redline | 3b6f93a85fa42b6a5dadf1cea4a4935edf1d158b9776030253b0b2f85c074ca5

General

Target

3b6f93a85fa42b6a5dadf1cea4a4935edf1d158b9776030253b0b2f85c074ca5.exe
Size

567KB
MD5

aae1ad883c1daa0012704108bb3a973c
SHA1

bedbe912ccd2f17fe5cf1a9e6cbfeac3cbe9fcaf
SHA256

3b6f93a85fa42b6a5dadf1cea4a4935edf1d158b9776030253b0b2f85c074ca5
SHA512

ef5d7f73fa0dc38aeec6e9e030bb83a474f4eef84ae983e560b3b815067464f2544d8051ec4b9de1b994d6d05ca82afc6046b99777647f3266b2ba4279a28e82
SSDEEP

12288:EMrCy90w93yeLUtoBMI5jkdCNCxqYTW6NTYx2ilq44VicBS:Oyn93lUtW5jkoYTMx2yp4xk

Score

10^/10

redline darm discovery infostealer persistence

Malware Config

Extracted

Family

redline

Botnet

darm

C2

217.196.96.56:4138

Attributes

auth_value
d88ac8ccc04ab9979b04b46313db1648

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 2 IoCs

resource	yara_rule
behavioral1/files/0x000b000000023b84-12.dat	family_redline
behavioral1/memory/1440-15-0x0000000000230000-0x0000000000260000-memory.dmp	family_redline

Redline family
redline

Executes dropped EXE 2 IoCs

pid	Process
1028	y2612280.exe
1440	k2383322.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	3b6f93a85fa42b6a5dadf1cea4a4935edf1d158b9776030253b0b2f85c074ca5.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	y2612280.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	y2612280.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	k2383322.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3b6f93a85fa42b6a5dadf1cea4a4935edf1d158b9776030253b0b2f85c074ca5.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 2316 wrote to memory of 1028	2316	3b6f93a85fa42b6a5dadf1cea4a4935edf1d158b9776030253b0b2f85c074ca5.exe	83
PID 2316 wrote to memory of 1028	2316	3b6f93a85fa42b6a5dadf1cea4a4935edf1d158b9776030253b0b2f85c074ca5.exe	83
PID 2316 wrote to memory of 1028	2316	3b6f93a85fa42b6a5dadf1cea4a4935edf1d158b9776030253b0b2f85c074ca5.exe	83
PID 1028 wrote to memory of 1440	1028	y2612280.exe	84
PID 1028 wrote to memory of 1440	1028	y2612280.exe	84
PID 1028 wrote to memory of 1440	1028	y2612280.exe	84

C:\Users\Admin\AppData\Local\Temp\3b6f93a85fa42b6a5dadf1cea4a4935edf1d158b9776030253b0b2f85c074ca5.exe
"C:\Users\Admin\AppData\Local\Temp\3b6f93a85fa42b6a5dadf1cea4a4935edf1d158b9776030253b0b2f85c074ca5.exe"
1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2316
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y2612280.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y2612280.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1028
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k2383322.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k2383322.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:1440

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y2612280.exe

Filesize
307KB

MD5
ff03f96135c69eff8bbdb9cb3095e648

SHA1
98ae6e3099dabb4bed9fe5e460741c909c24e5c4

SHA256
a0952de9f08649b9dbc06c06de07cfd62c153cd854b7686e82dc87dedfd3dfba

SHA512
5ec954b48af52678e27644ef3283ebfd2b35af565914396c93a3f99725b341fcfd737a08cba3fb423e062d5662b4b02fcc542d01390c0f67222a4808990bcb6c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k2383322.exe

Filesize
168KB

MD5
2e9981563b8a34be7d1cc51cc985f7b8

SHA1
1818ccd1e48fb4a529cbf19cb53b5b856736552f

SHA256
7bf6e280c99d997cf5e3c2a448ebe3e33ce909ddf9ab4e182129036392448709

SHA512
1020e3759406b82577acc65b005975f183193b4f34f67c639612185c15c3d4dc330b1f691a96abd4fdfb3b99ca159dbf6b7c88ec29e9b6f7a1d28acb4891fd34

Download Submit
memory/1440-14-0x000000007421E000-0x000000007421F000-memory.dmp

Filesize
4KB

Download
memory/1440-15-0x0000000000230000-0x0000000000260000-memory.dmp

Filesize
192KB

Download
memory/1440-16-0x00000000008F0000-0x00000000008F6000-memory.dmp

Filesize
24KB

Download
memory/1440-17-0x0000000005270000-0x0000000005888000-memory.dmp

Filesize
6.1MB

Download
memory/1440-18-0x0000000004D60000-0x0000000004E6A000-memory.dmp

Filesize
1.0MB

Download
memory/1440-19-0x0000000004AA0000-0x0000000004AB2000-memory.dmp

Filesize
72KB

Download
memory/1440-20-0x0000000004B00000-0x0000000004B3C000-memory.dmp

Filesize
240KB

Download
memory/1440-21-0x0000000074210000-0x00000000749C0000-memory.dmp

Filesize
7.7MB

Download
memory/1440-22-0x0000000004C60000-0x0000000004CAC000-memory.dmp

Filesize
304KB

Download
memory/1440-23-0x000000007421E000-0x000000007421F000-memory.dmp

Filesize
4KB

Download
memory/1440-24-0x0000000074210000-0x00000000749C0000-memory.dmp

Filesize
7.7MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads