redline | ec02bed9a1cf512f70ea5915c3075e3b039ffdbc514b5a53bd55143d82b8322c

General

Target

ec02bed9a1cf512f70ea5915c3075e3b039ffdbc514b5a53bd55143d82b8322c.exe
Size

554KB
MD5

5a9a3d394854a9a8d9de32922c512ec0
SHA1

5b67a447c69affc95f35a2127dafaeacf4fe268d
SHA256

ec02bed9a1cf512f70ea5915c3075e3b039ffdbc514b5a53bd55143d82b8322c
SHA512

fed2af2aeaedde9077a91da3628177ffec1e3839bbf5bc43bf452b1a26ce20122c7470325b5399e9253235dc49a0f9e15612df0a49d5d3b7a0e53a4c446fa14e
SSDEEP

12288:TMr4y90A0QQjS868XuUSxnEFpAWqJ/2+Q4J7DgRDh/hCIA:DyPweb8XZE2T0e+Q+wlh/cIA

Score

10^/10

redline darm discovery infostealer persistence

Malware Config

Extracted

Family

redline

Botnet

darm

C2

217.196.96.56:4138

Attributes

auth_value
d88ac8ccc04ab9979b04b46313db1648

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 2 IoCs

resource	yara_rule
behavioral1/files/0x0009000000023c62-12.dat	family_redline
behavioral1/memory/3136-15-0x0000000000F50000-0x0000000000F80000-memory.dmp	family_redline

Redline family
redline

Executes dropped EXE 2 IoCs

pid	Process
3624	x6033253.exe
3136	g7044346.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	ec02bed9a1cf512f70ea5915c3075e3b039ffdbc514b5a53bd55143d82b8322c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	x6033253.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ec02bed9a1cf512f70ea5915c3075e3b039ffdbc514b5a53bd55143d82b8322c.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	x6033253.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	g7044346.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 3396 wrote to memory of 3624	3396	ec02bed9a1cf512f70ea5915c3075e3b039ffdbc514b5a53bd55143d82b8322c.exe	83
PID 3396 wrote to memory of 3624	3396	ec02bed9a1cf512f70ea5915c3075e3b039ffdbc514b5a53bd55143d82b8322c.exe	83
PID 3396 wrote to memory of 3624	3396	ec02bed9a1cf512f70ea5915c3075e3b039ffdbc514b5a53bd55143d82b8322c.exe	83
PID 3624 wrote to memory of 3136	3624	x6033253.exe	84
PID 3624 wrote to memory of 3136	3624	x6033253.exe	84
PID 3624 wrote to memory of 3136	3624	x6033253.exe	84

C:\Users\Admin\AppData\Local\Temp\ec02bed9a1cf512f70ea5915c3075e3b039ffdbc514b5a53bd55143d82b8322c.exe
"C:\Users\Admin\AppData\Local\Temp\ec02bed9a1cf512f70ea5915c3075e3b039ffdbc514b5a53bd55143d82b8322c.exe"
1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3396
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x6033253.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x6033253.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3624
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g7044346.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g7044346.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:3136

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x6033253.exe

Filesize
382KB

MD5
13e75a61a4661e284caec4b810d0d038

SHA1
e289ed15fd49747eceefdb87208a8917b1521414

SHA256
55f46fde29d65d4acce8643263fac1de7d938f640889ce6c57032c6a84d450d1

SHA512
3175c557cf9536d29a431e33b198bc05a17b8ba2fa0952460c318373d18996c6b0714b30af81babcaf7cc7267e9c919429d42c8af887b92ad88bc555888b1018

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g7044346.exe

Filesize
168KB

MD5
326adc058120375439e4b3fd28c589a6

SHA1
140a31b3eeafa37266af6a08a7483cae2363eed6

SHA256
6a97038108bc05671efb6f4c106631045d8cfccb7c4104d8d8f7f80acdc83999

SHA512
cee7f04fff9ede2fa56196b5ba2e458b5507e8e4050c33442f5a0d00d8dbe7fbdb1e886ea8e4bb3527d166bf95d0d972bbacb9c71e98be9e911510d95a93d2b2

Download Submit
memory/3136-14-0x0000000073C4E000-0x0000000073C4F000-memory.dmp

Filesize
4KB

Download
memory/3136-15-0x0000000000F50000-0x0000000000F80000-memory.dmp

Filesize
192KB

Download
memory/3136-16-0x0000000005730000-0x0000000005736000-memory.dmp

Filesize
24KB

Download
memory/3136-17-0x0000000005F30000-0x0000000006548000-memory.dmp

Filesize
6.1MB

Download
memory/3136-18-0x0000000005A20000-0x0000000005B2A000-memory.dmp

Filesize
1.0MB

Download
memory/3136-19-0x00000000057C0000-0x00000000057D2000-memory.dmp

Filesize
72KB

Download
memory/3136-20-0x0000000005950000-0x000000000598C000-memory.dmp

Filesize
240KB

Download
memory/3136-21-0x0000000073C40000-0x00000000743F0000-memory.dmp

Filesize
7.7MB

Download
memory/3136-22-0x0000000005990000-0x00000000059DC000-memory.dmp

Filesize
304KB

Download
memory/3136-23-0x0000000073C4E000-0x0000000073C4F000-memory.dmp

Filesize
4KB

Download
memory/3136-24-0x0000000073C40000-0x00000000743F0000-memory.dmp

Filesize
7.7MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads