redline | e14cf1238643d04a93157a0416329f7f8b08a9ceff996b870be593df328d6953

General

Target

e14cf1238643d04a93157a0416329f7f8b08a9ceff996b870be593df328d6953.exe
Size

852KB
MD5

1cd6afe88ba532ca70c927d90314eac8
SHA1

3e5c107a20bad54a81ec0cb7e18e4dddcfca003b
SHA256

e14cf1238643d04a93157a0416329f7f8b08a9ceff996b870be593df328d6953
SHA512

d338745cc39ad49e6d94251d2bbc2dc2c2af77ee37fe4fd952ea765a3159e45adb2da316fab36a2f39344d87ed37c0eac91a4f1026e5c31936f38e7a28f2d3bd
SSDEEP

24576:yuxXOKVpvO/cmyGMELxcPZrUm/t3rwFO:rxXdfOEOM6SPtUCQ

Score

10^/10

redline logs discovery infostealer

Malware Config

Extracted

Family

redline

Botnet

LOGS

C2

87.120.120.86:1912

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 5 IoCs

resource	yara_rule
behavioral1/memory/2884-18-0x0000000000400000-0x0000000000452000-memory.dmp	family_redline
behavioral1/memory/2884-14-0x0000000000400000-0x0000000000452000-memory.dmp	family_redline
behavioral1/memory/2884-11-0x0000000000400000-0x0000000000452000-memory.dmp	family_redline
behavioral1/memory/2884-9-0x0000000000400000-0x0000000000452000-memory.dmp	family_redline
behavioral1/memory/2884-17-0x0000000000400000-0x0000000000452000-memory.dmp	family_redline

Redline family
redline

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1500 set thread context of 2884	1500	e14cf1238643d04a93157a0416329f7f8b08a9ceff996b870be593df328d6953.exe	31

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e14cf1238643d04a93157a0416329f7f8b08a9ceff996b870be593df328d6953.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e14cf1238643d04a93157a0416329f7f8b08a9ceff996b870be593df328d6953.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 1500 wrote to memory of 2884	1500	e14cf1238643d04a93157a0416329f7f8b08a9ceff996b870be593df328d6953.exe	31
PID 1500 wrote to memory of 2884	1500	e14cf1238643d04a93157a0416329f7f8b08a9ceff996b870be593df328d6953.exe	31
PID 1500 wrote to memory of 2884	1500	e14cf1238643d04a93157a0416329f7f8b08a9ceff996b870be593df328d6953.exe	31
PID 1500 wrote to memory of 2884	1500	e14cf1238643d04a93157a0416329f7f8b08a9ceff996b870be593df328d6953.exe	31
PID 1500 wrote to memory of 2884	1500	e14cf1238643d04a93157a0416329f7f8b08a9ceff996b870be593df328d6953.exe	31
PID 1500 wrote to memory of 2884	1500	e14cf1238643d04a93157a0416329f7f8b08a9ceff996b870be593df328d6953.exe	31
PID 1500 wrote to memory of 2884	1500	e14cf1238643d04a93157a0416329f7f8b08a9ceff996b870be593df328d6953.exe	31
PID 1500 wrote to memory of 2884	1500	e14cf1238643d04a93157a0416329f7f8b08a9ceff996b870be593df328d6953.exe	31
PID 1500 wrote to memory of 2884	1500	e14cf1238643d04a93157a0416329f7f8b08a9ceff996b870be593df328d6953.exe	31

C:\Users\Admin\AppData\Local\Temp\e14cf1238643d04a93157a0416329f7f8b08a9ceff996b870be593df328d6953.exe
"C:\Users\Admin\AppData\Local\Temp\e14cf1238643d04a93157a0416329f7f8b08a9ceff996b870be593df328d6953.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1500
- C:\Users\Admin\AppData\Local\Temp\e14cf1238643d04a93157a0416329f7f8b08a9ceff996b870be593df328d6953.exe
  "C:\Users\Admin\AppData\Local\Temp\e14cf1238643d04a93157a0416329f7f8b08a9ceff996b870be593df328d6953.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2884

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1500-0-0x000000007474E000-0x000000007474F000-memory.dmp

Filesize
4KB

Download
memory/1500-1-0x0000000000B90000-0x0000000000C6A000-memory.dmp

Filesize
872KB

Download
memory/1500-2-0x0000000074740000-0x0000000074E2E000-memory.dmp

Filesize
6.9MB

Download
memory/1500-3-0x00000000020C0000-0x00000000020DE000-memory.dmp

Filesize
120KB

Download
memory/1500-4-0x000000007474E000-0x000000007474F000-memory.dmp

Filesize
4KB

Download
memory/1500-5-0x0000000074740000-0x0000000074E2E000-memory.dmp

Filesize
6.9MB

Download
memory/1500-6-0x0000000006170000-0x0000000006206000-memory.dmp

Filesize
600KB

Download
memory/1500-21-0x0000000074740000-0x0000000074E2E000-memory.dmp

Filesize
6.9MB

Download
memory/2884-18-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/2884-14-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/2884-19-0x0000000074740000-0x0000000074E2E000-memory.dmp

Filesize
6.9MB

Download
memory/2884-12-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2884-20-0x0000000074740000-0x0000000074E2E000-memory.dmp

Filesize
6.9MB

Download
memory/2884-11-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/2884-9-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/2884-8-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/2884-17-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/2884-7-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/2884-22-0x0000000074740000-0x0000000074E2E000-memory.dmp

Filesize
6.9MB

Download

Analysis

Sharing