redline | e341189857efc26e05e358776c34570cefb0972d3183add22cc20e6883d1de77

General

Target

e341189857efc26e05e358776c34570cefb0972d3183add22cc20e6883d1de77.exe
Size

566KB
MD5

508a5e495d09319f6dbeae8652653c53
SHA1

cd6fc8051cb9feaad3b40878b44998be184a3103
SHA256

e341189857efc26e05e358776c34570cefb0972d3183add22cc20e6883d1de77
SHA512

ee05e30f3973d91ad4bfa20666a77c5bfc33ded4ec43d0f5ea275045087e7a2464d5b2a986f9c15a723822b0e4bd40a8dc8773be3ed8d9d13d306e22837f32e0
SSDEEP

12288:BMrjy9006dP5KhfrUk+9ePDFIShUhV8hwrX9TjKV4QcqP:6yadIGfsSS2HCwpTm+Xm

Score

10^/10

redline darm discovery infostealer persistence

Malware Config

Extracted

Family

redline

Botnet

darm

C2

217.196.96.56:4138

Attributes

auth_value
d88ac8ccc04ab9979b04b46313db1648

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 2 IoCs

Processes:

resource	yara_rule
behavioral1/files/0x0008000000023ca9-12.dat	family_redline
behavioral1/memory/2916-15-0x0000000000400000-0x0000000000430000-memory.dmp	family_redline

Redline family
redline

Executes dropped EXE 2 IoCs

Processes:

y7630541.exek9355722.exe

pid	Process
3552	y7630541.exe
2916	k9355722.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

e341189857efc26e05e358776c34570cefb0972d3183add22cc20e6883d1de77.exey7630541.exe

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	e341189857efc26e05e358776c34570cefb0972d3183add22cc20e6883d1de77.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	y7630541.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

e341189857efc26e05e358776c34570cefb0972d3183add22cc20e6883d1de77.exey7630541.exek9355722.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e341189857efc26e05e358776c34570cefb0972d3183add22cc20e6883d1de77.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	y7630541.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	k9355722.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

e341189857efc26e05e358776c34570cefb0972d3183add22cc20e6883d1de77.exey7630541.exe

description	pid	Process	procid_target
PID 828 wrote to memory of 3552	828	e341189857efc26e05e358776c34570cefb0972d3183add22cc20e6883d1de77.exe	83
PID 828 wrote to memory of 3552	828	e341189857efc26e05e358776c34570cefb0972d3183add22cc20e6883d1de77.exe	83
PID 828 wrote to memory of 3552	828	e341189857efc26e05e358776c34570cefb0972d3183add22cc20e6883d1de77.exe	83
PID 3552 wrote to memory of 2916	3552	y7630541.exe	84
PID 3552 wrote to memory of 2916	3552	y7630541.exe	84
PID 3552 wrote to memory of 2916	3552	y7630541.exe	84

C:\Users\Admin\AppData\Local\Temp\e341189857efc26e05e358776c34570cefb0972d3183add22cc20e6883d1de77.exe
"C:\Users\Admin\AppData\Local\Temp\e341189857efc26e05e358776c34570cefb0972d3183add22cc20e6883d1de77.exe"
1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:828
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y7630541.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y7630541.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3552
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k9355722.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k9355722.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:2916

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y7630541.exe

Filesize
307KB

MD5
7a77b9727a132a08f4356e7d6e3b94c4

SHA1
e58040d4e59f00e62eeb50dfeb7a5e81fc05cb31

SHA256
24df3b16933f6e900eb9ea2a78ec85500dd3ea6e8bac6ec628650f3a2d15f17e

SHA512
a5306a9d2293c1885995f187a107d1c33b04a81e24095f26244764db981c93a57aa60e1f5a8b7f12ac4540368062255ea6974dc7b69ee3399f7665d630fd36ae

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k9355722.exe

Filesize
168KB

MD5
de46b5fbd507126a6b4de8b46e19f6f8

SHA1
b357f651ace18c16cc8db12714ce777a7e2b4003

SHA256
88bf48813952ddabfc05fc4e5f07043a4dea5db7d0e4363daa7bd09466389c5b

SHA512
aa3e5fd230bb934f2f279f238f1eb018ca07652a3ed70b30575adfc1f57827c7c1606dbe67fd4474edbc5f5adb81fdc725b3b494bbadc558159c7f38e7d98041

Download Submit
memory/2916-14-0x0000000074A9E000-0x0000000074A9F000-memory.dmp

Filesize
4KB

Download
memory/2916-15-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/2916-16-0x00000000025A0000-0x00000000025A6000-memory.dmp

Filesize
24KB

Download
memory/2916-17-0x00000000054C0000-0x0000000005AD8000-memory.dmp

Filesize
6.1MB

Download
memory/2916-18-0x0000000004FB0000-0x00000000050BA000-memory.dmp

Filesize
1.0MB

Download
memory/2916-19-0x0000000004EC0000-0x0000000004ED2000-memory.dmp

Filesize
72KB

Download
memory/2916-20-0x0000000004F20000-0x0000000004F5C000-memory.dmp

Filesize
240KB

Download
memory/2916-21-0x0000000074A90000-0x0000000075240000-memory.dmp

Filesize
7.7MB

Download
memory/2916-22-0x00000000050C0000-0x000000000510C000-memory.dmp

Filesize
304KB

Download
memory/2916-23-0x0000000074A9E000-0x0000000074A9F000-memory.dmp

Filesize
4KB

Download
memory/2916-24-0x0000000074A90000-0x0000000075240000-memory.dmp

Filesize
7.7MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads