redline | de611fb0fd14adeff9ba768278bf95ba439ba644e5c630b621e2b6111d6963aa

General

Target

de611fb0fd14adeff9ba768278bf95ba439ba644e5c630b621e2b6111d6963aa.exe
Size

479KB
MD5

5b6deb42600590edf9a9cd8da9bc5a96
SHA1

c717b55950dff70c95ea862e87273fd64f153e7e
SHA256

de611fb0fd14adeff9ba768278bf95ba439ba644e5c630b621e2b6111d6963aa
SHA512

380fc12c3184c5f17ef5a21276e6b97c5ff09c3e78f5d7b04cdc57456928c877559dd3bf7c407ab189d9ef218cc63cf09b6275cbb3071e74e80de972728b1d40
SSDEEP

12288:wMrsy909qePvdGLlJJs13zXzeI5/1Zt24JXcICN3Ls+wys:MySP1klEqInZoIUs+wys

Score

10^/10

redline dumud discovery infostealer persistence

Malware Config

Extracted

Family

redline

Botnet

dumud

C2

217.196.96.101:4132

Attributes

auth_value
3e18d4b90418aa3e78d8822e87c62f5c

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 2 IoCs

resource	yara_rule
behavioral1/files/0x000b000000023b60-12.dat	family_redline
behavioral1/memory/3264-15-0x0000000000B20000-0x0000000000B50000-memory.dmp	family_redline

Redline family
redline

Executes dropped EXE 2 IoCs

pid	Process
1564	x9295573.exe
3264	g7712324.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	de611fb0fd14adeff9ba768278bf95ba439ba644e5c630b621e2b6111d6963aa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	x9295573.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	g7712324.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	de611fb0fd14adeff9ba768278bf95ba439ba644e5c630b621e2b6111d6963aa.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	x9295573.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 888 wrote to memory of 1564	888	de611fb0fd14adeff9ba768278bf95ba439ba644e5c630b621e2b6111d6963aa.exe	83
PID 888 wrote to memory of 1564	888	de611fb0fd14adeff9ba768278bf95ba439ba644e5c630b621e2b6111d6963aa.exe	83
PID 888 wrote to memory of 1564	888	de611fb0fd14adeff9ba768278bf95ba439ba644e5c630b621e2b6111d6963aa.exe	83
PID 1564 wrote to memory of 3264	1564	x9295573.exe	84
PID 1564 wrote to memory of 3264	1564	x9295573.exe	84
PID 1564 wrote to memory of 3264	1564	x9295573.exe	84

C:\Users\Admin\AppData\Local\Temp\de611fb0fd14adeff9ba768278bf95ba439ba644e5c630b621e2b6111d6963aa.exe
"C:\Users\Admin\AppData\Local\Temp\de611fb0fd14adeff9ba768278bf95ba439ba644e5c630b621e2b6111d6963aa.exe"
1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:888
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x9295573.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x9295573.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1564
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g7712324.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g7712324.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:3264

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x9295573.exe

Filesize
307KB

MD5
09608dd13af432d6424e51b3a81f5d4f

SHA1
f46281be5764fa643b8adb4a2354d5c8549a37c6

SHA256
75cb088fe615dbdd3935db119b3f69067d546b4e23c5861ea31116bf9e813cb6

SHA512
8a4ffc96cd3e3142b8726dce4f36c3ea7ce27fc9e7bdfe59e00f15958285d360532df44831171a69e8f6006f413427ac89377f47b5efea8a9f15a3c52f3f3ea9

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g7712324.exe

Filesize
168KB

MD5
e35c39d7ee65f6cd02e16fe591f9d90d

SHA1
d51bffcf2da78e5f5a11812d81bd4d03a2f99419

SHA256
150ac3907b3f8e3e9ec5862f35de9a3f181946f12f5739aa92188cae68dc6b60

SHA512
4ddafd7a3c923a2dd98862a7c3560e62d74db160ccfc9ec52c8904956defdd69beb02d2c43396f5aecc9123ca749242bf813b21748d0606f5d23f90e1b28409a

Download Submit
memory/3264-14-0x000000007410E000-0x000000007410F000-memory.dmp

Filesize
4KB

Download
memory/3264-15-0x0000000000B20000-0x0000000000B50000-memory.dmp

Filesize
192KB

Download
memory/3264-16-0x0000000002F40000-0x0000000002F46000-memory.dmp

Filesize
24KB

Download
memory/3264-17-0x0000000005CA0000-0x00000000062B8000-memory.dmp

Filesize
6.1MB

Download
memory/3264-18-0x0000000005790000-0x000000000589A000-memory.dmp

Filesize
1.0MB

Download
memory/3264-19-0x00000000055D0000-0x00000000055E2000-memory.dmp

Filesize
72KB

Download
memory/3264-20-0x0000000005630000-0x000000000566C000-memory.dmp

Filesize
240KB

Download
memory/3264-21-0x0000000074100000-0x00000000748B0000-memory.dmp

Filesize
7.7MB

Download
memory/3264-22-0x0000000005690000-0x00000000056DC000-memory.dmp

Filesize
304KB

Download
memory/3264-23-0x000000007410E000-0x000000007410F000-memory.dmp

Filesize
4KB

Download
memory/3264-24-0x0000000074100000-0x00000000748B0000-memory.dmp

Filesize
7.7MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads