redline | 7b3bddd75effc105077d4f624ed5f3cff3092521a48a07409ae2349ebc02640c

General

Target

7b3bddd75effc105077d4f624ed5f3cff3092521a48a07409ae2349ebc02640c.exe
Size

567KB
MD5

fe3229bbd14f818dcf11ae66c574f246
SHA1

443ce1259689bcfabe1eda4fa6e0a77dee414957
SHA256

7b3bddd75effc105077d4f624ed5f3cff3092521a48a07409ae2349ebc02640c
SHA512

d861475c25cb9a3861c19f1fc9f599ed3fbc9bcbf1ba01c31dd16b3e7623bbb70232386b5e85b88e24c05001a2bac0ae8cf60fc602b1e3665fd124d4eec35447
SSDEEP

12288:kMr1y90onZ46HdgkAmTx68TKZN1ci6uf:pyXnxdF9TxgMPuf

Score

10^/10

redline darm discovery infostealer persistence

Malware Config

Extracted

Family

redline

Botnet

darm

C2

217.196.96.56:4138

Attributes

auth_value
d88ac8ccc04ab9979b04b46313db1648

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 2 IoCs

resource	yara_rule
behavioral1/files/0x0008000000023cab-12.dat	family_redline
behavioral1/memory/4776-15-0x0000000000340000-0x0000000000370000-memory.dmp	family_redline

Redline family
redline

Executes dropped EXE 2 IoCs

pid	Process
2356	y4178893.exe
4776	k4843255.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	y4178893.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	7b3bddd75effc105077d4f624ed5f3cff3092521a48a07409ae2349ebc02640c.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7b3bddd75effc105077d4f624ed5f3cff3092521a48a07409ae2349ebc02640c.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	y4178893.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	k4843255.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 4752 wrote to memory of 2356	4752	7b3bddd75effc105077d4f624ed5f3cff3092521a48a07409ae2349ebc02640c.exe	83
PID 4752 wrote to memory of 2356	4752	7b3bddd75effc105077d4f624ed5f3cff3092521a48a07409ae2349ebc02640c.exe	83
PID 4752 wrote to memory of 2356	4752	7b3bddd75effc105077d4f624ed5f3cff3092521a48a07409ae2349ebc02640c.exe	83
PID 2356 wrote to memory of 4776	2356	y4178893.exe	84
PID 2356 wrote to memory of 4776	2356	y4178893.exe	84
PID 2356 wrote to memory of 4776	2356	y4178893.exe	84

C:\Users\Admin\AppData\Local\Temp\7b3bddd75effc105077d4f624ed5f3cff3092521a48a07409ae2349ebc02640c.exe
"C:\Users\Admin\AppData\Local\Temp\7b3bddd75effc105077d4f624ed5f3cff3092521a48a07409ae2349ebc02640c.exe"
1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4752
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y4178893.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y4178893.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2356
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k4843255.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k4843255.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:4776

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y4178893.exe

Filesize
307KB

MD5
66e3f729cfeba25345c8aed978a220f6

SHA1
12da9a876cae88c5f3c067b5482f290922fe9625

SHA256
ae3c5711ef8a9cab2f4d9aecca88052c2a476359a4a1558d549ed359eb466b74

SHA512
963c30f86656318b5d44dcecb0812720385a412ccbe9efadababf551d2d433616dea0be9e397a31e8c101fbad69e155e8a36a4063b237efc391442a8fb5ef21b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k4843255.exe

Filesize
168KB

MD5
d5a70e9c0a50f0358fe1cac71558fc42

SHA1
ef225b6949bf63efb8cae47d3b5eb4ab17a46612

SHA256
7d363509e65f1ae8e81d5795d052f71973498bf397d13c100a38da41e9b1de68

SHA512
5ce2ff6bea6bb741562da0ac4bd2a9c6f39a1f34a1b7565b81122fa8a939e06cfa0c37dd2397fd9c45a110d46846e50a08be49fbe449e92a49fe9c380c27038f

Download Submit
memory/4776-14-0x000000007493E000-0x000000007493F000-memory.dmp

Filesize
4KB

Download
memory/4776-15-0x0000000000340000-0x0000000000370000-memory.dmp

Filesize
192KB

Download
memory/4776-16-0x0000000004C60000-0x0000000004C66000-memory.dmp

Filesize
24KB

Download
memory/4776-17-0x000000000A790000-0x000000000ADA8000-memory.dmp

Filesize
6.1MB

Download
memory/4776-18-0x000000000A2F0000-0x000000000A3FA000-memory.dmp

Filesize
1.0MB

Download
memory/4776-19-0x000000000A220000-0x000000000A232000-memory.dmp

Filesize
72KB

Download
memory/4776-20-0x0000000074930000-0x00000000750E0000-memory.dmp

Filesize
7.7MB

Download
memory/4776-21-0x000000000A280000-0x000000000A2BC000-memory.dmp

Filesize
240KB

Download
memory/4776-22-0x0000000002610000-0x000000000265C000-memory.dmp

Filesize
304KB

Download
memory/4776-23-0x000000007493E000-0x000000007493F000-memory.dmp

Filesize
4KB

Download
memory/4776-24-0x0000000074930000-0x00000000750E0000-memory.dmp

Filesize
7.7MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads