redline | ed1784d50e3da5daa8178094fcee1fa9c0e5509bf1e77d0acf6f1cf11dd44fff

General

Target

Setup.exe
Size

7.2MB
MD5

691de5f672de4897dfbd2e54418dc587
SHA1

a63cb199ef02798caa326ed80412dc2ec0bed5ad
SHA256

ed1784d50e3da5daa8178094fcee1fa9c0e5509bf1e77d0acf6f1cf11dd44fff
SHA512

15d830e16e8a7bfedc1f94934bbeb44a21e8ae7a0e62daf7fbf6a5385aa69d9dba62113fa7ccfac916832fe1bdfda55a84358c1a01e3db03dc86175ed2be1a76
SSDEEP

98304:i8ZwIQDCfn6ujDo5XrTuE3/P23ULzv5ZaG4nQm+:i8ZwXDCftoBrTu++gzho4

Score

10^/10

redline 1 discovery infostealer

Malware Config

Extracted

Family

redline

Botnet

1

C2

193.233.132.32:38976

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 1 IoCs

resource	yara_rule
behavioral2/memory/1944-16-0x0000000000400000-0x0000000000450000-memory.dmp	family_redline

Redline family
redline

Loads dropped DLL 1 IoCs

pid	Process
3564	Setup.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 3564 set thread context of 1944	3564	Setup.exe	83

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Setup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsBuild.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 3564 wrote to memory of 1944	3564	Setup.exe	83
PID 3564 wrote to memory of 1944	3564	Setup.exe	83
PID 3564 wrote to memory of 1944	3564	Setup.exe	83
PID 3564 wrote to memory of 1944	3564	Setup.exe	83
PID 3564 wrote to memory of 1944	3564	Setup.exe	83
PID 3564 wrote to memory of 1944	3564	Setup.exe	83
PID 3564 wrote to memory of 1944	3564	Setup.exe	83
PID 3564 wrote to memory of 1944	3564	Setup.exe	83

C:\Users\Admin\AppData\Local\Temp\Setup.exe
"C:\Users\Admin\AppData\Local\Temp\Setup.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3564
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\MsBuild.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\MsBuild.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1944

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Protect544cd51a.dll

Filesize
742KB

MD5
544cd51a596619b78e9b54b70088307d

SHA1
4769ddd2dbc1dc44b758964ed0bd231b85880b65

SHA256
dfce2d4d06de6452998b3c5b2dc33eaa6db2bd37810d04e3d02dc931887cfddd

SHA512
f56d8b81022bb132d40aa78596da39b5c212d13b84b5c7d2c576bbf403924f1d22e750de3b09d1be30aea359f1b72c5043b19685fc9bf06d8040bfee16b17719

Download Submit
memory/1944-24-0x00000000058D0000-0x00000000058DA000-memory.dmp

Filesize
40KB

Download
memory/1944-25-0x0000000006DD0000-0x00000000073E8000-memory.dmp

Filesize
6.1MB

Download
memory/1944-31-0x0000000073E70000-0x0000000074621000-memory.dmp

Filesize
7.7MB

Download
memory/1944-30-0x0000000073E70000-0x0000000074621000-memory.dmp

Filesize
7.7MB

Download
memory/1944-29-0x0000000008610000-0x000000000865C000-memory.dmp

Filesize
304KB

Download
memory/1944-26-0x00000000086A0000-0x00000000087AA000-memory.dmp

Filesize
1.0MB

Download
memory/1944-27-0x0000000006DA0000-0x0000000006DB2000-memory.dmp

Filesize
72KB

Download
memory/1944-20-0x0000000005EB0000-0x0000000006456000-memory.dmp

Filesize
5.6MB

Download
memory/1944-22-0x0000000073E70000-0x0000000074621000-memory.dmp

Filesize
7.7MB

Download
memory/1944-21-0x0000000005900000-0x0000000005992000-memory.dmp

Filesize
584KB

Download
memory/1944-23-0x0000000073E70000-0x0000000074621000-memory.dmp

Filesize
7.7MB

Download
memory/1944-16-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/1944-28-0x00000000085D0000-0x000000000860C000-memory.dmp

Filesize
240KB

Download
memory/3564-4-0x00000000075A0000-0x0000000007852000-memory.dmp

Filesize
2.7MB

Download
memory/3564-15-0x0000000073E70000-0x0000000074621000-memory.dmp

Filesize
7.7MB

Download
memory/3564-14-0x0000000073E70000-0x0000000074621000-memory.dmp

Filesize
7.7MB

Download
memory/3564-13-0x0000000006310000-0x0000000006320000-memory.dmp

Filesize
64KB

Download
memory/3564-0-0x0000000073E7E000-0x0000000073E7F000-memory.dmp

Filesize
4KB

Download
memory/3564-7-0x0000000007BA0000-0x0000000007D32000-memory.dmp

Filesize
1.6MB

Download
memory/3564-1-0x0000000000FE0000-0x000000000170A000-memory.dmp

Filesize
7.2MB

Download
memory/3564-2-0x00000000061F0000-0x000000000628C000-memory.dmp

Filesize
624KB

Download
memory/3564-6-0x0000000073E70000-0x0000000074621000-memory.dmp

Filesize
7.7MB

Download
memory/3564-18-0x0000000073E70000-0x0000000074621000-memory.dmp

Filesize
7.7MB

Download
memory/3564-5-0x0000000073E7E000-0x0000000073E7F000-memory.dmp

Filesize
4KB

Download
memory/3564-19-0x0000000073E70000-0x0000000074621000-memory.dmp

Filesize
7.7MB

Download
memory/3564-3-0x0000000073E70000-0x0000000074621000-memory.dmp

Filesize
7.7MB

Download

Analysis

Sharing