redline | 16fd87d498bef5cea78c3c940ef288823d2c166c9976751003a6832cc1dfad8f

General

Target

16fd87d498bef5cea78c3c940ef288823d2c166c9976751003a6832cc1dfad8f.exe
Size

641KB
MD5

485012e5c9afe7f588f8df8d7a620b11
SHA1

df5fe32c3cbb101f183e88ae7662c115fbbee894
SHA256

16fd87d498bef5cea78c3c940ef288823d2c166c9976751003a6832cc1dfad8f
SHA512

34162505a4ac468d59809002941495188a0d0bde3dbd6886d07702fb63a3834a4cbf974a6720b7f71376ee3738d72d8b87f6ecf2efdf6067d654b6f1e1f0ddb7
SSDEEP

12288:nMrLy90IOBEDAHAHqgEmCeH5p8yho+D9BwpWffokfCpgbvgxZmE3Gj:Ay4BVHoqPNeZmOnD9BwpWfAkf7gxZpGj

Score

10^/10

redline darm discovery infostealer persistence

Malware Config

Extracted

Family

redline

Botnet

darm

C2

217.196.96.56:4138

Attributes

auth_value
d88ac8ccc04ab9979b04b46313db1648

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 2 IoCs

Processes:

resource	yara_rule
behavioral1/files/0x0008000000023c9e-12.dat	family_redline
behavioral1/memory/3928-15-0x0000000000F30000-0x0000000000F60000-memory.dmp	family_redline

Redline family
redline

Executes dropped EXE 2 IoCs

Processes:

x8494249.exeg4058056.exe

pid	Process
3480	x8494249.exe
3928	g4058056.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

16fd87d498bef5cea78c3c940ef288823d2c166c9976751003a6832cc1dfad8f.exex8494249.exe

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	16fd87d498bef5cea78c3c940ef288823d2c166c9976751003a6832cc1dfad8f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	x8494249.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

16fd87d498bef5cea78c3c940ef288823d2c166c9976751003a6832cc1dfad8f.exex8494249.exeg4058056.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	16fd87d498bef5cea78c3c940ef288823d2c166c9976751003a6832cc1dfad8f.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	x8494249.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	g4058056.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

16fd87d498bef5cea78c3c940ef288823d2c166c9976751003a6832cc1dfad8f.exex8494249.exe

description	pid	Process	procid_target
PID 4744 wrote to memory of 3480	4744	16fd87d498bef5cea78c3c940ef288823d2c166c9976751003a6832cc1dfad8f.exe	83
PID 4744 wrote to memory of 3480	4744	16fd87d498bef5cea78c3c940ef288823d2c166c9976751003a6832cc1dfad8f.exe	83
PID 4744 wrote to memory of 3480	4744	16fd87d498bef5cea78c3c940ef288823d2c166c9976751003a6832cc1dfad8f.exe	83
PID 3480 wrote to memory of 3928	3480	x8494249.exe	84
PID 3480 wrote to memory of 3928	3480	x8494249.exe	84
PID 3480 wrote to memory of 3928	3480	x8494249.exe	84

C:\Users\Admin\AppData\Local\Temp\16fd87d498bef5cea78c3c940ef288823d2c166c9976751003a6832cc1dfad8f.exe
"C:\Users\Admin\AppData\Local\Temp\16fd87d498bef5cea78c3c940ef288823d2c166c9976751003a6832cc1dfad8f.exe"
1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4744
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x8494249.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x8494249.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3480
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g4058056.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g4058056.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:3928

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x8494249.exe

Filesize
383KB

MD5
161240745b6d96687ad915ef9c34f559

SHA1
114611b8b5b654d2c24607062a9ad637dd5f5a11

SHA256
0d9bce24d0ca3ba3d7d872c88c355a9e6791504a16c15c080cd8b50183508739

SHA512
7acb8191326b79f507b6ef0ccd25ee359c7171317f7488e1d8e076f2bb11d95d57c4b511fa33d38def2b99ab3fd87ca53ccb9060ea73bd8ec38634664a9b4630

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g4058056.exe

Filesize
168KB

MD5
8978ad6f9e1a679d8c21c672c4e7a58c

SHA1
563f3964012c5a814788379b2c335f57027dd522

SHA256
85d779a1695bda962db69942a31167afbed745ed724afc5f007ad0240f3bfc5f

SHA512
b7fe7272b3b35ca42f37cec819f9f631577cb300526805db527ab2bc9dcd8478dc2b4b88534d24e2970a389aba0fc6b61d9286a4c3acde490ba63c7d1c28574a

Download Submit
memory/3928-14-0x00000000743FE000-0x00000000743FF000-memory.dmp

Filesize
4KB

Download
memory/3928-15-0x0000000000F30000-0x0000000000F60000-memory.dmp

Filesize
192KB

Download
memory/3928-16-0x0000000001810000-0x0000000001816000-memory.dmp

Filesize
24KB

Download
memory/3928-17-0x000000000B390000-0x000000000B9A8000-memory.dmp

Filesize
6.1MB

Download
memory/3928-18-0x000000000AE80000-0x000000000AF8A000-memory.dmp

Filesize
1.0MB

Download
memory/3928-19-0x0000000005840000-0x0000000005852000-memory.dmp

Filesize
72KB

Download
memory/3928-20-0x00000000058A0000-0x00000000058DC000-memory.dmp

Filesize
240KB

Download
memory/3928-21-0x00000000743F0000-0x0000000074BA0000-memory.dmp

Filesize
7.7MB

Download
memory/3928-22-0x00000000015F0000-0x000000000163C000-memory.dmp

Filesize
304KB

Download
memory/3928-23-0x00000000743FE000-0x00000000743FF000-memory.dmp

Filesize
4KB

Download
memory/3928-24-0x00000000743F0000-0x0000000074BA0000-memory.dmp

Filesize
7.7MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads