redline | f6c780adc75536375ae7637169b0c0c3f71ef6e6acbdc3a3a0b00de362137714

General

Target

f6c780adc75536375ae7637169b0c0c3f71ef6e6acbdc3a3a0b00de362137714.exe
Size

642KB
MD5

2f60adf506c995474eca423d1cb4fa44
SHA1

d5fee7b5640fb85743967a48bbb9392956b9f81c
SHA256

f6c780adc75536375ae7637169b0c0c3f71ef6e6acbdc3a3a0b00de362137714
SHA512

27f20daf3606f1f3befaf6fafc5ed4345bcde1f8a05219788b96872b0bf98bf7e02630152d079288ffa567794eb76590c2e7a0f5f67dcceda1b1afd77266b5b2
SSDEEP

12288:eMriy906FiXBPGmb+a6CGiQs9HtDNjt60xYKsDxlklKFl:8yTCJGmaazjHVOYsxlzl

Score

10^/10

redline darm discovery infostealer persistence

Malware Config

Extracted

Family

redline

Botnet

darm

C2

217.196.96.56:4138

Attributes

auth_value
d88ac8ccc04ab9979b04b46313db1648

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 2 IoCs

resource	yara_rule
behavioral1/files/0x000b000000023b9c-12.dat	family_redline
behavioral1/memory/3904-15-0x0000000000AB0000-0x0000000000AE0000-memory.dmp	family_redline

Redline family
redline

Executes dropped EXE 2 IoCs

pid	Process
4936	x0507876.exe
3904	g2828564.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	f6c780adc75536375ae7637169b0c0c3f71ef6e6acbdc3a3a0b00de362137714.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	x0507876.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f6c780adc75536375ae7637169b0c0c3f71ef6e6acbdc3a3a0b00de362137714.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	x0507876.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	g2828564.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 2924 wrote to memory of 4936	2924	f6c780adc75536375ae7637169b0c0c3f71ef6e6acbdc3a3a0b00de362137714.exe	83
PID 2924 wrote to memory of 4936	2924	f6c780adc75536375ae7637169b0c0c3f71ef6e6acbdc3a3a0b00de362137714.exe	83
PID 2924 wrote to memory of 4936	2924	f6c780adc75536375ae7637169b0c0c3f71ef6e6acbdc3a3a0b00de362137714.exe	83
PID 4936 wrote to memory of 3904	4936	x0507876.exe	85
PID 4936 wrote to memory of 3904	4936	x0507876.exe	85
PID 4936 wrote to memory of 3904	4936	x0507876.exe	85

C:\Users\Admin\AppData\Local\Temp\f6c780adc75536375ae7637169b0c0c3f71ef6e6acbdc3a3a0b00de362137714.exe
"C:\Users\Admin\AppData\Local\Temp\f6c780adc75536375ae7637169b0c0c3f71ef6e6acbdc3a3a0b00de362137714.exe"
1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2924
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x0507876.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x0507876.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4936
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g2828564.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g2828564.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:3904

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x0507876.exe

Filesize
384KB

MD5
493ae8b37e7aa972108b76e1da39ccce

SHA1
5b7d8396b3fe1dc731af4df818bff91a0c0d128f

SHA256
47c36f776af36e36d577dcbbbae3963f7335acb67cc155f83c4a8caec301e8a3

SHA512
ef32dac3472142debbb478b76d5aa972154f5003b51bfc17f359b4c6f4ed6248b3d99bbae100298a8a256c2b8e3bba20613f3ca8f857ffe75b7304a6137a6ba8

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g2828564.exe

Filesize
168KB

MD5
63e0718a036e48ac7d74890f310713f4

SHA1
030a737830cc351829608c766351fae27b32c506

SHA256
7c8de34962c9cca48b9d10f7179a0817d93f9fc98ca3dd5038c2733f5d0efb4d

SHA512
fb47ad2a6db4d2aa45dfb5d865a199bf2e521deef60c5f18fadcbafa6d5eb60ff695471e2c24afde9ec9b9fe393659a54e4ca5b0e861ac52149a661efea345aa

Download Submit
memory/3904-14-0x00000000742CE000-0x00000000742CF000-memory.dmp

Filesize
4KB

Download
memory/3904-15-0x0000000000AB0000-0x0000000000AE0000-memory.dmp

Filesize
192KB

Download
memory/3904-16-0x0000000005290000-0x0000000005296000-memory.dmp

Filesize
24KB

Download
memory/3904-17-0x0000000005B90000-0x00000000061A8000-memory.dmp

Filesize
6.1MB

Download
memory/3904-18-0x0000000005680000-0x000000000578A000-memory.dmp

Filesize
1.0MB

Download
memory/3904-19-0x0000000005570000-0x0000000005582000-memory.dmp

Filesize
72KB

Download
memory/3904-20-0x00000000742C0000-0x0000000074A70000-memory.dmp

Filesize
7.7MB

Download
memory/3904-21-0x00000000055D0000-0x000000000560C000-memory.dmp

Filesize
240KB

Download
memory/3904-22-0x0000000005620000-0x000000000566C000-memory.dmp

Filesize
304KB

Download
memory/3904-23-0x00000000742CE000-0x00000000742CF000-memory.dmp

Filesize
4KB

Download
memory/3904-24-0x00000000742C0000-0x0000000074A70000-memory.dmp

Filesize
7.7MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads