redline | b56c702616666610a6fc34fe749a5a4baa826d0944ed942d4b4bca127688527f

General

Target

b56c702616666610a6fc34fe749a5a4baa826d0944ed942d4b4bca127688527f.exe
Size

567KB
MD5

1481ba15438c991cb67cd4be168b37ec
SHA1

f932a615b942ace5bb4b2eaf34f13e9b09d63cdc
SHA256

b56c702616666610a6fc34fe749a5a4baa826d0944ed942d4b4bca127688527f
SHA512

20ba6a1514e314ad8c5c60cac555d784efbf1803965804b7055f9472d03360d6c12852e8c2b6f4305b3ccbf5be31f5f5b3b49c52e6a373fabe2892829857e0c5
SSDEEP

12288:SMrZy90YofzybScnxHlgcgT/E6ppYCZyNFkIBBaa0Me9P:TyfeODnFlqTc6vFZyNFKFMe9P

Score

10^/10

redline darm discovery infostealer persistence

Malware Config

Extracted

Family

redline

Botnet

darm

C2

217.196.96.56:4138

Attributes

auth_value
d88ac8ccc04ab9979b04b46313db1648

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 2 IoCs

resource	yara_rule
behavioral1/files/0x000b000000023b65-12.dat	family_redline
behavioral1/memory/2364-15-0x0000000000F70000-0x0000000000FA0000-memory.dmp	family_redline

Redline family
redline

Executes dropped EXE 2 IoCs

pid	Process
1812	y7929202.exe
2364	k2408264.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	y7929202.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	b56c702616666610a6fc34fe749a5a4baa826d0944ed942d4b4bca127688527f.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	b56c702616666610a6fc34fe749a5a4baa826d0944ed942d4b4bca127688527f.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	y7929202.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	k2408264.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 4564 wrote to memory of 1812	4564	b56c702616666610a6fc34fe749a5a4baa826d0944ed942d4b4bca127688527f.exe	83
PID 4564 wrote to memory of 1812	4564	b56c702616666610a6fc34fe749a5a4baa826d0944ed942d4b4bca127688527f.exe	83
PID 4564 wrote to memory of 1812	4564	b56c702616666610a6fc34fe749a5a4baa826d0944ed942d4b4bca127688527f.exe	83
PID 1812 wrote to memory of 2364	1812	y7929202.exe	84
PID 1812 wrote to memory of 2364	1812	y7929202.exe	84
PID 1812 wrote to memory of 2364	1812	y7929202.exe	84

C:\Users\Admin\AppData\Local\Temp\b56c702616666610a6fc34fe749a5a4baa826d0944ed942d4b4bca127688527f.exe
"C:\Users\Admin\AppData\Local\Temp\b56c702616666610a6fc34fe749a5a4baa826d0944ed942d4b4bca127688527f.exe"
1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4564
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y7929202.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y7929202.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1812
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k2408264.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k2408264.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:2364

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y7929202.exe

Filesize
307KB

MD5
5c45afe5cb715dd64acc05c6d2c82981

SHA1
81123c53e6f0027e8ac27a384f63b34cb6e49567

SHA256
4ce77891d302d67c167b79291d0f49e96976808c16daa7280b747f645cb231ae

SHA512
01196cd4e141d79b9c1135046430b1566b18ce43d4dcc7e7b7f69061d8ae7f92a2718bb474cc086f60c6a1bc457e226201e46fe4f21dcb722dd914c54a0ada39

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k2408264.exe

Filesize
168KB

MD5
a5181cd74ac484ed298332a64dd50c92

SHA1
c80ca1979f45645fae5f5a2f2664c5f345cd3257

SHA256
2ad1ccbcbe07a8e86a8624ae119144febf28d83c865e337ff0a2ef701fab1649

SHA512
32b82933a3127745f8f09e92851ef5afedf838293f2aa16379f5595d6a22e85ad792d4f2d42096ab314e5203323107d1121e12f0cb765a68ce213ac3a8cc8967

Download Submit
memory/2364-14-0x00000000748DE000-0x00000000748DF000-memory.dmp

Filesize
4KB

Download
memory/2364-15-0x0000000000F70000-0x0000000000FA0000-memory.dmp

Filesize
192KB

Download
memory/2364-16-0x00000000031C0000-0x00000000031C6000-memory.dmp

Filesize
24KB

Download
memory/2364-17-0x0000000005F10000-0x0000000006528000-memory.dmp

Filesize
6.1MB

Download
memory/2364-18-0x0000000005A00000-0x0000000005B0A000-memory.dmp

Filesize
1.0MB

Download
memory/2364-19-0x00000000058F0000-0x0000000005902000-memory.dmp

Filesize
72KB

Download
memory/2364-20-0x0000000005950000-0x000000000598C000-memory.dmp

Filesize
240KB

Download
memory/2364-21-0x00000000748D0000-0x0000000075080000-memory.dmp

Filesize
7.7MB

Download
memory/2364-22-0x00000000059A0000-0x00000000059EC000-memory.dmp

Filesize
304KB

Download
memory/2364-23-0x00000000748DE000-0x00000000748DF000-memory.dmp

Filesize
4KB

Download
memory/2364-24-0x00000000748D0000-0x0000000075080000-memory.dmp

Filesize
7.7MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads