redline | 0823571bf2ec2fe312740dfb557536d1ee59b62e502e81d4e8f577e702514c59

Analysis

max time kernel
140s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
21-12-2024 16:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0ff0b92ea0c7a7e1a0e9e25415a45afe81731d58.exe
Size

747.6MB
MD5

97deb4fcf4c69ab166fd1301455b5dfa
SHA1

0ff0b92ea0c7a7e1a0e9e25415a45afe81731d58
SHA256

0823571bf2ec2fe312740dfb557536d1ee59b62e502e81d4e8f577e702514c59
SHA512

16d83960c7f4fe98031a13a889a3fa994fe504f7300acb251bb6e819327448da8ff4ddc59ee8efdada34cd025a3e4b89f24a7f89dcd3e6b543338a9da6ab5e9b
SSDEEP

12288:BLotIV4X2N9Ogad7pPnJvVKBenSvq33OKjmhI9YSb1jnWLsUmVw3kEun6dHS:Uc4X2TcNpPJdKUiAO8ivMjWLsRV

Score

10^/10

redline ppiinstall discovery infostealer persistence

Malware Config

Extracted

Family

redline

Botnet

ppiinstall

5.255.103.64:80

Attributes

auth_value
5b4e066b64a55bd70f10196ec142d81e

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 1 IoCs

resource	yara_rule
behavioral2/memory/1492-28-0x0000000000F70000-0x0000000000F98000-memory.dmp	family_redline

Redline family
redline

Deletes itself 1 IoCs

pid	Process
2728	Brooklyn.exe.pif

Executes dropped EXE 1 IoCs

pid	Process
2728	Brooklyn.exe.pif

Loads dropped DLL 6 IoCs

pid	Process
2728	Brooklyn.exe.pif
2728	Brooklyn.exe.pif
2728	Brooklyn.exe.pif
2728	Brooklyn.exe.pif
2728	Brooklyn.exe.pif
2728	Brooklyn.exe.pif

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	0ff0b92ea0c7a7e1a0e9e25415a45afe81731d58.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
18	iplogger.com
19	iplogger.com

Enumerates processes with tasklist 1 TTPs 2 IoCs

discovery

Process Discovery

T1057

pid	Process
3300	tasklist.exe
2380	tasklist.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2728 set thread context of 1492	2728	Brooklyn.exe.pif	113

System Location Discovery: System Language Discovery 1 TTPs 12 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	find.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Brooklyn.exe.pif
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	jsc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0ff0b92ea0c7a7e1a0e9e25415a45afe81731d58.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	find.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 3 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
1772	cmd.exe
2692	PING.EXE
4760	PING.EXE

Runs ping.exe 1 TTPs 2 IoCs

Remote System Discovery

T1018

pid	Process
2692	PING.EXE
4760	PING.EXE

Suspicious behavior: EnumeratesProcesses 20 IoCs

pid	Process
2728	Brooklyn.exe.pif
2728	Brooklyn.exe.pif
2728	Brooklyn.exe.pif
2728	Brooklyn.exe.pif
2728	Brooklyn.exe.pif
2728	Brooklyn.exe.pif
2728	Brooklyn.exe.pif
2728	Brooklyn.exe.pif
2728	Brooklyn.exe.pif
2728	Brooklyn.exe.pif
2728	Brooklyn.exe.pif
2728	Brooklyn.exe.pif
2728	Brooklyn.exe.pif
2728	Brooklyn.exe.pif
2728	Brooklyn.exe.pif
2728	Brooklyn.exe.pif
2728	Brooklyn.exe.pif
2728	Brooklyn.exe.pif
2728	Brooklyn.exe.pif
2728	Brooklyn.exe.pif

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2380	tasklist.exe
Token: SeDebugPrivilege	3300	tasklist.exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
2728	Brooklyn.exe.pif
2728	Brooklyn.exe.pif
2728	Brooklyn.exe.pif

Suspicious use of SendNotifyMessage 3 IoCs

pid	Process
2728	Brooklyn.exe.pif
2728	Brooklyn.exe.pif
2728	Brooklyn.exe.pif

Suspicious use of WriteProcessMemory 38 IoCs

description	pid	Process	procid_target
PID 2008 wrote to memory of 1148	2008	0ff0b92ea0c7a7e1a0e9e25415a45afe81731d58.exe	83
PID 2008 wrote to memory of 1148	2008	0ff0b92ea0c7a7e1a0e9e25415a45afe81731d58.exe	83
PID 2008 wrote to memory of 1148	2008	0ff0b92ea0c7a7e1a0e9e25415a45afe81731d58.exe	83
PID 2008 wrote to memory of 1772	2008	0ff0b92ea0c7a7e1a0e9e25415a45afe81731d58.exe	84
PID 2008 wrote to memory of 1772	2008	0ff0b92ea0c7a7e1a0e9e25415a45afe81731d58.exe	84
PID 2008 wrote to memory of 1772	2008	0ff0b92ea0c7a7e1a0e9e25415a45afe81731d58.exe	84
PID 1772 wrote to memory of 1912	1772	cmd.exe	86
PID 1772 wrote to memory of 1912	1772	cmd.exe	86
PID 1772 wrote to memory of 1912	1772	cmd.exe	86
PID 1912 wrote to memory of 2380	1912	cmd.exe	87
PID 1912 wrote to memory of 2380	1912	cmd.exe	87
PID 1912 wrote to memory of 2380	1912	cmd.exe	87
PID 1912 wrote to memory of 4216	1912	cmd.exe	88
PID 1912 wrote to memory of 4216	1912	cmd.exe	88
PID 1912 wrote to memory of 4216	1912	cmd.exe	88
PID 1912 wrote to memory of 3300	1912	cmd.exe	91
PID 1912 wrote to memory of 3300	1912	cmd.exe	91
PID 1912 wrote to memory of 3300	1912	cmd.exe	91
PID 1912 wrote to memory of 3976	1912	cmd.exe	92
PID 1912 wrote to memory of 3976	1912	cmd.exe	92
PID 1912 wrote to memory of 3976	1912	cmd.exe	92
PID 1912 wrote to memory of 5076	1912	cmd.exe	93
PID 1912 wrote to memory of 5076	1912	cmd.exe	93
PID 1912 wrote to memory of 5076	1912	cmd.exe	93
PID 1912 wrote to memory of 2728	1912	cmd.exe	94
PID 1912 wrote to memory of 2728	1912	cmd.exe	94
PID 1912 wrote to memory of 2728	1912	cmd.exe	94
PID 1912 wrote to memory of 2692	1912	cmd.exe	95
PID 1912 wrote to memory of 2692	1912	cmd.exe	95
PID 1912 wrote to memory of 2692	1912	cmd.exe	95
PID 1772 wrote to memory of 4760	1772	cmd.exe	99
PID 1772 wrote to memory of 4760	1772	cmd.exe	99
PID 1772 wrote to memory of 4760	1772	cmd.exe	99
PID 2728 wrote to memory of 1492	2728	Brooklyn.exe.pif	113
PID 2728 wrote to memory of 1492	2728	Brooklyn.exe.pif	113
PID 2728 wrote to memory of 1492	2728	Brooklyn.exe.pif	113
PID 2728 wrote to memory of 1492	2728	Brooklyn.exe.pif	113
PID 2728 wrote to memory of 1492	2728	Brooklyn.exe.pif	113

C:\Users\Admin\AppData\Local\Temp\0ff0b92ea0c7a7e1a0e9e25415a45afe81731d58.exe
"C:\Users\Admin\AppData\Local\Temp\0ff0b92ea0c7a7e1a0e9e25415a45afe81731d58.exe"
1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2008
- C:\Windows\SysWOW64\tapiunattend.exe
  tapiunattend.exe
  2⤵
  PID:1148
- C:\Windows\SysWOW64\cmd.exe
  cmd /c cmd < Inspector.xlam & ping -n 5 localhost
  2⤵
  - System Location Discovery: System Language Discovery
  - System Network Configuration Discovery: Internet Connection Discovery
  - Suspicious use of WriteProcessMemory
  PID:1772
- - C:\Windows\SysWOW64\cmd.exe
    cmd
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1912
  - - C:\Windows\SysWOW64\tasklist.exe
      tasklist /FI "imagename eq AvastUI.exe"
      4⤵
      Enumerates processes with tasklist
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:2380
  - - C:\Windows\SysWOW64\find.exe
      find /I /N "avastui.exe"
      4⤵
      System Location Discovery: System Language Discovery
      PID:4216
  - - C:\Windows\SysWOW64\tasklist.exe
      tasklist /FI "imagename eq AVGUI.exe"
      4⤵
      Enumerates processes with tasklist
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:3300
  - - C:\Windows\SysWOW64\find.exe
      find /I /N "avgui.exe"
      4⤵
      System Location Discovery: System Language Discovery
      PID:3976
  - - C:\Windows\SysWOW64\findstr.exe
      findstr /V /R "^rsFkfaUC$" Packed.xlam
      4⤵
      System Location Discovery: System Language Discovery
      PID:5076
  - - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Brooklyn.exe.pif
      Brooklyn.exe.pif E
      4⤵
      Deletes itself
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of SetThreadContext
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of FindShellTrayWindow
      Suspicious use of SendNotifyMessage
      Suspicious use of WriteProcessMemory
      PID:2728
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:1492
  - - C:\Windows\SysWOW64\PING.EXE
      ping localhost -n 5
      4⤵
      System Location Discovery: System Language Discovery
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:2692
- - C:\Windows\SysWOW64\PING.EXE
    ping -n 5 localhost
    3⤵
    - System Location Discovery: System Language Discovery
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
    PID:4760

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Process Discovery

T1057

Remote System Discovery

T1018

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Brooklyn.exe.pif

Filesize
925KB

MD5
0adb9b817f1df7807576c2d7068dd931

SHA1
4a1b94a9a5113106f40cd8ea724703734d15f118

SHA256
98e4f904f7de1644e519d09371b8afcbbf40ff3bd56d76ce4df48479a4ab884b

SHA512
883aa88f2dba4214bb534fbdaf69712127357a3d0f5666667525db3c1fa351598f067068dfc9e7c7a45fed4248d7dca729ba4f75764341e47048429f9ca8846a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Inspector.xlam

Filesize
11KB

MD5
62b35fde6c3bd929b14455f42a7aba51

SHA1
ca3e32ea3b20d1ffe83189a7bfe4c856c0a64220

SHA256
a34ad5c227a3eaccc64273e053b932282188e8132041458d09ec3016e21af84a

SHA512
ec9579a596d9e7d398f10c23bbb90daa83f201725488f0248cd33b25271ff52c9a161de5652e37f87f63a10831e5bb148d8a9d4beffdb557d35db29862834ee6

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Packed.xlam

Filesize
925KB

MD5
6e886da9317a2e0ae693d7e5bc6fe832

SHA1
df79b26408412284d1af644e7c4f617257d86d63

SHA256
67d53fac4523f6621e1033d2ab97a8787fcddba8695fd39626d7186b7b53864b

SHA512
5375befe56fa5c53dc860b9b6d2319b2020b3aec2c7130a9e48e43a624f4fe5582667dbe12d740cc6c081bd32301d3790bd1aa6f3991b7d1a6ba5baa766f6b75

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Recipe.xlam

Filesize
695KB

MD5
450f295303a69c7cc5bbf525d1bce8a8

SHA1
93b69407d3a6281939b782ed6ee739bea92e138d

SHA256
f525858ebbba889dd5332628a9b0c7fa0ab69466eb42868205c123bbb82a66d7

SHA512
c813f284c24e6df83c8424db5d60bba86b1c987f50d24841536aa0785bf64e2576f81b60c3a145150e2aa7f412c796b86ed21dca27a1a2c2ce700f87ee13611e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\UiFrOPXxH.dll

Filesize
1.6MB

MD5
4f3387277ccbd6d1f21ac5c07fe4ca68

SHA1
e16506f662dc92023bf82def1d621497c8ab5890

SHA256
767a3fc4a7a6818cdc3f0b99aaa95db694f6bcde719d2057a88b3d4df3d74fac

SHA512
9da199ac69e3c0d4e0c6307e0ab8178f12cc25cb2f14c3511f6b64e6e60a925c860f3263cb38353a97b55a71ef4d27f8cb7fa3cfc08e7c1a349fd8d209dfa219

Download Submit
memory/1492-28-0x0000000000F70000-0x0000000000F98000-memory.dmp

Filesize
160KB

Download
memory/1492-34-0x0000000005E00000-0x0000000006418000-memory.dmp

Filesize
6.1MB

Download
memory/1492-35-0x0000000005970000-0x0000000005A7A000-memory.dmp

Filesize
1.0MB

Download
memory/1492-36-0x00000000058A0000-0x00000000058B2000-memory.dmp

Filesize
72KB

Download
memory/1492-37-0x0000000005900000-0x000000000593C000-memory.dmp

Filesize
240KB

Download
memory/1492-38-0x0000000005A80000-0x0000000005ACC000-memory.dmp

Filesize
304KB

Download