redline | 6f6787ec5f4650b6ea2728e2f7ac7375b1abbe1f5898d8fd171b87e9555cd5cd

General

Target

6f6787ec5f4650b6ea2728e2f7ac7375b1abbe1f5898d8fd171b87e9555cd5cd.exe
Size

479KB
MD5

b9b19673c73f64f24b8dda158adcaea4
SHA1

4ba693ff8e1828388a87eb8164048f2de661b331
SHA256

6f6787ec5f4650b6ea2728e2f7ac7375b1abbe1f5898d8fd171b87e9555cd5cd
SHA512

f7b8e0169125a401a92d84c51a7670ee29eea95b5ed4abe972d97f9fd12f21d9c8e3c76b7d2a6cfbd3244e5fa4f5d98c77fc91ee4e84518cf852c55ddff8e186
SSDEEP

12288:aMrYy90wB6KKcd5ymezXLqJwxoDQzjSuubigRJUVo:Oy/Bmcd5Kb2JZmWnbiQV

Score

10^/10

redline ditro discovery infostealer persistence

Malware Config

Extracted

Family

redline

Botnet

ditro

C2

217.196.96.101:4132

Attributes

auth_value
8f24ed370a9b24aa28d3d634ea57912e

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 2 IoCs

resource	yara_rule
behavioral1/files/0x0008000000023cb8-12.dat	family_redline
behavioral1/memory/3552-15-0x0000000000200000-0x0000000000230000-memory.dmp	family_redline

Redline family
redline

Executes dropped EXE 2 IoCs

pid	Process
628	x3827213.exe
3552	g2892671.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	6f6787ec5f4650b6ea2728e2f7ac7375b1abbe1f5898d8fd171b87e9555cd5cd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	x3827213.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	6f6787ec5f4650b6ea2728e2f7ac7375b1abbe1f5898d8fd171b87e9555cd5cd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	x3827213.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	g2892671.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 4056 wrote to memory of 628	4056	6f6787ec5f4650b6ea2728e2f7ac7375b1abbe1f5898d8fd171b87e9555cd5cd.exe	83
PID 4056 wrote to memory of 628	4056	6f6787ec5f4650b6ea2728e2f7ac7375b1abbe1f5898d8fd171b87e9555cd5cd.exe	83
PID 4056 wrote to memory of 628	4056	6f6787ec5f4650b6ea2728e2f7ac7375b1abbe1f5898d8fd171b87e9555cd5cd.exe	83
PID 628 wrote to memory of 3552	628	x3827213.exe	84
PID 628 wrote to memory of 3552	628	x3827213.exe	84
PID 628 wrote to memory of 3552	628	x3827213.exe	84

C:\Users\Admin\AppData\Local\Temp\6f6787ec5f4650b6ea2728e2f7ac7375b1abbe1f5898d8fd171b87e9555cd5cd.exe
"C:\Users\Admin\AppData\Local\Temp\6f6787ec5f4650b6ea2728e2f7ac7375b1abbe1f5898d8fd171b87e9555cd5cd.exe"
1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4056
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x3827213.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x3827213.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:628
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g2892671.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g2892671.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:3552

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x3827213.exe

Filesize
307KB

MD5
a94436ed153c91d3b6533168ac043d12

SHA1
a0340a513e32f882b340a95489da800073d04275

SHA256
bb9d248eb188b86ecf4c763f9becc4d21012aa51020d2e203f66884712e56c1e

SHA512
5be71adaad5399e85fe13c3c1c1323a398d3c28369c877e64adcff2564fd6562ec0326d9e055ea8df137ba9d407cb92faa42db067b0918ce80d34d1ea47006b2

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g2892671.exe

Filesize
168KB

MD5
ceb3f7c80a8f5adc893feb73fd9b8e55

SHA1
aee3258e7d98aae46e60ff7a7f843ed641efb42c

SHA256
7663ede98af86cb2c0153691967049f91071c29e083c048492c560d922674346

SHA512
96b57b5dbfb610d6e4560e8158a12ba221a3696bf8303464085a6e4d83015416b20908a73a4131e7cacf57af58d15d8bdb561ecf3385d06dac4052e900599218

Download Submit
memory/3552-14-0x0000000074B2E000-0x0000000074B2F000-memory.dmp

Filesize
4KB

Download
memory/3552-15-0x0000000000200000-0x0000000000230000-memory.dmp

Filesize
192KB

Download
memory/3552-16-0x0000000002630000-0x0000000002636000-memory.dmp

Filesize
24KB

Download
memory/3552-17-0x00000000052F0000-0x0000000005908000-memory.dmp

Filesize
6.1MB

Download
memory/3552-18-0x0000000004DE0000-0x0000000004EEA000-memory.dmp

Filesize
1.0MB

Download
memory/3552-19-0x0000000004CD0000-0x0000000004CE2000-memory.dmp

Filesize
72KB

Download
memory/3552-20-0x0000000074B20000-0x00000000752D0000-memory.dmp

Filesize
7.7MB

Download
memory/3552-21-0x0000000004D30000-0x0000000004D6C000-memory.dmp

Filesize
240KB

Download
memory/3552-22-0x0000000004D70000-0x0000000004DBC000-memory.dmp

Filesize
304KB

Download
memory/3552-23-0x0000000074B2E000-0x0000000074B2F000-memory.dmp

Filesize
4KB

Download
memory/3552-24-0x0000000074B20000-0x00000000752D0000-memory.dmp

Filesize
7.7MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads