redline | 3c456a258a27736e1ef8f9f1fad6167412362e842053107d0de08c2df5fd4095

General

Target

3c456a258a27736e1ef8f9f1fad6167412362e842053107d0de08c2df5fd4095N.exe
Size

1.5MB
MD5

15f4581662a1bdaedda76be5a0c7f680
SHA1

55cb2a8af029ba87786bea1b8ac943d2d6d44ac4
SHA256

3c456a258a27736e1ef8f9f1fad6167412362e842053107d0de08c2df5fd4095
SHA512

6e55d32a00d14d7db1d021d02e2fa3fbfb4fe7828a79945855d1275dcbb979ca916a27d55399332f7f9d209b1cf2541a5d9e4bfa4837e31f6b961126b2a34686
SSDEEP

24576:my4pUGOMDtlDJ6DoKMn5Lb/AUYmnjc4TIdXKu8SDmlMOqH/krSRVs6K9oQ+sTCXr:14G9GDJC9MnZ/004caXYqA4/kQVQW+T4

Score

10^/10

redline most discovery infostealer persistence

Malware Config

Extracted

Family

redline

Botnet

most

C2

185.161.248.73:4164

Attributes

auth_value
7da4dfa153f2919e617aa016f7c36008

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 2 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a06813422.exe	family_redline
behavioral1/memory/1380-35-0x0000000000D60000-0x0000000000D90000-memory.dmp	family_redline

Redline family
redline
Executes dropped EXE 5 IoCs

Processes:

i54173472.exei24221126.exei61547163.exei98606271.exea06813422.exe

pid process

4652 i54173472.exe
4604 i24221126.exe
3292 i61547163.exe
1880 i98606271.exe
1380 a06813422.exe

pid	process
4652	i54173472.exe
4604	i24221126.exe
3292	i61547163.exe
1880	i98606271.exe
1380	a06813422.exe

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

3c456a258a27736e1ef8f9f1fad6167412362e842053107d0de08c2df5fd4095N.exei54173472.exei24221126.exei61547163.exei98606271.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	3c456a258a27736e1ef8f9f1fad6167412362e842053107d0de08c2df5fd4095N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	i54173472.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	i24221126.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	i61547163.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\""	i98606271.exe

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

a06813422.exe3c456a258a27736e1ef8f9f1fad6167412362e842053107d0de08c2df5fd4095N.exei54173472.exei24221126.exei61547163.exei98606271.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a06813422.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3c456a258a27736e1ef8f9f1fad6167412362e842053107d0de08c2df5fd4095N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	i54173472.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	i24221126.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	i61547163.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	i98606271.exe

Suspicious use of WriteProcessMemory 15 IoCs

Processes:

3c456a258a27736e1ef8f9f1fad6167412362e842053107d0de08c2df5fd4095N.exei54173472.exei24221126.exei61547163.exei98606271.exe

description	pid	process	target process
PID 3636 wrote to memory of 4652	3636	3c456a258a27736e1ef8f9f1fad6167412362e842053107d0de08c2df5fd4095N.exe	i54173472.exe
PID 3636 wrote to memory of 4652	3636	3c456a258a27736e1ef8f9f1fad6167412362e842053107d0de08c2df5fd4095N.exe	i54173472.exe
PID 3636 wrote to memory of 4652	3636	3c456a258a27736e1ef8f9f1fad6167412362e842053107d0de08c2df5fd4095N.exe	i54173472.exe
PID 4652 wrote to memory of 4604	4652	i54173472.exe	i24221126.exe
PID 4652 wrote to memory of 4604	4652	i54173472.exe	i24221126.exe
PID 4652 wrote to memory of 4604	4652	i54173472.exe	i24221126.exe
PID 4604 wrote to memory of 3292	4604	i24221126.exe	i61547163.exe
PID 4604 wrote to memory of 3292	4604	i24221126.exe	i61547163.exe
PID 4604 wrote to memory of 3292	4604	i24221126.exe	i61547163.exe
PID 3292 wrote to memory of 1880	3292	i61547163.exe	i98606271.exe
PID 3292 wrote to memory of 1880	3292	i61547163.exe	i98606271.exe
PID 3292 wrote to memory of 1880	3292	i61547163.exe	i98606271.exe
PID 1880 wrote to memory of 1380	1880	i98606271.exe	a06813422.exe
PID 1880 wrote to memory of 1380	1880	i98606271.exe	a06813422.exe
PID 1880 wrote to memory of 1380	1880	i98606271.exe	a06813422.exe

C:\Users\Admin\AppData\Local\Temp\3c456a258a27736e1ef8f9f1fad6167412362e842053107d0de08c2df5fd4095N.exe
"C:\Users\Admin\AppData\Local\Temp\3c456a258a27736e1ef8f9f1fad6167412362e842053107d0de08c2df5fd4095N.exe"
1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3636
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i54173472.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i54173472.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4652
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\i24221126.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\i24221126.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:4604
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i61547163.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i61547163.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:3292
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\i98606271.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\i98606271.exe
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1880
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a06813422.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a06813422.exe
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1380

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i54173472.exe

Filesize
1.3MB

MD5
56710e43248a18f09ebedf59f5d2fb53

SHA1
2f8ac65e741644a81c463c6021b553294778d233

SHA256
60198a1595df0bb97c84897cd73b7caf15b3dd36a11d662342beee3e3e98fc47

SHA512
e198d54d2e4346a0bb5c494db9f106c43558fefa55ad8b998fb3b73c592544f57c1d8ab2e3ca6f0a3ca55c705bfe3f53e61be4ccdae7d59c845af7fe14f10d22

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\i24221126.exe

Filesize
1024KB

MD5
a7a81bad84d4f640ca2685a04ba1b6e8

SHA1
ec6f20b2cba4eeae05bc7cdd996a6f196877fca5

SHA256
44bb50cfc8663b2bef6d601625c0e69b099820c9ffa5f132a09d4d5432034d0d

SHA512
f461d1ca072b75be681788d19cd63cacc6791c3865ca723bf568e1be01327c1844aea9694e6063a169af356fc16db7d95d1131919630ecaa3a9c7d4ee2653f0b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i61547163.exe

Filesize
852KB

MD5
c4111cf68a2a3ed06aff9c9b7cad5584

SHA1
dd16bc41d5e484cf53565d4142ba95a6e97b5e2a

SHA256
9f742466dd6d4a3a20c1dd86974d08765e114f7f2d1b465f7a5b4002ce09f68b

SHA512
ec92359f736fff97d5e79704716cb426982fe06be20c079cd3e61273497a18eebdcf8675829f0a808ccbf2595e86af2ffb5602c6040055a1efb87020057bc4c7

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\i98606271.exe

Filesize
375KB

MD5
e3af7f9230d2a00d24e1853b0baa62e1

SHA1
6a4242af257f917f33555d7d6997282d33d29633

SHA256
f9a7582b7f24f916a0896005e9b4658f5120ce7d6c1e0f1bc179ba4b134751f8

SHA512
66111b8a50f77163d3ffd2a1bf23900cb4713a357c348f995dc9427360797ff4fd75bb31a1b5d3b0fb54d45e84de8c712bf49b8f34b4b71a207a8fb5d907f9a1

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a06813422.exe

Filesize
169KB

MD5
0cf6f6ce880eeed9839f095d38c66491

SHA1
0fabed3d1e209dc87852fc3f75c8c79aca087fb3

SHA256
3c13807979ade5d48212ef3645228b46278153bfdbcbdf1bfc948cf2710327a2

SHA512
332fdc992f475440a3b646752819a74db9e84e5d5302808461551bb220fa56731188d7e8f028352c8050515bf44ab45e85355b1a9856f41d894f351aae893c65

Download Submit
memory/1380-35-0x0000000000D60000-0x0000000000D90000-memory.dmp

Filesize
192KB

Download
memory/1380-36-0x0000000003010000-0x0000000003016000-memory.dmp

Filesize
24KB

Download
memory/1380-37-0x0000000005E70000-0x0000000006488000-memory.dmp

Filesize
6.1MB

Download
memory/1380-38-0x0000000005960000-0x0000000005A6A000-memory.dmp

Filesize
1.0MB

Download
memory/1380-39-0x0000000005710000-0x0000000005722000-memory.dmp

Filesize
72KB

Download
memory/1380-40-0x0000000005890000-0x00000000058CC000-memory.dmp

Filesize
240KB

Download
memory/1380-41-0x00000000058D0000-0x000000000591C000-memory.dmp

Filesize
304KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads