redline | f695e647ab0629c91106452e581aad62cadd1dc70bfe7d06e3c6e7242d56abc3

General

Target

f695e647ab0629c91106452e581aad62cadd1dc70bfe7d06e3c6e7242d56abc3.exe
Size

874KB
MD5

904efa646fc488d033278c3f41c6b417
SHA1

b4a48616721006d7410096cb30c43dd9e40448d4
SHA256

f695e647ab0629c91106452e581aad62cadd1dc70bfe7d06e3c6e7242d56abc3
SHA512

7d6bb25d97af9df757a714e885ee2bb67c876b2e4b72b7b9704a25cd232af5252886bcafe5750327ac2b4276c6b505b2218a2929a1956e1ba6e14fd38e233ca8
SSDEEP

12288:pMrRy90f0fYbkniFF6HCntDTGv6mneYqQE0ScsnUI7q2I3cAd3Mc2d82AwMDEk6b:4yo0PiFQHC5T2zEasBusu2d9AwMDtUr

Score

10^/10

redline dimas discovery infostealer persistence

Malware Config

Extracted

Family

redline

Botnet

dimas

C2

185.161.248.75:4132

Attributes

auth_value
a5db9b1c53c704e612bccc93ccdb5539

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 2 IoCs

resource	yara_rule
behavioral1/files/0x0008000000023c79-19.dat	family_redline
behavioral1/memory/1936-21-0x0000000000BF0000-0x0000000000C1A000-memory.dmp	family_redline

Redline family
redline

Executes dropped EXE 3 IoCs

pid	Process
1376	x6152510.exe
2572	x4204127.exe
1936	f7328863.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	f695e647ab0629c91106452e581aad62cadd1dc70bfe7d06e3c6e7242d56abc3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	x6152510.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	x4204127.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f7328863.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f695e647ab0629c91106452e581aad62cadd1dc70bfe7d06e3c6e7242d56abc3.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	x6152510.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	x4204127.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 1560 wrote to memory of 1376	1560	f695e647ab0629c91106452e581aad62cadd1dc70bfe7d06e3c6e7242d56abc3.exe	83
PID 1560 wrote to memory of 1376	1560	f695e647ab0629c91106452e581aad62cadd1dc70bfe7d06e3c6e7242d56abc3.exe	83
PID 1560 wrote to memory of 1376	1560	f695e647ab0629c91106452e581aad62cadd1dc70bfe7d06e3c6e7242d56abc3.exe	83
PID 1376 wrote to memory of 2572	1376	x6152510.exe	84
PID 1376 wrote to memory of 2572	1376	x6152510.exe	84
PID 1376 wrote to memory of 2572	1376	x6152510.exe	84
PID 2572 wrote to memory of 1936	2572	x4204127.exe	85
PID 2572 wrote to memory of 1936	2572	x4204127.exe	85
PID 2572 wrote to memory of 1936	2572	x4204127.exe	85

C:\Users\Admin\AppData\Local\Temp\f695e647ab0629c91106452e581aad62cadd1dc70bfe7d06e3c6e7242d56abc3.exe
"C:\Users\Admin\AppData\Local\Temp\f695e647ab0629c91106452e581aad62cadd1dc70bfe7d06e3c6e7242d56abc3.exe"
1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1560
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x6152510.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x6152510.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1376
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x4204127.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x4204127.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2572
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\f7328863.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\f7328863.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:1936

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x6152510.exe

Filesize
478KB

MD5
69e88c2ea5bf082cb306716997b360e5

SHA1
c781f4d1ec06f28a07af4d1bee93bd858960302c

SHA256
047f119faef59c0c01357f5ad5d516fae188a8e994e905d91d4ebc8304c844c8

SHA512
9d03473c029e2e215301b34d61d0fe44c2bf7172e31d0e64933641a675babd525661f98b6581832e84393219e019b8541c3c1783af80fec62482a1da1246f19a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x4204127.exe

Filesize
306KB

MD5
19130eaa61cbd72db23bad9e04ebfced

SHA1
752a75cf5919a332242b1b18da9657118eb356d2

SHA256
e104ce2163b0c7ab4df1e3ce429d4c9b4b2a948f1ae9d9bbfa97464a25fe487a

SHA512
8e870d5b5754778d957335479545bab2f2412d580ddac728426f51af559932c0cf6dac9b3555e1d1b4c7a94c644335688f82d7dd0a7fa1d9323e20a292b8a2ac

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\f7328863.exe

Filesize
145KB

MD5
387ab8a0bdfbd57b7bd2ed64ce490a7e

SHA1
66abeb8ef2e93bb1d3ec1fbd92816ad8bc72da1c

SHA256
a9f30d2be1cadd3afc50b94647964fe4e77aece8a5fbd9f972a387d54c8eba53

SHA512
e7fc74d0420bd6653038ebff567cc8ff87f7dae21dc3221dfb1b1293d3711412966cf2ef1a487048c0349bb184e4a800e9a9243fa142c4f229625b6cc1640a95

Download Submit
memory/1936-21-0x0000000000BF0000-0x0000000000C1A000-memory.dmp

Filesize
168KB

Download
memory/1936-22-0x0000000005B40000-0x0000000006158000-memory.dmp

Filesize
6.1MB

Download
memory/1936-23-0x00000000056C0000-0x00000000057CA000-memory.dmp

Filesize
1.0MB

Download
memory/1936-24-0x00000000055F0000-0x0000000005602000-memory.dmp

Filesize
72KB

Download
memory/1936-25-0x0000000005650000-0x000000000568C000-memory.dmp

Filesize
240KB

Download
memory/1936-26-0x00000000057D0000-0x000000000581C000-memory.dmp

Filesize
304KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads