redline | 33e4a4b7324d07b7822898341f1ec228e203752bd76fa02d875f8c3b594fc44d

General

Target

33e4a4b7324d07b7822898341f1ec228e203752bd76fa02d875f8c3b594fc44d.exe
Size

479KB
MD5

2f6a263f0ec86f2b68a6b076e2bf9aa7
SHA1

8a725c5f5c9f663b8dcc47261b81fe5a8f1b522d
SHA256

33e4a4b7324d07b7822898341f1ec228e203752bd76fa02d875f8c3b594fc44d
SHA512

81b373b3ac1e7811b1fe3f92a818699dd599a14cc00d7520c44e1737308b089a30cc391ed46862570a6d99b7828824e317475635b450467fadeb22eac1ebd0d8
SSDEEP

12288:QMrwy90Y7yEq9svNkd/sL0rDidfcLT1qR:wyv2ylEsLg08+

Score

10^/10

redline dariy discovery infostealer persistence

Malware Config

Extracted

Family

redline

Botnet

dariy

C2

217.196.96.101:4132

Attributes

auth_value
2f34aa0d1cb1023a826825b68ebedcc8

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 2 IoCs

resource	yara_rule
behavioral1/files/0x0008000000023ca2-12.dat	family_redline
behavioral1/memory/5108-15-0x0000000000620000-0x000000000064E000-memory.dmp	family_redline

Redline family
redline

Executes dropped EXE 2 IoCs

pid	Process
4904	x9039323.exe
5108	g0692913.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	33e4a4b7324d07b7822898341f1ec228e203752bd76fa02d875f8c3b594fc44d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	x9039323.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	33e4a4b7324d07b7822898341f1ec228e203752bd76fa02d875f8c3b594fc44d.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	x9039323.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	g0692913.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 3296 wrote to memory of 4904	3296	33e4a4b7324d07b7822898341f1ec228e203752bd76fa02d875f8c3b594fc44d.exe	84
PID 3296 wrote to memory of 4904	3296	33e4a4b7324d07b7822898341f1ec228e203752bd76fa02d875f8c3b594fc44d.exe	84
PID 3296 wrote to memory of 4904	3296	33e4a4b7324d07b7822898341f1ec228e203752bd76fa02d875f8c3b594fc44d.exe	84
PID 4904 wrote to memory of 5108	4904	x9039323.exe	85
PID 4904 wrote to memory of 5108	4904	x9039323.exe	85
PID 4904 wrote to memory of 5108	4904	x9039323.exe	85

C:\Users\Admin\AppData\Local\Temp\33e4a4b7324d07b7822898341f1ec228e203752bd76fa02d875f8c3b594fc44d.exe
"C:\Users\Admin\AppData\Local\Temp\33e4a4b7324d07b7822898341f1ec228e203752bd76fa02d875f8c3b594fc44d.exe"
1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3296
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x9039323.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x9039323.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4904
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g0692913.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g0692913.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:5108

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x9039323.exe

Filesize
307KB

MD5
c48da00787bcac4a4ee633c7b29575c2

SHA1
412c18e485b5dc3d8e80f300cfc36abdae5114f3

SHA256
d541026fa19cf92d9cf1ab4d8247a8b5979525b46aadc40464a5c14e34aab1e2

SHA512
afde137ec0dd505708e50ef47c5f75d03792329cf75607341f1a5028d894c9309d9eb6d6f3b87238c964d165d3cf9ca00d607187721b921c3c6d70a33a07b7ad

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g0692913.exe

Filesize
168KB

MD5
8469c7060b9e6ecf8e59c9f87cd967d7

SHA1
bfb23a7f0bfc4935d3654fbb352a2683e5bc4408

SHA256
77c1960da7a7e252c6ede19453d258c1b8cc17a40e7125c3cb08971f20f0a054

SHA512
6f0c262863fa75afaded3324cca410cc0b42702a6b241841b752b6d4dba277d5b640c410ff0781c21e8b01878109b38b36cf217358d69fcb08b25c845c3669ed

Download Submit
memory/5108-14-0x000000007441E000-0x000000007441F000-memory.dmp

Filesize
4KB

Download
memory/5108-15-0x0000000000620000-0x000000000064E000-memory.dmp

Filesize
184KB

Download
memory/5108-16-0x0000000002880000-0x0000000002886000-memory.dmp

Filesize
24KB

Download
memory/5108-17-0x000000000AA60000-0x000000000B078000-memory.dmp

Filesize
6.1MB

Download
memory/5108-18-0x000000000A5D0000-0x000000000A6DA000-memory.dmp

Filesize
1.0MB

Download
memory/5108-19-0x000000000A500000-0x000000000A512000-memory.dmp

Filesize
72KB

Download
memory/5108-21-0x0000000074410000-0x0000000074BC0000-memory.dmp

Filesize
7.7MB

Download
memory/5108-20-0x000000000A560000-0x000000000A59C000-memory.dmp

Filesize
240KB

Download
memory/5108-22-0x0000000004A70000-0x0000000004ABC000-memory.dmp

Filesize
304KB

Download
memory/5108-23-0x000000007441E000-0x000000007441F000-memory.dmp

Filesize
4KB

Download
memory/5108-24-0x0000000074410000-0x0000000074BC0000-memory.dmp

Filesize
7.7MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads