redline | e64b5fd46c03309346fd18af82ab0e74594b4951b70d61d0641e32d8df628365

General

Target

e64b5fd46c03309346fd18af82ab0e74594b4951b70d61d0641e32d8df628365.exe
Size

641KB
MD5

b31afc4c3e3c602f73e9b950cb0ad998
SHA1

e749453b14b5f8fa1648b9fead4f13edb2790c47
SHA256

e64b5fd46c03309346fd18af82ab0e74594b4951b70d61d0641e32d8df628365
SHA512

eced81289b68e8198b075d0d053411bd90dd4d40141b3bbadea29f76a3b594724f5b6b634c5eee010b795b66440a53f8c4c37111da4e972e4d29a1d3501f913b
SSDEEP

12288:NMrxy90T5+ewasznSw1vXr9kWogc40OJcPMl7l9p2dEPbIatUYhmwn:kyNvXhkW9sG9wdEPbIatKwn

Score

10^/10

redline darm discovery infostealer persistence

Malware Config

Extracted

Family

redline

Botnet

darm

C2

217.196.96.56:4138

Attributes

auth_value
d88ac8ccc04ab9979b04b46313db1648

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 2 IoCs

resource	yara_rule
behavioral1/files/0x0008000000023c9e-12.dat	family_redline
behavioral1/memory/2372-15-0x0000000000580000-0x00000000005B0000-memory.dmp	family_redline

Redline family
redline

Executes dropped EXE 2 IoCs

pid	Process
2376	x5962074.exe
2372	g5644177.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	e64b5fd46c03309346fd18af82ab0e74594b4951b70d61d0641e32d8df628365.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	x5962074.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e64b5fd46c03309346fd18af82ab0e74594b4951b70d61d0641e32d8df628365.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	x5962074.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	g5644177.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 4924 wrote to memory of 2376	4924	e64b5fd46c03309346fd18af82ab0e74594b4951b70d61d0641e32d8df628365.exe	83
PID 4924 wrote to memory of 2376	4924	e64b5fd46c03309346fd18af82ab0e74594b4951b70d61d0641e32d8df628365.exe	83
PID 4924 wrote to memory of 2376	4924	e64b5fd46c03309346fd18af82ab0e74594b4951b70d61d0641e32d8df628365.exe	83
PID 2376 wrote to memory of 2372	2376	x5962074.exe	84
PID 2376 wrote to memory of 2372	2376	x5962074.exe	84
PID 2376 wrote to memory of 2372	2376	x5962074.exe	84

C:\Users\Admin\AppData\Local\Temp\e64b5fd46c03309346fd18af82ab0e74594b4951b70d61d0641e32d8df628365.exe
"C:\Users\Admin\AppData\Local\Temp\e64b5fd46c03309346fd18af82ab0e74594b4951b70d61d0641e32d8df628365.exe"
1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4924
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x5962074.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x5962074.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2376
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g5644177.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g5644177.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:2372

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x5962074.exe

Filesize
382KB

MD5
01b666f28cd2e05a769ac8816a82806a

SHA1
bdea590fd50689dd866124248bee032ee8754dc0

SHA256
7d3c8d39fa3638a51b7be0c601a56f6e4e971f1803828b7b6d58e3589c295922

SHA512
fba79b9fabfd336374c1014790c43e7b0ce66476d382fcc37225b083e1216cfefa2c969a0e4f94cf9e8799fda112cda7773f7d0abc2177912415d12eef174e05

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g5644177.exe

Filesize
168KB

MD5
f667156175e5b297e8527a2464b90d57

SHA1
4c975c50a1ddcf9f0bf604630eb8cb8fdd9dba76

SHA256
dd0a65a3e602ac295ac944648c59799b248507129ff4f0c2adeedcd872ae62ba

SHA512
336c64491cc4c1cd03e187101b57b4138aa387cba5242b43024d03d9ff1190462fd5199ad88f31f28a626bcdc497f1ae3874f86f4b3eaf9b9b13dee2891012eb

Download Submit
memory/2372-14-0x0000000074B5E000-0x0000000074B5F000-memory.dmp

Filesize
4KB

Download
memory/2372-15-0x0000000000580000-0x00000000005B0000-memory.dmp

Filesize
192KB

Download
memory/2372-16-0x0000000002720000-0x0000000002726000-memory.dmp

Filesize
24KB

Download
memory/2372-17-0x000000000A9D0000-0x000000000AFE8000-memory.dmp

Filesize
6.1MB

Download
memory/2372-18-0x000000000A530000-0x000000000A63A000-memory.dmp

Filesize
1.0MB

Download
memory/2372-19-0x000000000A460000-0x000000000A472000-memory.dmp

Filesize
72KB

Download
memory/2372-20-0x0000000074B50000-0x0000000075300000-memory.dmp

Filesize
7.7MB

Download
memory/2372-21-0x000000000A4C0000-0x000000000A4FC000-memory.dmp

Filesize
240KB

Download
memory/2372-22-0x00000000048A0000-0x00000000048EC000-memory.dmp

Filesize
304KB

Download
memory/2372-23-0x0000000074B5E000-0x0000000074B5F000-memory.dmp

Filesize
4KB

Download
memory/2372-24-0x0000000074B50000-0x0000000075300000-memory.dmp

Filesize
7.7MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads