redline | 3481ffb7a478ee0108aa887764f7684a0203a03712b92c77ba385ea73f8e5f26

General

Target

3481ffb7a478ee0108aa887764f7684a0203a03712b92c77ba385ea73f8e5f26.exe
Size

479KB
MD5

c3bee8f6205cea445b6d4bff688a7c86
SHA1

2e60eb8161dd24c073d73b62cf485dcee00cd6e3
SHA256

3481ffb7a478ee0108aa887764f7684a0203a03712b92c77ba385ea73f8e5f26
SHA512

d21b03111b0e70397b5af9e94c47060adca3e58f56898d6416777ff6691753b6e2a2f2f6f9f84121a5f5207ac1bdff3d918fc3016d957e353d953bab484f28e1
SSDEEP

6144:Khy+bnr+Mp0yN90QEBsBdsFepZkeP93bUjqodCOcKyBIv1ijn0t8TlXwIpxZ54UW:DMrYy90bsBeKgdqKyU9t8xXwyrHWJLl

Score

10^/10

redline ditro discovery infostealer persistence

Malware Config

Extracted

Family

redline

Botnet

ditro

C2

217.196.96.101:4132

Attributes

auth_value
8f24ed370a9b24aa28d3d634ea57912e

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 2 IoCs

resource	yara_rule
behavioral1/files/0x000b000000023b33-12.dat	family_redline
behavioral1/memory/3716-15-0x00000000006C0000-0x00000000006F0000-memory.dmp	family_redline

Redline family
redline

Executes dropped EXE 2 IoCs

pid	Process
2916	x4668442.exe
3716	g3699705.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	3481ffb7a478ee0108aa887764f7684a0203a03712b92c77ba385ea73f8e5f26.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	x4668442.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	g3699705.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3481ffb7a478ee0108aa887764f7684a0203a03712b92c77ba385ea73f8e5f26.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	x4668442.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 4532 wrote to memory of 2916	4532	3481ffb7a478ee0108aa887764f7684a0203a03712b92c77ba385ea73f8e5f26.exe	84
PID 4532 wrote to memory of 2916	4532	3481ffb7a478ee0108aa887764f7684a0203a03712b92c77ba385ea73f8e5f26.exe	84
PID 4532 wrote to memory of 2916	4532	3481ffb7a478ee0108aa887764f7684a0203a03712b92c77ba385ea73f8e5f26.exe	84
PID 2916 wrote to memory of 3716	2916	x4668442.exe	86
PID 2916 wrote to memory of 3716	2916	x4668442.exe	86
PID 2916 wrote to memory of 3716	2916	x4668442.exe	86

C:\Users\Admin\AppData\Local\Temp\3481ffb7a478ee0108aa887764f7684a0203a03712b92c77ba385ea73f8e5f26.exe
"C:\Users\Admin\AppData\Local\Temp\3481ffb7a478ee0108aa887764f7684a0203a03712b92c77ba385ea73f8e5f26.exe"
1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4532
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x4668442.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x4668442.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2916
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g3699705.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g3699705.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:3716

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x4668442.exe

Filesize
307KB

MD5
7eba13a60814a7418dba53127b7ff414

SHA1
b07e5405219a1200dd7fdd2822245390f734088a

SHA256
9b96aa472959f67beb89020203c273c46ea4c613e3c7c09cb8a6520feb02b662

SHA512
9affd1556ad7ace39db17e294364c4e306f542c5241370f89165a6b4f0c7132952e34d0866b46adfd0a170ec1d17c685878fb0ea4b0fa943a1d7e00b192baf00

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g3699705.exe

Filesize
168KB

MD5
d70db3f8bdc6c5588913335d99b15713

SHA1
50a768f2a8e589d04c6578b5f6ec919df28dd36b

SHA256
cf798dc4dd5690baab0342eae5f7fecd39630b08b9bab9daaf1fa8008cde8433

SHA512
54c55be93e2b3ca511040da3c5df7351c0aad0414e504e9956cb8e81661a6610a4d49715730a5662dd7125bef31eb3222e8a1cad3a5ec30de6c9a06f84653b55

Download Submit
memory/3716-14-0x0000000073D2E000-0x0000000073D2F000-memory.dmp

Filesize
4KB

Download
memory/3716-15-0x00000000006C0000-0x00000000006F0000-memory.dmp

Filesize
192KB

Download
memory/3716-16-0x00000000029E0000-0x00000000029E6000-memory.dmp

Filesize
24KB

Download
memory/3716-17-0x0000000005820000-0x0000000005E38000-memory.dmp

Filesize
6.1MB

Download
memory/3716-18-0x0000000005310000-0x000000000541A000-memory.dmp

Filesize
1.0MB

Download
memory/3716-19-0x0000000005180000-0x0000000005192000-memory.dmp

Filesize
72KB

Download
memory/3716-20-0x0000000005200000-0x000000000523C000-memory.dmp

Filesize
240KB

Download
memory/3716-21-0x0000000073D20000-0x00000000744D0000-memory.dmp

Filesize
7.7MB

Download
memory/3716-22-0x0000000005240000-0x000000000528C000-memory.dmp

Filesize
304KB

Download
memory/3716-23-0x0000000073D2E000-0x0000000073D2F000-memory.dmp

Filesize
4KB

Download
memory/3716-24-0x0000000073D20000-0x00000000744D0000-memory.dmp

Filesize
7.7MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads