redline | 24f689fc4dc8c179f88dadf08abbbec375b5d5b80ee52ada0268a220bb19ac0b

General

Target

24f689fc4dc8c179f88dadf08abbbec375b5d5b80ee52ada0268a220bb19ac0b.exe
Size

568KB
MD5

16bef00e5fcffac8e9b4533151d8f414
SHA1

315dac2a295cc4df0d8b51da19d4896cd40c96e2
SHA256

24f689fc4dc8c179f88dadf08abbbec375b5d5b80ee52ada0268a220bb19ac0b
SHA512

da3626b06b673f7da08959ffe1d7ca3d135f5866e3a6f8d89e79ef95ec039c6d8012cd3f3c8760ad594cedccefa6629f85dd548a3f2af19cab2d645eccd8aadf
SSDEEP

12288:AMrhy90IPeLij20KQqogS3vkb0NeJb0fVfCPu:xyRmLijhKQqIc0gWf1

Score

10^/10

redline darm discovery infostealer persistence

Malware Config

Extracted

Family

redline

Botnet

darm

C2

217.196.96.56:4138

Attributes

auth_value
d88ac8ccc04ab9979b04b46313db1648

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 2 IoCs

resource	yara_rule
behavioral1/files/0x000b000000023b83-12.dat	family_redline
behavioral1/memory/2928-15-0x0000000000C30000-0x0000000000C60000-memory.dmp	family_redline

Redline family
redline

Executes dropped EXE 2 IoCs

pid	Process
3220	y5811858.exe
2928	k2903186.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	24f689fc4dc8c179f88dadf08abbbec375b5d5b80ee52ada0268a220bb19ac0b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	y5811858.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	24f689fc4dc8c179f88dadf08abbbec375b5d5b80ee52ada0268a220bb19ac0b.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	y5811858.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	k2903186.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 1784 wrote to memory of 3220	1784	24f689fc4dc8c179f88dadf08abbbec375b5d5b80ee52ada0268a220bb19ac0b.exe	83
PID 1784 wrote to memory of 3220	1784	24f689fc4dc8c179f88dadf08abbbec375b5d5b80ee52ada0268a220bb19ac0b.exe	83
PID 1784 wrote to memory of 3220	1784	24f689fc4dc8c179f88dadf08abbbec375b5d5b80ee52ada0268a220bb19ac0b.exe	83
PID 3220 wrote to memory of 2928	3220	y5811858.exe	84
PID 3220 wrote to memory of 2928	3220	y5811858.exe	84
PID 3220 wrote to memory of 2928	3220	y5811858.exe	84

C:\Users\Admin\AppData\Local\Temp\24f689fc4dc8c179f88dadf08abbbec375b5d5b80ee52ada0268a220bb19ac0b.exe
"C:\Users\Admin\AppData\Local\Temp\24f689fc4dc8c179f88dadf08abbbec375b5d5b80ee52ada0268a220bb19ac0b.exe"
1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1784
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y5811858.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y5811858.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3220
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k2903186.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k2903186.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:2928

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y5811858.exe

Filesize
308KB

MD5
022f8a2c96bb06e727bfa4e501b6a4b4

SHA1
e3886f82f8884fa3ac2a11f5da46319e8ddb9e9c

SHA256
c20818d093994fd8e765c5896e56ebe7771b86a573acd25d594edca121c65dc4

SHA512
54f07db302af873b97364cf32cb7fab47bc1316379c05d7e0a3e8ebc634a363b1bf111462b6c18feb364fc2ee216268c5659807332b9ef1679b687aa0500238e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k2903186.exe

Filesize
168KB

MD5
25fce5ae4f8f4757e54b04380f210baa

SHA1
f844b9a945478e9552bda99fdf70d71ed20e5a2f

SHA256
99e55be7ead48c70b8134f8cd061c33c2735cb1c8eacae314edf7549a4dcea14

SHA512
abf7379392b0e3bdf15d92c938033a74afe4e3fa6fca4e0789de6c3dcc633cd5d46e85e4cc3903ddb67f2079a4f2387cdcd342f167f693e4ca99ff36615c1304

Download Submit
memory/2928-14-0x000000007479E000-0x000000007479F000-memory.dmp

Filesize
4KB

Download
memory/2928-15-0x0000000000C30000-0x0000000000C60000-memory.dmp

Filesize
192KB

Download
memory/2928-16-0x0000000005650000-0x0000000005656000-memory.dmp

Filesize
24KB

Download
memory/2928-17-0x000000000B0A0000-0x000000000B6B8000-memory.dmp

Filesize
6.1MB

Download
memory/2928-18-0x000000000ABE0000-0x000000000ACEA000-memory.dmp

Filesize
1.0MB

Download
memory/2928-19-0x000000000AB10000-0x000000000AB22000-memory.dmp

Filesize
72KB

Download
memory/2928-20-0x000000000AB70000-0x000000000ABAC000-memory.dmp

Filesize
240KB

Download
memory/2928-21-0x0000000074790000-0x0000000074F40000-memory.dmp

Filesize
7.7MB

Download
memory/2928-22-0x0000000002EC0000-0x0000000002F0C000-memory.dmp

Filesize
304KB

Download
memory/2928-23-0x000000007479E000-0x000000007479F000-memory.dmp

Filesize
4KB

Download
memory/2928-24-0x0000000074790000-0x0000000074F40000-memory.dmp

Filesize
7.7MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads