redline | ac3201ef44b170f3ffba66e04e52285d8d0bbaf3b80155273ba1634085074e84

General

Target

ac3201ef44b170f3ffba66e04e52285d8d0bbaf3b80155273ba1634085074e84.exe
Size

843KB
MD5

56ab9abd5c5ae4d01f6cf0d69d47b474
SHA1

fcd21254e6eff8b76450ce220c876b408e826147
SHA256

ac3201ef44b170f3ffba66e04e52285d8d0bbaf3b80155273ba1634085074e84
SHA512

ed4b26f01db9cfb60ea6990a4a3d68109cd08adff002ee5ca21396d58f029cd5ec6f8a66a58df761d29085e0a5633fbfb44df45e4291883e0c5d4177b5840833
SSDEEP

24576:vyk9xMuH4eLpt5swv1DfQJggJET6d5fTzwMthF:6axMuYeLPNDMgGvb8MtX

Score

10^/10

redline most discovery infostealer persistence

Malware Config

Extracted

Family

redline

Botnet

most

C2

185.161.248.73:4164

Attributes

auth_value
7da4dfa153f2919e617aa016f7c36008

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 2 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a19787522.exe	family_redline
behavioral1/memory/1452-15-0x0000000000870000-0x00000000008A0000-memory.dmp	family_redline

Redline family
redline
Executes dropped EXE 2 IoCs

Processes:

i10720882.exea19787522.exe

pid process

3748 i10720882.exe
1452 a19787522.exe

pid	process
3748	i10720882.exe
1452	a19787522.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

ac3201ef44b170f3ffba66e04e52285d8d0bbaf3b80155273ba1634085074e84.exei10720882.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	ac3201ef44b170f3ffba66e04e52285d8d0bbaf3b80155273ba1634085074e84.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	i10720882.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

ac3201ef44b170f3ffba66e04e52285d8d0bbaf3b80155273ba1634085074e84.exei10720882.exea19787522.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ac3201ef44b170f3ffba66e04e52285d8d0bbaf3b80155273ba1634085074e84.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	i10720882.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a19787522.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

ac3201ef44b170f3ffba66e04e52285d8d0bbaf3b80155273ba1634085074e84.exei10720882.exe

description	pid	process	target process
PID 4984 wrote to memory of 3748	4984	ac3201ef44b170f3ffba66e04e52285d8d0bbaf3b80155273ba1634085074e84.exe	i10720882.exe
PID 4984 wrote to memory of 3748	4984	ac3201ef44b170f3ffba66e04e52285d8d0bbaf3b80155273ba1634085074e84.exe	i10720882.exe
PID 4984 wrote to memory of 3748	4984	ac3201ef44b170f3ffba66e04e52285d8d0bbaf3b80155273ba1634085074e84.exe	i10720882.exe
PID 3748 wrote to memory of 1452	3748	i10720882.exe	a19787522.exe
PID 3748 wrote to memory of 1452	3748	i10720882.exe	a19787522.exe
PID 3748 wrote to memory of 1452	3748	i10720882.exe	a19787522.exe

C:\Users\Admin\AppData\Local\Temp\ac3201ef44b170f3ffba66e04e52285d8d0bbaf3b80155273ba1634085074e84.exe
"C:\Users\Admin\AppData\Local\Temp\ac3201ef44b170f3ffba66e04e52285d8d0bbaf3b80155273ba1634085074e84.exe"
1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4984
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i10720882.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i10720882.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3748
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a19787522.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a19787522.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:1452

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i10720882.exe

Filesize
371KB

MD5
f0ae6229bfa3ad3728023b312866bd62

SHA1
85e0a0f74dd807c1ac6c8b94d0cd239bb001a9a3

SHA256
e0f06cf1cbd3b041b276adfcb85078fe7ad31d7b99395f7876729f6f02462958

SHA512
5c434a2e2fd2d1b111397fee755a88f2af674d85d0a9d64f956a5bcbf07420e563da6bf3ae5a2d3ae9f2d70165ca00081423ca3fd3465b283281674dc55a5b84

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a19787522.exe

Filesize
169KB

MD5
f182b953dd97f8e883aace6ef86bc906

SHA1
109d15da5ee0ff447cd6d5a1a1649a88385b398c

SHA256
17ff1b390c54522135c62787d8158d31dddfb6de985ab726db41ef6b0a010752

SHA512
645593c0b0cfc994f91e6e0f57f57e3a1181b698a3a1b5c060431fb4090ea2a4689e112e46328fea2dd04659aa21b0607020a829cd2792c3c680fa8f85e0dd1d

Download Submit
memory/1452-14-0x0000000073E1E000-0x0000000073E1F000-memory.dmp

Filesize
4KB

Download
memory/1452-15-0x0000000000870000-0x00000000008A0000-memory.dmp

Filesize
192KB

Download
memory/1452-16-0x0000000000FA0000-0x0000000000FA6000-memory.dmp

Filesize
24KB

Download
memory/1452-17-0x00000000058C0000-0x0000000005ED8000-memory.dmp

Filesize
6.1MB

Download
memory/1452-18-0x00000000053B0000-0x00000000054BA000-memory.dmp

Filesize
1.0MB

Download
memory/1452-19-0x0000000002C90000-0x0000000002CA2000-memory.dmp

Filesize
72KB

Download
memory/1452-21-0x0000000073E10000-0x00000000745C0000-memory.dmp

Filesize
7.7MB

Download
memory/1452-20-0x0000000005250000-0x000000000528C000-memory.dmp

Filesize
240KB

Download
memory/1452-22-0x00000000052A0000-0x00000000052EC000-memory.dmp

Filesize
304KB

Download
memory/1452-23-0x0000000073E1E000-0x0000000073E1F000-memory.dmp

Filesize
4KB

Download
memory/1452-24-0x0000000073E10000-0x00000000745C0000-memory.dmp

Filesize
7.7MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads