redline | f95e1c1618ded394d2dbf84fc637edf71d3d9197a70cddebcede0c8460ebfb1a

General

Target

f95e1c1618ded394d2dbf84fc637edf71d3d9197a70cddebcede0c8460ebfb1a.exe
Size

587KB
MD5

0c4463b97da636848bb35ad674006461
SHA1

b4feb5969ee0ad757a5c2d8c25cc7355ffa8846b
SHA256

f95e1c1618ded394d2dbf84fc637edf71d3d9197a70cddebcede0c8460ebfb1a
SHA512

3b4711d4ca769d7520101ca3a43ded15aadfc4d8fa62c7e9195c9ef01a7ae761cda92226b959bf8d11353da067fccde7ce791eaa5335d96095188f095e4dddcf
SSDEEP

12288:vMrxy90pNihi1R7NPEOjAtnOiYzPjs3ebL2yv78aKp:yykoeR9EOjUfYQe32yv78ac

Score

10^/10

redline daris discovery infostealer persistence

Malware Config

Extracted

Family

redline

Botnet

daris

C2

217.196.96.56:4138

Attributes

auth_value
3491f24ae0250969cd45ce4b3fe77549

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 2 IoCs

resource	yara_rule
behavioral1/files/0x0008000000023c7f-12.dat	family_redline
behavioral1/memory/4020-15-0x0000000000320000-0x000000000034E000-memory.dmp	family_redline

Redline family
redline

Executes dropped EXE 2 IoCs

pid	Process
4272	x9464524.exe
4020	g1626533.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	f95e1c1618ded394d2dbf84fc637edf71d3d9197a70cddebcede0c8460ebfb1a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	x9464524.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f95e1c1618ded394d2dbf84fc637edf71d3d9197a70cddebcede0c8460ebfb1a.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	x9464524.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	g1626533.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 4644 wrote to memory of 4272	4644	f95e1c1618ded394d2dbf84fc637edf71d3d9197a70cddebcede0c8460ebfb1a.exe	83
PID 4644 wrote to memory of 4272	4644	f95e1c1618ded394d2dbf84fc637edf71d3d9197a70cddebcede0c8460ebfb1a.exe	83
PID 4644 wrote to memory of 4272	4644	f95e1c1618ded394d2dbf84fc637edf71d3d9197a70cddebcede0c8460ebfb1a.exe	83
PID 4272 wrote to memory of 4020	4272	x9464524.exe	84
PID 4272 wrote to memory of 4020	4272	x9464524.exe	84
PID 4272 wrote to memory of 4020	4272	x9464524.exe	84

C:\Users\Admin\AppData\Local\Temp\f95e1c1618ded394d2dbf84fc637edf71d3d9197a70cddebcede0c8460ebfb1a.exe
"C:\Users\Admin\AppData\Local\Temp\f95e1c1618ded394d2dbf84fc637edf71d3d9197a70cddebcede0c8460ebfb1a.exe"
1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4644
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x9464524.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x9464524.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4272
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g1626533.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g1626533.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:4020

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x9464524.exe

Filesize
416KB

MD5
42c1ff15e5f9bfde3d7874570d86b843

SHA1
ea72c1a6de23b00ff3e7a323620535a9e39cda66

SHA256
499dc1efff394d26f78074251586b6522c4e34fb0ce87eaae4dc9a7b1966bbec

SHA512
6f719a3609c421a62f6303861d8d7b5209d9cd6dbcf45095fe5eb4cef52ea9e6029c670761b9982947e3ba834203dc525da5b2c375b50eeb4e67712e9916dd28

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g1626533.exe

Filesize
168KB

MD5
acd2704e24cfb8bdbc8c0733e5dd878f

SHA1
9ccd77bb194bca40005cbfb67fa254e10f14be72

SHA256
03255434b4d646b570d20a95ccbc1d373ab43e5be8557c9b3f26608c717d711a

SHA512
d0993b9a3846a7a1891dae20000c24edf004175fde4866c5d41580c07466e09a114a058544cbd23b963ac57c2c8cf732f79d654efcd5fd71d22e8546cb4409ed

Download Submit
memory/4020-14-0x0000000073EAE000-0x0000000073EAF000-memory.dmp

Filesize
4KB

Download
memory/4020-15-0x0000000000320000-0x000000000034E000-memory.dmp

Filesize
184KB

Download
memory/4020-16-0x0000000002610000-0x0000000002616000-memory.dmp

Filesize
24KB

Download
memory/4020-17-0x0000000005290000-0x00000000058A8000-memory.dmp

Filesize
6.1MB

Download
memory/4020-18-0x0000000004D80000-0x0000000004E8A000-memory.dmp

Filesize
1.0MB

Download
memory/4020-19-0x0000000004CA0000-0x0000000004CB2000-memory.dmp

Filesize
72KB

Download
memory/4020-20-0x0000000004D00000-0x0000000004D3C000-memory.dmp

Filesize
240KB

Download
memory/4020-21-0x0000000073EA0000-0x0000000074650000-memory.dmp

Filesize
7.7MB

Download
memory/4020-22-0x0000000004E90000-0x0000000004EDC000-memory.dmp

Filesize
304KB

Download
memory/4020-23-0x0000000073EAE000-0x0000000073EAF000-memory.dmp

Filesize
4KB

Download
memory/4020-24-0x0000000073EA0000-0x0000000074650000-memory.dmp

Filesize
7.7MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads