redline | ec803fbb76a1fa19380f671d70906ed4079e720618daefcd871ddd710d8dc315

General

Target

ec803fbb76a1fa19380f671d70906ed4079e720618daefcd871ddd710d8dc315.exe
Size

1016KB
MD5

604a9ed304bf0fa5e8f3eaeff075516b
SHA1

1bd1743473025471ed157b374c5cdb07d62d353e
SHA256

ec803fbb76a1fa19380f671d70906ed4079e720618daefcd871ddd710d8dc315
SHA512

a4a95143aaec88c419d59ce60d9e63ac3252bdfce719fa81c9787d8dd5cef276956ffd870fbdc526a6cf32eca7f85619a7322ecc8c248423a303ed3ba8fc21e1
SSDEEP

12288:Sy90N4nVmQOXQVchhK5NQtV8Up2ZtgztiZMBAr4deDE2rCi6t54c7ZDaYQdZVRex:SyZ8QwTWHQP8UpA5KAr4dY6tqkVeQx

Score

10^/10

redline most discovery infostealer persistence

Malware Config

Extracted

Family

redline

Botnet

most

C2

185.161.248.73:4164

Attributes

auth_value
7da4dfa153f2919e617aa016f7c36008

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 2 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a08429624.exe	family_redline
behavioral1/memory/1316-21-0x0000000000580000-0x00000000005B0000-memory.dmp	family_redline

Redline family
redline
Executes dropped EXE 3 IoCs

Processes:

i57885400.exei33690218.exea08429624.exe

pid process

4000 i57885400.exe
1096 i33690218.exe
1316 a08429624.exe

pid	process
4000	i57885400.exe
1096	i33690218.exe
1316	a08429624.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

ec803fbb76a1fa19380f671d70906ed4079e720618daefcd871ddd710d8dc315.exei57885400.exei33690218.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	ec803fbb76a1fa19380f671d70906ed4079e720618daefcd871ddd710d8dc315.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	i57885400.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	i33690218.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

i57885400.exei33690218.exea08429624.exeec803fbb76a1fa19380f671d70906ed4079e720618daefcd871ddd710d8dc315.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	i57885400.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	i33690218.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a08429624.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ec803fbb76a1fa19380f671d70906ed4079e720618daefcd871ddd710d8dc315.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

ec803fbb76a1fa19380f671d70906ed4079e720618daefcd871ddd710d8dc315.exei57885400.exei33690218.exe

description	pid	process	target process
PID 740 wrote to memory of 4000	740	ec803fbb76a1fa19380f671d70906ed4079e720618daefcd871ddd710d8dc315.exe	i57885400.exe
PID 740 wrote to memory of 4000	740	ec803fbb76a1fa19380f671d70906ed4079e720618daefcd871ddd710d8dc315.exe	i57885400.exe
PID 740 wrote to memory of 4000	740	ec803fbb76a1fa19380f671d70906ed4079e720618daefcd871ddd710d8dc315.exe	i57885400.exe
PID 4000 wrote to memory of 1096	4000	i57885400.exe	i33690218.exe
PID 4000 wrote to memory of 1096	4000	i57885400.exe	i33690218.exe
PID 4000 wrote to memory of 1096	4000	i57885400.exe	i33690218.exe
PID 1096 wrote to memory of 1316	1096	i33690218.exe	a08429624.exe
PID 1096 wrote to memory of 1316	1096	i33690218.exe	a08429624.exe
PID 1096 wrote to memory of 1316	1096	i33690218.exe	a08429624.exe

C:\Users\Admin\AppData\Local\Temp\ec803fbb76a1fa19380f671d70906ed4079e720618daefcd871ddd710d8dc315.exe
"C:\Users\Admin\AppData\Local\Temp\ec803fbb76a1fa19380f671d70906ed4079e720618daefcd871ddd710d8dc315.exe"
1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:740
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i57885400.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i57885400.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4000
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\i33690218.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\i33690218.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1096
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a08429624.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a08429624.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:1316

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i57885400.exe

Filesize
844KB

MD5
167e9d755bf4b8984e3e1ec70ea5866d

SHA1
4a82a5c8ecadc1a82c656127f3904f1a73f67ef0

SHA256
c52ab766dada67de7cbe1229117d23afd5c43e6cdb95e068a90cab076b340e8a

SHA512
077176465891d1123f1ffa828da77abdc7561d9ce976b3aa9d0015bd3db8f067daecc86c45af298b3d8f2a51dd8823b55a1bc9846b7fe6266473b865ad839403

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\i33690218.exe

Filesize
371KB

MD5
14be357e4f54c5b68160c871fb0e387a

SHA1
2f1eb960769507c1c0c528cd6c39954b253f128e

SHA256
92631766aa4c4b7d68cea4dd1f9c5e46d1e0210d31b7458c03afa78d0bfd1dc2

SHA512
92a3d79ae40850d9145e0ed4b43770b5e563cfd6d106bf1518b9e5a04184fb9110abe4d002d20c46e1635f0cff36e5f3f0bb1a20af1d89eb23bcb5788d8c3dcc

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a08429624.exe

Filesize
169KB

MD5
64f9484e1ed109448568eea679ae3be6

SHA1
45b8530246c1fa8b64b2e60fb15ea8f7c935d060

SHA256
374e6a35ad9c2c3ee57e2a5c4ce585aded4dbad050ef074593d0b644eab9406c

SHA512
50b223b2ed9d655daf63eff3d1f12a47b7320e46f99a6a35f32ee9a6cba40d1b2c3cac84edc875dee38d5f9c270dfcd5a229c5ede8f30f271d42abbc8467cd7e

Download Submit
memory/1316-21-0x0000000000580000-0x00000000005B0000-memory.dmp

Filesize
192KB

Download
memory/1316-22-0x00000000027D0000-0x00000000027D6000-memory.dmp

Filesize
24KB

Download
memory/1316-23-0x000000000A900000-0x000000000AF18000-memory.dmp

Filesize
6.1MB

Download
memory/1316-24-0x000000000A3F0000-0x000000000A4FA000-memory.dmp

Filesize
1.0MB

Download
memory/1316-25-0x000000000A320000-0x000000000A332000-memory.dmp

Filesize
72KB

Download
memory/1316-26-0x000000000A380000-0x000000000A3BC000-memory.dmp

Filesize
240KB

Download
memory/1316-27-0x0000000002750000-0x000000000279C000-memory.dmp

Filesize
304KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads