redline | 66b1207ca5f75785cca90d85d7d547857e41f342b5a8d3bd3f26c4356caf55b2

General

Target

66b1207ca5f75785cca90d85d7d547857e41f342b5a8d3bd3f26c4356caf55b2.exe
Size

1.1MB
MD5

9875a70a4089f50591d8e3cfc265c6fa
SHA1

50fea92e5ad909305ad035afe4bfe331b8b1c7dd
SHA256

66b1207ca5f75785cca90d85d7d547857e41f342b5a8d3bd3f26c4356caf55b2
SHA512

d20a28eeeb054d9716917c2aa5a214f342c5afa23d67e9a1ae7cd8135acc2abb9bfcb233cd1278022545c19a8d3bfbc3ab612afe55b0f1e595a1dd6791c598ea
SSDEEP

24576:kyQYeG+EkmDbp+KXWJr7lip6GbntRtdjtfkshRO64fR+hj:zLLJz8KGJVYr16p+h

Score

10^/10

redline dizan discovery infostealer persistence

Malware Config

Extracted

Family

redline

Botnet

dizan

C2

185.161.248.75:4132

Attributes

auth_value
b14d665c7bca8407646527036302d70c

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 2 IoCs

resource	yara_rule
behavioral1/files/0x0008000000023cc3-19.dat	family_redline
behavioral1/memory/2800-21-0x00000000009E0000-0x0000000000A0A000-memory.dmp	family_redline

Redline family
redline

Executes dropped EXE 3 IoCs

pid	Process
972	x0230335.exe
4856	x4996582.exe
2800	f4085456.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	66b1207ca5f75785cca90d85d7d547857e41f342b5a8d3bd3f26c4356caf55b2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	x0230335.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	x4996582.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	66b1207ca5f75785cca90d85d7d547857e41f342b5a8d3bd3f26c4356caf55b2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	x0230335.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	x4996582.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f4085456.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 856 wrote to memory of 972	856	66b1207ca5f75785cca90d85d7d547857e41f342b5a8d3bd3f26c4356caf55b2.exe	85
PID 856 wrote to memory of 972	856	66b1207ca5f75785cca90d85d7d547857e41f342b5a8d3bd3f26c4356caf55b2.exe	85
PID 856 wrote to memory of 972	856	66b1207ca5f75785cca90d85d7d547857e41f342b5a8d3bd3f26c4356caf55b2.exe	85
PID 972 wrote to memory of 4856	972	x0230335.exe	86
PID 972 wrote to memory of 4856	972	x0230335.exe	86
PID 972 wrote to memory of 4856	972	x0230335.exe	86
PID 4856 wrote to memory of 2800	4856	x4996582.exe	88
PID 4856 wrote to memory of 2800	4856	x4996582.exe	88
PID 4856 wrote to memory of 2800	4856	x4996582.exe	88

C:\Users\Admin\AppData\Local\Temp\66b1207ca5f75785cca90d85d7d547857e41f342b5a8d3bd3f26c4356caf55b2.exe
"C:\Users\Admin\AppData\Local\Temp\66b1207ca5f75785cca90d85d7d547857e41f342b5a8d3bd3f26c4356caf55b2.exe"
1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:856
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x0230335.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x0230335.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:972
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x4996582.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x4996582.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:4856
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\f4085456.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\f4085456.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:2800

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x0230335.exe

Filesize
751KB

MD5
cac8598c1e2664f8bc66bb7f13f9edd1

SHA1
92a6230469525834ce586f93b48a1518d0f074f8

SHA256
56c9b7c65d84910b23332b18899cdc38734434c7b76f36ce9066d633b82f57f3

SHA512
73a5753084e6ee1c079c0e809cb28a6e6104207d11e29260ebfcfb4c8679dce851117c46c5a70996bd155c2e1474e5d3ab948861468e00812e0dc2a527b826fc

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x4996582.exe

Filesize
305KB

MD5
bdb5cac2da07eb6d52d09e6a62c2fdb0

SHA1
9a042c3cf28bdaf9de7aeba5213f59b8b5f86db2

SHA256
2cb3649406e693d9c2499e171861a03c7072a0892dc221bc09755f0024db21b9

SHA512
4678390812ba6d7c138ee5e7921bba1d8a57d7d2d6a49fbeaf491eb95350b2b6c1e6b7631ba546a1a6effb32acc57c27ff79a9f6c6654fec7c41a6b40c4beadb

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\f4085456.exe

Filesize
145KB

MD5
467e7d22d42273631001450407bcfd8f

SHA1
11c3bada94a7d4c107ae43801949f606d66f4d44

SHA256
e5e249ce8f59ba377c273026a757d20c1750556a212ace01c6273cb856afe101

SHA512
e8a5c5b9f03e685a16eac833b79faacc30d61cfa47510a951c72c681170a92ddaf9aa3c168bcbbc3daf220cb9c3a51d30a3fc96755d3b70d23359da3883ab6c7

Download Submit
memory/2800-21-0x00000000009E0000-0x0000000000A0A000-memory.dmp

Filesize
168KB

Download
memory/2800-22-0x00000000057F0000-0x0000000005E08000-memory.dmp

Filesize
6.1MB

Download
memory/2800-23-0x0000000005370000-0x000000000547A000-memory.dmp

Filesize
1.0MB

Download
memory/2800-24-0x00000000052A0000-0x00000000052B2000-memory.dmp

Filesize
72KB

Download
memory/2800-25-0x0000000005320000-0x000000000535C000-memory.dmp

Filesize
240KB

Download
memory/2800-26-0x0000000005480000-0x00000000054CC000-memory.dmp

Filesize
304KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads