redline | e672f587f110093013168e7c191981845ee75e9844437248acc073152e9b4295

General

Target

e672f587f110093013168e7c191981845ee75e9844437248acc073152e9b4295.exe
Size

566KB
MD5

2fb5c99a4246af5d4c67694c6a959fb1
SHA1

d43a2f6a604963a6aa4b8d2ae183f4e061a18512
SHA256

e672f587f110093013168e7c191981845ee75e9844437248acc073152e9b4295
SHA512

f4ba416382c1928aff12e67c6acaf290cdd51663ad16394803c956eb18d18c62a7200925507e109bcbb4f09ab53d772d9430f8b80ede80adf522603ce3b30aa9
SSDEEP

12288:0MrLy90WKWk05bNU04dbUXrSiWS2ATTGXjVcW:HydKW/4K7Lds

Score

10^/10

redline darm discovery infostealer persistence

Malware Config

Extracted

Family

redline

Botnet

darm

C2

217.196.96.56:4138

Attributes

auth_value
d88ac8ccc04ab9979b04b46313db1648

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 2 IoCs

resource	yara_rule
behavioral1/files/0x000b000000023b88-12.dat	family_redline
behavioral1/memory/2796-15-0x0000000000060000-0x0000000000090000-memory.dmp	family_redline

Redline family
redline

Executes dropped EXE 2 IoCs

pid	Process
368	y3686297.exe
2796	k4630618.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	e672f587f110093013168e7c191981845ee75e9844437248acc073152e9b4295.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	y3686297.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e672f587f110093013168e7c191981845ee75e9844437248acc073152e9b4295.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	y3686297.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	k4630618.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 1112 wrote to memory of 368	1112	e672f587f110093013168e7c191981845ee75e9844437248acc073152e9b4295.exe	84
PID 1112 wrote to memory of 368	1112	e672f587f110093013168e7c191981845ee75e9844437248acc073152e9b4295.exe	84
PID 1112 wrote to memory of 368	1112	e672f587f110093013168e7c191981845ee75e9844437248acc073152e9b4295.exe	84
PID 368 wrote to memory of 2796	368	y3686297.exe	85
PID 368 wrote to memory of 2796	368	y3686297.exe	85
PID 368 wrote to memory of 2796	368	y3686297.exe	85

C:\Users\Admin\AppData\Local\Temp\e672f587f110093013168e7c191981845ee75e9844437248acc073152e9b4295.exe
"C:\Users\Admin\AppData\Local\Temp\e672f587f110093013168e7c191981845ee75e9844437248acc073152e9b4295.exe"
1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1112
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y3686297.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y3686297.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:368
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k4630618.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k4630618.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:2796

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y3686297.exe

Filesize
307KB

MD5
8b5f2d6613aff48acc13548812714759

SHA1
d8c40a725472f82cff9c5203973cf77d197fc36d

SHA256
ab2106cb99016f89c3c38b80b59c2722764c07b515cfa6fa2f2a5f86b18bb0f2

SHA512
9de7a23fd7c03a3f237871dec52bdf32bcf46300c5859594bcd62b133fdc1a3f46d69ecda7a494666190fa6159c3b4613a6fee6fa67131d7b562d2d634f1d7a6

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k4630618.exe

Filesize
168KB

MD5
9b16ad996581a94b97baa4c409e36238

SHA1
1a30bdda468ffde313da8b56a3b4661b18319cae

SHA256
ab86288d78f57a2c18a77bf3500547560585029d631437bca4094d555b22f294

SHA512
099c4a9a76c103386b7f526c3e35731dc266aeb1bd984ceae1e18e6c4a5361133e5fb750052fbfc2aa5773037ccbdd49b083bd2563447abaa19fbdfe12b04124

Download Submit
memory/2796-14-0x000000007498E000-0x000000007498F000-memory.dmp

Filesize
4KB

Download
memory/2796-15-0x0000000000060000-0x0000000000090000-memory.dmp

Filesize
192KB

Download
memory/2796-16-0x0000000000950000-0x0000000000956000-memory.dmp

Filesize
24KB

Download
memory/2796-17-0x000000000A4A0000-0x000000000AAB8000-memory.dmp

Filesize
6.1MB

Download
memory/2796-18-0x000000000A000000-0x000000000A10A000-memory.dmp

Filesize
1.0MB

Download
memory/2796-19-0x0000000009F30000-0x0000000009F42000-memory.dmp

Filesize
72KB

Download
memory/2796-21-0x0000000074980000-0x0000000075130000-memory.dmp

Filesize
7.7MB

Download
memory/2796-20-0x0000000009F90000-0x0000000009FCC000-memory.dmp

Filesize
240KB

Download
memory/2796-22-0x0000000004320000-0x000000000436C000-memory.dmp

Filesize
304KB

Download
memory/2796-23-0x000000007498E000-0x000000007498F000-memory.dmp

Filesize
4KB

Download
memory/2796-24-0x0000000074980000-0x0000000075130000-memory.dmp

Filesize
7.7MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads