redline | 19ba81305f49ec9c5d2810e89f7f03a2dc4c989d589c888bf716e1e5104b9620

General

Target

19ba81305f49ec9c5d2810e89f7f03a2dc4c989d589c888bf716e1e5104b9620.exe
Size

479KB
MD5

1259f8c92ea8397cb6e42cd8cd9f09c2
SHA1

e7a836cbadf53a6937a0ae0eac9e93ca7d8c5cd0
SHA256

19ba81305f49ec9c5d2810e89f7f03a2dc4c989d589c888bf716e1e5104b9620
SHA512

87a7640a9d89ff723ff41ab16dec26d29d223b6138cd54d897f2b3bd1bcb8560a0f57e9b448b8c7d5055f5513654f4a0b942b6f79ea9acf8a9c2c8b4903b108b
SSDEEP

12288:mMrKy90386MjnOdtTgRzSqiRcZ8VghJ6zgcdqP:QyWcCs2q4iOUcdG

Score

10^/10

redline divan discovery infostealer persistence

Malware Config

Extracted

Family

redline

Botnet

divan

C2

217.196.96.102:4132

Attributes

auth_value
b414986bebd7f5a3ec9aee0341b8e769

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 2 IoCs

resource	yara_rule
behavioral1/files/0x0008000000023ca1-12.dat	family_redline
behavioral1/memory/1568-15-0x0000000000820000-0x000000000084E000-memory.dmp	family_redline

Redline family
redline

Executes dropped EXE 2 IoCs

pid	Process
1272	x8631375.exe
1568	g5845085.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	19ba81305f49ec9c5d2810e89f7f03a2dc4c989d589c888bf716e1e5104b9620.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	x8631375.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	x8631375.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	g5845085.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	19ba81305f49ec9c5d2810e89f7f03a2dc4c989d589c888bf716e1e5104b9620.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 2880 wrote to memory of 1272	2880	19ba81305f49ec9c5d2810e89f7f03a2dc4c989d589c888bf716e1e5104b9620.exe	83
PID 2880 wrote to memory of 1272	2880	19ba81305f49ec9c5d2810e89f7f03a2dc4c989d589c888bf716e1e5104b9620.exe	83
PID 2880 wrote to memory of 1272	2880	19ba81305f49ec9c5d2810e89f7f03a2dc4c989d589c888bf716e1e5104b9620.exe	83
PID 1272 wrote to memory of 1568	1272	x8631375.exe	84
PID 1272 wrote to memory of 1568	1272	x8631375.exe	84
PID 1272 wrote to memory of 1568	1272	x8631375.exe	84

C:\Users\Admin\AppData\Local\Temp\19ba81305f49ec9c5d2810e89f7f03a2dc4c989d589c888bf716e1e5104b9620.exe
"C:\Users\Admin\AppData\Local\Temp\19ba81305f49ec9c5d2810e89f7f03a2dc4c989d589c888bf716e1e5104b9620.exe"
1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2880
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x8631375.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x8631375.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1272
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g5845085.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g5845085.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:1568

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x8631375.exe

Filesize
307KB

MD5
4d8344f4e9d795399ec49df0a79684ab

SHA1
81a3467fcca1876a351e9b251862712bc8414ac1

SHA256
9700f0bcb6096a5c30961dda3ee539ebf88d9e02f05d6408ab19c107110a0094

SHA512
0e220352cbc6dd289bb31ed89cd156c6d0203cbbe8c875a82a689f7202e09e642888f48ee804c3241662e11aa1788b86b51476f54d0166336b674818c6603fbf

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g5845085.exe

Filesize
168KB

MD5
8715d5a14bc0fb64073d77e1855a59f7

SHA1
4bccbb3a1e6239a8834270507997482da6327c3a

SHA256
defc8fba961782d3cfc49e25b9970a5f16fdaade7c98588ffe8b3ffb65b9d62d

SHA512
215de2e5e1aab3e59ce7209cfb306bbffa1bf3c88828b2768a6c78caf438e391da3d5bd07b1eddad978a6f92c4c75d6cc250a7312f074c0df7dac5902fc16c0b

Download Submit
memory/1568-14-0x00000000746EE000-0x00000000746EF000-memory.dmp

Filesize
4KB

Download
memory/1568-15-0x0000000000820000-0x000000000084E000-memory.dmp

Filesize
184KB

Download
memory/1568-16-0x0000000002A70000-0x0000000002A76000-memory.dmp

Filesize
24KB

Download
memory/1568-17-0x00000000057E0000-0x0000000005DF8000-memory.dmp

Filesize
6.1MB

Download
memory/1568-18-0x00000000052D0000-0x00000000053DA000-memory.dmp

Filesize
1.0MB

Download
memory/1568-19-0x0000000005190000-0x00000000051A2000-memory.dmp

Filesize
72KB

Download
memory/1568-21-0x00000000746E0000-0x0000000074E90000-memory.dmp

Filesize
7.7MB

Download
memory/1568-20-0x0000000005200000-0x000000000523C000-memory.dmp

Filesize
240KB

Download
memory/1568-22-0x0000000005250000-0x000000000529C000-memory.dmp

Filesize
304KB

Download
memory/1568-23-0x00000000746EE000-0x00000000746EF000-memory.dmp

Filesize
4KB

Download
memory/1568-24-0x00000000746E0000-0x0000000074E90000-memory.dmp

Filesize
7.7MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads