redline | 4859ab09aee3a5b3afd36469b0e03064fe5d29422bfb2b522eb027989aa31ee4

General

Target

4859ab09aee3a5b3afd36469b0e03064fe5d29422bfb2b522eb027989aa31ee4.exe
Size

773KB
MD5

7d90af5042fabd5f2c371eb6237ab3e8
SHA1

096330632b18a78a88d30328584d3e94aa7c4cca
SHA256

4859ab09aee3a5b3afd36469b0e03064fe5d29422bfb2b522eb027989aa31ee4
SHA512

b85044dd1ad936a050645291fdb87c988f58c9f28f1bae6d9d55e85aa1fe89e6aa663b72e8ab1d728891966973c5b353d1a60dc42908c03bd93267cbbfd12c8e
SSDEEP

12288:uMr1y90KOE2rrWdU6uGoZdHFzgPRDRCtlp2dI9hkXTBNcormP0xB8p682CJUKd:7ylEm/XojpgPRDQ1AI9heNHq0xK6fCT

Score

10^/10

redline dubur discovery infostealer persistence

Malware Config

Extracted

Family

redline

Botnet

dubur

C2

217.196.96.102:4132

Attributes

auth_value
32d04179aa1e8d655d2d80c21f99de41

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 2 IoCs

resource	yara_rule
behavioral1/files/0x0008000000023c94-19.dat	family_redline
behavioral1/memory/1720-21-0x00000000000F0000-0x000000000011E000-memory.dmp	family_redline

Redline family
redline

Executes dropped EXE 3 IoCs

pid	Process
4992	x6791607.exe
2660	x8216394.exe
1720	f8054035.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	4859ab09aee3a5b3afd36469b0e03064fe5d29422bfb2b522eb027989aa31ee4.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	x6791607.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	x8216394.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	4859ab09aee3a5b3afd36469b0e03064fe5d29422bfb2b522eb027989aa31ee4.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	x6791607.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	x8216394.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f8054035.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 4264 wrote to memory of 4992	4264	4859ab09aee3a5b3afd36469b0e03064fe5d29422bfb2b522eb027989aa31ee4.exe	82
PID 4264 wrote to memory of 4992	4264	4859ab09aee3a5b3afd36469b0e03064fe5d29422bfb2b522eb027989aa31ee4.exe	82
PID 4264 wrote to memory of 4992	4264	4859ab09aee3a5b3afd36469b0e03064fe5d29422bfb2b522eb027989aa31ee4.exe	82
PID 4992 wrote to memory of 2660	4992	x6791607.exe	83
PID 4992 wrote to memory of 2660	4992	x6791607.exe	83
PID 4992 wrote to memory of 2660	4992	x6791607.exe	83
PID 2660 wrote to memory of 1720	2660	x8216394.exe	84
PID 2660 wrote to memory of 1720	2660	x8216394.exe	84
PID 2660 wrote to memory of 1720	2660	x8216394.exe	84

C:\Users\Admin\AppData\Local\Temp\4859ab09aee3a5b3afd36469b0e03064fe5d29422bfb2b522eb027989aa31ee4.exe
"C:\Users\Admin\AppData\Local\Temp\4859ab09aee3a5b3afd36469b0e03064fe5d29422bfb2b522eb027989aa31ee4.exe"
1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4264
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x6791607.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x6791607.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4992
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x8216394.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x8216394.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2660
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\f8054035.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\f8054035.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:1720

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x6791607.exe

Filesize
490KB

MD5
88afa16c7e1a0f89c2f7e0bd61adef37

SHA1
ae97e1546e33c0c064cc2cc3e1c661d14ce4e93b

SHA256
64f75441eef4038473ceeb150afacd14d723845bb9d25627edd61381e1838181

SHA512
54b5549a925ecf69f8ba5cf5d8d1b524012eab3bee15588111f96fb4c9bc29ad075625b569526d27fc7d974c79713c8cb350ca7914c4d52e5f47b91f71aeefb3

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x8216394.exe

Filesize
318KB

MD5
1f0577e399aa0014f9770a3c5a0eff63

SHA1
d911a669747b83406ea187e690560d64fd46c7c4

SHA256
22b73e32dc04130a4cc291eed79fc42604df2e42da5cf5517a58213437a35d7b

SHA512
958d29233d922d5bd35298a8585fdb8dddc295986d7f43a3e19136beb0440b3b34cc1ba6f40c39e704c65d949d1b115cffb1d0543925ba0647311f0c05441ff3

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\f8054035.exe

Filesize
168KB

MD5
58327e31ce3133e4aed81a39b7ca5284

SHA1
4e9bea150fc474da99a053d72337d14822a82794

SHA256
d2a72a0aa2c4f50ba276f0f64c1fe73f901b6d678fc9a95b17767d63db108738

SHA512
545c17ee4d0334350bc37780b74ec5b7ee4dea8eb131c29aeac8d1fb9f9778d7f37ab11e9a1d571f5715617211031ba3402d1fc46c83367fcd725fa5fa1b2bc2

Download Submit
memory/1720-21-0x00000000000F0000-0x000000000011E000-memory.dmp

Filesize
184KB

Download
memory/1720-22-0x0000000002320000-0x0000000002326000-memory.dmp

Filesize
24KB

Download
memory/1720-23-0x0000000005140000-0x0000000005758000-memory.dmp

Filesize
6.1MB

Download
memory/1720-24-0x0000000004C30000-0x0000000004D3A000-memory.dmp

Filesize
1.0MB

Download
memory/1720-25-0x0000000004960000-0x0000000004972000-memory.dmp

Filesize
72KB

Download
memory/1720-26-0x00000000049C0000-0x00000000049FC000-memory.dmp

Filesize
240KB

Download
memory/1720-27-0x0000000004B20000-0x0000000004B6C000-memory.dmp

Filesize
304KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads