redline | a71bc1a9c73d95cfcada85c017b39e7d8b0aa6c8c80ef0410ab38a289a9871e1

Analysis

max time kernel
129s
max time network
146s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
10/11/2024, 23:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ff796cfa476a4dc68d5d01340d99ce2aa76add70ea69f751ca0fa48f4b03724f.exe
Size

387KB
MD5

7c633602c37572f5c0134c56ffb03d4d
SHA1

d0f59a62757b426eca5be2838f165e7f3ca63b23
SHA256

ff796cfa476a4dc68d5d01340d99ce2aa76add70ea69f751ca0fa48f4b03724f
SHA512

2c8e8ebb33575c96a9130865cdf7f5abbf73cc379de7e6d140aaa9fbe7b8c8c91eb5bde3b51a6b92563aa291e151800f022761061fb3fb9b5e33e2dd0238ba51
SSDEEP

6144:HarYp69LhPz7fWS1bKtWM9bKlBNRjhZJh1qWeR4kAe8KxqK5g21TUxrOXWsiT4Vl:6fPzjoTOjntZJh1qWeR4kaNWTDNMc7

Score

10^/10

redline lyla10.11 discovery infostealer

Malware Config

Extracted

Family

redline

Botnet

Lyla10.11

185.215.113.216:21921

Attributes

auth_value
b78918bf192f26624c358e966a70107f

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 3 IoCs

resource	yara_rule
behavioral2/memory/2528-4-0x0000000005500000-0x0000000005538000-memory.dmp	family_redline
behavioral2/files/0x0008000000023cdd-9.dat	family_redline
behavioral2/memory/4804-17-0x0000000000E00000-0x0000000000E38000-memory.dmp	family_redline

Redline family
redline

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	ff796cfa476a4dc68d5d01340d99ce2aa76add70ea69f751ca0fa48f4b03724f.exe

Executes dropped EXE 1 IoCs

pid	Process
4804	Lyla1011.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ff796cfa476a4dc68d5d01340d99ce2aa76add70ea69f751ca0fa48f4b03724f.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lyla1011.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2528	ff796cfa476a4dc68d5d01340d99ce2aa76add70ea69f751ca0fa48f4b03724f.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2528 wrote to memory of 4804	2528	ff796cfa476a4dc68d5d01340d99ce2aa76add70ea69f751ca0fa48f4b03724f.exe	88
PID 2528 wrote to memory of 4804	2528	ff796cfa476a4dc68d5d01340d99ce2aa76add70ea69f751ca0fa48f4b03724f.exe	88
PID 2528 wrote to memory of 4804	2528	ff796cfa476a4dc68d5d01340d99ce2aa76add70ea69f751ca0fa48f4b03724f.exe	88

C:\Users\Admin\AppData\Local\Temp\ff796cfa476a4dc68d5d01340d99ce2aa76add70ea69f751ca0fa48f4b03724f.exe
"C:\Users\Admin\AppData\Local\Temp\ff796cfa476a4dc68d5d01340d99ce2aa76add70ea69f751ca0fa48f4b03724f.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2528
- C:\Windows\Temp\Lyla1011.exe
  "C:\Windows\Temp\Lyla1011.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:4804

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\Temp\Lyla1011.exe

Filesize
199KB

MD5
81e7c24b4392e2cef352aecac3def34e

SHA1
6e73a844a3487181cca59027e8b79bd5600254ac

SHA256
f0c0aef304c6919cec9e170b8c62d44a3f9003d04ec394e8c0b1d34f4e815dd9

SHA512
43471f7663d0504af3ae9d6d3161364c5b2e024c75248f5db501d588f5b7caa73e4391a015f991247076363e2a655372aabb919247b7882a91fce8d2e9d58a49

Download Submit
memory/2528-18-0x00000000750A0000-0x0000000075850000-memory.dmp

Filesize
7.7MB

Download
memory/2528-1-0x0000000000A30000-0x0000000000A98000-memory.dmp

Filesize
416KB

Download
memory/2528-2-0x00000000750A0000-0x0000000075850000-memory.dmp

Filesize
7.7MB

Download
memory/2528-3-0x00000000750A0000-0x0000000075850000-memory.dmp

Filesize
7.7MB

Download
memory/2528-4-0x0000000005500000-0x0000000005538000-memory.dmp

Filesize
224KB

Download
memory/2528-0-0x00000000750AE000-0x00000000750AF000-memory.dmp

Filesize
4KB

Download
memory/4804-21-0x00000000056A0000-0x00000000056B2000-memory.dmp

Filesize
72KB

Download
memory/4804-19-0x00000000750A0000-0x0000000075850000-memory.dmp

Filesize
7.7MB

Download
memory/4804-20-0x0000000005C40000-0x0000000006258000-memory.dmp

Filesize
6.1MB

Download
memory/4804-17-0x0000000000E00000-0x0000000000E38000-memory.dmp

Filesize
224KB

Download
memory/4804-22-0x00000000057D0000-0x00000000058DA000-memory.dmp

Filesize
1.0MB

Download
memory/4804-23-0x0000000005700000-0x000000000573C000-memory.dmp

Filesize
240KB

Download
memory/4804-24-0x0000000005740000-0x000000000578C000-memory.dmp

Filesize
304KB

Download
memory/4804-25-0x00000000750A0000-0x0000000075850000-memory.dmp

Filesize
7.7MB

Download
memory/4804-26-0x00000000750A0000-0x0000000075850000-memory.dmp

Filesize
7.7MB

Download