redline | e63890121e5cf5059bde07a00be57cdbfac500d94d6bed8f7a5a6f811111429a

General

Target

e63890121e5cf5059bde07a00be57cdbfac500d94d6bed8f7a5a6f811111429aN.exe
Size

844KB
MD5

d7ad81b85f1900ad342e8c4330d378c0
SHA1

556e41687b259543384e06d3a3e1af9ef1e29efa
SHA256

e63890121e5cf5059bde07a00be57cdbfac500d94d6bed8f7a5a6f811111429a
SHA512

f3710c7028eb22b6d422c048e20019e059ef5520cc99f5d1738e9f64eac86c899bbf4b521f61b6a7ed564d433f79c1364cc983b1acc58c74fbfc5bf231766d7b
SSDEEP

24576:ty2kRd/Ta9wxL5dbvxefrGlfUtqahpuAPw:I2sNzx9dvxefKfER3

Score

10^/10

redline most discovery infostealer persistence

Malware Config

Extracted

Family

redline

Botnet

most

C2

185.161.248.73:4164

Attributes

auth_value
7da4dfa153f2919e617aa016f7c36008

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 2 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a96189606.exe	family_redline
behavioral1/memory/1980-15-0x0000000000180000-0x00000000001B0000-memory.dmp	family_redline

Redline family
redline
Executes dropped EXE 2 IoCs

Processes:

i21640819.exea96189606.exe

pid process

2872 i21640819.exe
1980 a96189606.exe

pid	process
2872	i21640819.exe
1980	a96189606.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

e63890121e5cf5059bde07a00be57cdbfac500d94d6bed8f7a5a6f811111429aN.exei21640819.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	e63890121e5cf5059bde07a00be57cdbfac500d94d6bed8f7a5a6f811111429aN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	i21640819.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

i21640819.exea96189606.exee63890121e5cf5059bde07a00be57cdbfac500d94d6bed8f7a5a6f811111429aN.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	i21640819.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a96189606.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e63890121e5cf5059bde07a00be57cdbfac500d94d6bed8f7a5a6f811111429aN.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

e63890121e5cf5059bde07a00be57cdbfac500d94d6bed8f7a5a6f811111429aN.exei21640819.exe

description	pid	process	target process
PID 1388 wrote to memory of 2872	1388	e63890121e5cf5059bde07a00be57cdbfac500d94d6bed8f7a5a6f811111429aN.exe	i21640819.exe
PID 1388 wrote to memory of 2872	1388	e63890121e5cf5059bde07a00be57cdbfac500d94d6bed8f7a5a6f811111429aN.exe	i21640819.exe
PID 1388 wrote to memory of 2872	1388	e63890121e5cf5059bde07a00be57cdbfac500d94d6bed8f7a5a6f811111429aN.exe	i21640819.exe
PID 2872 wrote to memory of 1980	2872	i21640819.exe	a96189606.exe
PID 2872 wrote to memory of 1980	2872	i21640819.exe	a96189606.exe
PID 2872 wrote to memory of 1980	2872	i21640819.exe	a96189606.exe

C:\Users\Admin\AppData\Local\Temp\e63890121e5cf5059bde07a00be57cdbfac500d94d6bed8f7a5a6f811111429aN.exe
"C:\Users\Admin\AppData\Local\Temp\e63890121e5cf5059bde07a00be57cdbfac500d94d6bed8f7a5a6f811111429aN.exe"
1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1388
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i21640819.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i21640819.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2872
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a96189606.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a96189606.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:1980

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i21640819.exe

Filesize
371KB

MD5
f54a5c1caa4a4a44e58abf89a401bf1b

SHA1
38cbc9e2d3608892527cd25006e421c4c8e2456f

SHA256
54fc061156dac5f4265f5293b2516f7fcdbab8bb5aa0fb4e92f32208c8e3d659

SHA512
3ccbd11e3445eee7d4f68eddb8711f1aab2719e6c19734b928cc7a8e47c54bdeeb60df1920c181721df54dc1db1be85629a89b4a8055f6abc40c76bec3fbb849

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a96189606.exe

Filesize
169KB

MD5
6e4e3fdffc0808d6022bd3e0e9f97a56

SHA1
604dcc29512b4488fa2b542aee1e595e9b4554fa

SHA256
2b0c269f1c833ae9711b77b94bcea5d83f6b4b641d98991527b7b46f6a3d7924

SHA512
b92634cee0859ae517b24b3f18dda71ae80a65c830e7236eff39edc87b42362f81bcd715198fa9a889ef4dcbaab3ba2d16e6b2e553ccac0086bc7a765ff58e80

Download Submit
memory/1980-14-0x0000000074A6E000-0x0000000074A6F000-memory.dmp

Filesize
4KB

Download
memory/1980-15-0x0000000000180000-0x00000000001B0000-memory.dmp

Filesize
192KB

Download
memory/1980-16-0x0000000004AA0000-0x0000000004AA6000-memory.dmp

Filesize
24KB

Download
memory/1980-17-0x000000000A5D0000-0x000000000ABE8000-memory.dmp

Filesize
6.1MB

Download
memory/1980-18-0x000000000A130000-0x000000000A23A000-memory.dmp

Filesize
1.0MB

Download
memory/1980-19-0x000000000A060000-0x000000000A072000-memory.dmp

Filesize
72KB

Download
memory/1980-20-0x000000000A0C0000-0x000000000A0FC000-memory.dmp

Filesize
240KB

Download
memory/1980-21-0x0000000074A60000-0x0000000075210000-memory.dmp

Filesize
7.7MB

Download
memory/1980-22-0x0000000004540000-0x000000000458C000-memory.dmp

Filesize
304KB

Download
memory/1980-23-0x0000000074A6E000-0x0000000074A6F000-memory.dmp

Filesize
4KB

Download
memory/1980-24-0x0000000074A60000-0x0000000075210000-memory.dmp

Filesize
7.7MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads