redline | 4437ddff709750539d3bae9b3fdd8e9fa8e16943b1e0799bdbaecca3f61e3786

General

Target

4437ddff709750539d3bae9b3fdd8e9fa8e16943b1e0799bdbaecca3f61e3786.exe
Size

554KB
MD5

94310ae6b4d8e2065e7d68dbb2f98bdb
SHA1

af130dcaba092c39fb20b3d0e2484d9f2af4f5d2
SHA256

4437ddff709750539d3bae9b3fdd8e9fa8e16943b1e0799bdbaecca3f61e3786
SHA512

c182dbc1a14c356c7e9ecdcf7cab66b2943758db59e3f7386584c813fff7763f5a900e4b744dada7729c9b0004411ddd3344736a22add61c18b5618c89de9045
SSDEEP

12288:vMrWy90Egpj6H9gMIOqJ5U6TWCxI8mkElrbub:5ylE+9zlqJ5hWCPgA

Score

10^/10

redline darm discovery infostealer persistence

Malware Config

Extracted

Family

redline

Botnet

darm

C2

217.196.96.56:4138

Attributes

auth_value
d88ac8ccc04ab9979b04b46313db1648

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 2 IoCs

Processes:

resource	yara_rule
behavioral1/files/0x0008000000023ccd-12.dat	family_redline
behavioral1/memory/2068-15-0x0000000000FA0000-0x0000000000FD0000-memory.dmp	family_redline

Redline family
redline

Executes dropped EXE 2 IoCs

Processes:

x2322183.exeg3263993.exe

pid	Process
4072	x2322183.exe
2068	g3263993.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

x2322183.exe4437ddff709750539d3bae9b3fdd8e9fa8e16943b1e0799bdbaecca3f61e3786.exe

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	x2322183.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	4437ddff709750539d3bae9b3fdd8e9fa8e16943b1e0799bdbaecca3f61e3786.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

4437ddff709750539d3bae9b3fdd8e9fa8e16943b1e0799bdbaecca3f61e3786.exex2322183.exeg3263993.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	4437ddff709750539d3bae9b3fdd8e9fa8e16943b1e0799bdbaecca3f61e3786.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	x2322183.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	g3263993.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

4437ddff709750539d3bae9b3fdd8e9fa8e16943b1e0799bdbaecca3f61e3786.exex2322183.exe

description	pid	Process	procid_target
PID 1172 wrote to memory of 4072	1172	4437ddff709750539d3bae9b3fdd8e9fa8e16943b1e0799bdbaecca3f61e3786.exe	83
PID 1172 wrote to memory of 4072	1172	4437ddff709750539d3bae9b3fdd8e9fa8e16943b1e0799bdbaecca3f61e3786.exe	83
PID 1172 wrote to memory of 4072	1172	4437ddff709750539d3bae9b3fdd8e9fa8e16943b1e0799bdbaecca3f61e3786.exe	83
PID 4072 wrote to memory of 2068	4072	x2322183.exe	84
PID 4072 wrote to memory of 2068	4072	x2322183.exe	84
PID 4072 wrote to memory of 2068	4072	x2322183.exe	84

C:\Users\Admin\AppData\Local\Temp\4437ddff709750539d3bae9b3fdd8e9fa8e16943b1e0799bdbaecca3f61e3786.exe
"C:\Users\Admin\AppData\Local\Temp\4437ddff709750539d3bae9b3fdd8e9fa8e16943b1e0799bdbaecca3f61e3786.exe"
1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1172
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x2322183.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x2322183.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4072
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g3263993.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g3263993.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:2068

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x2322183.exe

Filesize
382KB

MD5
1c5de7a18101f6d52d2d86b6947a0d24

SHA1
897315109fb2db2bc952e4759a7b5a5479bfa168

SHA256
d15322c38e1ebcdabdc624374a5c0ce3c0c4c6d49b44568a02de9bc1845ca941

SHA512
7af603522a23a3aea52de53ea411a57e8ec68e3a4f1196e206091b4254dd09c2d240ff13b3872f84bb453d4073c8895ad710351d59a9e0aff224d70943baadd4

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g3263993.exe

Filesize
168KB

MD5
a7a2dd45054990e5079caaa137bfe6b0

SHA1
d3e9ca6c78bfca08c31c9540c6f0110347502d57

SHA256
18adb80fa1d4b6b8598242bf1debc610a8ade191fcb2e7960d9e0ac9adba352d

SHA512
d3423716fb2609654df7752ec1a48e599cb9d067a2a84c6cbe942d7f05ed95a8124735b957df6babdf60a87096de980ea4c2aa39b54c69b8d2b5a32c364adedc

Download Submit
memory/2068-14-0x0000000073D6E000-0x0000000073D6F000-memory.dmp

Filesize
4KB

Download
memory/2068-15-0x0000000000FA0000-0x0000000000FD0000-memory.dmp

Filesize
192KB

Download
memory/2068-16-0x0000000003140000-0x0000000003146000-memory.dmp

Filesize
24KB

Download
memory/2068-17-0x0000000005F60000-0x0000000006578000-memory.dmp

Filesize
6.1MB

Download
memory/2068-18-0x0000000005A50000-0x0000000005B5A000-memory.dmp

Filesize
1.0MB

Download
memory/2068-19-0x0000000005910000-0x0000000005922000-memory.dmp

Filesize
72KB

Download
memory/2068-20-0x0000000073D60000-0x0000000074510000-memory.dmp

Filesize
7.7MB

Download
memory/2068-21-0x0000000005980000-0x00000000059BC000-memory.dmp

Filesize
240KB

Download
memory/2068-22-0x00000000059D0000-0x0000000005A1C000-memory.dmp

Filesize
304KB

Download
memory/2068-23-0x0000000073D6E000-0x0000000073D6F000-memory.dmp

Filesize
4KB

Download
memory/2068-24-0x0000000073D60000-0x0000000074510000-memory.dmp

Filesize
7.7MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads