redline | 6bdc304f6dbd8badb29e4470519fb2b82292a914ea456b8084dc49437a250699

General

Target

6bdc304f6dbd8badb29e4470519fb2b82292a914ea456b8084dc49437a250699.exe
Size

642KB
MD5

931ced37f5592da18d4638179cd83b03
SHA1

26f80f9ec71df5cb4c300e5287eb4da1e15458dd
SHA256

6bdc304f6dbd8badb29e4470519fb2b82292a914ea456b8084dc49437a250699
SHA512

84a3d28fc015ef89e382f9d4ef4975710705040256f31243989e6984d708ee21321784ea0b9f1d34ccb5eb7f5a5623bc2a103b6fc3e4cfa36a2d5b102f79f335
SSDEEP

12288:hMrWy90WC4+JqlctSP04v2AjtWlzq8EsCzZkdPTmCU05:Dyg4/ctSP0GIPaZwTmc

Score

10^/10

redline darm discovery infostealer persistence

Malware Config

Extracted

Family

redline

Botnet

darm

C2

217.196.96.56:4138

Attributes

auth_value
d88ac8ccc04ab9979b04b46313db1648

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 2 IoCs

resource	yara_rule
behavioral1/files/0x0008000000023c8a-12.dat	family_redline
behavioral1/memory/3988-15-0x0000000000860000-0x0000000000890000-memory.dmp	family_redline

Redline family
redline

Executes dropped EXE 2 IoCs

pid	Process
2296	x0710470.exe
3988	g7273018.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	6bdc304f6dbd8badb29e4470519fb2b82292a914ea456b8084dc49437a250699.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	x0710470.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	6bdc304f6dbd8badb29e4470519fb2b82292a914ea456b8084dc49437a250699.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	x0710470.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	g7273018.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 3484 wrote to memory of 2296	3484	6bdc304f6dbd8badb29e4470519fb2b82292a914ea456b8084dc49437a250699.exe	84
PID 3484 wrote to memory of 2296	3484	6bdc304f6dbd8badb29e4470519fb2b82292a914ea456b8084dc49437a250699.exe	84
PID 3484 wrote to memory of 2296	3484	6bdc304f6dbd8badb29e4470519fb2b82292a914ea456b8084dc49437a250699.exe	84
PID 2296 wrote to memory of 3988	2296	x0710470.exe	85
PID 2296 wrote to memory of 3988	2296	x0710470.exe	85
PID 2296 wrote to memory of 3988	2296	x0710470.exe	85

C:\Users\Admin\AppData\Local\Temp\6bdc304f6dbd8badb29e4470519fb2b82292a914ea456b8084dc49437a250699.exe
"C:\Users\Admin\AppData\Local\Temp\6bdc304f6dbd8badb29e4470519fb2b82292a914ea456b8084dc49437a250699.exe"
1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3484
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x0710470.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x0710470.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2296
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g7273018.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g7273018.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:3988

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x0710470.exe

Filesize
384KB

MD5
e804fa8189acc1f6bf5391f728c459f1

SHA1
e514cfe694b1cc49299057aa3b71dbc63288af32

SHA256
61ef8aa1ad373d55851d72c435edc2bdfc43f8abcd83536bae2d31810c6aed11

SHA512
c7350aff565c6504deacd4b34872ba1b6c227c52343f05269116bb1b26baf30b0c4a1742a999d62322542b5c18ca8bf741a94ac0222574cb433d48b841c32e82

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g7273018.exe

Filesize
168KB

MD5
7479b2fc043db5b47a2a469aff80485e

SHA1
b0c1d38f0575cddd36e69b0058e8d1be60395dc2

SHA256
638b3ce5193e2a1ce181964df116f01535784c312791b4983e2077e0f532fa14

SHA512
2400e5ceff8371ae441735afc93d40c22492b338f0c62dcc9d7fed0fff6a514f1f9c209c263001ccc0d1d27c984e23dd2f60a5d1a17e0e6be208d8be9967862b

Download Submit
memory/3988-14-0x00000000743FE000-0x00000000743FF000-memory.dmp

Filesize
4KB

Download
memory/3988-15-0x0000000000860000-0x0000000000890000-memory.dmp

Filesize
192KB

Download
memory/3988-16-0x0000000002C50000-0x0000000002C56000-memory.dmp

Filesize
24KB

Download
memory/3988-17-0x000000000ACB0000-0x000000000B2C8000-memory.dmp

Filesize
6.1MB

Download
memory/3988-18-0x000000000A810000-0x000000000A91A000-memory.dmp

Filesize
1.0MB

Download
memory/3988-19-0x000000000A740000-0x000000000A752000-memory.dmp

Filesize
72KB

Download
memory/3988-21-0x000000000A7A0000-0x000000000A7DC000-memory.dmp

Filesize
240KB

Download
memory/3988-20-0x00000000743F0000-0x0000000074BA0000-memory.dmp

Filesize
7.7MB

Download
memory/3988-22-0x0000000004C90000-0x0000000004CDC000-memory.dmp

Filesize
304KB

Download
memory/3988-23-0x00000000743FE000-0x00000000743FF000-memory.dmp

Filesize
4KB

Download
memory/3988-24-0x00000000743F0000-0x0000000074BA0000-memory.dmp

Filesize
7.7MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads