.exe
"C:\Users\Admin\AppData\Local\Temp\9b4836ec708bdd5484335c902d72de9521edfe7089c5b829fd597a4a5d19e257.exe"
1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4868
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x8372171.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x8372171.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2840
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x6248367.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x6248367.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:624
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\f8655419.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\f8655419.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:968

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x8372171.exe

Filesize
748KB

MD5
bcc04888c4096f5367f0f3ca407f3f7b

SHA1
4ec6590e7f465931d38304959f8df0ebef2dc51f

SHA256
adea9be94c4a8713b8bd5ab71911fe0d5032e0697f4a11cd6f79f39a6487bc48

SHA512
906f916f0e755eae5c5c5147568ec0b13df04c647ee25c2ff96a47c606c06f661ba866ce15bb2bac83be70d85d81e729c285a0ac6243cffbabc6e8682e998693

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x6248367.exe

Filesize
304KB

MD5
94843cef9b201a52336f513170094338

SHA1
81bf20b8832791080957fd4aa94131489aada09d

SHA256
8201ba8b8dcc5932126d870bd9e26efc5be1004ff6a4ec93fe413f1ad479faec

SHA512
6d7c60ca7f67c1f0e8b78bebd52ed63e4d49a5c28f767a7c325ed55a094ec7b6e742fdd9a8402178f50317a5ec823210d35047e078bcff81636a557464aa70ed

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\f8655419.exe

Filesize
145KB

MD5
5a753b93baaaf888321fe79f70c9a924

SHA1
2f86ad8538862a32c925e7f5a3662418bffe5938

SHA256
c4b3f5be415df25defe97773bdd6ae76d2bcfda5e411c3a6aff57ecbcea9ad6d

SHA512
d93094e10d27949d57db25de2c6b5edd04de0a3a1bbcf900d55e2eaca7e6dd7c825d3f41be48ddc7029a1b361b335d2540a247685fd7816985d67f2a9bfa153d

Download Submit
memory/968-21-0x00000000003F0000-0x000000000041A000-memory.dmp

Filesize
168KB

Download
memory/968-22-0x0000000005230000-0x0000000005848000-memory.dmp

Filesize
6.1MB

Download
memory/968-23-0x0000000004D80000-0x0000000004E8A000-memory.dmp

Filesize
1.0MB

Download
memory/968-24-0x0000000004CB0000-0x0000000004CC2000-memory.dmp

Filesize
72KB

Download
memory/968-25-0x0000000004D10000-0x0000000004D4C000-memory.dmp

Filesize
240KB

Download
memory/968-26-0x0000000004E90000-0x0000000004EDC000-memory.dmp

Filesize
304KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads