redline | c87115c625629f94b55a7dfe3760e08425288218eb3435f982ebb7309f41cfd4

General

Target

c87115c625629f94b55a7dfe3760e08425288218eb3435f982ebb7309f41cfd4.exe
Size

567KB
MD5

bdd3b76782069e58bb176e3603b4939b
SHA1

d020a6002597ab1b4d209803bffdc9d45b5f152d
SHA256

c87115c625629f94b55a7dfe3760e08425288218eb3435f982ebb7309f41cfd4
SHA512

6e27c6bb0c99d4bd03b64f819a1ead686ceb23c5bb2cd0305f3564fd669370ab5e08b06f816d5e47315fbf8e2c573b0fa9214f9c175aedaf9b19e7521c62dc4b
SSDEEP

12288:0Mrpy90FG67SL5ODLG4nE4IAj9eaJi2WyLXR8w:Ny6YELG4nt3nJpVz

Score

10^/10

redline darm discovery infostealer persistence

Malware Config

Extracted

Family

redline

Botnet

darm

C2

217.196.96.56:4138

Attributes

auth_value
d88ac8ccc04ab9979b04b46313db1648

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 2 IoCs

resource	yara_rule
behavioral1/files/0x000b000000023b88-12.dat	family_redline
behavioral1/memory/1920-15-0x0000000000040000-0x0000000000070000-memory.dmp	family_redline

Redline family
redline

Executes dropped EXE 2 IoCs

pid	Process
2832	y5101184.exe
1920	k4523257.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	c87115c625629f94b55a7dfe3760e08425288218eb3435f982ebb7309f41cfd4.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	y5101184.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	c87115c625629f94b55a7dfe3760e08425288218eb3435f982ebb7309f41cfd4.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	y5101184.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	k4523257.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 4328 wrote to memory of 2832	4328	c87115c625629f94b55a7dfe3760e08425288218eb3435f982ebb7309f41cfd4.exe	83
PID 4328 wrote to memory of 2832	4328	c87115c625629f94b55a7dfe3760e08425288218eb3435f982ebb7309f41cfd4.exe	83
PID 4328 wrote to memory of 2832	4328	c87115c625629f94b55a7dfe3760e08425288218eb3435f982ebb7309f41cfd4.exe	83
PID 2832 wrote to memory of 1920	2832	y5101184.exe	84
PID 2832 wrote to memory of 1920	2832	y5101184.exe	84
PID 2832 wrote to memory of 1920	2832	y5101184.exe	84

C:\Users\Admin\AppData\Local\Temp\c87115c625629f94b55a7dfe3760e08425288218eb3435f982ebb7309f41cfd4.exe
"C:\Users\Admin\AppData\Local\Temp\c87115c625629f94b55a7dfe3760e08425288218eb3435f982ebb7309f41cfd4.exe"
1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4328
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y5101184.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y5101184.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2832
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k4523257.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k4523257.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:1920

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y5101184.exe

Filesize
307KB

MD5
5b004b36681c48d66e51ec374390a265

SHA1
a5d46f5befeb96ee05872993e65f404e81f32219

SHA256
858ccd5104f354357b2d3536c4cc55ed14ac9417e28e364b800bdff65b07a8a9

SHA512
547355eaf3d14cc358a816706baef478773a7580489a4e3aa7d51009855ad8df4ea7cf0eee373b818e503fa28d18564cd536dfb542ebb4aedf5cac509713e767

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k4523257.exe

Filesize
168KB

MD5
88b3ed7a81562b66dd943b5a9b7e0597

SHA1
ef0f50937e999504f5a9c182e12f7cbbe93a98ba

SHA256
3bc751eafb45cbfcb09901adb3109bc97c6c72729fe6584e64c4ad311c85d9a8

SHA512
ee1bfdf215c08890045d9c7b0383f1f9cf09114f4d3ff5ab577dac4f66b49ec45bb4dcf9baa9fd7e3a91f2897a938883a2012462da042fb89a13867dff842699

Download Submit
memory/1920-14-0x000000007461E000-0x000000007461F000-memory.dmp

Filesize
4KB

Download
memory/1920-15-0x0000000000040000-0x0000000000070000-memory.dmp

Filesize
192KB

Download
memory/1920-16-0x0000000002430000-0x0000000002436000-memory.dmp

Filesize
24KB

Download
memory/1920-17-0x0000000005190000-0x00000000057A8000-memory.dmp

Filesize
6.1MB

Download
memory/1920-18-0x0000000004C80000-0x0000000004D8A000-memory.dmp

Filesize
1.0MB

Download
memory/1920-19-0x00000000049F0000-0x0000000004A02000-memory.dmp

Filesize
72KB

Download
memory/1920-20-0x0000000004B70000-0x0000000004BAC000-memory.dmp

Filesize
240KB

Download
memory/1920-21-0x0000000074610000-0x0000000074DC0000-memory.dmp

Filesize
7.7MB

Download
memory/1920-22-0x0000000004BB0000-0x0000000004BFC000-memory.dmp

Filesize
304KB

Download
memory/1920-23-0x000000007461E000-0x000000007461F000-memory.dmp

Filesize
4KB

Download
memory/1920-24-0x0000000074610000-0x0000000074DC0000-memory.dmp

Filesize
7.7MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads