redline | 27ad0243f221f0bceeb66229e9c46e21024647de65bc90f5e382b6816ad8ffc8

General

Target

27ad0243f221f0bceeb66229e9c46e21024647de65bc90f5e382b6816ad8ffc8.exe
Size

556KB
MD5

6676097d327c9e618258d9f1424cee56
SHA1

87b1c39fb6e3d7e92862066a7c7877c0f6861acd
SHA256

27ad0243f221f0bceeb66229e9c46e21024647de65bc90f5e382b6816ad8ffc8
SHA512

86ddfa41d358e7ab40dd7f14e4a8338c58550774b7cf609674b7eb003a5d52f9021ce053c57192636e162f66f21a1a0975d2268d4b1614a79fbe3ed4c57f4c86
SSDEEP

12288:+Mr2y908ftABu/bh9ZzATaua8F/2FSuVqjnm0//jVrRqq:cyff5/lATauadVqjl//5Rqq

Score

10^/10

redline darm discovery infostealer persistence

Malware Config

Extracted

Family

redline

Botnet

darm

C2

217.196.96.56:4138

Attributes

auth_value
d88ac8ccc04ab9979b04b46313db1648

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 2 IoCs

resource	yara_rule
behavioral1/files/0x0008000000023ca0-12.dat	family_redline
behavioral1/memory/4256-15-0x0000000000040000-0x0000000000070000-memory.dmp	family_redline

Redline family
redline

Executes dropped EXE 2 IoCs

pid	Process
4876	x4967959.exe
4256	g3525379.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	27ad0243f221f0bceeb66229e9c46e21024647de65bc90f5e382b6816ad8ffc8.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	x4967959.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	27ad0243f221f0bceeb66229e9c46e21024647de65bc90f5e382b6816ad8ffc8.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	x4967959.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	g3525379.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 1228 wrote to memory of 4876	1228	27ad0243f221f0bceeb66229e9c46e21024647de65bc90f5e382b6816ad8ffc8.exe	83
PID 1228 wrote to memory of 4876	1228	27ad0243f221f0bceeb66229e9c46e21024647de65bc90f5e382b6816ad8ffc8.exe	83
PID 1228 wrote to memory of 4876	1228	27ad0243f221f0bceeb66229e9c46e21024647de65bc90f5e382b6816ad8ffc8.exe	83
PID 4876 wrote to memory of 4256	4876	x4967959.exe	84
PID 4876 wrote to memory of 4256	4876	x4967959.exe	84
PID 4876 wrote to memory of 4256	4876	x4967959.exe	84

C:\Users\Admin\AppData\Local\Temp\27ad0243f221f0bceeb66229e9c46e21024647de65bc90f5e382b6816ad8ffc8.exe
"C:\Users\Admin\AppData\Local\Temp\27ad0243f221f0bceeb66229e9c46e21024647de65bc90f5e382b6816ad8ffc8.exe"
1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1228
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x4967959.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x4967959.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4876
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g3525379.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g3525379.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:4256

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x4967959.exe

Filesize
384KB

MD5
cac02aa56f16911f4e97f9d8f6d4d6f6

SHA1
30b99709b471b7aa4e1c434cf74be1f23ec5159c

SHA256
386d4d25438a73cf550531d36a4347ba8bdab19ab8612c8bfd5df4f0f291b1f5

SHA512
ff35ce05edd029684995a9f92774b0bd83a3edee21d4ca7579d23340d94c5e65bfed209172d51b84aaf0ebb6a3cdde9fb3488fc02e836b7b1192cf1543d00dcb

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g3525379.exe

Filesize
168KB

MD5
9e795215d2376f3b022e03543b3016ff

SHA1
f1cb1be4c39e0b616383aa96f9a432e90aab6959

SHA256
1b8a4823b5b9934a7ad75d5e97c61f0a30143c0b73e9d50fb92217e24a6263fb

SHA512
e48a024808b36f66b8aeb62d532645f30664ae6c5bc5a5aff30437eced36ddc31b3d76583119af7df854c926a50be91222022f0ccff4a1fc7ed6aaee8bd730f1

Download Submit
memory/4256-14-0x000000007440E000-0x000000007440F000-memory.dmp

Filesize
4KB

Download
memory/4256-15-0x0000000000040000-0x0000000000070000-memory.dmp

Filesize
192KB

Download
memory/4256-16-0x00000000023D0000-0x00000000023D6000-memory.dmp

Filesize
24KB

Download
memory/4256-17-0x000000000A390000-0x000000000A9A8000-memory.dmp

Filesize
6.1MB

Download
memory/4256-18-0x0000000009EB0000-0x0000000009FBA000-memory.dmp

Filesize
1.0MB

Download
memory/4256-19-0x0000000009DE0000-0x0000000009DF2000-memory.dmp

Filesize
72KB

Download
memory/4256-20-0x0000000009E40000-0x0000000009E7C000-memory.dmp

Filesize
240KB

Download
memory/4256-21-0x0000000074400000-0x0000000074BB0000-memory.dmp

Filesize
7.7MB

Download
memory/4256-22-0x00000000021F0000-0x000000000223C000-memory.dmp

Filesize
304KB

Download
memory/4256-23-0x000000007440E000-0x000000007440F000-memory.dmp

Filesize
4KB

Download
memory/4256-24-0x0000000074400000-0x0000000074BB0000-memory.dmp

Filesize
7.7MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads