redline | c26239503045e7e73f02b845d4003312af574fbc43adce4aa0aaed9e54e9c1e4

General

Target

c26239503045e7e73f02b845d4003312af574fbc43adce4aa0aaed9e54e9c1e4.exe
Size

479KB
MD5

a965b4a49b8f3edc9d6a25fecb9b88f8
SHA1

3e0ecd0dc2afa7c6a1dbe3e1985f6c67d5dde848
SHA256

c26239503045e7e73f02b845d4003312af574fbc43adce4aa0aaed9e54e9c1e4
SHA512

a1be38f64acf22a4e9c12561713f7781dd3edf23c2653b79d0d56903bb4b5584288a425db8bd396458053a9b6bc1274e59b8f854a3faa5566285b2159348856d
SSDEEP

12288:xMrDy907k6kCViKjm5t2p3Gg/6TL+yqr6Tlbz6VRHR3z8:yyEtHiL30yTL7vzsRI

Score

10^/10

redline ditro discovery infostealer persistence

Malware Config

Extracted

Family

redline

Botnet

ditro

C2

217.196.96.101:4132

Attributes

auth_value
8f24ed370a9b24aa28d3d634ea57912e

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 2 IoCs

resource	yara_rule
behavioral1/files/0x0008000000023cc4-12.dat	family_redline
behavioral1/memory/3292-15-0x0000000000920000-0x0000000000950000-memory.dmp	family_redline

Redline family
redline

Executes dropped EXE 2 IoCs

pid	Process
4656	x5546535.exe
3292	g3117069.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	c26239503045e7e73f02b845d4003312af574fbc43adce4aa0aaed9e54e9c1e4.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	x5546535.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	g3117069.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	c26239503045e7e73f02b845d4003312af574fbc43adce4aa0aaed9e54e9c1e4.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	x5546535.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 3388 wrote to memory of 4656	3388	c26239503045e7e73f02b845d4003312af574fbc43adce4aa0aaed9e54e9c1e4.exe	85
PID 3388 wrote to memory of 4656	3388	c26239503045e7e73f02b845d4003312af574fbc43adce4aa0aaed9e54e9c1e4.exe	85
PID 3388 wrote to memory of 4656	3388	c26239503045e7e73f02b845d4003312af574fbc43adce4aa0aaed9e54e9c1e4.exe	85
PID 4656 wrote to memory of 3292	4656	x5546535.exe	87
PID 4656 wrote to memory of 3292	4656	x5546535.exe	87
PID 4656 wrote to memory of 3292	4656	x5546535.exe	87

C:\Users\Admin\AppData\Local\Temp\c26239503045e7e73f02b845d4003312af574fbc43adce4aa0aaed9e54e9c1e4.exe
"C:\Users\Admin\AppData\Local\Temp\c26239503045e7e73f02b845d4003312af574fbc43adce4aa0aaed9e54e9c1e4.exe"
1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3388
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x5546535.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x5546535.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4656
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g3117069.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g3117069.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:3292

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x5546535.exe

Filesize
307KB

MD5
3a745d60867d4acbc76320a8de43fd19

SHA1
c838a3aef41cead665f5340dcd38e0f6036647c4

SHA256
9b06beb30ed54910b3a080c3e2ac944599bc3a7444c6a8a3938fb36b37a81f6b

SHA512
3e8e6fa65c2827f7f03da50436b3342a7b989240190f88c03328b2788b85f7aeb2de1b3c41236bb97e265cf5d761ca0f348563b442cce69aad65c584a07e3d59

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g3117069.exe

Filesize
168KB

MD5
8ab0636e3d2422f1b3607c59e78a1db8

SHA1
23f6bc33bbd50f10ed04d5bbcc87ef233182a207

SHA256
8c5907a425cf2383c735541e4db45a4f961d2fb27d5257766108131b4aef8556

SHA512
f440f1a7ba4e1a82c33bd8f304e12ebef330aafcca1402b89b99c44c57d6e9c865732c79d4b1b9ea60c2de87d72406b804f07509ecdf02760edaf404203d81b8

Download Submit
memory/3292-14-0x00000000745DE000-0x00000000745DF000-memory.dmp

Filesize
4KB

Download
memory/3292-15-0x0000000000920000-0x0000000000950000-memory.dmp

Filesize
192KB

Download
memory/3292-16-0x0000000005240000-0x0000000005246000-memory.dmp

Filesize
24KB

Download
memory/3292-17-0x000000000AC40000-0x000000000B258000-memory.dmp

Filesize
6.1MB

Download
memory/3292-18-0x000000000A790000-0x000000000A89A000-memory.dmp

Filesize
1.0MB

Download
memory/3292-19-0x000000000A6C0000-0x000000000A6D2000-memory.dmp

Filesize
72KB

Download
memory/3292-20-0x000000000A720000-0x000000000A75C000-memory.dmp

Filesize
240KB

Download
memory/3292-21-0x00000000745D0000-0x0000000074D80000-memory.dmp

Filesize
7.7MB

Download
memory/3292-22-0x0000000004C10000-0x0000000004C5C000-memory.dmp

Filesize
304KB

Download
memory/3292-23-0x00000000745DE000-0x00000000745DF000-memory.dmp

Filesize
4KB

Download
memory/3292-24-0x00000000745D0000-0x0000000074D80000-memory.dmp

Filesize
7.7MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads