redline | ec278130c39d3a445edbcfd08c9ddf16066d9730fb4a345a2324e0a5ef5a111b

General

Target

ec278130c39d3a445edbcfd08c9ddf16066d9730fb4a345a2324e0a5ef5a111b.exe
Size

567KB
MD5

79b95c3dc7907f91498bfed1438a5d89
SHA1

da5ee81e79aadb85d137ed5421a8b59a0aabf331
SHA256

ec278130c39d3a445edbcfd08c9ddf16066d9730fb4a345a2324e0a5ef5a111b
SHA512

8cfae816412b48e7692da3bd6ee52b03a125bcf02988638632fbb900393ebb1522ef1303e03e71f79dcff1035a33e38a03a0c1c5aa5dbd41ef5746c402a78632
SSDEEP

12288:gMrVy90nMY+1bK8SCmN4vXCTKAYTxwOQhGPg00JfG:FyPYaFfmN3CTGOCjfG

Score

10^/10

redline darm discovery infostealer persistence

Malware Config

Extracted

Family

redline

Botnet

darm

C2

217.196.96.56:4138

Attributes

auth_value
d88ac8ccc04ab9979b04b46313db1648

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 2 IoCs

resource	yara_rule
behavioral1/files/0x0008000000023c91-12.dat	family_redline
behavioral1/memory/3828-15-0x00000000009F0000-0x0000000000A20000-memory.dmp	family_redline

Redline family
redline

Executes dropped EXE 2 IoCs

pid	Process
2156	y0848720.exe
3828	k2246713.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	ec278130c39d3a445edbcfd08c9ddf16066d9730fb4a345a2324e0a5ef5a111b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	y0848720.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	y0848720.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	k2246713.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ec278130c39d3a445edbcfd08c9ddf16066d9730fb4a345a2324e0a5ef5a111b.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 2360 wrote to memory of 2156	2360	ec278130c39d3a445edbcfd08c9ddf16066d9730fb4a345a2324e0a5ef5a111b.exe	83
PID 2360 wrote to memory of 2156	2360	ec278130c39d3a445edbcfd08c9ddf16066d9730fb4a345a2324e0a5ef5a111b.exe	83
PID 2360 wrote to memory of 2156	2360	ec278130c39d3a445edbcfd08c9ddf16066d9730fb4a345a2324e0a5ef5a111b.exe	83
PID 2156 wrote to memory of 3828	2156	y0848720.exe	84
PID 2156 wrote to memory of 3828	2156	y0848720.exe	84
PID 2156 wrote to memory of 3828	2156	y0848720.exe	84

C:\Users\Admin\AppData\Local\Temp\ec278130c39d3a445edbcfd08c9ddf16066d9730fb4a345a2324e0a5ef5a111b.exe
"C:\Users\Admin\AppData\Local\Temp\ec278130c39d3a445edbcfd08c9ddf16066d9730fb4a345a2324e0a5ef5a111b.exe"
1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2360
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y0848720.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y0848720.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2156
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k2246713.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k2246713.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:3828

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y0848720.exe

Filesize
307KB

MD5
b9522cee9cfa06301c97cbb06db5e3be

SHA1
24d4d5283118d0c19ea46dc4e5f3f5cbed5f4505

SHA256
c98dd50d47de8e8ecebed89186a31015334333340d87049b272b48d740e51bde

SHA512
7952184179c57752b9bf7d0dc097ccc6eb984d6fbd781f1b0c4e3c4536d5ba4ad626ab981c2d7e4208450dff97d32323ee3e8f103d0de485f638283767d8635c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k2246713.exe

Filesize
168KB

MD5
bb8b11ea4a7ddc78769edaf275af77d1

SHA1
41eac01fd42ebfa404039c80ac31756c8dfc32af

SHA256
6db87dd084ebefe3a06df12a8d2752a3c75cb75959aaf7c500e3277a99950c31

SHA512
2c164b4ff3f49aeb026d032544ad7722513035aad66501951996e9778cfddf72d288edea3b91369ce6f4bfb1f0b560a3c414565916c0ea9a6f765c92e346fddb

Download Submit
memory/3828-14-0x00000000742FE000-0x00000000742FF000-memory.dmp

Filesize
4KB

Download
memory/3828-15-0x00000000009F0000-0x0000000000A20000-memory.dmp

Filesize
192KB

Download
memory/3828-16-0x0000000005200000-0x0000000005206000-memory.dmp

Filesize
24KB

Download
memory/3828-17-0x00000000059D0000-0x0000000005FE8000-memory.dmp

Filesize
6.1MB

Download
memory/3828-18-0x00000000054C0000-0x00000000055CA000-memory.dmp

Filesize
1.0MB

Download
memory/3828-19-0x0000000005250000-0x0000000005262000-memory.dmp

Filesize
72KB

Download
memory/3828-20-0x00000000053F0000-0x000000000542C000-memory.dmp

Filesize
240KB

Download
memory/3828-21-0x00000000742F0000-0x0000000074AA0000-memory.dmp

Filesize
7.7MB

Download
memory/3828-22-0x0000000005430000-0x000000000547C000-memory.dmp

Filesize
304KB

Download
memory/3828-23-0x00000000742FE000-0x00000000742FF000-memory.dmp

Filesize
4KB

Download
memory/3828-24-0x00000000742F0000-0x0000000074AA0000-memory.dmp

Filesize
7.7MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads