redline | b5bcc68a70d3e77be27c9abdb79de431472fd1ede8076834c31c5565e8c1810b

General

Target

b5bcc68a70d3e77be27c9abdb79de431472fd1ede8076834c31c5565e8c1810b.exe
Size

479KB
MD5

e0912697f059362e06deedb00570b13a
SHA1

a3e4bced506af5ae6e12443489edc9ebb6cf6fba
SHA256

b5bcc68a70d3e77be27c9abdb79de431472fd1ede8076834c31c5565e8c1810b
SHA512

22cc7786033597daa0a6cbbfb15cf9f6a828a5b86c5ddb09079b88b548463f09a18e6be03deaf620a9aaa171ef33a321f51892eaed385e2f40ec343a8973a5d3
SSDEEP

12288:9MrQy900/Dkpgh928ZmfNnKN7JZyzlj252i:1yhkpodm1AZul65Z

Score

10^/10

redline domor discovery infostealer persistence

Malware Config

Extracted

Family

redline

Botnet

domor

C2

217.196.96.101:4132

Attributes

auth_value
39471bda00546bb0435bc7adfd6881dc

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 2 IoCs

resource	yara_rule
behavioral1/files/0x0008000000023cc2-12.dat	family_redline
behavioral1/memory/4216-15-0x0000000000550000-0x000000000057E000-memory.dmp	family_redline

Redline family
redline

Executes dropped EXE 2 IoCs

pid	Process
4900	x3955378.exe
4216	g4779048.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	b5bcc68a70d3e77be27c9abdb79de431472fd1ede8076834c31c5565e8c1810b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	x3955378.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	x3955378.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	g4779048.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	b5bcc68a70d3e77be27c9abdb79de431472fd1ede8076834c31c5565e8c1810b.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 976 wrote to memory of 4900	976	b5bcc68a70d3e77be27c9abdb79de431472fd1ede8076834c31c5565e8c1810b.exe	83
PID 976 wrote to memory of 4900	976	b5bcc68a70d3e77be27c9abdb79de431472fd1ede8076834c31c5565e8c1810b.exe	83
PID 976 wrote to memory of 4900	976	b5bcc68a70d3e77be27c9abdb79de431472fd1ede8076834c31c5565e8c1810b.exe	83
PID 4900 wrote to memory of 4216	4900	x3955378.exe	84
PID 4900 wrote to memory of 4216	4900	x3955378.exe	84
PID 4900 wrote to memory of 4216	4900	x3955378.exe	84

C:\Users\Admin\AppData\Local\Temp\b5bcc68a70d3e77be27c9abdb79de431472fd1ede8076834c31c5565e8c1810b.exe
"C:\Users\Admin\AppData\Local\Temp\b5bcc68a70d3e77be27c9abdb79de431472fd1ede8076834c31c5565e8c1810b.exe"
1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:976
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x3955378.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x3955378.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4900
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g4779048.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g4779048.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:4216

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x3955378.exe

Filesize
307KB

MD5
b852abb3ea603945e8d9d20c149b9467

SHA1
28de8863b9362f8ebac1534ed7857adf7e26933c

SHA256
8efdd4d2c11befacd3b8abac9369dd10719e7acf249d6245c9dfe3b45ccb2c68

SHA512
44d49d8d4e8038d71a5ed609172e8f3e4c17e4bca37cd5defaf17b60c6bd3ad010207df46792cacbf0e1c5ad558c1fb6fa8d43b6870a366f1c73f1b85fba045c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g4779048.exe

Filesize
168KB

MD5
508694d25ed54a06dd3e0264095093df

SHA1
a588ac42d953410dd24eced693089f32ff0f7bcb

SHA256
0b92e7b85607e389290227e9f14664d3b87271df15a0b4d2f481d1e9145e76be

SHA512
2477b24d2e7f73aacaba94a1d07865044b048779ac68b102de6c123f2030b134405b5a81e5d9912620fa33b15dcc24c7a75f1eee74051a8c3083e2541b1f989f

Download Submit
memory/4216-14-0x00000000744BE000-0x00000000744BF000-memory.dmp

Filesize
4KB

Download
memory/4216-15-0x0000000000550000-0x000000000057E000-memory.dmp

Filesize
184KB

Download
memory/4216-16-0x0000000004D30000-0x0000000004D36000-memory.dmp

Filesize
24KB

Download
memory/4216-17-0x00000000054A0000-0x0000000005AB8000-memory.dmp

Filesize
6.1MB

Download
memory/4216-18-0x0000000004FA0000-0x00000000050AA000-memory.dmp

Filesize
1.0MB

Download
memory/4216-19-0x0000000004ED0000-0x0000000004EE2000-memory.dmp

Filesize
72KB

Download
memory/4216-21-0x00000000744B0000-0x0000000074C60000-memory.dmp

Filesize
7.7MB

Download
memory/4216-20-0x0000000004F30000-0x0000000004F6C000-memory.dmp

Filesize
240KB

Download
memory/4216-22-0x00000000050B0000-0x00000000050FC000-memory.dmp

Filesize
304KB

Download
memory/4216-23-0x00000000744BE000-0x00000000744BF000-memory.dmp

Filesize
4KB

Download
memory/4216-24-0x00000000744B0000-0x0000000074C60000-memory.dmp

Filesize
7.7MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads