redline | 367a1f1a3a240e4674d28e08bf4365b5551e3da5483bbe3462c49019d2fcff90

General

Target

367a1f1a3a240e4674d28e08bf4365b5551e3da5483bbe3462c49019d2fcff90.exe
Size

643KB
MD5

cd84e0de4f6f4b4b795245c30d067fe2
SHA1

94a509db8bd7f6b78001167b5a533ef1de2badb7
SHA256

367a1f1a3a240e4674d28e08bf4365b5551e3da5483bbe3462c49019d2fcff90
SHA512

db82f4b740f7204132c7b6be1b67b4284a33a417bb099772d3fd97048e5a92e24c67f732734252f32ae3370abf47f6331437806bb1391050646e3ffdf7166c3b
SSDEEP

12288:1MrHy90n1+kvFM5jHKgmrig1LQAR8IcMElROY2aPAw3W1+vfwhVtUxg5dKvch:2ys1+ddKFriqQ28blROza48Iif6PWIKC

Score

10^/10

redline darm discovery infostealer persistence

Malware Config

Extracted

Family

redline

Botnet

darm

C2

217.196.96.56:4138

Attributes

auth_value
d88ac8ccc04ab9979b04b46313db1648

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 2 IoCs

resource	yara_rule
behavioral1/files/0x0008000000023ca2-12.dat	family_redline
behavioral1/memory/3464-15-0x0000000000900000-0x0000000000930000-memory.dmp	family_redline

Redline family
redline

Executes dropped EXE 2 IoCs

pid	Process
2884	x2925665.exe
3464	g2221573.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	x2925665.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	367a1f1a3a240e4674d28e08bf4365b5551e3da5483bbe3462c49019d2fcff90.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	x2925665.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	g2221573.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	367a1f1a3a240e4674d28e08bf4365b5551e3da5483bbe3462c49019d2fcff90.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 4712 wrote to memory of 2884	4712	367a1f1a3a240e4674d28e08bf4365b5551e3da5483bbe3462c49019d2fcff90.exe	83
PID 4712 wrote to memory of 2884	4712	367a1f1a3a240e4674d28e08bf4365b5551e3da5483bbe3462c49019d2fcff90.exe	83
PID 4712 wrote to memory of 2884	4712	367a1f1a3a240e4674d28e08bf4365b5551e3da5483bbe3462c49019d2fcff90.exe	83
PID 2884 wrote to memory of 3464	2884	x2925665.exe	84
PID 2884 wrote to memory of 3464	2884	x2925665.exe	84
PID 2884 wrote to memory of 3464	2884	x2925665.exe	84

C:\Users\Admin\AppData\Local\Temp\367a1f1a3a240e4674d28e08bf4365b5551e3da5483bbe3462c49019d2fcff90.exe
"C:\Users\Admin\AppData\Local\Temp\367a1f1a3a240e4674d28e08bf4365b5551e3da5483bbe3462c49019d2fcff90.exe"
1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4712
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x2925665.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x2925665.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2884
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g2221573.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g2221573.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:3464

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x2925665.exe

Filesize
383KB

MD5
e2d7abc7781a896a36420c467ca4db33

SHA1
2f0360507f8fd4c75d6dfdc2974f4178d7ae2776

SHA256
1cd5b6d993277873e7010da93b4e66787457838bfdde7e56d1ce3044173a2f24

SHA512
ccf5d9fc1ff8061517849d5fa7b753ee511a939cdc2ea518e7a74021b61118549dcfd12fd70063b4b517cdb75a864a2e750efcd437c40c7be9dffc451f54f6b3

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g2221573.exe

Filesize
168KB

MD5
9740f040a11f79d37b5aa8d0e799314a

SHA1
1304d7593ece992385663db225aea63afbcd1d32

SHA256
360ed341aef09f7ef81af522f7896d9630c32d133a9b3b2d201e4def105c499a

SHA512
3bf64869bb5490472106b6c7f06e1441fc1724d30724d951190062997a6e1296f7a8cf402e021e42b003af7172f626aeab4fd4b3e4365b6a3a9146eec20a8e28

Download Submit
memory/3464-14-0x000000007470E000-0x000000007470F000-memory.dmp

Filesize
4KB

Download
memory/3464-15-0x0000000000900000-0x0000000000930000-memory.dmp

Filesize
192KB

Download
memory/3464-16-0x0000000002CC0000-0x0000000002CC6000-memory.dmp

Filesize
24KB

Download
memory/3464-17-0x000000000AD80000-0x000000000B398000-memory.dmp

Filesize
6.1MB

Download
memory/3464-18-0x000000000A8B0000-0x000000000A9BA000-memory.dmp

Filesize
1.0MB

Download
memory/3464-19-0x000000000A7E0000-0x000000000A7F2000-memory.dmp

Filesize
72KB

Download
memory/3464-20-0x000000000A840000-0x000000000A87C000-memory.dmp

Filesize
240KB

Download
memory/3464-21-0x0000000074700000-0x0000000074EB0000-memory.dmp

Filesize
7.7MB

Download
memory/3464-22-0x0000000002C40000-0x0000000002C8C000-memory.dmp

Filesize
304KB

Download
memory/3464-23-0x000000007470E000-0x000000007470F000-memory.dmp

Filesize
4KB

Download
memory/3464-24-0x0000000074700000-0x0000000074EB0000-memory.dmp

Filesize
7.7MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads