redline | 4ffde68b73fe6a3c75d6d7dbda8a3fd7f7e46ba9df640fbce68e91d94be41d18

General

Target

4ffde68b73fe6a3c75d6d7dbda8a3fd7f7e46ba9df640fbce68e91d94be41d18.exe
Size

643KB
MD5

3afaa9ac259d7998352eb34444610e90
SHA1

28ca1f2169ca893b0246e351db284f0acfa3a0f3
SHA256

4ffde68b73fe6a3c75d6d7dbda8a3fd7f7e46ba9df640fbce68e91d94be41d18
SHA512

b33241033afe723f5645cf4fe2548e5b99289227540d53decfe728a0aba07e9b3ff08e80a588a3e537c9049f1da084ab17e823eb1ccbcc4a2c6d1a8ce68629ef
SSDEEP

12288:GMrPy90ZpnkH0gRVkR3uKZKHJ5wnH/HdjMjy9sjr4g+Mi:By6C0MVkRroJYzEcei

Score

10^/10

redline darm discovery infostealer persistence

Malware Config

Extracted

Family

redline

Botnet

darm

C2

217.196.96.56:4138

Attributes

auth_value
d88ac8ccc04ab9979b04b46313db1648

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 2 IoCs

Processes:

resource	yara_rule
behavioral1/files/0x0008000000023c9c-12.dat	family_redline
behavioral1/memory/5080-15-0x0000000000F40000-0x0000000000F70000-memory.dmp	family_redline

Redline family
redline

Executes dropped EXE 2 IoCs

Processes:

x5387407.exeg0497330.exe

pid	Process
4204	x5387407.exe
5080	g0497330.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

4ffde68b73fe6a3c75d6d7dbda8a3fd7f7e46ba9df640fbce68e91d94be41d18.exex5387407.exe

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	4ffde68b73fe6a3c75d6d7dbda8a3fd7f7e46ba9df640fbce68e91d94be41d18.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	x5387407.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

4ffde68b73fe6a3c75d6d7dbda8a3fd7f7e46ba9df640fbce68e91d94be41d18.exex5387407.exeg0497330.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	4ffde68b73fe6a3c75d6d7dbda8a3fd7f7e46ba9df640fbce68e91d94be41d18.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	x5387407.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	g0497330.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

4ffde68b73fe6a3c75d6d7dbda8a3fd7f7e46ba9df640fbce68e91d94be41d18.exex5387407.exe

description	pid	Process	procid_target
PID 1968 wrote to memory of 4204	1968	4ffde68b73fe6a3c75d6d7dbda8a3fd7f7e46ba9df640fbce68e91d94be41d18.exe	83
PID 1968 wrote to memory of 4204	1968	4ffde68b73fe6a3c75d6d7dbda8a3fd7f7e46ba9df640fbce68e91d94be41d18.exe	83
PID 1968 wrote to memory of 4204	1968	4ffde68b73fe6a3c75d6d7dbda8a3fd7f7e46ba9df640fbce68e91d94be41d18.exe	83
PID 4204 wrote to memory of 5080	4204	x5387407.exe	84
PID 4204 wrote to memory of 5080	4204	x5387407.exe	84
PID 4204 wrote to memory of 5080	4204	x5387407.exe	84

C:\Users\Admin\AppData\Local\Temp\4ffde68b73fe6a3c75d6d7dbda8a3fd7f7e46ba9df640fbce68e91d94be41d18.exe
"C:\Users\Admin\AppData\Local\Temp\4ffde68b73fe6a3c75d6d7dbda8a3fd7f7e46ba9df640fbce68e91d94be41d18.exe"
1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1968
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x5387407.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x5387407.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4204
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g0497330.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g0497330.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:5080

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x5387407.exe

Filesize
384KB

MD5
626158dd8b2fba21dbd2ebc515bff751

SHA1
383dbc5edf3964e53c8c44a5d47ca82162bbcc46

SHA256
015214c90784426d30b9fd06541d04eba2e25c8c6febed2588567b9147dda0bc

SHA512
81d7cadda45cdada436a6f1a7381c9d2335a688e62de29b0d477b3c377d39f8315563b1fe22d65f153260c70c67dbf1b333426fff3a81144e3d6dddb150358ff

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g0497330.exe

Filesize
168KB

MD5
f14b8d917afe5ae55c3efef17a1a5c5a

SHA1
90d99e2b35d528e0a36b5078e39f836bb671ea79

SHA256
b8b160ac4c939ba7c54ea7d18b48e0d0cbbf63578c63d589cc44cfdccd1e57ad

SHA512
306bd44656b500fe1cababe1d8716e1252830e0e8e931f71f8e0246a5cde564cec1a076546360b936a390662b3cfe43ea159f6fe92e37143c904967d678e1429

Download Submit
memory/5080-14-0x0000000074B0E000-0x0000000074B0F000-memory.dmp

Filesize
4KB

Download
memory/5080-15-0x0000000000F40000-0x0000000000F70000-memory.dmp

Filesize
192KB

Download
memory/5080-16-0x00000000056E0000-0x00000000056E6000-memory.dmp

Filesize
24KB

Download
memory/5080-17-0x000000000B240000-0x000000000B858000-memory.dmp

Filesize
6.1MB

Download
memory/5080-18-0x000000000ADB0000-0x000000000AEBA000-memory.dmp

Filesize
1.0MB

Download
memory/5080-19-0x000000000ACE0000-0x000000000ACF2000-memory.dmp

Filesize
72KB

Download
memory/5080-20-0x000000000AD40000-0x000000000AD7C000-memory.dmp

Filesize
240KB

Download
memory/5080-21-0x0000000074B00000-0x00000000752B0000-memory.dmp

Filesize
7.7MB

Download
memory/5080-22-0x0000000005220000-0x000000000526C000-memory.dmp

Filesize
304KB

Download
memory/5080-23-0x0000000074B0E000-0x0000000074B0F000-memory.dmp

Filesize
4KB

Download
memory/5080-24-0x0000000074B00000-0x00000000752B0000-memory.dmp

Filesize
7.7MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads