redline | 182e0f1bc24af68a440440e1631883839668d5e4ae7822d629a478c7d49cb1e8

General

Target

182e0f1bc24af68a440440e1631883839668d5e4ae7822d629a478c7d49cb1e8.exe
Size

4.6MB
MD5

034c8216b5f3d87bfda4c653b700d853
SHA1

fa0efb9699b7ae5a02c4e715acd70378e01e15f8
SHA256

182e0f1bc24af68a440440e1631883839668d5e4ae7822d629a478c7d49cb1e8
SHA512

1b338249cdf33f9926641f7b5be2f5eac1ad9ec2ea4886d5d7fe0e259af03e1963d2cdaf9628889104a8fd4870b60fdcaed52f63d023254993490e73cadbfcc6
SSDEEP

98304:KLVsQ7KjJWC9/cQFNuhEpjZnThGBwTNTUGeWynzf6jSjiSh3BD6Ksz:YG8C9kjh6ThGOlTyWSjt3B7u

Score

10^/10

redline @iamrpx discovery infostealer

Malware Config

Extracted

Family

redline

Botnet

@iamrpx

C2

185.209.22.181:29234

Attributes

auth_value
5a0918bd3e8ede8e02c8dd9d106a996d

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 3 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2712-43-0x0000000000400000-0x000000000041E000-memory.dmp	family_redline
behavioral1/memory/2712-42-0x0000000000400000-0x000000000041E000-memory.dmp	family_redline
behavioral1/memory/2712-36-0x0000000000400000-0x000000000041E000-memory.dmp	family_redline

Redline family
redline

Suspicious use of SetThreadContext 1 IoCs

Processes:

182e0f1bc24af68a440440e1631883839668d5e4ae7822d629a478c7d49cb1e8.exe

description	pid	process	target process
PID 2384 set thread context of 2712	2384	182e0f1bc24af68a440440e1631883839668d5e4ae7822d629a478c7d49cb1e8.exe	AppLaunch.exe

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

182e0f1bc24af68a440440e1631883839668d5e4ae7822d629a478c7d49cb1e8.exeAppLaunch.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	182e0f1bc24af68a440440e1631883839668d5e4ae7822d629a478c7d49cb1e8.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AppLaunch.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

182e0f1bc24af68a440440e1631883839668d5e4ae7822d629a478c7d49cb1e8.exe

pid	process
2384	182e0f1bc24af68a440440e1631883839668d5e4ae7822d629a478c7d49cb1e8.exe
2384	182e0f1bc24af68a440440e1631883839668d5e4ae7822d629a478c7d49cb1e8.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

182e0f1bc24af68a440440e1631883839668d5e4ae7822d629a478c7d49cb1e8.exe

description	pid	process	target process
PID 2384 wrote to memory of 2712	2384	182e0f1bc24af68a440440e1631883839668d5e4ae7822d629a478c7d49cb1e8.exe	AppLaunch.exe
PID 2384 wrote to memory of 2712	2384	182e0f1bc24af68a440440e1631883839668d5e4ae7822d629a478c7d49cb1e8.exe	AppLaunch.exe
PID 2384 wrote to memory of 2712	2384	182e0f1bc24af68a440440e1631883839668d5e4ae7822d629a478c7d49cb1e8.exe	AppLaunch.exe
PID 2384 wrote to memory of 2712	2384	182e0f1bc24af68a440440e1631883839668d5e4ae7822d629a478c7d49cb1e8.exe	AppLaunch.exe
PID 2384 wrote to memory of 2712	2384	182e0f1bc24af68a440440e1631883839668d5e4ae7822d629a478c7d49cb1e8.exe	AppLaunch.exe
PID 2384 wrote to memory of 2712	2384	182e0f1bc24af68a440440e1631883839668d5e4ae7822d629a478c7d49cb1e8.exe	AppLaunch.exe
PID 2384 wrote to memory of 2712	2384	182e0f1bc24af68a440440e1631883839668d5e4ae7822d629a478c7d49cb1e8.exe	AppLaunch.exe
PID 2384 wrote to memory of 2712	2384	182e0f1bc24af68a440440e1631883839668d5e4ae7822d629a478c7d49cb1e8.exe	AppLaunch.exe
PID 2384 wrote to memory of 2712	2384	182e0f1bc24af68a440440e1631883839668d5e4ae7822d629a478c7d49cb1e8.exe	AppLaunch.exe

C:\Users\Admin\AppData\Local\Temp\182e0f1bc24af68a440440e1631883839668d5e4ae7822d629a478c7d49cb1e8.exe
"C:\Users\Admin\AppData\Local\Temp\182e0f1bc24af68a440440e1631883839668d5e4ae7822d629a478c7d49cb1e8.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2384
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2712

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2384-4-0x0000000000180000-0x0000000000181000-memory.dmp

Filesize
4KB

Download
memory/2384-44-0x0000000000325000-0x000000000059A000-memory.dmp

Filesize
2.5MB

Download
memory/2384-30-0x00000000007B0000-0x00000000007B1000-memory.dmp

Filesize
4KB

Download
memory/2384-23-0x00000000007A0000-0x00000000007A1000-memory.dmp

Filesize
4KB

Download
memory/2384-20-0x0000000000325000-0x000000000059A000-memory.dmp

Filesize
2.5MB

Download
memory/2384-19-0x0000000000790000-0x0000000000791000-memory.dmp

Filesize
4KB

Download
memory/2384-17-0x0000000000790000-0x0000000000791000-memory.dmp

Filesize
4KB

Download
memory/2384-14-0x00000000002E0000-0x00000000002E1000-memory.dmp

Filesize
4KB

Download
memory/2384-12-0x00000000002E0000-0x00000000002E1000-memory.dmp

Filesize
4KB

Download
memory/2384-9-0x00000000002D0000-0x00000000002D1000-memory.dmp

Filesize
4KB

Download
memory/2384-7-0x00000000002D0000-0x00000000002D1000-memory.dmp

Filesize
4KB

Download
memory/2384-5-0x00000000002D0000-0x00000000002D1000-memory.dmp

Filesize
4KB

Download
memory/2384-25-0x00000000007A0000-0x00000000007A1000-memory.dmp

Filesize
4KB

Download
memory/2384-2-0x0000000000180000-0x0000000000181000-memory.dmp

Filesize
4KB

Download
memory/2384-0-0x0000000000180000-0x0000000000181000-memory.dmp

Filesize
4KB

Download
memory/2384-31-0x00000000002F0000-0x0000000000781000-memory.dmp

Filesize
4.6MB

Download
memory/2384-33-0x00000000002F0000-0x0000000000781000-memory.dmp

Filesize
4.6MB

Download
memory/2384-28-0x00000000007B0000-0x00000000007B1000-memory.dmp

Filesize
4KB

Download
memory/2712-43-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2712-34-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2712-42-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2712-40-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

Filesize
4KB

Download
memory/2712-36-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2712-45-0x00000000740CE000-0x00000000740CF000-memory.dmp

Filesize
4KB

Download
memory/2712-46-0x00000000740C0000-0x00000000747AE000-memory.dmp

Filesize
6.9MB

Download
memory/2712-47-0x00000000740CE000-0x00000000740CF000-memory.dmp

Filesize
4KB

Download
memory/2712-48-0x00000000740C0000-0x00000000747AE000-memory.dmp

Filesize
6.9MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads