redline | 089a42d3410e19d49665a9564fe931829b62dca0dcfda237acdc9e3b19bfe985

General

Target

089a42d3410e19d49665a9564fe931829b62dca0dcfda237acdc9e3b19bfe985.exe
Size

479KB
MD5

282867687dc2d048cbea5d55bf2f362e
SHA1

ba1eddf433cdee82234a10c45fc6492189e8284e
SHA256

089a42d3410e19d49665a9564fe931829b62dca0dcfda237acdc9e3b19bfe985
SHA512

93a6956abf10945f93cab17c994b41506690347273014864c048a97bb41d961bccb632e4059bc7095570eb1c86b56c0798c0d8e4ef0b2bd84cab3b71115ad8de
SSDEEP

12288:AMrvy90dMLFlT4pz02iq/5ZQSae5TApV5l:/yJLFlT4R0y/5ZN1NAZl

Score

10^/10

redline dumud discovery infostealer persistence

Malware Config

Extracted

Family

redline

Botnet

dumud

C2

217.196.96.101:4132

Attributes

auth_value
3e18d4b90418aa3e78d8822e87c62f5c

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 2 IoCs

resource	yara_rule
behavioral1/files/0x0008000000023c9e-12.dat	family_redline
behavioral1/memory/1940-15-0x0000000000C80000-0x0000000000CB0000-memory.dmp	family_redline

Redline family
redline

Executes dropped EXE 2 IoCs

pid	Process
3584	x1669469.exe
1940	g7704557.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	089a42d3410e19d49665a9564fe931829b62dca0dcfda237acdc9e3b19bfe985.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	x1669469.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	089a42d3410e19d49665a9564fe931829b62dca0dcfda237acdc9e3b19bfe985.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	x1669469.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	g7704557.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 3036 wrote to memory of 3584	3036	089a42d3410e19d49665a9564fe931829b62dca0dcfda237acdc9e3b19bfe985.exe	84
PID 3036 wrote to memory of 3584	3036	089a42d3410e19d49665a9564fe931829b62dca0dcfda237acdc9e3b19bfe985.exe	84
PID 3036 wrote to memory of 3584	3036	089a42d3410e19d49665a9564fe931829b62dca0dcfda237acdc9e3b19bfe985.exe	84
PID 3584 wrote to memory of 1940	3584	x1669469.exe	85
PID 3584 wrote to memory of 1940	3584	x1669469.exe	85
PID 3584 wrote to memory of 1940	3584	x1669469.exe	85

C:\Users\Admin\AppData\Local\Temp\089a42d3410e19d49665a9564fe931829b62dca0dcfda237acdc9e3b19bfe985.exe
"C:\Users\Admin\AppData\Local\Temp\089a42d3410e19d49665a9564fe931829b62dca0dcfda237acdc9e3b19bfe985.exe"
1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3036
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x1669469.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x1669469.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3584
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g7704557.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g7704557.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:1940

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x1669469.exe

Filesize
307KB

MD5
edc2eec23af7019ecb641afdcbf4f8b8

SHA1
69e89370e8bb66ad9928b8120ddf808d330f78b8

SHA256
0da968533311d89733288f90c48eb8e070551addd7c8526ec864b9d0a024707f

SHA512
9e9c9f5e8b211ac473de77d5cd03ef80157ec1beff533bff9364e216cb4451bba54a5ff5c52446b803746534d4fac72e108c272dcc92b41c69ca3d01d595952a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g7704557.exe

Filesize
168KB

MD5
54d1aaba1b476327501446f42e2b832b

SHA1
bdf17cc777c969237bb8a694b70ac7feca935279

SHA256
9accf433a38132e244617f6035b49ba919b21e5dc24a1981c63c8257a392b7f1

SHA512
70a9607a73bab3a681375855112c8a9a6552df306e48d366b5728a917e2136a6887cf51dc042c08c81a482caf75e58d64faae084af59fa019ef601b88122755d

Download Submit
memory/1940-14-0x000000007454E000-0x000000007454F000-memory.dmp

Filesize
4KB

Download
memory/1940-15-0x0000000000C80000-0x0000000000CB0000-memory.dmp

Filesize
192KB

Download
memory/1940-16-0x00000000054A0000-0x00000000054A6000-memory.dmp

Filesize
24KB

Download
memory/1940-17-0x000000000B000000-0x000000000B618000-memory.dmp

Filesize
6.1MB

Download
memory/1940-18-0x000000000AAF0000-0x000000000ABFA000-memory.dmp

Filesize
1.0MB

Download
memory/1940-19-0x000000000AA20000-0x000000000AA32000-memory.dmp

Filesize
72KB

Download
memory/1940-20-0x000000000AA80000-0x000000000AABC000-memory.dmp

Filesize
240KB

Download
memory/1940-21-0x0000000074540000-0x0000000074CF0000-memory.dmp

Filesize
7.7MB

Download
memory/1940-22-0x0000000004FE0000-0x000000000502C000-memory.dmp

Filesize
304KB

Download
memory/1940-23-0x000000007454E000-0x000000007454F000-memory.dmp

Filesize
4KB

Download
memory/1940-24-0x0000000074540000-0x0000000074CF0000-memory.dmp

Filesize
7.7MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads