redline | 49ecba691e1eb8df99b908e43bf471ee51a90180e6714ef8ba1924f58f34c1f7

General

Target

49ecba691e1eb8df99b908e43bf471ee51a90180e6714ef8ba1924f58f34c1f7.exe
Size

643KB
MD5

a0e92fd46b46d6f1060d039dce57a4ce
SHA1

74936def848766b07dfa6f423787cbf534b22ae6
SHA256

49ecba691e1eb8df99b908e43bf471ee51a90180e6714ef8ba1924f58f34c1f7
SHA512

83ac26c14091ccd456ed64b6c2fd6bc02fd57b932d8019d2231d793bd56c8fbd801ed38d68baf8888413249a366bd9f1b434fb9763bc8a13b8eff35f5165d18f
SSDEEP

12288:MMrVy90/0gv7LG6YAHgjqyKAn5RaPVZ/3nFBEy5PaGG9E0zxtpa0JzrPWl:Ryn2GnAHgjnnTatZfnj/1a1hz0CnPWl

Score

10^/10

redline darm discovery infostealer persistence

Malware Config

Extracted

Family

redline

Botnet

darm

C2

217.196.96.56:4138

Attributes

auth_value
d88ac8ccc04ab9979b04b46313db1648

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 2 IoCs

resource	yara_rule
behavioral1/files/0x000b000000023b87-12.dat	family_redline
behavioral1/memory/1412-15-0x0000000000FC0000-0x0000000000FF0000-memory.dmp	family_redline

Redline family
redline

Executes dropped EXE 2 IoCs

pid	Process
3616	x0403293.exe
1412	g6589506.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	49ecba691e1eb8df99b908e43bf471ee51a90180e6714ef8ba1924f58f34c1f7.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	x0403293.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	49ecba691e1eb8df99b908e43bf471ee51a90180e6714ef8ba1924f58f34c1f7.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	x0403293.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	g6589506.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 1592 wrote to memory of 3616	1592	49ecba691e1eb8df99b908e43bf471ee51a90180e6714ef8ba1924f58f34c1f7.exe	83
PID 1592 wrote to memory of 3616	1592	49ecba691e1eb8df99b908e43bf471ee51a90180e6714ef8ba1924f58f34c1f7.exe	83
PID 1592 wrote to memory of 3616	1592	49ecba691e1eb8df99b908e43bf471ee51a90180e6714ef8ba1924f58f34c1f7.exe	83
PID 3616 wrote to memory of 1412	3616	x0403293.exe	84
PID 3616 wrote to memory of 1412	3616	x0403293.exe	84
PID 3616 wrote to memory of 1412	3616	x0403293.exe	84

C:\Users\Admin\AppData\Local\Temp\49ecba691e1eb8df99b908e43bf471ee51a90180e6714ef8ba1924f58f34c1f7.exe
"C:\Users\Admin\AppData\Local\Temp\49ecba691e1eb8df99b908e43bf471ee51a90180e6714ef8ba1924f58f34c1f7.exe"
1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1592
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x0403293.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x0403293.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3616
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g6589506.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g6589506.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:1412

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x0403293.exe

Filesize
384KB

MD5
fb7e9e66e4cb5820bdf2e200aea037ee

SHA1
2dbe556981627d5f72ade53b97e620eb6c9d6ff7

SHA256
22c0f3604d43dcd9ea0707836105e89131c488e23ec729271011fe57ca599ce8

SHA512
b2779cd318dbefe697e5dc8fc78430b1c9ca9c3d551ec162b2fa5e0ab8ac4d0c507bfd05e811ccf70c91889461ecb54a945551756a04e6421a5d359688210216

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g6589506.exe

Filesize
168KB

MD5
a21438dbf06b12b3209ef10151beb51c

SHA1
1ad979964d637451d4f3dbdb921e63fc9cc90b6d

SHA256
7dad23b0d0cf79b5198c41d4e4e4b0173ea4440953df8e64c7b4ee8152a17a3b

SHA512
78bd18a37706481a54fb7869476e9e1bdcdd3f0da7f7e86ea6ee0d9733287480751e1705c7d023ea90c5e3f143790faac35773954757591a7fedf1578d7ab3d4

Download Submit
memory/1412-14-0x000000007461E000-0x000000007461F000-memory.dmp

Filesize
4KB

Download
memory/1412-15-0x0000000000FC0000-0x0000000000FF0000-memory.dmp

Filesize
192KB

Download
memory/1412-16-0x0000000001870000-0x0000000001876000-memory.dmp

Filesize
24KB

Download
memory/1412-17-0x000000000B2E0000-0x000000000B8F8000-memory.dmp

Filesize
6.1MB

Download
memory/1412-18-0x000000000AE30000-0x000000000AF3A000-memory.dmp

Filesize
1.0MB

Download
memory/1412-19-0x000000000AD60000-0x000000000AD72000-memory.dmp

Filesize
72KB

Download
memory/1412-20-0x0000000074610000-0x0000000074DC0000-memory.dmp

Filesize
7.7MB

Download
memory/1412-21-0x000000000ADC0000-0x000000000ADFC000-memory.dmp

Filesize
240KB

Download
memory/1412-22-0x0000000005380000-0x00000000053CC000-memory.dmp

Filesize
304KB

Download
memory/1412-23-0x000000007461E000-0x000000007461F000-memory.dmp

Filesize
4KB

Download
memory/1412-24-0x0000000074610000-0x0000000074DC0000-memory.dmp

Filesize
7.7MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads