redline | 79df011e73f03a7f4ee6eaccccba7f4e03663d8f1ae3d9bd5841fa7dd12eb26e

General

Target

79df011e73f03a7f4ee6eaccccba7f4e03663d8f1ae3d9bd5841fa7dd12eb26e.exe
Size

875KB
MD5

c183e5258757bb2e62b68fd1eba81975
SHA1

24524bd5309448440405bd012856afea9119ad84
SHA256

79df011e73f03a7f4ee6eaccccba7f4e03663d8f1ae3d9bd5841fa7dd12eb26e
SHA512

4b9028203e7d36ea71560276446c9ce84ff243fcf6aa578f7f6fd7a22c4a851a2007adf40b9a62cc4680c6572e9ae515acad0f8ace45a8544bfcd1e7cb2c2e07
SSDEEP

24576:nyFy5XL0dkqGoo5n4/Q1tjkIfMUaiYjlUmg:yF+t54/QHjHMWYh

Score

10^/10

redline dimas discovery infostealer persistence

Malware Config

Extracted

Family

redline

Botnet

dimas

C2

185.161.248.75:4132

Attributes

auth_value
a5db9b1c53c704e612bccc93ccdb5539

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 2 IoCs

resource	yara_rule
behavioral1/files/0x0009000000023c02-19.dat	family_redline
behavioral1/memory/2904-21-0x0000000000910000-0x000000000093A000-memory.dmp	family_redline

Redline family
redline

Executes dropped EXE 3 IoCs

pid	Process
1584	x0403965.exe
3120	x6410203.exe
2904	f6999307.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	x0403965.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	x6410203.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	79df011e73f03a7f4ee6eaccccba7f4e03663d8f1ae3d9bd5841fa7dd12eb26e.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	79df011e73f03a7f4ee6eaccccba7f4e03663d8f1ae3d9bd5841fa7dd12eb26e.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	x0403965.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	x6410203.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f6999307.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 2940 wrote to memory of 1584	2940	79df011e73f03a7f4ee6eaccccba7f4e03663d8f1ae3d9bd5841fa7dd12eb26e.exe	83
PID 2940 wrote to memory of 1584	2940	79df011e73f03a7f4ee6eaccccba7f4e03663d8f1ae3d9bd5841fa7dd12eb26e.exe	83
PID 2940 wrote to memory of 1584	2940	79df011e73f03a7f4ee6eaccccba7f4e03663d8f1ae3d9bd5841fa7dd12eb26e.exe	83
PID 1584 wrote to memory of 3120	1584	x0403965.exe	85
PID 1584 wrote to memory of 3120	1584	x0403965.exe	85
PID 1584 wrote to memory of 3120	1584	x0403965.exe	85
PID 3120 wrote to memory of 2904	3120	x6410203.exe	86
PID 3120 wrote to memory of 2904	3120	x6410203.exe	86
PID 3120 wrote to memory of 2904	3120	x6410203.exe	86

C:\Users\Admin\AppData\Local\Temp\79df011e73f03a7f4ee6eaccccba7f4e03663d8f1ae3d9bd5841fa7dd12eb26e.exe
"C:\Users\Admin\AppData\Local\Temp\79df011e73f03a7f4ee6eaccccba7f4e03663d8f1ae3d9bd5841fa7dd12eb26e.exe"
1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2940
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x0403965.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x0403965.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1584
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x6410203.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x6410203.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3120
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\f6999307.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\f6999307.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:2904

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x0403965.exe

Filesize
478KB

MD5
33d774a6ff7502e8a4a3466a7e894225

SHA1
16bd19225f93a330f2f531256b6ef6c71966a3be

SHA256
241da2f0e756c22e8b2dce8b7f878bc9e4f47d8f6ee6e33de875f2ad57db6085

SHA512
5e3e648d8ae51850cfa56f22fe99a0b1c9e42483c6886082fb93157591c3e2c84d27e611b6162a8baa589a8584b118cca5acb0b55968cc8a9c8387b1cb464b06

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x6410203.exe

Filesize
307KB

MD5
88dcb4061c4954ac11607f919825cd68

SHA1
1fd340cca744abf71d6eec128acf5f677df8974a

SHA256
e75ec74f1ba3760239ba017e7b72a847ab1838ced0a52e1f8a85aa3e12c1a17c

SHA512
dae274868827bcad6ee0767c1228160e0f0fb578bc1fb940a009eb56fc8f33a8ab1c90e8a9663e571b978b280068d6a780ffe536be2e52d9928bbcd8a60bc253

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\f6999307.exe

Filesize
145KB

MD5
cec548d1db18fc4d333dbe3e514bd7fe

SHA1
9fb85c5533cc736ec6f980e76a558e6165e1f71f

SHA256
ab4e63cfea8c6c9dec5e7da0e98fc7c9749e222eba8ac0258014585a1ae5f48b

SHA512
eab953785590c316af5db12b19b91dba4fbd1acb51c401a73cb3a12b7513208cb8cc0299c3579724c08b1df7c408342c86d468de8fbbfea4db82673401f1f1d1

Download Submit
memory/2904-21-0x0000000000910000-0x000000000093A000-memory.dmp

Filesize
168KB

Download
memory/2904-22-0x0000000005720000-0x0000000005D38000-memory.dmp

Filesize
6.1MB

Download
memory/2904-23-0x0000000005290000-0x000000000539A000-memory.dmp

Filesize
1.0MB

Download
memory/2904-24-0x00000000051C0000-0x00000000051D2000-memory.dmp

Filesize
72KB

Download
memory/2904-25-0x0000000005240000-0x000000000527C000-memory.dmp

Filesize
240KB

Download
memory/2904-26-0x00000000053A0000-0x00000000053EC000-memory.dmp

Filesize
304KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads