redline | b04d292ebb745b28099104e579b5d0aea75e8dc164bace5a943eb46767825c00

General

Target

b04d292ebb745b28099104e579b5d0aea75e8dc164bace5a943eb46767825c00.exe
Size

642KB
MD5

71b9c7a08d4ca044ef3a748fd3f458c3
SHA1

6442795333fded41c22adc47ccef8556908905bc
SHA256

b04d292ebb745b28099104e579b5d0aea75e8dc164bace5a943eb46767825c00
SHA512

032c5ca7ef349b0dda32f21d1a8d4ce330faaebac2865bb8896ce0237f19eabe18d6c72aa3db2dd32a829460ac0692314f5a9c5c5e80ece92621eb492bd12255
SSDEEP

12288:sMrFy90OHm6myiHXg4i6X8Lro7VUQLegvklac4:xyBWXK6X8ro726tvX

Score

10^/10

redline darm discovery infostealer persistence

Malware Config

Extracted

Family

redline

Botnet

darm

C2

217.196.96.56:4138

Attributes

auth_value
d88ac8ccc04ab9979b04b46313db1648

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 2 IoCs

resource	yara_rule
behavioral1/files/0x000a000000023bd1-12.dat	family_redline
behavioral1/memory/4856-15-0x0000000000A40000-0x0000000000A70000-memory.dmp	family_redline

Redline family
redline

Executes dropped EXE 2 IoCs

pid	Process
824	x1988380.exe
4856	g3106983.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	b04d292ebb745b28099104e579b5d0aea75e8dc164bace5a943eb46767825c00.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	x1988380.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	b04d292ebb745b28099104e579b5d0aea75e8dc164bace5a943eb46767825c00.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	x1988380.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	g3106983.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 1528 wrote to memory of 824	1528	b04d292ebb745b28099104e579b5d0aea75e8dc164bace5a943eb46767825c00.exe	83
PID 1528 wrote to memory of 824	1528	b04d292ebb745b28099104e579b5d0aea75e8dc164bace5a943eb46767825c00.exe	83
PID 1528 wrote to memory of 824	1528	b04d292ebb745b28099104e579b5d0aea75e8dc164bace5a943eb46767825c00.exe	83
PID 824 wrote to memory of 4856	824	x1988380.exe	84
PID 824 wrote to memory of 4856	824	x1988380.exe	84
PID 824 wrote to memory of 4856	824	x1988380.exe	84

C:\Users\Admin\AppData\Local\Temp\b04d292ebb745b28099104e579b5d0aea75e8dc164bace5a943eb46767825c00.exe
"C:\Users\Admin\AppData\Local\Temp\b04d292ebb745b28099104e579b5d0aea75e8dc164bace5a943eb46767825c00.exe"
1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1528
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x1988380.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x1988380.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:824
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g3106983.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g3106983.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:4856

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x1988380.exe

Filesize
384KB

MD5
f49d93995772b7eb7806761db438a04a

SHA1
4c8abe9e2d3b960edf671b748fe67cea5b0cc6bc

SHA256
41dafbd88d1a14c7679f374d3098dc737e04526fe0b25b81b514665fc4e760e0

SHA512
11c14301095c36de347fbcc991c3ddc33501151a199a433d129d572f4936067ae12000a3e6088e8d1c3d70989a52d60c30a21ae33ba44026a3d9e266fe360768

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g3106983.exe

Filesize
168KB

MD5
8afc11fa6dd7adad707148376d6d63ba

SHA1
62f575d6863b9b1f8a97baf7c80859a5ce6786e5

SHA256
71dce959317710ddab525b44b2be45e522a6aef21c6cb2972001af5ce8e37b37

SHA512
6e5ff94c3be788539c4580bc056721e7fd6c76cb16116b1c9c6eda28bfa386868baa4c177d1800d6782cc4d979888e931d079f4e305ff3d7d7919ff6a3c6ca21

Download Submit
memory/4856-14-0x00000000745AE000-0x00000000745AF000-memory.dmp

Filesize
4KB

Download
memory/4856-15-0x0000000000A40000-0x0000000000A70000-memory.dmp

Filesize
192KB

Download
memory/4856-16-0x0000000002D70000-0x0000000002D76000-memory.dmp

Filesize
24KB

Download
memory/4856-17-0x0000000005B40000-0x0000000006158000-memory.dmp

Filesize
6.1MB

Download
memory/4856-18-0x0000000005630000-0x000000000573A000-memory.dmp

Filesize
1.0MB

Download
memory/4856-19-0x00000000053F0000-0x0000000005402000-memory.dmp

Filesize
72KB

Download
memory/4856-20-0x0000000005560000-0x000000000559C000-memory.dmp

Filesize
240KB

Download
memory/4856-21-0x00000000745A0000-0x0000000074D50000-memory.dmp

Filesize
7.7MB

Download
memory/4856-22-0x00000000055B0000-0x00000000055FC000-memory.dmp

Filesize
304KB

Download
memory/4856-23-0x00000000745AE000-0x00000000745AF000-memory.dmp

Filesize
4KB

Download
memory/4856-24-0x00000000745A0000-0x0000000074D50000-memory.dmp

Filesize
7.7MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads