redline | 574296c9a6f4c61b0a062f9f1e0589f3eeac8955202c4cd42dc21b86003578af

General

Target

574296c9a6f4c61b0a062f9f1e0589f3eeac8955202c4cd42dc21b86003578afN.exe
Size

1015KB
MD5

cd790e2d6b1254c880b774b57655fb50
SHA1

ab136b01537b00e22f4ecbe8e57f42470bc2f08d
SHA256

574296c9a6f4c61b0a062f9f1e0589f3eeac8955202c4cd42dc21b86003578af
SHA512

36541d4b9358ac725bd3f563b8726749681f30b7dde72ebae8b19062cff109a27fcd6f9b89c3c0ee970dea2b570acadab308859c6923a1b21beb99b1688d7cdb
SSDEEP

24576:ryTvvk1OfUhB9ifJdtnUqTC0vNjAJW4m:eTnk1+Uh7gTpTC8AF

Score

10^/10

redline most discovery infostealer persistence

Malware Config

Extracted

Family

redline

Botnet

most

C2

185.161.248.73:4164

Attributes

auth_value
7da4dfa153f2919e617aa016f7c36008

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 2 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a99948086.exe	family_redline
behavioral1/memory/4664-21-0x0000000000E00000-0x0000000000E30000-memory.dmp	family_redline

Redline family
redline
Executes dropped EXE 3 IoCs

Processes:

i53305915.exei89290906.exea99948086.exe

pid process

1316 i53305915.exe
4564 i89290906.exe
4664 a99948086.exe

pid	process
1316	i53305915.exe
4564	i89290906.exe
4664	a99948086.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

574296c9a6f4c61b0a062f9f1e0589f3eeac8955202c4cd42dc21b86003578afN.exei53305915.exei89290906.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	574296c9a6f4c61b0a062f9f1e0589f3eeac8955202c4cd42dc21b86003578afN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	i53305915.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	i89290906.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

574296c9a6f4c61b0a062f9f1e0589f3eeac8955202c4cd42dc21b86003578afN.exei53305915.exei89290906.exea99948086.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	574296c9a6f4c61b0a062f9f1e0589f3eeac8955202c4cd42dc21b86003578afN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	i53305915.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	i89290906.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a99948086.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

574296c9a6f4c61b0a062f9f1e0589f3eeac8955202c4cd42dc21b86003578afN.exei53305915.exei89290906.exe

description	pid	process	target process
PID 3592 wrote to memory of 1316	3592	574296c9a6f4c61b0a062f9f1e0589f3eeac8955202c4cd42dc21b86003578afN.exe	i53305915.exe
PID 3592 wrote to memory of 1316	3592	574296c9a6f4c61b0a062f9f1e0589f3eeac8955202c4cd42dc21b86003578afN.exe	i53305915.exe
PID 3592 wrote to memory of 1316	3592	574296c9a6f4c61b0a062f9f1e0589f3eeac8955202c4cd42dc21b86003578afN.exe	i53305915.exe
PID 1316 wrote to memory of 4564	1316	i53305915.exe	i89290906.exe
PID 1316 wrote to memory of 4564	1316	i53305915.exe	i89290906.exe
PID 1316 wrote to memory of 4564	1316	i53305915.exe	i89290906.exe
PID 4564 wrote to memory of 4664	4564	i89290906.exe	a99948086.exe
PID 4564 wrote to memory of 4664	4564	i89290906.exe	a99948086.exe
PID 4564 wrote to memory of 4664	4564	i89290906.exe	a99948086.exe

C:\Users\Admin\AppData\Local\Temp\574296c9a6f4c61b0a062f9f1e0589f3eeac8955202c4cd42dc21b86003578afN.exe
"C:\Users\Admin\AppData\Local\Temp\574296c9a6f4c61b0a062f9f1e0589f3eeac8955202c4cd42dc21b86003578afN.exe"
1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3592
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i53305915.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i53305915.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1316
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\i89290906.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\i89290906.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:4564
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a99948086.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a99948086.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:4664

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i53305915.exe

Filesize
843KB

MD5
d5aeaa86d1e99265099f013dbd5b78a0

SHA1
95911dcad4fc449e85af2ca7de525bad6c767f6f

SHA256
64b142b370e0053e422be86d63889ba2e7c7d6dc6874f5597d990053fc87eef8

SHA512
99b257dae1f8ecdb4e68cda53f9d70fa95cdde590b47f9aa650d50c41c151d6e553350749e64f862b46532961f7c199d811fc2a7829444f2b8b8ef98e4e13bc4

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\i89290906.exe

Filesize
371KB

MD5
08181dd3aa2cc412303258fb0a471e5c

SHA1
10a329a9dec14600205c3847a193dfd16a57e936

SHA256
67b37986af8faa1326f6931cd4a2f9fc58030bbeee81da829f6c60a3a088e3f8

SHA512
abf6aa1bf9227394a27aabc9960ba5cdde350613fdfcc188da40b005cf2ca7f33f3154a8a39148e04dd5e43e65daf69988747b0241cb6e41c63b36d86e84b0a3

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a99948086.exe

Filesize
169KB

MD5
cf3cfb5fd18c6e28b49d5a202e21d8cd

SHA1
ebe6e286ed8ad39f2886c91400412c0365b59a67

SHA256
27b2b419360782c22956669dea231131661e461efa1d780bc92b3ec03da69472

SHA512
671c6ef88af37fbdc4016492dc551034673577478f8826ec3a37b5b03bb578bc7019344d36b7686a618d480af92ab0b063f75bc034035343eb0ad4e5eae5a58f

Download Submit
memory/4664-21-0x0000000000E00000-0x0000000000E30000-memory.dmp

Filesize
192KB

Download
memory/4664-22-0x0000000003250000-0x0000000003256000-memory.dmp

Filesize
24KB

Download
memory/4664-23-0x000000000B170000-0x000000000B788000-memory.dmp

Filesize
6.1MB

Download
memory/4664-24-0x000000000AC70000-0x000000000AD7A000-memory.dmp

Filesize
1.0MB

Download
memory/4664-25-0x000000000ABA0000-0x000000000ABB2000-memory.dmp

Filesize
72KB

Download
memory/4664-26-0x000000000AC00000-0x000000000AC3C000-memory.dmp

Filesize
240KB

Download
memory/4664-27-0x00000000030D0000-0x000000000311C000-memory.dmp

Filesize
304KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads