redline | 1daa51d53c5b57c615aa1eb89d52721e1fb93c8bdc32c63877d6b46efc1221e3

General

Target

1daa51d53c5b57c615aa1eb89d52721e1fb93c8bdc32c63877d6b46efc1221e3.exe
Size

479KB
MD5

f701a5c9072e1bc7c49dc8d31eb4206c
SHA1

f98b798bfc78f3dd5534c05d3be2bd1da94d13c0
SHA256

1daa51d53c5b57c615aa1eb89d52721e1fb93c8bdc32c63877d6b46efc1221e3
SHA512

999672420eda3cb1b82f3acc5346b5eda4e97d22f6867c4d6b42c16bbaf28b186a86db2549f0676401d155334987c68e17409f14f593e8aa0cea9ec077ad479a
SSDEEP

12288:PMrqy90+RXqWoFKW107kc94WPDFZRk659vj:tyxXqWl7kc94APGuV

Score

10^/10

redline dumud discovery infostealer persistence

Malware Config

Extracted

Family

redline

Botnet

dumud

C2

217.196.96.101:4132

Attributes

auth_value
3e18d4b90418aa3e78d8822e87c62f5c

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 2 IoCs

resource	yara_rule
behavioral1/files/0x000b000000023b8a-12.dat	family_redline
behavioral1/memory/4184-15-0x0000000000C90000-0x0000000000CC0000-memory.dmp	family_redline

Redline family
redline

Executes dropped EXE 2 IoCs

pid	Process
2368	x2249630.exe
4184	g7707544.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	1daa51d53c5b57c615aa1eb89d52721e1fb93c8bdc32c63877d6b46efc1221e3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	x2249630.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1daa51d53c5b57c615aa1eb89d52721e1fb93c8bdc32c63877d6b46efc1221e3.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	x2249630.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	g7707544.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 4464 wrote to memory of 2368	4464	1daa51d53c5b57c615aa1eb89d52721e1fb93c8bdc32c63877d6b46efc1221e3.exe	83
PID 4464 wrote to memory of 2368	4464	1daa51d53c5b57c615aa1eb89d52721e1fb93c8bdc32c63877d6b46efc1221e3.exe	83
PID 4464 wrote to memory of 2368	4464	1daa51d53c5b57c615aa1eb89d52721e1fb93c8bdc32c63877d6b46efc1221e3.exe	83
PID 2368 wrote to memory of 4184	2368	x2249630.exe	84
PID 2368 wrote to memory of 4184	2368	x2249630.exe	84
PID 2368 wrote to memory of 4184	2368	x2249630.exe	84

C:\Users\Admin\AppData\Local\Temp\1daa51d53c5b57c615aa1eb89d52721e1fb93c8bdc32c63877d6b46efc1221e3.exe
"C:\Users\Admin\AppData\Local\Temp\1daa51d53c5b57c615aa1eb89d52721e1fb93c8bdc32c63877d6b46efc1221e3.exe"
1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4464
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x2249630.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x2249630.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2368
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g7707544.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g7707544.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:4184

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x2249630.exe

Filesize
307KB

MD5
9948a154f21593f0e607110a24a436ab

SHA1
10cf526bbaded704b9b81c4c657a9840737cc09b

SHA256
bfe5980d49f7c8e6eef49e171e873c4edbfcda6e21c12256f7c34719d8dd98ee

SHA512
a21c38a5f73ad3e08b81face434029e48945023c50dcf2ef7f91a5cafb8d06a682a15fb9e9ea35bf6628fa670ef6176f73db11f989f1d69c3c2eac763c26d59d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g7707544.exe

Filesize
168KB

MD5
c2fe5e3796d6092a2185135c008bc3ae

SHA1
a1a1d6cf9a8c49d58b05f1089bac10394d647424

SHA256
a4357f8c846e1b62a51c61de57e151c54b8237074bc5b446bde1df712fcf3821

SHA512
1a7ca314f83a08e3d2147da27122298eb98d2c40eb28172d6a2d492aac9d88aff33959cba73f2ee80652e021f217e3beb394a0ad63ad983b6ceceaf7d4c660a1

Download Submit
memory/4184-14-0x000000007421E000-0x000000007421F000-memory.dmp

Filesize
4KB

Download
memory/4184-15-0x0000000000C90000-0x0000000000CC0000-memory.dmp

Filesize
192KB

Download
memory/4184-16-0x00000000056A0000-0x00000000056A6000-memory.dmp

Filesize
24KB

Download
memory/4184-17-0x0000000005D70000-0x0000000006388000-memory.dmp

Filesize
6.1MB

Download
memory/4184-18-0x0000000005860000-0x000000000596A000-memory.dmp

Filesize
1.0MB

Download
memory/4184-19-0x0000000005750000-0x0000000005762000-memory.dmp

Filesize
72KB

Download
memory/4184-20-0x0000000005770000-0x00000000057AC000-memory.dmp

Filesize
240KB

Download
memory/4184-21-0x0000000074210000-0x00000000749C0000-memory.dmp

Filesize
7.7MB

Download
memory/4184-22-0x00000000057F0000-0x000000000583C000-memory.dmp

Filesize
304KB

Download
memory/4184-23-0x000000007421E000-0x000000007421F000-memory.dmp

Filesize
4KB

Download
memory/4184-24-0x0000000074210000-0x00000000749C0000-memory.dmp

Filesize
7.7MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads