redline | 715fe05b0bdce41a6c1997a99cac8b9d2ae7072c612faf7bc25f2a49145817d1

General

Target

715fe05b0bdce41a6c1997a99cac8b9d2ae7072c612faf7bc25f2a49145817d1N.exe
Size

843KB
MD5

d9e9faa87d2b4d2f82b2f9842306b5d0
SHA1

b4d495e739080745ef74ca474b8c722f4f5ae82c
SHA256

715fe05b0bdce41a6c1997a99cac8b9d2ae7072c612faf7bc25f2a49145817d1
SHA512

cba05534a4ccbbb7be1428c785d55bf94726a50977e85963effcd3b831cdee2cb2b2702993c7e74dcce5e96811a9855d0bb4d559e5df65c877909711b379e75a
SSDEEP

24576:By2n1TWWleo1ikd2e2ya24Xo4M9pmsNUF:0UC+eox2e2qfN

Score

10^/10

redline most discovery infostealer persistence

Malware Config

Extracted

Family

redline

Botnet

most

C2

185.161.248.73:4164

Attributes

auth_value
7da4dfa153f2919e617aa016f7c36008

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 2 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a79313029.exe	family_redline
behavioral1/memory/5116-15-0x0000000000630000-0x0000000000660000-memory.dmp	family_redline

Redline family
redline
Executes dropped EXE 2 IoCs

Processes:

i08177316.exea79313029.exe

pid process

5032 i08177316.exe
5116 a79313029.exe

pid	process
5032	i08177316.exe
5116	a79313029.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

i08177316.exe715fe05b0bdce41a6c1997a99cac8b9d2ae7072c612faf7bc25f2a49145817d1N.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	i08177316.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	715fe05b0bdce41a6c1997a99cac8b9d2ae7072c612faf7bc25f2a49145817d1N.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

715fe05b0bdce41a6c1997a99cac8b9d2ae7072c612faf7bc25f2a49145817d1N.exei08177316.exea79313029.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	715fe05b0bdce41a6c1997a99cac8b9d2ae7072c612faf7bc25f2a49145817d1N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	i08177316.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a79313029.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

715fe05b0bdce41a6c1997a99cac8b9d2ae7072c612faf7bc25f2a49145817d1N.exei08177316.exe

description	pid	process	target process
PID 2580 wrote to memory of 5032	2580	715fe05b0bdce41a6c1997a99cac8b9d2ae7072c612faf7bc25f2a49145817d1N.exe	i08177316.exe
PID 2580 wrote to memory of 5032	2580	715fe05b0bdce41a6c1997a99cac8b9d2ae7072c612faf7bc25f2a49145817d1N.exe	i08177316.exe
PID 2580 wrote to memory of 5032	2580	715fe05b0bdce41a6c1997a99cac8b9d2ae7072c612faf7bc25f2a49145817d1N.exe	i08177316.exe
PID 5032 wrote to memory of 5116	5032	i08177316.exe	a79313029.exe
PID 5032 wrote to memory of 5116	5032	i08177316.exe	a79313029.exe
PID 5032 wrote to memory of 5116	5032	i08177316.exe	a79313029.exe

C:\Users\Admin\AppData\Local\Temp\715fe05b0bdce41a6c1997a99cac8b9d2ae7072c612faf7bc25f2a49145817d1N.exe
"C:\Users\Admin\AppData\Local\Temp\715fe05b0bdce41a6c1997a99cac8b9d2ae7072c612faf7bc25f2a49145817d1N.exe"
1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2580
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i08177316.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i08177316.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:5032
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a79313029.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a79313029.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:5116

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i08177316.exe

Filesize
371KB

MD5
ee33710c8057acb64e9ca7c1f9e07673

SHA1
2b06e4119398dd8f16674341e5adf95ba9f70375

SHA256
28a46b6b121e238b2c07f77a4281c23fe21d24fa8e3561647f3f681386ded443

SHA512
2d379c140ca31aebc88627cb45535eb11678e0548ecc07b6d49dc3e3c8fe611e9121e60283aa7a0f3adc340430edac5957b5738cc3ae81796843aeafd5df17dc

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a79313029.exe

Filesize
169KB

MD5
b9dbcf7dc0ebc9b366d7f0c3f1bc1f61

SHA1
04ccea00069151a3dd221b7e9acdcdff642a0e14

SHA256
9d10117658b96e7f6245411deab4faee01910d330722bde839f39b57436d020e

SHA512
291d302bad96d6ebefe769490f6c966bd96d4478a63fc8c7462c6d7bfb415929cfc74d6fd19bb63ced349543b812076cb7f6ead37dd26b5ed444126025b3a7f5

Download Submit
memory/5116-14-0x0000000073D2E000-0x0000000073D2F000-memory.dmp

Filesize
4KB

Download
memory/5116-15-0x0000000000630000-0x0000000000660000-memory.dmp

Filesize
192KB

Download
memory/5116-16-0x0000000002A00000-0x0000000002A06000-memory.dmp

Filesize
24KB

Download
memory/5116-17-0x000000000AAC0000-0x000000000B0D8000-memory.dmp

Filesize
6.1MB

Download
memory/5116-18-0x000000000A5E0000-0x000000000A6EA000-memory.dmp

Filesize
1.0MB

Download
memory/5116-19-0x000000000A510000-0x000000000A522000-memory.dmp

Filesize
72KB

Download
memory/5116-20-0x0000000073D20000-0x00000000744D0000-memory.dmp

Filesize
7.7MB

Download
memory/5116-21-0x000000000A570000-0x000000000A5AC000-memory.dmp

Filesize
240KB

Download
memory/5116-22-0x00000000028C0000-0x000000000290C000-memory.dmp

Filesize
304KB

Download
memory/5116-23-0x0000000073D2E000-0x0000000073D2F000-memory.dmp

Filesize
4KB

Download
memory/5116-24-0x0000000073D20000-0x00000000744D0000-memory.dmp

Filesize
7.7MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads