redline | 894acd8b3c8107fb68ff3fbf2ac9513643ed74132f08d23c8858548e301e0fcb

General

Target

894acd8b3c8107fb68ff3fbf2ac9513643ed74132f08d23c8858548e301e0fcb.exe
Size

479KB
MD5

c84429a913f460ead8e3020e7cebed93
SHA1

fa2215f1188a95e2c07e0a971dc482fd39ec42d5
SHA256

894acd8b3c8107fb68ff3fbf2ac9513643ed74132f08d23c8858548e301e0fcb
SHA512

4f38d9e45d03a89b24481f5fc3c165d256309492884c510e67e4e3a61f06f68eca669d314a8402398837c29ee04b08aa0e7f59107889dfb58975fd6d46deac7c
SSDEEP

12288:TMrqy90TeM1d9XVfZy+V9xycz5uMAQyz0BRAYP:FyYBNZZ4czmkRAYP

Score

10^/10

redline divan discovery infostealer persistence

Malware Config

Extracted

Family

redline

Botnet

divan

C2

217.196.96.102:4132

Attributes

auth_value
b414986bebd7f5a3ec9aee0341b8e769

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 2 IoCs

resource	yara_rule
behavioral1/files/0x000b000000023b92-12.dat	family_redline
behavioral1/memory/4728-15-0x00000000003E0000-0x000000000040E000-memory.dmp	family_redline

Redline family
redline

Executes dropped EXE 2 IoCs

pid	Process
4148	x4742056.exe
4728	g2385599.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	894acd8b3c8107fb68ff3fbf2ac9513643ed74132f08d23c8858548e301e0fcb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	x4742056.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	894acd8b3c8107fb68ff3fbf2ac9513643ed74132f08d23c8858548e301e0fcb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	x4742056.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	g2385599.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 1268 wrote to memory of 4148	1268	894acd8b3c8107fb68ff3fbf2ac9513643ed74132f08d23c8858548e301e0fcb.exe	83
PID 1268 wrote to memory of 4148	1268	894acd8b3c8107fb68ff3fbf2ac9513643ed74132f08d23c8858548e301e0fcb.exe	83
PID 1268 wrote to memory of 4148	1268	894acd8b3c8107fb68ff3fbf2ac9513643ed74132f08d23c8858548e301e0fcb.exe	83
PID 4148 wrote to memory of 4728	4148	x4742056.exe	84
PID 4148 wrote to memory of 4728	4148	x4742056.exe	84
PID 4148 wrote to memory of 4728	4148	x4742056.exe	84

C:\Users\Admin\AppData\Local\Temp\894acd8b3c8107fb68ff3fbf2ac9513643ed74132f08d23c8858548e301e0fcb.exe
"C:\Users\Admin\AppData\Local\Temp\894acd8b3c8107fb68ff3fbf2ac9513643ed74132f08d23c8858548e301e0fcb.exe"
1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1268
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x4742056.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x4742056.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4148
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g2385599.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g2385599.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:4728

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x4742056.exe

Filesize
307KB

MD5
e22edd1e9e9109b1e0284135ae6b7daf

SHA1
19218311ce848a8edcd385711bb03d7a48cd0263

SHA256
0e118fe947b19f2a334bdb15bd6c3654053401f5f624a437d4daf2506e50fca5

SHA512
da26653c5ae57a58aff4da7b72564e6c4245beb469d30d14c9ac9e13a8b81969ce994c5a3f87fc6263aae5c849c5f5d99d3036e9b6914e8c552df0008610ebab

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g2385599.exe

Filesize
168KB

MD5
31a439a2e64f6a2960441281c15ec75d

SHA1
051cea04988c2ddbdd13c57db1ae5864f8b349b4

SHA256
b5f265c11397fa6373569fac627f60ba6609e63584d0058394ba69cfb4adfea0

SHA512
76d027b0e804c5e00ce8ed323f9efc13e512cdaaf407c3a993780e4328c962fd21bfc0c59391d33283f91edb07988f98c88fb4eb11373f0e2eb3e1f4113af21c

Download Submit
memory/4728-14-0x0000000073CEE000-0x0000000073CEF000-memory.dmp

Filesize
4KB

Download
memory/4728-15-0x00000000003E0000-0x000000000040E000-memory.dmp

Filesize
184KB

Download
memory/4728-16-0x0000000002680000-0x0000000002686000-memory.dmp

Filesize
24KB

Download
memory/4728-17-0x000000000A880000-0x000000000AE98000-memory.dmp

Filesize
6.1MB

Download
memory/4728-18-0x000000000A390000-0x000000000A49A000-memory.dmp

Filesize
1.0MB

Download
memory/4728-19-0x000000000A2C0000-0x000000000A2D2000-memory.dmp

Filesize
72KB

Download
memory/4728-20-0x0000000073CE0000-0x0000000074490000-memory.dmp

Filesize
7.7MB

Download
memory/4728-21-0x000000000A320000-0x000000000A35C000-memory.dmp

Filesize
240KB

Download
memory/4728-22-0x00000000026C0000-0x000000000270C000-memory.dmp

Filesize
304KB

Download
memory/4728-23-0x0000000073CEE000-0x0000000073CEF000-memory.dmp

Filesize
4KB

Download
memory/4728-24-0x0000000073CE0000-0x0000000074490000-memory.dmp

Filesize
7.7MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads