redline | a48e5d76494c7094c39175043a6b6f85cfa5d52e975ea84752185fb545c4074e

General

Target

a48e5d76494c7094c39175043a6b6f85cfa5d52e975ea84752185fb545c4074e.exe
Size

479KB
MD5

579b5ba4582a5ef58becc58e47716615
SHA1

5cca8b93a4bf1f29a8fc17d6fdea11e9b75f28bd
SHA256

a48e5d76494c7094c39175043a6b6f85cfa5d52e975ea84752185fb545c4074e
SHA512

18bbd579d17a3ccb53e93037468d7a6efb29bf31da05eda3ccbdf9ec5d1a57ef65bdfc7d088588b57199149b5a62b688364b04d6b5fabbab41dc94f464ba8e42
SSDEEP

6144:Kry+bnr+np0yN90QEXgvQsddokWsjZNoH5B+dmFgxZ4ohYKE4Ss5fys1D2OmwpYC:NMrPy90FgvQs/9D9Yzy5fuvljzOdaM

Score

10^/10

redline dumud discovery infostealer persistence

Malware Config

Extracted

Family

redline

Botnet

dumud

C2

217.196.96.101:4132

Attributes

auth_value
3e18d4b90418aa3e78d8822e87c62f5c

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 2 IoCs

resource	yara_rule
behavioral1/files/0x0008000000023ca7-12.dat	family_redline
behavioral1/memory/2588-15-0x0000000000F60000-0x0000000000F90000-memory.dmp	family_redline

Redline family
redline

Executes dropped EXE 2 IoCs

pid	Process
3240	x7696524.exe
2588	g2549171.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	a48e5d76494c7094c39175043a6b6f85cfa5d52e975ea84752185fb545c4074e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	x7696524.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a48e5d76494c7094c39175043a6b6f85cfa5d52e975ea84752185fb545c4074e.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	x7696524.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	g2549171.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 2116 wrote to memory of 3240	2116	a48e5d76494c7094c39175043a6b6f85cfa5d52e975ea84752185fb545c4074e.exe	83
PID 2116 wrote to memory of 3240	2116	a48e5d76494c7094c39175043a6b6f85cfa5d52e975ea84752185fb545c4074e.exe	83
PID 2116 wrote to memory of 3240	2116	a48e5d76494c7094c39175043a6b6f85cfa5d52e975ea84752185fb545c4074e.exe	83
PID 3240 wrote to memory of 2588	3240	x7696524.exe	84
PID 3240 wrote to memory of 2588	3240	x7696524.exe	84
PID 3240 wrote to memory of 2588	3240	x7696524.exe	84

C:\Users\Admin\AppData\Local\Temp\a48e5d76494c7094c39175043a6b6f85cfa5d52e975ea84752185fb545c4074e.exe
"C:\Users\Admin\AppData\Local\Temp\a48e5d76494c7094c39175043a6b6f85cfa5d52e975ea84752185fb545c4074e.exe"
1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2116
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x7696524.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x7696524.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3240
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g2549171.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g2549171.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:2588

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x7696524.exe

Filesize
308KB

MD5
c1afb04be8e0f542c560b205c8b33343

SHA1
51da106660866d2d5c10d83450ca8f6b856b42e5

SHA256
d445ab1d4b9907f81c624290aa128f3dbb4b5a44f813a18b383d792f60b35e05

SHA512
6a844a083727876b4d1a7691f8131c6ac3f43077c39e64c4456396ae30b2c3100168e652543735ed1fe2af642c1f469aef6946535638dcb0af0a7853f3543d69

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g2549171.exe

Filesize
168KB

MD5
f46c88c6be03669173df1347cf6f85db

SHA1
6b5605dd30419d5370f05dbb629c99637ee90cf1

SHA256
470734cdfabd9b590218c7adef03f33638a338e7e2729cc7b70a19abd7823bbc

SHA512
f1b0bffa83d765f5f35959b2ad9e20499455a06b72f137d41b0862886ed91fde5a89a03b3333330e5aa181179700910fa7fe9ad53e305afa39d2ad96c0ed76e2

Download Submit
memory/2588-14-0x0000000073F6E000-0x0000000073F6F000-memory.dmp

Filesize
4KB

Download
memory/2588-15-0x0000000000F60000-0x0000000000F90000-memory.dmp

Filesize
192KB

Download
memory/2588-16-0x0000000003330000-0x0000000003336000-memory.dmp

Filesize
24KB

Download
memory/2588-17-0x000000000B450000-0x000000000BA68000-memory.dmp

Filesize
6.1MB

Download
memory/2588-18-0x000000000AF40000-0x000000000B04A000-memory.dmp

Filesize
1.0MB

Download
memory/2588-19-0x000000000AE50000-0x000000000AE62000-memory.dmp

Filesize
72KB

Download
memory/2588-20-0x0000000073F60000-0x0000000074710000-memory.dmp

Filesize
7.7MB

Download
memory/2588-21-0x000000000AEB0000-0x000000000AEEC000-memory.dmp

Filesize
240KB

Download
memory/2588-22-0x00000000032A0000-0x00000000032EC000-memory.dmp

Filesize
304KB

Download
memory/2588-23-0x0000000073F6E000-0x0000000073F6F000-memory.dmp

Filesize
4KB

Download
memory/2588-24-0x0000000073F60000-0x0000000074710000-memory.dmp

Filesize
7.7MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads