redline | 25a840ef9ad8bcb00e42b3c203b688c0f8601ef1904d92b5fe94eaca6bf22f6b

General

Target

25a840ef9ad8bcb00e42b3c203b688c0f8601ef1904d92b5fe94eaca6bf22f6b.exe
Size

480KB
MD5

4e2a9858d15dbd49285cb82bf0ab2aed
SHA1

dce756c132a3e1e411ce9d5d41ed23e68032819d
SHA256

25a840ef9ad8bcb00e42b3c203b688c0f8601ef1904d92b5fe94eaca6bf22f6b
SHA512

418d2296c4a723cafe5d3ff600d5a7f46e5a8eb788c0bb3d239c9a2aa5dc1ec4a4b54f0ec283b0cf3903564e048769af955f8715c45fc4d58b1e5f8b33be3b0f
SSDEEP

12288:tMrSy90if+pHkqt/9Nt1oYju79lbluGaZr:byvf0HPHz1oYjc9FkGk

Score

10^/10

redline dumud discovery infostealer persistence

Malware Config

Extracted

Family

redline

Botnet

dumud

C2

217.196.96.101:4132

Attributes

auth_value
3e18d4b90418aa3e78d8822e87c62f5c

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 2 IoCs

resource	yara_rule
behavioral1/files/0x0008000000023cb0-12.dat	family_redline
behavioral1/memory/2196-15-0x00000000002E0000-0x0000000000310000-memory.dmp	family_redline

Redline family
redline

Executes dropped EXE 2 IoCs

pid	Process
4120	x8640158.exe
2196	g6683340.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	25a840ef9ad8bcb00e42b3c203b688c0f8601ef1904d92b5fe94eaca6bf22f6b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	x8640158.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	x8640158.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	g6683340.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	25a840ef9ad8bcb00e42b3c203b688c0f8601ef1904d92b5fe94eaca6bf22f6b.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 4384 wrote to memory of 4120	4384	25a840ef9ad8bcb00e42b3c203b688c0f8601ef1904d92b5fe94eaca6bf22f6b.exe	83
PID 4384 wrote to memory of 4120	4384	25a840ef9ad8bcb00e42b3c203b688c0f8601ef1904d92b5fe94eaca6bf22f6b.exe	83
PID 4384 wrote to memory of 4120	4384	25a840ef9ad8bcb00e42b3c203b688c0f8601ef1904d92b5fe94eaca6bf22f6b.exe	83
PID 4120 wrote to memory of 2196	4120	x8640158.exe	84
PID 4120 wrote to memory of 2196	4120	x8640158.exe	84
PID 4120 wrote to memory of 2196	4120	x8640158.exe	84

C:\Users\Admin\AppData\Local\Temp\25a840ef9ad8bcb00e42b3c203b688c0f8601ef1904d92b5fe94eaca6bf22f6b.exe
"C:\Users\Admin\AppData\Local\Temp\25a840ef9ad8bcb00e42b3c203b688c0f8601ef1904d92b5fe94eaca6bf22f6b.exe"
1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4384
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x8640158.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x8640158.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4120
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g6683340.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g6683340.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:2196

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x8640158.exe

Filesize
308KB

MD5
f2dd4c41c7689b7db83c985c0b970266

SHA1
d5808f1269486dafc55ddd62f59c8c741e1f4ef0

SHA256
7bb106aad99d788a331a8713ae69489c9ee76886f9b1b4f27e21534d03c29e9c

SHA512
837ffa5558bbdfc4d575661169eb1f2772ee35595b56b7d452deea12de732c560061a2c1f7344af8a80c1890043c288cc07a09c66a275fa1871e8a0cf12a4af3

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g6683340.exe

Filesize
168KB

MD5
9b27944a29eb764fe52526ed8a3295cd

SHA1
aa44960e70353b025e0eb8a1d58937290a5ed927

SHA256
305cfa72138cdb9e577ebd7504264c3cbf136741e7832656caf0d27066d4461a

SHA512
49fea4094b93608ce0240fff1f1ae8b34369470407569f07257451b53e82fa3dd2f79cf6d9f26f5e99b21ffb0a4fc75dd384111fd31a7764100ea55dfeea63c9

Download Submit
memory/2196-14-0x0000000074B7E000-0x0000000074B7F000-memory.dmp

Filesize
4KB

Download
memory/2196-15-0x00000000002E0000-0x0000000000310000-memory.dmp

Filesize
192KB

Download
memory/2196-16-0x00000000027B0000-0x00000000027B6000-memory.dmp

Filesize
24KB

Download
memory/2196-17-0x0000000005400000-0x0000000005A18000-memory.dmp

Filesize
6.1MB

Download
memory/2196-18-0x0000000004EF0000-0x0000000004FFA000-memory.dmp

Filesize
1.0MB

Download
memory/2196-19-0x0000000004C90000-0x0000000004CA2000-memory.dmp

Filesize
72KB

Download
memory/2196-20-0x0000000004E20000-0x0000000004E5C000-memory.dmp

Filesize
240KB

Download
memory/2196-21-0x0000000074B70000-0x0000000075320000-memory.dmp

Filesize
7.7MB

Download
memory/2196-22-0x0000000004E60000-0x0000000004EAC000-memory.dmp

Filesize
304KB

Download
memory/2196-23-0x0000000074B7E000-0x0000000074B7F000-memory.dmp

Filesize
4KB

Download
memory/2196-24-0x0000000074B70000-0x0000000075320000-memory.dmp

Filesize
7.7MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads