redline | 0f4c5547a09a7131c7e1e855f1e5469779e8a2242d9a581eee717906fd4d69d8

General

Target

0f4c5547a09a7131c7e1e855f1e5469779e8a2242d9a581eee717906fd4d69d8.exe
Size

643KB
MD5

23693d58857ce79fbb62ad6e1590dabd
SHA1

d31d7b29330c0b864f908604eb73824d23642dc6
SHA256

0f4c5547a09a7131c7e1e855f1e5469779e8a2242d9a581eee717906fd4d69d8
SHA512

5d07c656f8de2fc0aaeaadfc01d3b38ef724fecf2dc9dd5427ab6a28d13f45dbd4adb0c30cd508f29ced700e3b3eda54540849ef2b63c6a288726e3914f98979
SSDEEP

12288:vMr3y90nmZ4qQIcn+o5JachYZ3R8keACR966IFyOVMLlzL1fS:UyhXc+o5scEh8X66uyO0L1q

Score

10^/10

redline darm discovery infostealer persistence

Malware Config

Extracted

Family

redline

Botnet

darm

C2

217.196.96.56:4138

Attributes

auth_value
d88ac8ccc04ab9979b04b46313db1648

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 2 IoCs

resource	yara_rule
behavioral1/files/0x0008000000023c79-12.dat	family_redline
behavioral1/memory/1264-15-0x00000000004D0000-0x0000000000500000-memory.dmp	family_redline

Redline family
redline

Executes dropped EXE 2 IoCs

pid	Process
3828	x2020685.exe
1264	g7895368.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	0f4c5547a09a7131c7e1e855f1e5469779e8a2242d9a581eee717906fd4d69d8.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	x2020685.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0f4c5547a09a7131c7e1e855f1e5469779e8a2242d9a581eee717906fd4d69d8.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	x2020685.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	g7895368.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 4804 wrote to memory of 3828	4804	0f4c5547a09a7131c7e1e855f1e5469779e8a2242d9a581eee717906fd4d69d8.exe	83
PID 4804 wrote to memory of 3828	4804	0f4c5547a09a7131c7e1e855f1e5469779e8a2242d9a581eee717906fd4d69d8.exe	83
PID 4804 wrote to memory of 3828	4804	0f4c5547a09a7131c7e1e855f1e5469779e8a2242d9a581eee717906fd4d69d8.exe	83
PID 3828 wrote to memory of 1264	3828	x2020685.exe	84
PID 3828 wrote to memory of 1264	3828	x2020685.exe	84
PID 3828 wrote to memory of 1264	3828	x2020685.exe	84

C:\Users\Admin\AppData\Local\Temp\0f4c5547a09a7131c7e1e855f1e5469779e8a2242d9a581eee717906fd4d69d8.exe
"C:\Users\Admin\AppData\Local\Temp\0f4c5547a09a7131c7e1e855f1e5469779e8a2242d9a581eee717906fd4d69d8.exe"
1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4804
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x2020685.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x2020685.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3828
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g7895368.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g7895368.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:1264

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x2020685.exe

Filesize
383KB

MD5
93f8a85c9caedb6cd7d72893fc5f04a0

SHA1
9c45ab122990f593bd4dadc0a274282ff6ecb81f

SHA256
d5091f453faec384437b3c4e7fd345f16c46d3003c015b32c46d946b5a9e1f2b

SHA512
72f0e84be9cccac6a13da4b687fdde1f0f311d5706fda993dcd9eaa6aab08e3aab90f7dfa0904f1b156e1c2edf8bd60e6596aaf54d0f9e148de603a519b2d6b0

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g7895368.exe

Filesize
168KB

MD5
8c29a78514c0c95f91df7c2780855604

SHA1
49ea7d31a3ebc76c89bcd9213ee3f8940311afc2

SHA256
1dafb53940d8c9ce35decc5ce7e92fc8abbed7af73bb04f22cfe3b2976d877b4

SHA512
64c0270ec1a229a29dc940e9e480ffc1040f3b3c9d30d1a623dc8d9d9931a0423e0861b9f4cd1ff84e9a472c1b5c54d1cd99b77b98e519827ddc7c91e7fe0e5b

Download Submit
memory/1264-14-0x000000007436E000-0x000000007436F000-memory.dmp

Filesize
4KB

Download
memory/1264-15-0x00000000004D0000-0x0000000000500000-memory.dmp

Filesize
192KB

Download
memory/1264-16-0x0000000000C90000-0x0000000000C96000-memory.dmp

Filesize
24KB

Download
memory/1264-17-0x0000000005440000-0x0000000005A58000-memory.dmp

Filesize
6.1MB

Download
memory/1264-18-0x0000000004F30000-0x000000000503A000-memory.dmp

Filesize
1.0MB

Download
memory/1264-19-0x0000000004E50000-0x0000000004E62000-memory.dmp

Filesize
72KB

Download
memory/1264-20-0x0000000074360000-0x0000000074B10000-memory.dmp

Filesize
7.7MB

Download
memory/1264-21-0x0000000004EB0000-0x0000000004EEC000-memory.dmp

Filesize
240KB

Download
memory/1264-22-0x0000000005040000-0x000000000508C000-memory.dmp

Filesize
304KB

Download
memory/1264-23-0x000000007436E000-0x000000007436F000-memory.dmp

Filesize
4KB

Download
memory/1264-24-0x0000000074360000-0x0000000074B10000-memory.dmp

Filesize
7.7MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads