redline | 2ca1cc33308c5659d242382bbbaefaa2fbe79a94280a433960fd80a749294e5c

General

Target

2ca1cc33308c5659d242382bbbaefaa2fbe79a94280a433960fd80a749294e5c.exe
Size

567KB
MD5

dd76f10ea56a61daf4771201f0c7d404
SHA1

ff47594cb73469c2e3729ebb17060fa23d334c2a
SHA256

2ca1cc33308c5659d242382bbbaefaa2fbe79a94280a433960fd80a749294e5c
SHA512

9744884d77e28033d9dd1f09d07cfb2f5d621fff7ad9641f279b587265e01607d5a9e972fcbc79c88ca5515c2f34c0475a6ccba22123e71e697c324423ba281b
SSDEEP

12288:BMrxy90Hn3i0kdIzZG0XHR+hjTSj6WGoSh6lMJwnUnjq:8yMRkudfHR6jTS+BMGCnUnjq

Score

10^/10

redline darm discovery infostealer persistence

Malware Config

Extracted

Family

redline

Botnet

darm

C2

217.196.96.56:4138

Attributes

auth_value
d88ac8ccc04ab9979b04b46313db1648

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 2 IoCs

resource	yara_rule
behavioral1/files/0x0008000000023ca2-12.dat	family_redline
behavioral1/memory/4836-15-0x0000000000E00000-0x0000000000E30000-memory.dmp	family_redline

Redline family
redline

Executes dropped EXE 2 IoCs

pid	Process
1020	y3949061.exe
4836	k1432945.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	2ca1cc33308c5659d242382bbbaefaa2fbe79a94280a433960fd80a749294e5c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	y3949061.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2ca1cc33308c5659d242382bbbaefaa2fbe79a94280a433960fd80a749294e5c.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	y3949061.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	k1432945.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 1416 wrote to memory of 1020	1416	2ca1cc33308c5659d242382bbbaefaa2fbe79a94280a433960fd80a749294e5c.exe	83
PID 1416 wrote to memory of 1020	1416	2ca1cc33308c5659d242382bbbaefaa2fbe79a94280a433960fd80a749294e5c.exe	83
PID 1416 wrote to memory of 1020	1416	2ca1cc33308c5659d242382bbbaefaa2fbe79a94280a433960fd80a749294e5c.exe	83
PID 1020 wrote to memory of 4836	1020	y3949061.exe	84
PID 1020 wrote to memory of 4836	1020	y3949061.exe	84
PID 1020 wrote to memory of 4836	1020	y3949061.exe	84

C:\Users\Admin\AppData\Local\Temp\2ca1cc33308c5659d242382bbbaefaa2fbe79a94280a433960fd80a749294e5c.exe
"C:\Users\Admin\AppData\Local\Temp\2ca1cc33308c5659d242382bbbaefaa2fbe79a94280a433960fd80a749294e5c.exe"
1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1416
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y3949061.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y3949061.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1020
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k1432945.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k1432945.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:4836

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y3949061.exe

Filesize
307KB

MD5
e0c1028a27cc2bc37135cdea785518a7

SHA1
4cf5461739106820f4928e8f4f2e03eca0bca04d

SHA256
18b1f9a35471e12347ca8ad1cfbb74f3de9789f1108fc14f0356622d6635415a

SHA512
f5aba63bed774ecbd82404147e9088adbb3aa37b9e28af0e3b349d2cc9200c37ab640512f1fbc1d64f0b2f4fe48cae54196a212fddb5e15885dcae8059cd34ef

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k1432945.exe

Filesize
168KB

MD5
a58d88523c9d687caed53d6d1cbb155a

SHA1
8c3b67ddd2c32633c0e25e0d7859043b366fe74f

SHA256
bee636368463b1636b9d0dfc9000242ffef582c6b9c39ca72223ab31fb99aaad

SHA512
0393f511fadca02afec41efcab75a4867ca1d930c6478702487c3f4ac4d372fb22a28ad0525b21f363792b643acbc3979e3fad4b6f24e53842280da9b505794e

Download Submit
memory/4836-14-0x000000007427E000-0x000000007427F000-memory.dmp

Filesize
4KB

Download
memory/4836-15-0x0000000000E00000-0x0000000000E30000-memory.dmp

Filesize
192KB

Download
memory/4836-16-0x0000000001800000-0x0000000001806000-memory.dmp

Filesize
24KB

Download
memory/4836-17-0x0000000005EC0000-0x00000000064D8000-memory.dmp

Filesize
6.1MB

Download
memory/4836-18-0x00000000059B0000-0x0000000005ABA000-memory.dmp

Filesize
1.0MB

Download
memory/4836-19-0x00000000058C0000-0x00000000058D2000-memory.dmp

Filesize
72KB

Download
memory/4836-20-0x0000000074270000-0x0000000074A20000-memory.dmp

Filesize
7.7MB

Download
memory/4836-21-0x0000000005920000-0x000000000595C000-memory.dmp

Filesize
240KB

Download
memory/4836-22-0x0000000005AC0000-0x0000000005B0C000-memory.dmp

Filesize
304KB

Download
memory/4836-23-0x000000007427E000-0x000000007427F000-memory.dmp

Filesize
4KB

Download
memory/4836-24-0x0000000074270000-0x0000000074A20000-memory.dmp

Filesize
7.7MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads