redline | aa6c2c3b04168cd516848a1885db5f4e475931ea9cfdf97547f1491889336e42

General

Target

aa6c2c3b04168cd516848a1885db5f4e475931ea9cfdf97547f1491889336e42.exe
Size

1.2MB
MD5

9fc49682ef7c531882ca92c6fadda89c
SHA1

6e97ffe94dfce9f6d3fd9947678816aa5bb4f91b
SHA256

aa6c2c3b04168cd516848a1885db5f4e475931ea9cfdf97547f1491889336e42
SHA512

a25da1aafb278acf18b9ea7263c0640af13854de417070654b37748c1dbffe525058ae2376b4709dca5fd010689a447b077487a07a6a4f99981e6374bbf491a5
SSDEEP

24576:KyQZ0/xEeS78FqRsWPUpgBf56cncQ1xhK7GLYwnGUEu:RaJeS78FkxPXfIccQ1xU7GLYwn5

Score

10^/10

redline most discovery infostealer persistence

Malware Config

Extracted

Family

redline

Botnet

most

C2

185.161.248.73:4164

Attributes

auth_value
7da4dfa153f2919e617aa016f7c36008

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 2 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a47022617.exe	family_redline
behavioral1/memory/3640-28-0x00000000003A0000-0x00000000003D0000-memory.dmp	family_redline

Redline family
redline
Executes dropped EXE 4 IoCs

Processes:

i76932649.exei44914407.exei00135755.exea47022617.exe

pid process

2432 i76932649.exe
4728 i44914407.exe
2856 i00135755.exe
3640 a47022617.exe

pid	process
2432	i76932649.exe
4728	i44914407.exe
2856	i00135755.exe
3640	a47022617.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

aa6c2c3b04168cd516848a1885db5f4e475931ea9cfdf97547f1491889336e42.exei76932649.exei44914407.exei00135755.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	aa6c2c3b04168cd516848a1885db5f4e475931ea9cfdf97547f1491889336e42.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	i76932649.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	i44914407.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	i00135755.exe

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

aa6c2c3b04168cd516848a1885db5f4e475931ea9cfdf97547f1491889336e42.exei76932649.exei44914407.exei00135755.exea47022617.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	aa6c2c3b04168cd516848a1885db5f4e475931ea9cfdf97547f1491889336e42.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	i76932649.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	i44914407.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	i00135755.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a47022617.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

aa6c2c3b04168cd516848a1885db5f4e475931ea9cfdf97547f1491889336e42.exei76932649.exei44914407.exei00135755.exe

description	pid	process	target process
PID 1612 wrote to memory of 2432	1612	aa6c2c3b04168cd516848a1885db5f4e475931ea9cfdf97547f1491889336e42.exe	i76932649.exe
PID 1612 wrote to memory of 2432	1612	aa6c2c3b04168cd516848a1885db5f4e475931ea9cfdf97547f1491889336e42.exe	i76932649.exe
PID 1612 wrote to memory of 2432	1612	aa6c2c3b04168cd516848a1885db5f4e475931ea9cfdf97547f1491889336e42.exe	i76932649.exe
PID 2432 wrote to memory of 4728	2432	i76932649.exe	i44914407.exe
PID 2432 wrote to memory of 4728	2432	i76932649.exe	i44914407.exe
PID 2432 wrote to memory of 4728	2432	i76932649.exe	i44914407.exe
PID 4728 wrote to memory of 2856	4728	i44914407.exe	i00135755.exe
PID 4728 wrote to memory of 2856	4728	i44914407.exe	i00135755.exe
PID 4728 wrote to memory of 2856	4728	i44914407.exe	i00135755.exe
PID 2856 wrote to memory of 3640	2856	i00135755.exe	a47022617.exe
PID 2856 wrote to memory of 3640	2856	i00135755.exe	a47022617.exe
PID 2856 wrote to memory of 3640	2856	i00135755.exe	a47022617.exe

C:\Users\Admin\AppData\Local\Temp\aa6c2c3b04168cd516848a1885db5f4e475931ea9cfdf97547f1491889336e42.exe
"C:\Users\Admin\AppData\Local\Temp\aa6c2c3b04168cd516848a1885db5f4e475931ea9cfdf97547f1491889336e42.exe"
1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1612
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i76932649.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i76932649.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2432
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\i44914407.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\i44914407.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:4728
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i00135755.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i00135755.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2856
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a47022617.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a47022617.exe
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3640

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i76932649.exe

Filesize
1000KB

MD5
355ec40e99742b9155f2ffddc1e280cb

SHA1
2b0683d4b5f0c24ff47b266be09545d2637f93ed

SHA256
9b52fbeb0ed6a9b5d2578749cb6f8b749f90fa633d7986e70cd1fd553ab38faa

SHA512
72e6f13333d48797f6fb9a8a2a75b1e45f434573b0dfde23cf1f7454550aa624f444436e106da734a4ea47bb55fe2fe07c1ab5bd403f190bc077e504524561fe

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\i44914407.exe

Filesize
828KB

MD5
eda5b4ce78dfac0c3c8c1dbd98c37501

SHA1
8bcf5cca898adbb471e88e7f6c28b64baaa7c32a

SHA256
b7c1b08f9d186100a1bf424d102b653700c14cbc1c4058b2d87ead68cf7d7507

SHA512
7c98e6aeec9849ef148bd8b950a9ac40f9726997e012105e233d4431f3f142f372f66f1d0480aa2dd51d50dfdb54a63182d2ae4dfeaf7f32fe6b00f95f2da896

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i00135755.exe

Filesize
363KB

MD5
433e0a463767de9bee2b80a2e9c9933e

SHA1
c8abc608f197aa4c027040a692c515004e4b1243

SHA256
cf6a302c01d295630a6ac3b33c6831648467a996a15a8b183d99c94fd5886851

SHA512
335e34d54e318035de3d8aa714cdd82da6b961a3c4ed38ba5f81c6a010257dc5f755cc3c269a66184b167a035866a1c4db82eaba52d94c5e39b80b8eebaf8593

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a47022617.exe

Filesize
170KB

MD5
fd5505485871b85aeb927be71a460f65

SHA1
91633b0444d5f42241f9122857d5c32cd877105b

SHA256
8cb7a64e8586f4ecdc2bba43dfc1f923ff6fb9b72c882e361ba6543cc81a59d1

SHA512
f2c0b7ece01993329575f216034603e0afb40d8ed17d89a39ebde0f367488bc17667e8d26ee1216904454eed628873b60172b872f43eeb7b6cd48031b5dda936

Download Submit
memory/3640-28-0x00000000003A0000-0x00000000003D0000-memory.dmp

Filesize
192KB

Download
memory/3640-29-0x0000000004BC0000-0x0000000004BC6000-memory.dmp

Filesize
24KB

Download
memory/3640-30-0x000000000A710000-0x000000000AD28000-memory.dmp

Filesize
6.1MB

Download
memory/3640-31-0x000000000A210000-0x000000000A31A000-memory.dmp

Filesize
1.0MB

Download
memory/3640-32-0x000000000A140000-0x000000000A152000-memory.dmp

Filesize
72KB

Download
memory/3640-33-0x000000000A1A0000-0x000000000A1DC000-memory.dmp

Filesize
240KB

Download
memory/3640-34-0x00000000046B0000-0x00000000046FC000-memory.dmp

Filesize
304KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads