redline | 52f765844623c2f90315854ca382dca7f7ef1a177e87f482fcb7998f540406e0

General

Target

52f765844623c2f90315854ca382dca7f7ef1a177e87f482fcb7998f540406e0N.exe
Size

844KB
MD5

80c5e9c28271e21d5a6b88fa6c819c00
SHA1

31fb791a8f63c7821bc475788b12e96dfbb933fe
SHA256

52f765844623c2f90315854ca382dca7f7ef1a177e87f482fcb7998f540406e0
SHA512

83862d521f563c7afd58429b2ce8e35308cc433608af84eb27a008c79d4b40454624321a1cd1b05c7c213160a39c22f3f3a21365f9543386d34ec3e80de4ab24
SSDEEP

12288:8y90dKVLtW0TkHKRxct8Daan4Mxwj4VvH6ApLrrB6JUF1/9BK3RdvuyzTwSVa3d:8yZRtBGKnd1aEL/CUFFPK3RddT2d

Score

10^/10

redline most discovery infostealer persistence

Malware Config

Extracted

Family

redline

Botnet

most

C2

185.161.248.73:4164

Attributes

auth_value
7da4dfa153f2919e617aa016f7c36008

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 2 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a20582316.exe	family_redline
behavioral1/memory/3676-15-0x0000000000C30000-0x0000000000C60000-memory.dmp	family_redline

Redline family
redline
Executes dropped EXE 2 IoCs

Processes:

i71634808.exea20582316.exe

pid process

1000 i71634808.exe
3676 a20582316.exe

pid	process
1000	i71634808.exe
3676	a20582316.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

52f765844623c2f90315854ca382dca7f7ef1a177e87f482fcb7998f540406e0N.exei71634808.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	52f765844623c2f90315854ca382dca7f7ef1a177e87f482fcb7998f540406e0N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	i71634808.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

52f765844623c2f90315854ca382dca7f7ef1a177e87f482fcb7998f540406e0N.exei71634808.exea20582316.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	52f765844623c2f90315854ca382dca7f7ef1a177e87f482fcb7998f540406e0N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	i71634808.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a20582316.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

52f765844623c2f90315854ca382dca7f7ef1a177e87f482fcb7998f540406e0N.exei71634808.exe

description	pid	process	target process
PID 3296 wrote to memory of 1000	3296	52f765844623c2f90315854ca382dca7f7ef1a177e87f482fcb7998f540406e0N.exe	i71634808.exe
PID 3296 wrote to memory of 1000	3296	52f765844623c2f90315854ca382dca7f7ef1a177e87f482fcb7998f540406e0N.exe	i71634808.exe
PID 3296 wrote to memory of 1000	3296	52f765844623c2f90315854ca382dca7f7ef1a177e87f482fcb7998f540406e0N.exe	i71634808.exe
PID 1000 wrote to memory of 3676	1000	i71634808.exe	a20582316.exe
PID 1000 wrote to memory of 3676	1000	i71634808.exe	a20582316.exe
PID 1000 wrote to memory of 3676	1000	i71634808.exe	a20582316.exe

C:\Users\Admin\AppData\Local\Temp\52f765844623c2f90315854ca382dca7f7ef1a177e87f482fcb7998f540406e0N.exe
"C:\Users\Admin\AppData\Local\Temp\52f765844623c2f90315854ca382dca7f7ef1a177e87f482fcb7998f540406e0N.exe"
1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3296
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i71634808.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i71634808.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1000
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a20582316.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a20582316.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:3676

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i71634808.exe

Filesize
371KB

MD5
861b034b9d1fd6977a2cabb72044a6a8

SHA1
810f628adbef8b54735883617f67a585ee7eb1bf

SHA256
f43694e668258003a175a2f86c35fbf4b1724a99d0baba7474ad90c92692041b

SHA512
5170e2f1f9b333b33575438b95fcd71ee83f7865f0f42a1532582df4eab4ca0828ca72354e2a5cc498465f64adc63485d65f9b2ab3e4c4e0cb4971f7b21cdd82

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a20582316.exe

Filesize
169KB

MD5
e3910c70876d2cf8e33d1949f9aa09f2

SHA1
f338e8b564e8a8b4ac6b33ab8287e000e4f3ea19

SHA256
2d715e490c801611472e9935c22561689f25957aafaa11d0e7ea6a61ddf060bb

SHA512
c576861d4c9d52c974f1a8cdbad766e599970c0f27aa014abd83ccca0e347d9d005cf3f3d002653d9f2bcf3b77f5ad3475e332ce68f40975d71c9ba705bcadf8

Download Submit
memory/3676-14-0x00000000744FE000-0x00000000744FF000-memory.dmp

Filesize
4KB

Download
memory/3676-15-0x0000000000C30000-0x0000000000C60000-memory.dmp

Filesize
192KB

Download
memory/3676-16-0x0000000002EB0000-0x0000000002EB6000-memory.dmp

Filesize
24KB

Download
memory/3676-17-0x000000000AFB0000-0x000000000B5C8000-memory.dmp

Filesize
6.1MB

Download
memory/3676-18-0x000000000AAA0000-0x000000000ABAA000-memory.dmp

Filesize
1.0MB

Download
memory/3676-19-0x000000000A9D0000-0x000000000A9E2000-memory.dmp

Filesize
72KB

Download
memory/3676-20-0x000000000AA30000-0x000000000AA6C000-memory.dmp

Filesize
240KB

Download
memory/3676-21-0x00000000744F0000-0x0000000074CA0000-memory.dmp

Filesize
7.7MB

Download
memory/3676-22-0x0000000002DF0000-0x0000000002E3C000-memory.dmp

Filesize
304KB

Download
memory/3676-23-0x00000000744FE000-0x00000000744FF000-memory.dmp

Filesize
4KB

Download
memory/3676-24-0x00000000744F0000-0x0000000074CA0000-memory.dmp

Filesize
7.7MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads