redline | 50c1a986d1fcc19fdcca2c670e71ab09488ec151f9a8bfce488c79412226db81

General

Target

50c1a986d1fcc19fdcca2c670e71ab09488ec151f9a8bfce488c79412226db81.exe
Size

480KB
MD5

5e718506cda1fb1efb59a260e9b62f14
SHA1

6f956652e7ae724598314c2361c5da54e2d11612
SHA256

50c1a986d1fcc19fdcca2c670e71ab09488ec151f9a8bfce488c79412226db81
SHA512

e61426ad8425c7c57f520658b9c681d20b0bc4a2c6e5602524823717e70ec7be1e11e767aa5aa16412b4d98970a94427af7eb7e1cffd93b9569371d69b7d6edc
SSDEEP

6144:Kxy+bnr+sp0yN90QE/jeWEuZpFA6iHElA1uJ3hvMubMs14KyAmvo3JnPoix5DRD1:/MrUy90VHewRv9soLpw10Z

Score

10^/10

redline dumud discovery infostealer persistence

Malware Config

Extracted

Family

redline

Botnet

dumud

C2

217.196.96.101:4132

Attributes

auth_value
3e18d4b90418aa3e78d8822e87c62f5c

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 2 IoCs

resource	yara_rule
behavioral1/files/0x0008000000023cb9-12.dat	family_redline
behavioral1/memory/788-15-0x0000000000270000-0x00000000002A0000-memory.dmp	family_redline

Redline family
redline

Executes dropped EXE 2 IoCs

pid	Process
3476	x7005573.exe
788	g7144799.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	50c1a986d1fcc19fdcca2c670e71ab09488ec151f9a8bfce488c79412226db81.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	x7005573.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	50c1a986d1fcc19fdcca2c670e71ab09488ec151f9a8bfce488c79412226db81.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	x7005573.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	g7144799.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 4584 wrote to memory of 3476	4584	50c1a986d1fcc19fdcca2c670e71ab09488ec151f9a8bfce488c79412226db81.exe	83
PID 4584 wrote to memory of 3476	4584	50c1a986d1fcc19fdcca2c670e71ab09488ec151f9a8bfce488c79412226db81.exe	83
PID 4584 wrote to memory of 3476	4584	50c1a986d1fcc19fdcca2c670e71ab09488ec151f9a8bfce488c79412226db81.exe	83
PID 3476 wrote to memory of 788	3476	x7005573.exe	85
PID 3476 wrote to memory of 788	3476	x7005573.exe	85
PID 3476 wrote to memory of 788	3476	x7005573.exe	85

C:\Users\Admin\AppData\Local\Temp\50c1a986d1fcc19fdcca2c670e71ab09488ec151f9a8bfce488c79412226db81.exe
"C:\Users\Admin\AppData\Local\Temp\50c1a986d1fcc19fdcca2c670e71ab09488ec151f9a8bfce488c79412226db81.exe"
1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4584
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x7005573.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x7005573.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3476
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g7144799.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g7144799.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:788

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x7005573.exe

Filesize
307KB

MD5
c4a83feac5419e6b6af58ba15d92c18e

SHA1
c0431629c10070452a09fd663a41ff84ccb05032

SHA256
c199f2406c1c354b14957fa1ac1fc0d575de10f6dfb5025407aec0e1d5eab1e9

SHA512
217b36abb6206a2efee40fee7686448a808ab5d391bc2ae830969b261fd6331c37d8d2ae9b15cce5026eef8f79758b91f7ac5ca6a695ca2353d6764a8990eb23

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g7144799.exe

Filesize
168KB

MD5
ce0e7adfc6bb0cb16305903843baa678

SHA1
e302ad49544f13e3f41809d58d78b2c355d98b6a

SHA256
48e130383057175f1c827b1c26810527b88c06245cc2eb476698838ed4f4e14b

SHA512
3775e65bbda061e77c6c8f68d20313b6f9224c28ce84aa2d1d17f6367fe0badb0f5acb99fc76c45414cc2b7627d9467a1ace13d4f66036f71ce8cac3244756f3

Download Submit
memory/788-14-0x0000000074B5E000-0x0000000074B5F000-memory.dmp

Filesize
4KB

Download
memory/788-15-0x0000000000270000-0x00000000002A0000-memory.dmp

Filesize
192KB

Download
memory/788-16-0x0000000000BA0000-0x0000000000BA6000-memory.dmp

Filesize
24KB

Download
memory/788-17-0x00000000052E0000-0x00000000058F8000-memory.dmp

Filesize
6.1MB

Download
memory/788-18-0x0000000004DD0000-0x0000000004EDA000-memory.dmp

Filesize
1.0MB

Download
memory/788-19-0x00000000046A0000-0x00000000046B2000-memory.dmp

Filesize
72KB

Download
memory/788-20-0x0000000004C70000-0x0000000004CAC000-memory.dmp

Filesize
240KB

Download
memory/788-21-0x0000000074B50000-0x0000000075300000-memory.dmp

Filesize
7.7MB

Download
memory/788-22-0x0000000004CC0000-0x0000000004D0C000-memory.dmp

Filesize
304KB

Download
memory/788-23-0x0000000074B5E000-0x0000000074B5F000-memory.dmp

Filesize
4KB

Download
memory/788-24-0x0000000074B50000-0x0000000075300000-memory.dmp

Filesize
7.7MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads