redline | 011c8b7a5f8c6bf211aac0c935a2b232099953cf3d4bcbd1cd81df1950588b83

General

Target

011c8b7a5f8c6bf211aac0c935a2b232099953cf3d4bcbd1cd81df1950588b83.exe
Size

479KB
MD5

9a007d54d45ef2ab873bcf0ae83d59ad
SHA1

53ff750d8a2d1412450e34c8137d56112c72ba49
SHA256

011c8b7a5f8c6bf211aac0c935a2b232099953cf3d4bcbd1cd81df1950588b83
SHA512

e8e337b61e6dc2c30b9ea85bd443784e9649d504298f39fddda0cf137e19a977260acd3595cc9ada0f79bdc5b21e62984ecf1f38ca4d94a4550c6513c8961bd0
SSDEEP

12288:8MrWy90R0XJuYxXS8INl79eFs48Oj2ebZst:KyZFtvINyFL8Oj2etM

Score

10^/10

redline dumud discovery infostealer persistence

Malware Config

Extracted

Family

redline

Botnet

dumud

C2

217.196.96.101:4132

Attributes

auth_value
3e18d4b90418aa3e78d8822e87c62f5c

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 2 IoCs

resource	yara_rule
behavioral1/files/0x0009000000023c2c-12.dat	family_redline
behavioral1/memory/3324-15-0x00000000006C0000-0x00000000006F0000-memory.dmp	family_redline

Redline family
redline

Executes dropped EXE 2 IoCs

pid	Process
928	x4430672.exe
3324	g5082622.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	011c8b7a5f8c6bf211aac0c935a2b232099953cf3d4bcbd1cd81df1950588b83.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	x4430672.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	011c8b7a5f8c6bf211aac0c935a2b232099953cf3d4bcbd1cd81df1950588b83.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	x4430672.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	g5082622.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 316 wrote to memory of 928	316	011c8b7a5f8c6bf211aac0c935a2b232099953cf3d4bcbd1cd81df1950588b83.exe	84
PID 316 wrote to memory of 928	316	011c8b7a5f8c6bf211aac0c935a2b232099953cf3d4bcbd1cd81df1950588b83.exe	84
PID 316 wrote to memory of 928	316	011c8b7a5f8c6bf211aac0c935a2b232099953cf3d4bcbd1cd81df1950588b83.exe	84
PID 928 wrote to memory of 3324	928	x4430672.exe	85
PID 928 wrote to memory of 3324	928	x4430672.exe	85
PID 928 wrote to memory of 3324	928	x4430672.exe	85

C:\Users\Admin\AppData\Local\Temp\011c8b7a5f8c6bf211aac0c935a2b232099953cf3d4bcbd1cd81df1950588b83.exe
"C:\Users\Admin\AppData\Local\Temp\011c8b7a5f8c6bf211aac0c935a2b232099953cf3d4bcbd1cd81df1950588b83.exe"
1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:316
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x4430672.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x4430672.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:928
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g5082622.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g5082622.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:3324

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x4430672.exe

Filesize
308KB

MD5
bf213e332b71c93c14c026a0b427d658

SHA1
ae34cd377f7b20b5b8a81358b8bdafe6be1aafec

SHA256
9d6afd1420e18fda8a0152bdc3b547297e421610061cd389e9f0db943203b513

SHA512
ad046ba01dea269aeab62d478752b6056fccde8e385d2e9b30db1fb166152edb1882ddcc599685e61c70ee64fa792c6aca975844e76f9988ad18d36550520831

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g5082622.exe

Filesize
168KB

MD5
2035e0c97fca9abfb0a9e1806cd2dd8f

SHA1
4edbd31ca2a045290beb1b6c945549df80563757

SHA256
b0609f3a7244339eac3fd8f35a7d054fb6422ff6e69f82228727fafc07387f2b

SHA512
05aa18db2a3509d30a13aa36879b77eb8271bc66d1d3445c863d2df3bf79374a30ad94d9135f3578d22b5d2e706474501dabfa48d1630b6520a575445443cd63

Download Submit
memory/3324-14-0x00000000747BE000-0x00000000747BF000-memory.dmp

Filesize
4KB

Download
memory/3324-15-0x00000000006C0000-0x00000000006F0000-memory.dmp

Filesize
192KB

Download
memory/3324-16-0x0000000000F70000-0x0000000000F76000-memory.dmp

Filesize
24KB

Download
memory/3324-17-0x0000000005690000-0x0000000005CA8000-memory.dmp

Filesize
6.1MB

Download
memory/3324-18-0x0000000005180000-0x000000000528A000-memory.dmp

Filesize
1.0MB

Download
memory/3324-19-0x0000000004F30000-0x0000000004F42000-memory.dmp

Filesize
72KB

Download
memory/3324-21-0x00000000747B0000-0x0000000074F60000-memory.dmp

Filesize
7.7MB

Download
memory/3324-20-0x00000000050B0000-0x00000000050EC000-memory.dmp

Filesize
240KB

Download
memory/3324-22-0x00000000050F0000-0x000000000513C000-memory.dmp

Filesize
304KB

Download
memory/3324-23-0x00000000747BE000-0x00000000747BF000-memory.dmp

Filesize
4KB

Download
memory/3324-24-0x00000000747B0000-0x0000000074F60000-memory.dmp

Filesize
7.7MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads