redline | 49355a53aea2cc14545d6aef2c5ace67c3638eb3e2c4f26e1f2b2e890bcaadd4

General

Target

49355a53aea2cc14545d6aef2c5ace67c3638eb3e2c4f26e1f2b2e890bcaadd4.exe
Size

479KB
MD5

d930dec26163c0c3e8caba4014435d2b
SHA1

97337f9da1aefd6fd0799066e6a609c913e1f6f5
SHA256

49355a53aea2cc14545d6aef2c5ace67c3638eb3e2c4f26e1f2b2e890bcaadd4
SHA512

129bef481acc2d7068f72c43ee77f0864a9f2c9ec6e137e4508cd2fd113831f2cde46d4ac17a7e048349afc7fcb34311a293ac15d1c6b1378bf971bd4aa005be
SSDEEP

6144:Kwy+bnr+3p0yN90QEbakbxXXoasnkfjVIIkZ3ioBOLXvuHAo25e5CXI/jXAyR971:MMrPy90x9X3aIM3gr45vxRhyk2gsnu

Score

10^/10

redline dumud discovery infostealer persistence

Malware Config

Extracted

Family

redline

Botnet

dumud

C2

217.196.96.101:4132

Attributes

auth_value
3e18d4b90418aa3e78d8822e87c62f5c

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 2 IoCs

resource	yara_rule
behavioral1/files/0x000b000000023b96-12.dat	family_redline
behavioral1/memory/3572-15-0x00000000001B0000-0x00000000001E0000-memory.dmp	family_redline

Redline family
redline

Executes dropped EXE 2 IoCs

pid	Process
2788	x4326537.exe
3572	g1202367.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	x4326537.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	49355a53aea2cc14545d6aef2c5ace67c3638eb3e2c4f26e1f2b2e890bcaadd4.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	49355a53aea2cc14545d6aef2c5ace67c3638eb3e2c4f26e1f2b2e890bcaadd4.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	x4326537.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	g1202367.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 972 wrote to memory of 2788	972	49355a53aea2cc14545d6aef2c5ace67c3638eb3e2c4f26e1f2b2e890bcaadd4.exe	83
PID 972 wrote to memory of 2788	972	49355a53aea2cc14545d6aef2c5ace67c3638eb3e2c4f26e1f2b2e890bcaadd4.exe	83
PID 972 wrote to memory of 2788	972	49355a53aea2cc14545d6aef2c5ace67c3638eb3e2c4f26e1f2b2e890bcaadd4.exe	83
PID 2788 wrote to memory of 3572	2788	x4326537.exe	84
PID 2788 wrote to memory of 3572	2788	x4326537.exe	84
PID 2788 wrote to memory of 3572	2788	x4326537.exe	84

C:\Users\Admin\AppData\Local\Temp\49355a53aea2cc14545d6aef2c5ace67c3638eb3e2c4f26e1f2b2e890bcaadd4.exe
"C:\Users\Admin\AppData\Local\Temp\49355a53aea2cc14545d6aef2c5ace67c3638eb3e2c4f26e1f2b2e890bcaadd4.exe"
1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:972
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x4326537.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x4326537.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2788
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g1202367.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g1202367.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:3572

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x4326537.exe

Filesize
307KB

MD5
26b41fbae967484c080bcd889a9716d1

SHA1
74061ce8c3215e1bdba09895faa6a8f7495e6cf4

SHA256
f2ba6b8b10e55c0fd70f6c1069711d390f47058761881bbf9106a80c6deffa6d

SHA512
ca3923aa741168004c6076470e21a774c571f6ddd5ab1c62ea51d5d41b8741676030653a26e6368476d7f596bc5090731c7d66ff7bf3d0a14f7595234cc217f5

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g1202367.exe

Filesize
168KB

MD5
9aaff39d721091248b7ab74214959343

SHA1
7ad9271a3772c68ffde6e8f158deb4618b29c7a5

SHA256
14048c68d7eba28cf5fb2253e5052b81bdcaa9cbd5af4fd8ebbedef78eddb538

SHA512
4e6eb38530eaa1987fa7e4377ed5bcbbad95acde0cf06e84e36a03f6f24d3e4f31be7a41b3b77ce4939ec4b185bcb4613e7cc57a99d1998cb0813681b27e2500

Download Submit
memory/3572-14-0x00000000749AE000-0x00000000749AF000-memory.dmp

Filesize
4KB

Download
memory/3572-15-0x00000000001B0000-0x00000000001E0000-memory.dmp

Filesize
192KB

Download
memory/3572-16-0x0000000004B10000-0x0000000004B16000-memory.dmp

Filesize
24KB

Download
memory/3572-17-0x000000000A690000-0x000000000ACA8000-memory.dmp

Filesize
6.1MB

Download
memory/3572-18-0x000000000A180000-0x000000000A28A000-memory.dmp

Filesize
1.0MB

Download
memory/3572-19-0x000000000A090000-0x000000000A0A2000-memory.dmp

Filesize
72KB

Download
memory/3572-21-0x00000000749A0000-0x0000000075150000-memory.dmp

Filesize
7.7MB

Download
memory/3572-20-0x000000000A0F0000-0x000000000A12C000-memory.dmp

Filesize
240KB

Download
memory/3572-22-0x00000000045D0000-0x000000000461C000-memory.dmp

Filesize
304KB

Download
memory/3572-23-0x00000000749AE000-0x00000000749AF000-memory.dmp

Filesize
4KB

Download
memory/3572-24-0x00000000749A0000-0x0000000075150000-memory.dmp

Filesize
7.7MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads