redline | 7f112eae96e60e1e4b2428e255097329312874605766f789c630a663b8b0d574

General

Target

7f112eae96e60e1e4b2428e255097329312874605766f789c630a663b8b0d574.exe
Size

566KB
MD5

4acd7cb8ba4f991136a4034983994a2e
SHA1

08e573339181465569095ce7b8b637b44cca7d4e
SHA256

7f112eae96e60e1e4b2428e255097329312874605766f789c630a663b8b0d574
SHA512

be483cc561a562e7a62ebdba82eb71dae18662303de669336e86b4ad4eb5de1430e1196d524cf0e81e90dda67818eae86a4967f94183a0a23812513e86c664f7
SSDEEP

12288:eMrZy90Iy1qAA5ZGkHm8cNNcXvrl7KaGAD4pfZAuv:ny333lm86qJXGUa

Score

10^/10

redline darm discovery infostealer persistence

Malware Config

Extracted

Family

redline

Botnet

darm

C2

217.196.96.56:4138

Attributes

auth_value
d88ac8ccc04ab9979b04b46313db1648

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 2 IoCs

resource	yara_rule
behavioral1/files/0x0008000000023cb0-12.dat	family_redline
behavioral1/memory/3512-15-0x0000000000130000-0x0000000000160000-memory.dmp	family_redline

Redline family
redline

Executes dropped EXE 2 IoCs

pid	Process
1064	y6857793.exe
3512	k0444212.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	7f112eae96e60e1e4b2428e255097329312874605766f789c630a663b8b0d574.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	y6857793.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7f112eae96e60e1e4b2428e255097329312874605766f789c630a663b8b0d574.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	y6857793.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	k0444212.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 4196 wrote to memory of 1064	4196	7f112eae96e60e1e4b2428e255097329312874605766f789c630a663b8b0d574.exe	83
PID 4196 wrote to memory of 1064	4196	7f112eae96e60e1e4b2428e255097329312874605766f789c630a663b8b0d574.exe	83
PID 4196 wrote to memory of 1064	4196	7f112eae96e60e1e4b2428e255097329312874605766f789c630a663b8b0d574.exe	83
PID 1064 wrote to memory of 3512	1064	y6857793.exe	85
PID 1064 wrote to memory of 3512	1064	y6857793.exe	85
PID 1064 wrote to memory of 3512	1064	y6857793.exe	85

C:\Users\Admin\AppData\Local\Temp\7f112eae96e60e1e4b2428e255097329312874605766f789c630a663b8b0d574.exe
"C:\Users\Admin\AppData\Local\Temp\7f112eae96e60e1e4b2428e255097329312874605766f789c630a663b8b0d574.exe"
1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4196
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y6857793.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y6857793.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1064
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k0444212.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k0444212.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:3512

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y6857793.exe

Filesize
307KB

MD5
f159cfd157fb0389b463db849421c23e

SHA1
72d44b971e06ec2dd779241f773501a0627131b6

SHA256
ea4860986f0bd6a5c7e32bbacd1f2d674977faa10e2c5beaa831335777d752de

SHA512
7154a0ce5e00b26c96b34b422e23e0f006f8575600bad9d54dd130b781ee72a1d2055ac198b12cfade77ed320527f51996a13534a98a8a37da4dd8a151166669

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k0444212.exe

Filesize
168KB

MD5
868cf65e4b1e44c7f26ef1933cef9aa5

SHA1
d9cc371d79b99efd6af8c32dbcdcc32dbe781066

SHA256
cc5abd037d9266545f647d1623b6f68466020cf3753a285344793b68446bc143

SHA512
25e27226b91ef9d5b614bedfc6d605887e4e983b2b895b4cc6a6f3b9110940d0fbea73033ca74bb37240540230457aa1d9804cb395395ae0d3620039975acd92

Download Submit
memory/3512-14-0x0000000074B7E000-0x0000000074B7F000-memory.dmp

Filesize
4KB

Download
memory/3512-15-0x0000000000130000-0x0000000000160000-memory.dmp

Filesize
192KB

Download
memory/3512-16-0x00000000023E0000-0x00000000023E6000-memory.dmp

Filesize
24KB

Download
memory/3512-17-0x00000000050E0000-0x00000000056F8000-memory.dmp

Filesize
6.1MB

Download
memory/3512-18-0x0000000004BD0000-0x0000000004CDA000-memory.dmp

Filesize
1.0MB

Download
memory/3512-19-0x0000000004AC0000-0x0000000004AD2000-memory.dmp

Filesize
72KB

Download
memory/3512-20-0x0000000004AE0000-0x0000000004B1C000-memory.dmp

Filesize
240KB

Download
memory/3512-21-0x0000000074B70000-0x0000000075320000-memory.dmp

Filesize
7.7MB

Download
memory/3512-22-0x0000000004B60000-0x0000000004BAC000-memory.dmp

Filesize
304KB

Download
memory/3512-23-0x0000000074B7E000-0x0000000074B7F000-memory.dmp

Filesize
4KB

Download
memory/3512-24-0x0000000074B70000-0x0000000075320000-memory.dmp

Filesize
7.7MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads