redline | 0370286016a793b6b4d3fb647aba2dc7f893e278a37a7c49d45fbddf1faa56d2

General

Target

0370286016a793b6b4d3fb647aba2dc7f893e278a37a7c49d45fbddf1faa56d2.exe
Size

843KB
MD5

be3dbdc6a690363172732abc11e0d93c
SHA1

1bbf494ab00fc31d9f06ec0db06d6c7125df589f
SHA256

0370286016a793b6b4d3fb647aba2dc7f893e278a37a7c49d45fbddf1faa56d2
SHA512

475aa239c7c38149f43c1f3438cd4fb3a546ea8906993f26aece41742ea56344fe4942d821462954f1ffdb9daa5542ab581ac645b7942dcfe988ed4f2f5047f3
SSDEEP

24576:PyuVt7U7Fuogx3T3Cab1MKrSY/twKx9L4EE:aQWz2XVVD/0

Score

10^/10

redline most discovery infostealer persistence

Malware Config

Extracted

Family

redline

Botnet

most

C2

185.161.248.73:4164

Attributes

auth_value
7da4dfa153f2919e617aa016f7c36008

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 2 IoCs

resource	yara_rule
behavioral1/files/0x0008000000023cc5-12.dat	family_redline
behavioral1/memory/228-15-0x0000000000200000-0x0000000000230000-memory.dmp	family_redline

Redline family
redline

Executes dropped EXE 2 IoCs

pid	Process
4688	i41143962.exe
228	a11479179.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	0370286016a793b6b4d3fb647aba2dc7f893e278a37a7c49d45fbddf1faa56d2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	i41143962.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0370286016a793b6b4d3fb647aba2dc7f893e278a37a7c49d45fbddf1faa56d2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	i41143962.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a11479179.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 2840 wrote to memory of 4688	2840	0370286016a793b6b4d3fb647aba2dc7f893e278a37a7c49d45fbddf1faa56d2.exe	85
PID 2840 wrote to memory of 4688	2840	0370286016a793b6b4d3fb647aba2dc7f893e278a37a7c49d45fbddf1faa56d2.exe	85
PID 2840 wrote to memory of 4688	2840	0370286016a793b6b4d3fb647aba2dc7f893e278a37a7c49d45fbddf1faa56d2.exe	85
PID 4688 wrote to memory of 228	4688	i41143962.exe	86
PID 4688 wrote to memory of 228	4688	i41143962.exe	86
PID 4688 wrote to memory of 228	4688	i41143962.exe	86

C:\Users\Admin\AppData\Local\Temp\0370286016a793b6b4d3fb647aba2dc7f893e278a37a7c49d45fbddf1faa56d2.exe
"C:\Users\Admin\AppData\Local\Temp\0370286016a793b6b4d3fb647aba2dc7f893e278a37a7c49d45fbddf1faa56d2.exe"
1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2840
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i41143962.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i41143962.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4688
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a11479179.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a11479179.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:228

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i41143962.exe

Filesize
371KB

MD5
f645905f88c9f6dda57368081c7cf1f4

SHA1
a8070e8eb98fe2836a897934b066be32f33162aa

SHA256
db81d5f8c074e5ef00893c16e118bf26c0dfdae7e1068de67c7992e7091ab691

SHA512
9b8067b266d692123fb09c31f4e38192aea83d976f396c1533de8013edf08ca76c6e29c77cf05e6d8b9d331bcfe79aad0f46fb8ca1a534a89cd37c697f3c4730

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a11479179.exe

Filesize
169KB

MD5
8aa82a269f2ca64c7202db91c58fe320

SHA1
f22ce5018d0eac44f3d677ab07bca75ae562d39f

SHA256
e323128dcc4b7f4734b7610eff786869417134073d11fc2301f60258c22c679a

SHA512
9e4a6d293db4a784233e044c09ef8f209ac99321365ddf3564f78574dfa3620250b57fb30e4e7c41ad5c1e69acd5d2ae744f6416ed68aa606864a060abac3c96

Download Submit
memory/228-14-0x00000000745DE000-0x00000000745DF000-memory.dmp

Filesize
4KB

Download
memory/228-15-0x0000000000200000-0x0000000000230000-memory.dmp

Filesize
192KB

Download
memory/228-16-0x0000000002370000-0x0000000002376000-memory.dmp

Filesize
24KB

Download
memory/228-17-0x0000000005140000-0x0000000005758000-memory.dmp

Filesize
6.1MB

Download
memory/228-18-0x0000000004C50000-0x0000000004D5A000-memory.dmp

Filesize
1.0MB

Download
memory/228-19-0x0000000004B80000-0x0000000004B92000-memory.dmp

Filesize
72KB

Download
memory/228-20-0x0000000004BE0000-0x0000000004C1C000-memory.dmp

Filesize
240KB

Download
memory/228-21-0x00000000745D0000-0x0000000074D80000-memory.dmp

Filesize
7.7MB

Download
memory/228-22-0x0000000004D60000-0x0000000004DAC000-memory.dmp

Filesize
304KB

Download
memory/228-23-0x00000000745DE000-0x00000000745DF000-memory.dmp

Filesize
4KB

Download
memory/228-24-0x00000000745D0000-0x0000000074D80000-memory.dmp

Filesize
7.7MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads