redline | 9e113f45686de7a5078901beefa2680b367d8215af1ff72ab1096674ace3f19d

General

Target

9e113f45686de7a5078901beefa2680b367d8215af1ff72ab1096674ace3f19d.exe
Size

643KB
MD5

e09f36aae516f0c2207df3ca237db8c6
SHA1

92a131d68ab358d49f4398371f086ee53be0aa58
SHA256

9e113f45686de7a5078901beefa2680b367d8215af1ff72ab1096674ace3f19d
SHA512

5a176e616bb819a4866b8362a63cf9d44513a5ad4176f2266e810beaf56d3df8d98b1184a4b8cee0996070e72f1c8b2a0e06d0ecccc953798456527e4080681a
SSDEEP

12288:BMrVy90sfTJMfhUOprjlH0gs3XRWhYZQR8N1Ytu5xK79XXHdfUz4yhUOCQyG9:wyJTJMZUAPZ0x3cYG8JLg95Uz4yh2QT

Score

10^/10

redline darm discovery infostealer persistence

Malware Config

Extracted

Family

redline

Botnet

darm

C2

217.196.96.56:4138

Attributes

auth_value
d88ac8ccc04ab9979b04b46313db1648

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 2 IoCs

resource	yara_rule
behavioral1/files/0x0008000000023c74-12.dat	family_redline
behavioral1/memory/4284-15-0x0000000000430000-0x0000000000460000-memory.dmp	family_redline

Redline family
redline

Executes dropped EXE 2 IoCs

pid	Process
4064	x6273921.exe
4284	g5548773.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	9e113f45686de7a5078901beefa2680b367d8215af1ff72ab1096674ace3f19d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	x6273921.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	9e113f45686de7a5078901beefa2680b367d8215af1ff72ab1096674ace3f19d.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	x6273921.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	g5548773.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 4128 wrote to memory of 4064	4128	9e113f45686de7a5078901beefa2680b367d8215af1ff72ab1096674ace3f19d.exe	82
PID 4128 wrote to memory of 4064	4128	9e113f45686de7a5078901beefa2680b367d8215af1ff72ab1096674ace3f19d.exe	82
PID 4128 wrote to memory of 4064	4128	9e113f45686de7a5078901beefa2680b367d8215af1ff72ab1096674ace3f19d.exe	82
PID 4064 wrote to memory of 4284	4064	x6273921.exe	83
PID 4064 wrote to memory of 4284	4064	x6273921.exe	83
PID 4064 wrote to memory of 4284	4064	x6273921.exe	83

C:\Users\Admin\AppData\Local\Temp\9e113f45686de7a5078901beefa2680b367d8215af1ff72ab1096674ace3f19d.exe
"C:\Users\Admin\AppData\Local\Temp\9e113f45686de7a5078901beefa2680b367d8215af1ff72ab1096674ace3f19d.exe"
1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4128
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x6273921.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x6273921.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4064
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g5548773.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g5548773.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:4284

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x6273921.exe

Filesize
383KB

MD5
7046a3f2923af33d93273bca8ce8712b

SHA1
a43000d25028559e51fe3ad6d5c465c4a32ff8a9

SHA256
c15084623e0f05a7ef765980d82d00c10c7988e5565d2474f402315afeeb10c2

SHA512
bbe36ad4008b95256efe5a7c8d5874e02b9a66b20f4b421d42003c93b5a6e0370b219a10047dc231251ed88aa287783ab6060c1467d9412fd58d65bf25c68291

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g5548773.exe

Filesize
168KB

MD5
1b725c93ae0e1a46a55be6cf3e2801aa

SHA1
2caed0329ee053318c43b824b1f928de34dd256c

SHA256
e6c1dcea0324c6cd0d74d0611c03811aa5973f55f33d3bf82d3e8c11be96d7c6

SHA512
2e123fcc1ba04d854716bfd915fe9d4d8775e9dcfabf18f8a2dbf1c3bfad80b2c575290c09d5db0ea251b67124b5930a9b09a497b1622609f2a5ae2450b51cf6

Download Submit
memory/4284-14-0x00000000744CE000-0x00000000744CF000-memory.dmp

Filesize
4KB

Download
memory/4284-15-0x0000000000430000-0x0000000000460000-memory.dmp

Filesize
192KB

Download
memory/4284-16-0x0000000000DF0000-0x0000000000DF6000-memory.dmp

Filesize
24KB

Download
memory/4284-17-0x00000000055B0000-0x0000000005BC8000-memory.dmp

Filesize
6.1MB

Download
memory/4284-18-0x00000000050A0000-0x00000000051AA000-memory.dmp

Filesize
1.0MB

Download
memory/4284-19-0x0000000002990000-0x00000000029A2000-memory.dmp

Filesize
72KB

Download
memory/4284-20-0x00000000744C0000-0x0000000074C70000-memory.dmp

Filesize
7.7MB

Download
memory/4284-21-0x0000000004F90000-0x0000000004FCC000-memory.dmp

Filesize
240KB

Download
memory/4284-22-0x0000000004FD0000-0x000000000501C000-memory.dmp

Filesize
304KB

Download
memory/4284-23-0x00000000744CE000-0x00000000744CF000-memory.dmp

Filesize
4KB

Download
memory/4284-24-0x00000000744C0000-0x0000000074C70000-memory.dmp

Filesize
7.7MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads