redline | a654bb4ea84b0672f08f8f55446768cbd19cb6591d24083c52dad79cc8435f23

General

Target

a654bb4ea84b0672f08f8f55446768cbd19cb6591d24083c52dad79cc8435f23.exe
Size

479KB
MD5

c8874dfad5b5c66af668c96187e6442e
SHA1

ba160bd09471aaf8aaadb000c23887debec44db1
SHA256

a654bb4ea84b0672f08f8f55446768cbd19cb6591d24083c52dad79cc8435f23
SHA512

28d5e312dce7828a792f0bc124b3f56ea02595083c3af7e671d1d0e9ef932a11d8173b0e4afcaae5b9b51e19be0549bbaadc9e27bcaeb3c725eb664721ab2e7c
SSDEEP

12288:RMr7y90WBAsZriQ6EEG8HY+iL7v6aRWqu8JuV/xXW:ayzAsZm9g84Tj6k1FJuV/xXW

Score

10^/10

redline divan discovery infostealer persistence

Malware Config

Extracted

Family

redline

Botnet

divan

C2

217.196.96.102:4132

Attributes

auth_value
b414986bebd7f5a3ec9aee0341b8e769

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 2 IoCs

resource	yara_rule
behavioral1/files/0x0009000000023c32-12.dat	family_redline
behavioral1/memory/4284-15-0x0000000000E30000-0x0000000000E5E000-memory.dmp	family_redline

Redline family
redline

Executes dropped EXE 2 IoCs

pid	Process
1176	x4040055.exe
4284	g0016629.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	a654bb4ea84b0672f08f8f55446768cbd19cb6591d24083c52dad79cc8435f23.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	x4040055.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a654bb4ea84b0672f08f8f55446768cbd19cb6591d24083c52dad79cc8435f23.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	x4040055.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	g0016629.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 4812 wrote to memory of 1176	4812	a654bb4ea84b0672f08f8f55446768cbd19cb6591d24083c52dad79cc8435f23.exe	83
PID 4812 wrote to memory of 1176	4812	a654bb4ea84b0672f08f8f55446768cbd19cb6591d24083c52dad79cc8435f23.exe	83
PID 4812 wrote to memory of 1176	4812	a654bb4ea84b0672f08f8f55446768cbd19cb6591d24083c52dad79cc8435f23.exe	83
PID 1176 wrote to memory of 4284	1176	x4040055.exe	84
PID 1176 wrote to memory of 4284	1176	x4040055.exe	84
PID 1176 wrote to memory of 4284	1176	x4040055.exe	84

C:\Users\Admin\AppData\Local\Temp\a654bb4ea84b0672f08f8f55446768cbd19cb6591d24083c52dad79cc8435f23.exe
"C:\Users\Admin\AppData\Local\Temp\a654bb4ea84b0672f08f8f55446768cbd19cb6591d24083c52dad79cc8435f23.exe"
1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4812
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x4040055.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x4040055.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1176
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g0016629.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g0016629.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:4284

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x4040055.exe

Filesize
307KB

MD5
123103a7278f51ee6d47939ea8f1b438

SHA1
57dd6efcbe80fd3750ee4a0c740aea279a1ffa8f

SHA256
47722f8fcc7f3063ddf0181699214661ab30289089ac5a0ebeed504755e518ea

SHA512
43d3f068c97daa0678a0f290314ad6b637be7d9acc940706d89dec834b16a920b75e2ae127331514c31c8838c7a145ba0c5c6475a53561b78d39730bdbfc8bbb

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g0016629.exe

Filesize
168KB

MD5
3d42d0dc0396604e0381c15bddf1e6be

SHA1
0e51a1fbf14506b211e831ba968708564bbc31ae

SHA256
1c37ee82aafe00aa63617f0739e4370f9868d721a1dd69e6cdf656df0818e93b

SHA512
b8f947aec3e362bd2dacda91b1af98a89e11bb13729b63d6ddef53d2be1156b39260a9ff4c2ef9b30c560ceec30559ac956d0dba0ed4da2c650d78006bc02190

Download Submit
memory/4284-14-0x00000000747BE000-0x00000000747BF000-memory.dmp

Filesize
4KB

Download
memory/4284-15-0x0000000000E30000-0x0000000000E5E000-memory.dmp

Filesize
184KB

Download
memory/4284-16-0x0000000003220000-0x0000000003226000-memory.dmp

Filesize
24KB

Download
memory/4284-17-0x0000000005EA0000-0x00000000064B8000-memory.dmp

Filesize
6.1MB

Download
memory/4284-18-0x00000000059C0000-0x0000000005ACA000-memory.dmp

Filesize
1.0MB

Download
memory/4284-19-0x00000000058F0000-0x0000000005902000-memory.dmp

Filesize
72KB

Download
memory/4284-20-0x0000000005950000-0x000000000598C000-memory.dmp

Filesize
240KB

Download
memory/4284-21-0x00000000747B0000-0x0000000074F60000-memory.dmp

Filesize
7.7MB

Download
memory/4284-22-0x0000000005AD0000-0x0000000005B1C000-memory.dmp

Filesize
304KB

Download
memory/4284-23-0x00000000747BE000-0x00000000747BF000-memory.dmp

Filesize
4KB

Download
memory/4284-24-0x00000000747B0000-0x0000000074F60000-memory.dmp

Filesize
7.7MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads