redline | 2f153cc643857a2d61e92caab217a73b063884e1ad84201d9ed35835c081d8a0

General

Target

2f153cc643857a2d61e92caab217a73b063884e1ad84201d9ed35835c081d8a0.exe
Size

479KB
MD5

b8cd775ed179b02f8e4fc4cb5a0a03aa
SHA1

9e66de8732b82e6367ae058e2aa45306725aa00f
SHA256

2f153cc643857a2d61e92caab217a73b063884e1ad84201d9ed35835c081d8a0
SHA512

47ab6c558e03c5316dd1e59f75bb0a24647b51f9070164ddd6a6eae9f0f4d9fb0ba67fa64759f8a8445f0528ca63f557fc584de53a12d698a1311fccf30a2c6c
SSDEEP

12288:jMrSy90IFciQmCCPhNnSfUUn4wD1hImfDJI:lyJ+mtPefUUp1uoDy

Score

10^/10

redline diwer discovery infostealer persistence

Malware Config

Extracted

Family

redline

Botnet

diwer

C2

217.196.96.101:4132

Attributes

auth_value
42abfa9e4f2e290c8bdbc776fd9bb6ad

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 2 IoCs

resource	yara_rule
behavioral1/files/0x0008000000023c98-12.dat	family_redline
behavioral1/memory/3876-15-0x00000000009F0000-0x0000000000A20000-memory.dmp	family_redline

Redline family
redline

Executes dropped EXE 2 IoCs

pid	Process
3312	x8743872.exe
3876	g8099307.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	2f153cc643857a2d61e92caab217a73b063884e1ad84201d9ed35835c081d8a0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	x8743872.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	g8099307.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2f153cc643857a2d61e92caab217a73b063884e1ad84201d9ed35835c081d8a0.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	x8743872.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 3704 wrote to memory of 3312	3704	2f153cc643857a2d61e92caab217a73b063884e1ad84201d9ed35835c081d8a0.exe	85
PID 3704 wrote to memory of 3312	3704	2f153cc643857a2d61e92caab217a73b063884e1ad84201d9ed35835c081d8a0.exe	85
PID 3704 wrote to memory of 3312	3704	2f153cc643857a2d61e92caab217a73b063884e1ad84201d9ed35835c081d8a0.exe	85
PID 3312 wrote to memory of 3876	3312	x8743872.exe	86
PID 3312 wrote to memory of 3876	3312	x8743872.exe	86
PID 3312 wrote to memory of 3876	3312	x8743872.exe	86

C:\Users\Admin\AppData\Local\Temp\2f153cc643857a2d61e92caab217a73b063884e1ad84201d9ed35835c081d8a0.exe
"C:\Users\Admin\AppData\Local\Temp\2f153cc643857a2d61e92caab217a73b063884e1ad84201d9ed35835c081d8a0.exe"
1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3704
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x8743872.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x8743872.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3312
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g8099307.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g8099307.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:3876

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x8743872.exe

Filesize
307KB

MD5
7c6a8d595570f29bd68802eb5150d1da

SHA1
029e11a1d53ea2152fb4985769ae337d320ec22b

SHA256
a36e6f13c090e65b63ab29679ac28dd19049bde2fe5bde180964b8247197315f

SHA512
a275558def264c3fc4579f86e1a023035c5cca6c41720ae7ac16268c9497cacdda4a54d5aa406471f80724f8a748558700f53d71078d9ac16293396de7fe98c2

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g8099307.exe

Filesize
168KB

MD5
3334960f1f3dc18637a49af749371f99

SHA1
57a6eabc602446517992b9688c47ea67134c22de

SHA256
6e57089b2d996642390d4423234836c978a4eef15f7a7cde22488bcf3b704212

SHA512
29fa9f39b8f91870160b7f34ce5e6708be622695021e91ae14b2c1afc07492ff17f896070ffbdc900a0f9c40ede07d4275c3fd8da23a91ff09895d7bfea3bfd6

Download Submit
memory/3876-14-0x0000000074B7E000-0x0000000074B7F000-memory.dmp

Filesize
4KB

Download
memory/3876-15-0x00000000009F0000-0x0000000000A20000-memory.dmp

Filesize
192KB

Download
memory/3876-16-0x0000000002C70000-0x0000000002C76000-memory.dmp

Filesize
24KB

Download
memory/3876-17-0x00000000059B0000-0x0000000005FC8000-memory.dmp

Filesize
6.1MB

Download
memory/3876-18-0x00000000054A0000-0x00000000055AA000-memory.dmp

Filesize
1.0MB

Download
memory/3876-19-0x0000000002D10000-0x0000000002D22000-memory.dmp

Filesize
72KB

Download
memory/3876-21-0x0000000074B70000-0x0000000075320000-memory.dmp

Filesize
7.7MB

Download
memory/3876-20-0x00000000053D0000-0x000000000540C000-memory.dmp

Filesize
240KB

Download
memory/3876-22-0x0000000005410000-0x000000000545C000-memory.dmp

Filesize
304KB

Download
memory/3876-23-0x0000000074B7E000-0x0000000074B7F000-memory.dmp

Filesize
4KB

Download
memory/3876-24-0x0000000074B70000-0x0000000075320000-memory.dmp

Filesize
7.7MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads