redline | 98a1333a4a6560b1cd46031cf3db1988a16f5c345795092a1116e9df6602f35c

General

Target

98a1333a4a6560b1cd46031cf3db1988a16f5c345795092a1116e9df6602f35c.exe
Size

479KB
MD5

8a4ae757ab1694f555706deefe1959ae
SHA1

a1f71bed92686b539af5050dc21b6fa234232f57
SHA256

98a1333a4a6560b1cd46031cf3db1988a16f5c345795092a1116e9df6602f35c
SHA512

69b9d188a1e0b1f6b1d51c06548e2fa2a97d7a19a1fc5e524778183ec9fa31e65bc32f48eb95305be9267137913bdccfa4934eb09b3f0a191dc12dcae6255f57
SSDEEP

12288:SMrSy90wtv+viv1HVTCZzcXfnesXsS2EnoznAxB89:cy3tv+arTDGY2Eny68

Score

10^/10

redline dumud discovery infostealer persistence

Malware Config

Extracted

Family

redline

Botnet

dumud

C2

217.196.96.101:4132

Attributes

auth_value
3e18d4b90418aa3e78d8822e87c62f5c

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 2 IoCs

resource	yara_rule
behavioral1/files/0x000b000000023b74-12.dat	family_redline
behavioral1/memory/1564-15-0x0000000000190000-0x00000000001C0000-memory.dmp	family_redline

Redline family
redline

Executes dropped EXE 2 IoCs

pid	Process
2020	x9047330.exe
1564	g9511408.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	98a1333a4a6560b1cd46031cf3db1988a16f5c345795092a1116e9df6602f35c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	x9047330.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	g9511408.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	98a1333a4a6560b1cd46031cf3db1988a16f5c345795092a1116e9df6602f35c.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	x9047330.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 5068 wrote to memory of 2020	5068	98a1333a4a6560b1cd46031cf3db1988a16f5c345795092a1116e9df6602f35c.exe	83
PID 5068 wrote to memory of 2020	5068	98a1333a4a6560b1cd46031cf3db1988a16f5c345795092a1116e9df6602f35c.exe	83
PID 5068 wrote to memory of 2020	5068	98a1333a4a6560b1cd46031cf3db1988a16f5c345795092a1116e9df6602f35c.exe	83
PID 2020 wrote to memory of 1564	2020	x9047330.exe	84
PID 2020 wrote to memory of 1564	2020	x9047330.exe	84
PID 2020 wrote to memory of 1564	2020	x9047330.exe	84

C:\Users\Admin\AppData\Local\Temp\98a1333a4a6560b1cd46031cf3db1988a16f5c345795092a1116e9df6602f35c.exe
"C:\Users\Admin\AppData\Local\Temp\98a1333a4a6560b1cd46031cf3db1988a16f5c345795092a1116e9df6602f35c.exe"
1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:5068
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x9047330.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x9047330.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2020
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g9511408.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g9511408.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:1564

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x9047330.exe

Filesize
307KB

MD5
4bd1fe91ce3733f08aaeceb10778c944

SHA1
82d9ca12c3f0025b070f326fb388e876876a2f5c

SHA256
7d09cb6f631f4caa17ea77571824c1ebc7f687c02420e8055ebc53a72f10a99b

SHA512
870be95f233d8aa277c2cc428d4fca02d2b6bf61aafc7425a83bb123f2ace371a783fd024e43d73e8410ed531f5d45499478ea705da5396967ffe497c666f46b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g9511408.exe

Filesize
168KB

MD5
e34ec6b2a643085071d89d8867340811

SHA1
4e10bde66acacf846632fddbf3f2913e5ee7728b

SHA256
d63114558c43a27d78c11eab7ddc35f6ebf7f6447cc8f3a25b17b1518a3f742f

SHA512
219e73524318616080d1367d6d649a0590aec880ddae7c8f97c1b23b9c4d4db6d96e797f1d8c75a5137bdce0b55f8cc0df20c5a555413d847e24a760adb952e4

Download Submit
memory/1564-14-0x000000007441E000-0x000000007441F000-memory.dmp

Filesize
4KB

Download
memory/1564-15-0x0000000000190000-0x00000000001C0000-memory.dmp

Filesize
192KB

Download
memory/1564-16-0x0000000002430000-0x0000000002436000-memory.dmp

Filesize
24KB

Download
memory/1564-17-0x000000000A5F0000-0x000000000AC08000-memory.dmp

Filesize
6.1MB

Download
memory/1564-18-0x000000000A140000-0x000000000A24A000-memory.dmp

Filesize
1.0MB

Download
memory/1564-19-0x000000000A070000-0x000000000A082000-memory.dmp

Filesize
72KB

Download
memory/1564-20-0x000000000A0D0000-0x000000000A10C000-memory.dmp

Filesize
240KB

Download
memory/1564-21-0x0000000074410000-0x0000000074BC0000-memory.dmp

Filesize
7.7MB

Download
memory/1564-22-0x00000000045F0000-0x000000000463C000-memory.dmp

Filesize
304KB

Download
memory/1564-23-0x000000007441E000-0x000000007441F000-memory.dmp

Filesize
4KB

Download
memory/1564-24-0x0000000074410000-0x0000000074BC0000-memory.dmp

Filesize
7.7MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads