redline | 3db129db09679de68914a37eeec7e17d667f78657ea51d76a58325d4e7181c4d

General

Target

3db129db09679de68914a37eeec7e17d667f78657ea51d76a58325d4e7181c4d.exe
Size

567KB
MD5

db017e3808310c8621e9a960491f0a6a
SHA1

c6c770f51ee29ae77905e84a56ee6f25ab3e5352
SHA256

3db129db09679de68914a37eeec7e17d667f78657ea51d76a58325d4e7181c4d
SHA512

616c829c930d37b1f7f0829dd6624b7f9b6baf4c5c74e1e4b8d3ea5d161b28fbc1b6a1fd53bae3f79f1d83d31ab0f1dd1b7f89b05dcf39f4ff1bcf3a92571fd9
SSDEEP

12288:7MrVy90XNqj7yRblWYYQpWqLik+A0dns2Wl74WWysCK3MpyjF:6y+NYmRhWApV+k+AqsRBv5K3yW

Score

10^/10

redline darm discovery infostealer persistence

Malware Config

Extracted

Family

redline

Botnet

darm

C2

217.196.96.56:4138

Attributes

auth_value
d88ac8ccc04ab9979b04b46313db1648

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 2 IoCs

resource	yara_rule
behavioral1/files/0x0008000000023cd3-12.dat	family_redline
behavioral1/memory/3596-15-0x0000000000270000-0x00000000002A0000-memory.dmp	family_redline

Redline family
redline

Executes dropped EXE 2 IoCs

pid	Process
2920	y3859441.exe
3596	k2730293.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	3db129db09679de68914a37eeec7e17d667f78657ea51d76a58325d4e7181c4d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	y3859441.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3db129db09679de68914a37eeec7e17d667f78657ea51d76a58325d4e7181c4d.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	y3859441.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	k2730293.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 1256 wrote to memory of 2920	1256	3db129db09679de68914a37eeec7e17d667f78657ea51d76a58325d4e7181c4d.exe	83
PID 1256 wrote to memory of 2920	1256	3db129db09679de68914a37eeec7e17d667f78657ea51d76a58325d4e7181c4d.exe	83
PID 1256 wrote to memory of 2920	1256	3db129db09679de68914a37eeec7e17d667f78657ea51d76a58325d4e7181c4d.exe	83
PID 2920 wrote to memory of 3596	2920	y3859441.exe	84
PID 2920 wrote to memory of 3596	2920	y3859441.exe	84
PID 2920 wrote to memory of 3596	2920	y3859441.exe	84

C:\Users\Admin\AppData\Local\Temp\3db129db09679de68914a37eeec7e17d667f78657ea51d76a58325d4e7181c4d.exe
"C:\Users\Admin\AppData\Local\Temp\3db129db09679de68914a37eeec7e17d667f78657ea51d76a58325d4e7181c4d.exe"
1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1256
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y3859441.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y3859441.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2920
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k2730293.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k2730293.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:3596

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y3859441.exe

Filesize
307KB

MD5
effd2d36df36529a6364260190d9ea35

SHA1
172542107a5db8c83b65dce613f24e4c68cb04ff

SHA256
6727d6686d0b3a7c87c65cee4bc5a1a19c2fba861c604f0b78ac884b1514f629

SHA512
15382a372add5175134e158a98b154df9828dd621d0cc7109f2bbc17b0fd19df2971049992eec3af8e9dbccf288a79e77f5c16aa9fa22324f7e9f7bbd6122925

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k2730293.exe

Filesize
168KB

MD5
4934a3dcfaf262899ecbb44d1f0d9f9d

SHA1
4174b98c0a23ea8275e8aba1890faa8d0d5b6dbd

SHA256
2c776863ac7c071c8a4b93c010c818a9b4bb633b4a5e7be67690f11be2e75efd

SHA512
b341e7ddd3a248e7c246a17e0efce968371cbc6ae9d1ae868d797cd778b6011b32233041d6df376a81c308cde3361cc2b1e48f6c70b6ef2bda7826326d5955a8

Download Submit
memory/3596-14-0x000000007415E000-0x000000007415F000-memory.dmp

Filesize
4KB

Download
memory/3596-15-0x0000000000270000-0x00000000002A0000-memory.dmp

Filesize
192KB

Download
memory/3596-16-0x00000000009F0000-0x00000000009F6000-memory.dmp

Filesize
24KB

Download
memory/3596-17-0x0000000005430000-0x0000000005A48000-memory.dmp

Filesize
6.1MB

Download
memory/3596-18-0x0000000004F20000-0x000000000502A000-memory.dmp

Filesize
1.0MB

Download
memory/3596-19-0x00000000027D0000-0x00000000027E2000-memory.dmp

Filesize
72KB

Download
memory/3596-21-0x0000000074150000-0x0000000074900000-memory.dmp

Filesize
7.7MB

Download
memory/3596-20-0x0000000004CA0000-0x0000000004CDC000-memory.dmp

Filesize
240KB

Download
memory/3596-22-0x0000000004E10000-0x0000000004E5C000-memory.dmp

Filesize
304KB

Download
memory/3596-23-0x000000007415E000-0x000000007415F000-memory.dmp

Filesize
4KB

Download
memory/3596-24-0x0000000074150000-0x0000000074900000-memory.dmp

Filesize
7.7MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads