redline | 6b50ba61342fdfe55d968aa0c0edbd5e60abe1b1a8af92ad5fdff73f1f4c553c

General

Target

6b50ba61342fdfe55d968aa0c0edbd5e60abe1b1a8af92ad5fdff73f1f4c553c.exe
Size

566KB
MD5

63f0555484031bbf9205e9a218dad1f7
SHA1

3269c5502c2098634e1f6fd2f5e900bb1a1d92c3
SHA256

6b50ba61342fdfe55d968aa0c0edbd5e60abe1b1a8af92ad5fdff73f1f4c553c
SHA512

5185407e37e71a76b687cb3b218fb1ac52c5162ef9d8dbb3074093cffa75c19a8a066376efd57a2cf0d3f115c73a144e9f436862092e1b70be68625c0e205a67
SSDEEP

12288:BMrjy90AUvBSSLOOmqgHWtVMbVKQJHzgiIayHsW:myw7CqISMhKMUNbsW

Score

10^/10

redline darm discovery infostealer persistence

Malware Config

Extracted

Family

redline

Botnet

darm

C2

217.196.96.56:4138

Attributes

auth_value
d88ac8ccc04ab9979b04b46313db1648

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 2 IoCs

Processes:

resource	yara_rule
behavioral1/files/0x000b000000023b79-12.dat	family_redline
behavioral1/memory/444-15-0x00000000002E0000-0x0000000000310000-memory.dmp	family_redline

Redline family
redline

Executes dropped EXE 2 IoCs

Processes:

y8242070.exek8370863.exe

pid	Process
3584	y8242070.exe
444	k8370863.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

y8242070.exe6b50ba61342fdfe55d968aa0c0edbd5e60abe1b1a8af92ad5fdff73f1f4c553c.exe

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	y8242070.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	6b50ba61342fdfe55d968aa0c0edbd5e60abe1b1a8af92ad5fdff73f1f4c553c.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

6b50ba61342fdfe55d968aa0c0edbd5e60abe1b1a8af92ad5fdff73f1f4c553c.exey8242070.exek8370863.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	6b50ba61342fdfe55d968aa0c0edbd5e60abe1b1a8af92ad5fdff73f1f4c553c.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	y8242070.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	k8370863.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

6b50ba61342fdfe55d968aa0c0edbd5e60abe1b1a8af92ad5fdff73f1f4c553c.exey8242070.exe

description	pid	Process	procid_target
PID 3336 wrote to memory of 3584	3336	6b50ba61342fdfe55d968aa0c0edbd5e60abe1b1a8af92ad5fdff73f1f4c553c.exe	83
PID 3336 wrote to memory of 3584	3336	6b50ba61342fdfe55d968aa0c0edbd5e60abe1b1a8af92ad5fdff73f1f4c553c.exe	83
PID 3336 wrote to memory of 3584	3336	6b50ba61342fdfe55d968aa0c0edbd5e60abe1b1a8af92ad5fdff73f1f4c553c.exe	83
PID 3584 wrote to memory of 444	3584	y8242070.exe	84
PID 3584 wrote to memory of 444	3584	y8242070.exe	84
PID 3584 wrote to memory of 444	3584	y8242070.exe	84

C:\Users\Admin\AppData\Local\Temp\6b50ba61342fdfe55d968aa0c0edbd5e60abe1b1a8af92ad5fdff73f1f4c553c.exe
"C:\Users\Admin\AppData\Local\Temp\6b50ba61342fdfe55d968aa0c0edbd5e60abe1b1a8af92ad5fdff73f1f4c553c.exe"
1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3336
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y8242070.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y8242070.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3584
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k8370863.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k8370863.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:444

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y8242070.exe

Filesize
307KB

MD5
ab8a02300c798a6c857cc6c75cf0c7bf

SHA1
26d186062c11aa14d14420824af12337823b1a24

SHA256
49783223735dfa17a44026eeb1cb7c7af228fbdc21c94d9e18b2692cbc494cbe

SHA512
dfdd194e8fb38837357ffed0c3bdbb5edb3d4f5cf45dea5e4cc472d8a2d66b509b17724df4f34a2f914b91b24beb296d6ce1f7fd6b0092f8485aebc315260546

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k8370863.exe

Filesize
168KB

MD5
8431cdc33bfe58b5618ed9e0f52d6b6f

SHA1
a911f2b3127e5741335bdc57668b9c7739d01373

SHA256
1110d5edaf00bba40388b115ab1280ea1561675cc273e63c47f05170484088fd

SHA512
80167d47500b372cb0b6ef4280278ee33cfbcc493e6c0c6981bbc0bb7b612d4b8e4fcb67370d7c634033364f09920ebe1db4792071c7e0e256b6a2932dfd7c32

Download Submit
memory/444-14-0x00000000742CE000-0x00000000742CF000-memory.dmp

Filesize
4KB

Download
memory/444-15-0x00000000002E0000-0x0000000000310000-memory.dmp

Filesize
192KB

Download
memory/444-16-0x0000000000CA0000-0x0000000000CA6000-memory.dmp

Filesize
24KB

Download
memory/444-17-0x00000000052D0000-0x00000000058E8000-memory.dmp

Filesize
6.1MB

Download
memory/444-18-0x0000000004DC0000-0x0000000004ECA000-memory.dmp

Filesize
1.0MB

Download
memory/444-19-0x0000000004B50000-0x0000000004B62000-memory.dmp

Filesize
72KB

Download
memory/444-20-0x0000000004CF0000-0x0000000004D2C000-memory.dmp

Filesize
240KB

Download
memory/444-21-0x00000000742C0000-0x0000000074A70000-memory.dmp

Filesize
7.7MB

Download
memory/444-22-0x0000000004D30000-0x0000000004D7C000-memory.dmp

Filesize
304KB

Download
memory/444-23-0x00000000742CE000-0x00000000742CF000-memory.dmp

Filesize
4KB

Download
memory/444-24-0x00000000742C0000-0x0000000074A70000-memory.dmp

Filesize
7.7MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads