redline | e17cc8776b6f2039efa46b7f2c5c3854bcabd32f8b9a2eef8afa3ac1fa196943

General

Target

e17cc8776b6f2039efa46b7f2c5c3854bcabd32f8b9a2eef8afa3ac1fa196943.exe
Size

568KB
MD5

86ae9a06173c86a913a33582342ef68a
SHA1

cf8576bafbcbb6e3e9f81ac2fcaf8c7a827d2479
SHA256

e17cc8776b6f2039efa46b7f2c5c3854bcabd32f8b9a2eef8afa3ac1fa196943
SHA512

4c8b2be172ffd78dca48967269fbb92daf4a607924caa35143526fedb925b5c458cb5e14fcb01272704da78a9ccc5ebb6bde24666549982ccb807ab847fa15fa
SSDEEP

12288:2MrHy90B3tsOm7kes9o1ZTggo5dRSwn8wWycyUg:5yDOm7dsHnnntn

Score

10^/10

redline darm discovery infostealer persistence

Malware Config

Extracted

Family

redline

Botnet

darm

C2

217.196.96.56:4138

Attributes

auth_value
d88ac8ccc04ab9979b04b46313db1648

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 2 IoCs

resource	yara_rule
behavioral1/files/0x0008000000023c76-12.dat	family_redline
behavioral1/memory/4952-15-0x0000000000550000-0x0000000000580000-memory.dmp	family_redline

Redline family
redline

Executes dropped EXE 2 IoCs

pid	Process
2144	y1649253.exe
4952	k1913373.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	y1649253.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	e17cc8776b6f2039efa46b7f2c5c3854bcabd32f8b9a2eef8afa3ac1fa196943.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e17cc8776b6f2039efa46b7f2c5c3854bcabd32f8b9a2eef8afa3ac1fa196943.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	y1649253.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	k1913373.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 3268 wrote to memory of 2144	3268	e17cc8776b6f2039efa46b7f2c5c3854bcabd32f8b9a2eef8afa3ac1fa196943.exe	83
PID 3268 wrote to memory of 2144	3268	e17cc8776b6f2039efa46b7f2c5c3854bcabd32f8b9a2eef8afa3ac1fa196943.exe	83
PID 3268 wrote to memory of 2144	3268	e17cc8776b6f2039efa46b7f2c5c3854bcabd32f8b9a2eef8afa3ac1fa196943.exe	83
PID 2144 wrote to memory of 4952	2144	y1649253.exe	84
PID 2144 wrote to memory of 4952	2144	y1649253.exe	84
PID 2144 wrote to memory of 4952	2144	y1649253.exe	84

C:\Users\Admin\AppData\Local\Temp\e17cc8776b6f2039efa46b7f2c5c3854bcabd32f8b9a2eef8afa3ac1fa196943.exe
"C:\Users\Admin\AppData\Local\Temp\e17cc8776b6f2039efa46b7f2c5c3854bcabd32f8b9a2eef8afa3ac1fa196943.exe"
1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3268
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y1649253.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y1649253.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2144
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k1913373.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k1913373.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:4952

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y1649253.exe

Filesize
308KB

MD5
553c7dd7ac98b7472971116a00bb03fd

SHA1
4c897b6a5814f791e8e76a1293fe179363bb157b

SHA256
b9acb7b78b52c7134f8a94414c0b3f17a6bb9cc69493d4fddbe668d455d717a8

SHA512
52ef67366e2ffdd651bf6ef2bdaed0419268928382f2802b5cce8353602464187396464924419b602053212a086fe7a98171cac1b3b772b87d9a31fb4177445f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k1913373.exe

Filesize
168KB

MD5
a186a369fbd6368d6722d008200bcc62

SHA1
1ee4b0d6a28b43014c007aeb1d7a56f194bb3c19

SHA256
99654f204c384d1a39868224e85adfe253b312f6facf86682fd6f924bb97ad7f

SHA512
0af30b4af399d2085df47ce88be7f272b5c64d05674d7a83dd26251ca19ba34d799411d14a0a7558e348a645d2a9f51aba97c4e55dc0cb42a5a6cf8c0b714aad

Download Submit
memory/4952-14-0x000000007408E000-0x000000007408F000-memory.dmp

Filesize
4KB

Download
memory/4952-15-0x0000000000550000-0x0000000000580000-memory.dmp

Filesize
192KB

Download
memory/4952-16-0x0000000002800000-0x0000000002806000-memory.dmp

Filesize
24KB

Download
memory/4952-17-0x0000000005500000-0x0000000005B18000-memory.dmp

Filesize
6.1MB

Download
memory/4952-18-0x0000000004FF0000-0x00000000050FA000-memory.dmp

Filesize
1.0MB

Download
memory/4952-19-0x0000000004EE0000-0x0000000004EF2000-memory.dmp

Filesize
72KB

Download
memory/4952-21-0x0000000074080000-0x0000000074830000-memory.dmp

Filesize
7.7MB

Download
memory/4952-20-0x0000000004F00000-0x0000000004F3C000-memory.dmp

Filesize
240KB

Download
memory/4952-22-0x0000000004F80000-0x0000000004FCC000-memory.dmp

Filesize
304KB

Download
memory/4952-23-0x000000007408E000-0x000000007408F000-memory.dmp

Filesize
4KB

Download
memory/4952-24-0x0000000074080000-0x0000000074830000-memory.dmp

Filesize
7.7MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads