redline | af13c261b6153e2fc310dd137236f9b83875c59128d0be78193b31a70db7573c

General

Target

af13c261b6153e2fc310dd137236f9b83875c59128d0be78193b31a70db7573c.exe
Size

993KB
MD5

e01bd22ea0b25ffb5d7f722c1eff8164
SHA1

29712e60decc9479a64ae525518e87fdebcef707
SHA256

af13c261b6153e2fc310dd137236f9b83875c59128d0be78193b31a70db7573c
SHA512

1419023d79a22c80252e2d6b255edcb166e8d8b6066f0fea7faf60e6e70523419f3380ede4895989cd962a8cd80faf3b116153ebe239adeff90c86a624053051
SSDEEP

24576:yyURNHWE4HMSgat9gAnSMFZ5ClouF83hwUlZVRCYYWn:ZCxwMQ2ebFGouF0hwUlIY

Score

10^/10

redline diora discovery infostealer persistence

Malware Config

Extracted

Family

redline

Botnet

diora

C2

185.161.248.75:4132

Attributes

auth_value
4c17e0c4a574a5b11a6e41e692dedcb3

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 2 IoCs

resource	yara_rule
behavioral1/files/0x0032000000023b72-19.dat	family_redline
behavioral1/memory/4268-21-0x0000000000DC0000-0x0000000000DEA000-memory.dmp	family_redline

Redline family
redline

Executes dropped EXE 3 IoCs

pid	Process
2756	x7179312.exe
5016	x2425512.exe
4268	f1676155.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	af13c261b6153e2fc310dd137236f9b83875c59128d0be78193b31a70db7573c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	x7179312.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	x2425512.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	x7179312.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	x2425512.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f1676155.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	af13c261b6153e2fc310dd137236f9b83875c59128d0be78193b31a70db7573c.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 3444 wrote to memory of 2756	3444	af13c261b6153e2fc310dd137236f9b83875c59128d0be78193b31a70db7573c.exe	84
PID 3444 wrote to memory of 2756	3444	af13c261b6153e2fc310dd137236f9b83875c59128d0be78193b31a70db7573c.exe	84
PID 3444 wrote to memory of 2756	3444	af13c261b6153e2fc310dd137236f9b83875c59128d0be78193b31a70db7573c.exe	84
PID 2756 wrote to memory of 5016	2756	x7179312.exe	86
PID 2756 wrote to memory of 5016	2756	x7179312.exe	86
PID 2756 wrote to memory of 5016	2756	x7179312.exe	86
PID 5016 wrote to memory of 4268	5016	x2425512.exe	87
PID 5016 wrote to memory of 4268	5016	x2425512.exe	87
PID 5016 wrote to memory of 4268	5016	x2425512.exe	87

C:\Users\Admin\AppData\Local\Temp\af13c261b6153e2fc310dd137236f9b83875c59128d0be78193b31a70db7573c.exe
"C:\Users\Admin\AppData\Local\Temp\af13c261b6153e2fc310dd137236f9b83875c59128d0be78193b31a70db7573c.exe"
1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3444
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x7179312.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x7179312.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2756
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x2425512.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x2425512.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:5016
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\f1676155.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\f1676155.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:4268

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x7179312.exe

Filesize
597KB

MD5
0c0e394c74416952135fd8c1c8550575

SHA1
de5a72c10c492f681332b3fdda95b261f4e3edd9

SHA256
83e23fe7a618d9f91da4c2cad1f7f5fdc05fece54be28f2040895200e7c30b73

SHA512
a15a149663aefb48f5ebf9f1b6cb8885ac2f9bed010a23acfc527539d4517e3a66cde13f78a90260f69821761953aab7382aa5e3d7810e3c80c62b3a311bfe4d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x2425512.exe

Filesize
426KB

MD5
99175de4629908db81fc456e89544e36

SHA1
5e2f015002e0d3f59ff02d3221c99409f4f28630

SHA256
2873be5e2ed59bec21d0ce319db221471dc7e675452dbb6faa9d5d56eba480cd

SHA512
eb75a03e9979dc91f0a7e1c53aa301a880f769648c43a560b388cd7609630362efbffa79ae1ebd2acaa7fe20686d425bbf7f5c7a7f3c7e59d3f3b73b002fa773

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\f1676155.exe

Filesize
145KB

MD5
3165bec2d3f53e9dc32192380d12f306

SHA1
db267aa4970e5a096aa65f45648403fa364a5141

SHA256
f07fe9ca0f8ae09aef8b68a4edf7325f5200fb6f5306d751ea0aaa38f7452955

SHA512
e501e031b14beb947208e69f3f01872e4be736b53033e64b4dcc17856c5d1a904d76ac1816c7aac5d583c56152a0efa099df03580b3a9b1a653d262f3a3fe861

Download Submit
memory/4268-21-0x0000000000DC0000-0x0000000000DEA000-memory.dmp

Filesize
168KB

Download
memory/4268-22-0x0000000005BE0000-0x00000000061F8000-memory.dmp

Filesize
6.1MB

Download
memory/4268-23-0x0000000005740000-0x000000000584A000-memory.dmp

Filesize
1.0MB

Download
memory/4268-24-0x0000000005670000-0x0000000005682000-memory.dmp

Filesize
72KB

Download
memory/4268-25-0x00000000056E0000-0x000000000571C000-memory.dmp

Filesize
240KB

Download
memory/4268-26-0x0000000005850000-0x000000000589C000-memory.dmp

Filesize
304KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads