redline | 00c69aece80cf1caaedd7a82f77c4f9ed4b237d11a19528fc2d450a4cc76fabe

General

Target

00c69aece80cf1caaedd7a82f77c4f9ed4b237d11a19528fc2d450a4cc76fabe.exe
Size

876KB
MD5

564643469ac8474d7272a0c04ebaab6b
SHA1

fc985967b2bbbf5de7030ae134a47e6d9fc037c5
SHA256

00c69aece80cf1caaedd7a82f77c4f9ed4b237d11a19528fc2d450a4cc76fabe
SHA512

d2103316bfcd44ab1e7b6a18a3bd43c48396b21b01900b06b7192ceaf5752160f637529cd00f16888628dbb00fa0541c52a06711f376853a40c2336b11aed81f
SSDEEP

24576:Dy4BxxVdXOhqILil5oX3tg1zbvIPjJxUJy8HEV:W4v/d+NLi4tgJbv5sgE

Score

10^/10

redline dimas discovery infostealer persistence

Malware Config

Extracted

Family

redline

Botnet

dimas

C2

185.161.248.75:4132

Attributes

auth_value
a5db9b1c53c704e612bccc93ccdb5539

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 2 IoCs

resource	yara_rule
behavioral1/files/0x000c000000023b9e-19.dat	family_redline
behavioral1/memory/4612-21-0x0000000000110000-0x000000000013A000-memory.dmp	family_redline

Redline family
redline

Executes dropped EXE 3 IoCs

pid	Process
3684	x4104492.exe
2220	x4914231.exe
4612	f7868768.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	00c69aece80cf1caaedd7a82f77c4f9ed4b237d11a19528fc2d450a4cc76fabe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	x4104492.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	x4914231.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	x4104492.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	x4914231.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f7868768.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	00c69aece80cf1caaedd7a82f77c4f9ed4b237d11a19528fc2d450a4cc76fabe.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 1720 wrote to memory of 3684	1720	00c69aece80cf1caaedd7a82f77c4f9ed4b237d11a19528fc2d450a4cc76fabe.exe	83
PID 1720 wrote to memory of 3684	1720	00c69aece80cf1caaedd7a82f77c4f9ed4b237d11a19528fc2d450a4cc76fabe.exe	83
PID 1720 wrote to memory of 3684	1720	00c69aece80cf1caaedd7a82f77c4f9ed4b237d11a19528fc2d450a4cc76fabe.exe	83
PID 3684 wrote to memory of 2220	3684	x4104492.exe	84
PID 3684 wrote to memory of 2220	3684	x4104492.exe	84
PID 3684 wrote to memory of 2220	3684	x4104492.exe	84
PID 2220 wrote to memory of 4612	2220	x4914231.exe	86
PID 2220 wrote to memory of 4612	2220	x4914231.exe	86
PID 2220 wrote to memory of 4612	2220	x4914231.exe	86

C:\Users\Admin\AppData\Local\Temp\00c69aece80cf1caaedd7a82f77c4f9ed4b237d11a19528fc2d450a4cc76fabe.exe
"C:\Users\Admin\AppData\Local\Temp\00c69aece80cf1caaedd7a82f77c4f9ed4b237d11a19528fc2d450a4cc76fabe.exe"
1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1720
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x4104492.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x4104492.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3684
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x4914231.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x4914231.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2220
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\f7868768.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\f7868768.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:4612

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x4104492.exe

Filesize
478KB

MD5
349c40d06c4a4b9dff8155b6bd33a054

SHA1
d679afabdd24fb509da6c20cc0770cc4141da400

SHA256
7dfb835b078f8db120534907988d5b6841e716270c4629c16769079dfbb7da13

SHA512
bd56e8afb786a829fae8cb0d43f9d5dda358b0c9a641befb4d4864d8506631b25934fe996cc38b545c5e80ac5fce8a579eada504d9fd25810a7d04b7198dcb0c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x4914231.exe

Filesize
306KB

MD5
9ab3065511fafea4a2b10780bb0401e8

SHA1
7f7c43ca4332aac3004044b13f673a85ab27ee65

SHA256
d6f221051fddf80607e985abae6daa461eec03d619c5f412899902db127a3778

SHA512
18af86bdf0606fa1f42ca3550c8ca3a56d86d8358f43448c8a4bb174651b59a332e98b626b443773593773e0cf4d2c61d081e43595816e985df30329fc659541

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\f7868768.exe

Filesize
145KB

MD5
1087ff79d22b13f312a712b256267047

SHA1
96bf9a404a0492d03a501070b18e37efe1d24fec

SHA256
fb375e2215df6990a14a34d2d5d576c0c6d38c6f38064e6a021e82b083b13c19

SHA512
4368dd8fe4af99ba02a9b318bb5a971ca2487cbc939c93e3a6af6098a91cec26ceec4a67c874d6ffd1b81e480ad5f604d3c9435caaaa655f76e2eb2b8d648548

Download Submit
memory/4612-21-0x0000000000110000-0x000000000013A000-memory.dmp

Filesize
168KB

Download
memory/4612-22-0x0000000004F20000-0x0000000005538000-memory.dmp

Filesize
6.1MB

Download
memory/4612-23-0x0000000004AA0000-0x0000000004BAA000-memory.dmp

Filesize
1.0MB

Download
memory/4612-24-0x00000000049F0000-0x0000000004A02000-memory.dmp

Filesize
72KB

Download
memory/4612-25-0x0000000004A10000-0x0000000004A4C000-memory.dmp

Filesize
240KB

Download
memory/4612-26-0x0000000004A50000-0x0000000004A9C000-memory.dmp

Filesize
304KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads