redline | 0c903acd8212b0e7d09f9a8c6a7ce909377951efb05ddd325ada1f374b06d30d

General

Target

0c903acd8212b0e7d09f9a8c6a7ce909377951efb05ddd325ada1f374b06d30d.exe
Size

566KB
MD5

ffdbf2c5ae59e0d6f7947638752e9249
SHA1

b6afeeec0198029e5ea0315790ef056ef5b64ef8
SHA256

0c903acd8212b0e7d09f9a8c6a7ce909377951efb05ddd325ada1f374b06d30d
SHA512

753efa4f5261689f2313359b1be2cae2c690a8fe243ed498597a80fc576571f2ce09c294ab3c774c01529dcd4ec4428911640c365615fb457ce077762ae7b7b6
SSDEEP

12288:6Mr7y90PNOqvGneju5AQBqvoqFcfEBrrE2OHg2yOAYIr6rkBEr:5yQOIG3ADAqFoirrE2h+AYxkC

Score

10^/10

redline darm discovery infostealer persistence

Malware Config

Extracted

Family

redline

Botnet

darm

C2

217.196.96.56:4138

Attributes

auth_value
d88ac8ccc04ab9979b04b46313db1648

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 2 IoCs

Processes:

resource	yara_rule
behavioral1/files/0x000a000000023bbc-12.dat	family_redline
behavioral1/memory/2676-15-0x0000000000E70000-0x0000000000EA0000-memory.dmp	family_redline

Redline family
redline

Executes dropped EXE 2 IoCs

Processes:

y1214601.exek3851575.exe

pid	Process
4808	y1214601.exe
2676	k3851575.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

y1214601.exe0c903acd8212b0e7d09f9a8c6a7ce909377951efb05ddd325ada1f374b06d30d.exe

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	y1214601.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	0c903acd8212b0e7d09f9a8c6a7ce909377951efb05ddd325ada1f374b06d30d.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

0c903acd8212b0e7d09f9a8c6a7ce909377951efb05ddd325ada1f374b06d30d.exey1214601.exek3851575.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0c903acd8212b0e7d09f9a8c6a7ce909377951efb05ddd325ada1f374b06d30d.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	y1214601.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	k3851575.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

0c903acd8212b0e7d09f9a8c6a7ce909377951efb05ddd325ada1f374b06d30d.exey1214601.exe

description	pid	Process	procid_target
PID 5084 wrote to memory of 4808	5084	0c903acd8212b0e7d09f9a8c6a7ce909377951efb05ddd325ada1f374b06d30d.exe	83
PID 5084 wrote to memory of 4808	5084	0c903acd8212b0e7d09f9a8c6a7ce909377951efb05ddd325ada1f374b06d30d.exe	83
PID 5084 wrote to memory of 4808	5084	0c903acd8212b0e7d09f9a8c6a7ce909377951efb05ddd325ada1f374b06d30d.exe	83
PID 4808 wrote to memory of 2676	4808	y1214601.exe	85
PID 4808 wrote to memory of 2676	4808	y1214601.exe	85
PID 4808 wrote to memory of 2676	4808	y1214601.exe	85

C:\Users\Admin\AppData\Local\Temp\0c903acd8212b0e7d09f9a8c6a7ce909377951efb05ddd325ada1f374b06d30d.exe
"C:\Users\Admin\AppData\Local\Temp\0c903acd8212b0e7d09f9a8c6a7ce909377951efb05ddd325ada1f374b06d30d.exe"
1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:5084
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y1214601.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y1214601.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4808
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k3851575.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k3851575.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:2676

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y1214601.exe

Filesize
307KB

MD5
580e9fc2578c9f77857adf5a6f5873bd

SHA1
b8832683a163deb49dd6dfd6e1f85ab347bc9813

SHA256
b6fc1473007d2590393b3a4a219a5847845038e2c935d108f690758bace43fd7

SHA512
2d989e87f2a1e83cb569e6d2f0e14f7ade74284bee2ff758d2649fc555205269c8199c9717c836310e779ffa9641f481cf7b4b7ea6514af520bbc09310ffdd35

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k3851575.exe

Filesize
168KB

MD5
653f414b44421769eb7d67bf46ff9d7e

SHA1
1afb6a2c2ffffdebcf317c69afd499123d17f14a

SHA256
ff038c241696e8bb12073f7a6319a8b78aa746f1929456e6552e07b266b73354

SHA512
849a2d33cd59ec68fc59644f3431f369580cee94b526c7b165bba18ddfa4500b418fe3cf80164e21c68586d28c1c5477fd0784ff4883941ba11a8bd7e08bef3d

Download Submit
memory/2676-14-0x000000007429E000-0x000000007429F000-memory.dmp

Filesize
4KB

Download
memory/2676-15-0x0000000000E70000-0x0000000000EA0000-memory.dmp

Filesize
192KB

Download
memory/2676-16-0x0000000003100000-0x0000000003106000-memory.dmp

Filesize
24KB

Download
memory/2676-17-0x0000000005DC0000-0x00000000063D8000-memory.dmp

Filesize
6.1MB

Download
memory/2676-18-0x00000000058C0000-0x00000000059CA000-memory.dmp

Filesize
1.0MB

Download
memory/2676-19-0x00000000057F0000-0x0000000005802000-memory.dmp

Filesize
72KB

Download
memory/2676-20-0x0000000005850000-0x000000000588C000-memory.dmp

Filesize
240KB

Download
memory/2676-21-0x0000000074290000-0x0000000074A40000-memory.dmp

Filesize
7.7MB

Download
memory/2676-22-0x00000000059D0000-0x0000000005A1C000-memory.dmp

Filesize
304KB

Download
memory/2676-23-0x000000007429E000-0x000000007429F000-memory.dmp

Filesize
4KB

Download
memory/2676-24-0x0000000074290000-0x0000000074A40000-memory.dmp

Filesize
7.7MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads