redline | 85b6f9cfc6534db16b6ea64cb2a8df7849d85ceda2d7f4531ab2a9ed9de56776

General

Target

85b6f9cfc6534db16b6ea64cb2a8df7849d85ceda2d7f4531ab2a9ed9de56776.exe
Size

479KB
MD5

10f967e3b223a60bc709aedf8d953bea
SHA1

d0d812536ab2b38703cccb680760a956a7ab825f
SHA256

85b6f9cfc6534db16b6ea64cb2a8df7849d85ceda2d7f4531ab2a9ed9de56776
SHA512

4d10ea79c90d4d46605e795aedc43b9c1a1e7aec1b396fb6ede38ffed846cfd60ec1dcda8d0ec54f7d1e6d42adc31f79544c3d793e60195a622fd2f4fd607072
SSDEEP

12288:IMrNy90F6DZIELA8Cz85U5zqFDI07R1XRPtt:VyQQbZ5lFDT77BPL

Score

10^/10

redline ditro discovery infostealer persistence

Malware Config

Extracted

Family

redline

Botnet

ditro

C2

217.196.96.101:4132

Attributes

auth_value
8f24ed370a9b24aa28d3d634ea57912e

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 2 IoCs

resource	yara_rule
behavioral1/files/0x000b000000023b91-12.dat	family_redline
behavioral1/memory/1932-15-0x0000000000820000-0x0000000000850000-memory.dmp	family_redline

Redline family
redline

Executes dropped EXE 2 IoCs

pid	Process
4656	x2033035.exe
1932	g6527987.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	85b6f9cfc6534db16b6ea64cb2a8df7849d85ceda2d7f4531ab2a9ed9de56776.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	x2033035.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	85b6f9cfc6534db16b6ea64cb2a8df7849d85ceda2d7f4531ab2a9ed9de56776.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	x2033035.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	g6527987.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 3776 wrote to memory of 4656	3776	85b6f9cfc6534db16b6ea64cb2a8df7849d85ceda2d7f4531ab2a9ed9de56776.exe	83
PID 3776 wrote to memory of 4656	3776	85b6f9cfc6534db16b6ea64cb2a8df7849d85ceda2d7f4531ab2a9ed9de56776.exe	83
PID 3776 wrote to memory of 4656	3776	85b6f9cfc6534db16b6ea64cb2a8df7849d85ceda2d7f4531ab2a9ed9de56776.exe	83
PID 4656 wrote to memory of 1932	4656	x2033035.exe	85
PID 4656 wrote to memory of 1932	4656	x2033035.exe	85
PID 4656 wrote to memory of 1932	4656	x2033035.exe	85

C:\Users\Admin\AppData\Local\Temp\85b6f9cfc6534db16b6ea64cb2a8df7849d85ceda2d7f4531ab2a9ed9de56776.exe
"C:\Users\Admin\AppData\Local\Temp\85b6f9cfc6534db16b6ea64cb2a8df7849d85ceda2d7f4531ab2a9ed9de56776.exe"
1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3776
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x2033035.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x2033035.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4656
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g6527987.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g6527987.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:1932

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x2033035.exe

Filesize
307KB

MD5
5132f36a8997e6ccc017882aba449024

SHA1
7e7e26b361b27edc19d2d3a8ef49d662bfe42b22

SHA256
8bf684bd976bd0da862736f73b15fc7cefcb32f3064e6f291c469c2e6a15b609

SHA512
bc83f762d3a03faa8040f56ad4f127093ea5b591c5defb5cb90296ce1a0bf37fc7423eb378f3daa2e63e317130f518ea261d82efd722813132c79a3f71f1128b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g6527987.exe

Filesize
168KB

MD5
3310df40387b35c422cdd5f9043bf60b

SHA1
5e2647f26460fa0ec8cf5a2804e76c4228d301e5

SHA256
2ccb1224131b41c3a9ab237890b77af7bc591bd817055683859cbc39a1dde171

SHA512
56cb04ace475e0cf5f2ec8b3eaf9fd890f9b39ae5e308fd772d1725b9e06d37ee2acb536021d8389f2aeeddcf85131e92c5d89577ad9d735beef2d6896c95a72

Download Submit
memory/1932-14-0x0000000073F8E000-0x0000000073F8F000-memory.dmp

Filesize
4KB

Download
memory/1932-15-0x0000000000820000-0x0000000000850000-memory.dmp

Filesize
192KB

Download
memory/1932-16-0x0000000005040000-0x0000000005046000-memory.dmp

Filesize
24KB

Download
memory/1932-17-0x0000000005820000-0x0000000005E38000-memory.dmp

Filesize
6.1MB

Download
memory/1932-18-0x0000000005310000-0x000000000541A000-memory.dmp

Filesize
1.0MB

Download
memory/1932-19-0x0000000005090000-0x00000000050A2000-memory.dmp

Filesize
72KB

Download
memory/1932-20-0x0000000073F80000-0x0000000074730000-memory.dmp

Filesize
7.7MB

Download
memory/1932-21-0x0000000005200000-0x000000000523C000-memory.dmp

Filesize
240KB

Download
memory/1932-22-0x0000000005250000-0x000000000529C000-memory.dmp

Filesize
304KB

Download
memory/1932-23-0x0000000073F8E000-0x0000000073F8F000-memory.dmp

Filesize
4KB

Download
memory/1932-24-0x0000000073F80000-0x0000000074730000-memory.dmp

Filesize
7.7MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads