redline | b12ca221f4a3c59402b215a2a34b4d3424b4aa4efeac8b7c09c35f6b713ccbaa

General

Target

b12ca221f4a3c59402b215a2a34b4d3424b4aa4efeac8b7c09c35f6b713ccbaa.exe
Size

567KB
MD5

0b57becc7d85d419d6e9082ac627fbcd
SHA1

1fa10dd69bfce73846ee6cc6811d4dc4b3104d4e
SHA256

b12ca221f4a3c59402b215a2a34b4d3424b4aa4efeac8b7c09c35f6b713ccbaa
SHA512

40ff9eab2bd7499ee0fe121c59c59e736c8a3c503fca6aeeee8be96156bdb9181e077315741de876bda87ac6adcfe622b31a9802d6239e6c5b680fb484b42a4c
SSDEEP

12288:2Mruy901zaIMeci1JMD637ehUT2xzHmapdTkHUg2jhRrWhJVn/i:4y+hM5eJtehUT8/pdTQGRW3/i

Score

10^/10

redline darm discovery infostealer persistence

Malware Config

Extracted

Family

redline

Botnet

darm

C2

217.196.96.56:4138

Attributes

auth_value
d88ac8ccc04ab9979b04b46313db1648

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 2 IoCs

resource	yara_rule
behavioral1/files/0x0009000000023bbc-12.dat	family_redline
behavioral1/memory/2536-15-0x0000000000CA0000-0x0000000000CD0000-memory.dmp	family_redline

Redline family
redline

Executes dropped EXE 2 IoCs

pid	Process
3648	y7567095.exe
2536	k5966966.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	b12ca221f4a3c59402b215a2a34b4d3424b4aa4efeac8b7c09c35f6b713ccbaa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	y7567095.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	b12ca221f4a3c59402b215a2a34b4d3424b4aa4efeac8b7c09c35f6b713ccbaa.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	y7567095.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	k5966966.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 4564 wrote to memory of 3648	4564	b12ca221f4a3c59402b215a2a34b4d3424b4aa4efeac8b7c09c35f6b713ccbaa.exe	83
PID 4564 wrote to memory of 3648	4564	b12ca221f4a3c59402b215a2a34b4d3424b4aa4efeac8b7c09c35f6b713ccbaa.exe	83
PID 4564 wrote to memory of 3648	4564	b12ca221f4a3c59402b215a2a34b4d3424b4aa4efeac8b7c09c35f6b713ccbaa.exe	83
PID 3648 wrote to memory of 2536	3648	y7567095.exe	84
PID 3648 wrote to memory of 2536	3648	y7567095.exe	84
PID 3648 wrote to memory of 2536	3648	y7567095.exe	84

C:\Users\Admin\AppData\Local\Temp\b12ca221f4a3c59402b215a2a34b4d3424b4aa4efeac8b7c09c35f6b713ccbaa.exe
"C:\Users\Admin\AppData\Local\Temp\b12ca221f4a3c59402b215a2a34b4d3424b4aa4efeac8b7c09c35f6b713ccbaa.exe"
1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4564
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y7567095.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y7567095.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3648
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k5966966.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k5966966.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:2536

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y7567095.exe

Filesize
307KB

MD5
1779a2cc522ac740ab5a1408b69a367a

SHA1
f7a4a3a5eec5bca3f47de25d35b2e961d351fdc9

SHA256
b75337fe4323c63ad73576e8eeb81144f9826c0c51df918653153951f4dcf285

SHA512
4a485048d4df0e6362dc91b7f30a8fba3430519ad80b9f037895779c2f0ba01c8373716b0ddb7ec2df8fefb9db79746fbfec7fd60a76fae31735eacb7d1395c8

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k5966966.exe

Filesize
168KB

MD5
c3763ce720db164599f16406419fd56e

SHA1
b7aa18327a12d1692bd998b820d0b674b4c3579d

SHA256
72e68de4b3ae4d690c38bcb07a11ecdf6181efbbe5197faa07bc592eab15f285

SHA512
992e700f8460f5cca50cf0b2ba482751166dff5f9c3e109996101ae337f0d82701df3f053b167501d94c502a4cc97c9644f8dba535c1a6d3418529d400b93d5f

Download Submit
memory/2536-14-0x0000000073CFE000-0x0000000073CFF000-memory.dmp

Filesize
4KB

Download
memory/2536-15-0x0000000000CA0000-0x0000000000CD0000-memory.dmp

Filesize
192KB

Download
memory/2536-16-0x0000000002F50000-0x0000000002F56000-memory.dmp

Filesize
24KB

Download
memory/2536-17-0x0000000005C10000-0x0000000006228000-memory.dmp

Filesize
6.1MB

Download
memory/2536-18-0x0000000005700000-0x000000000580A000-memory.dmp

Filesize
1.0MB

Download
memory/2536-19-0x0000000005620000-0x0000000005632000-memory.dmp

Filesize
72KB

Download
memory/2536-21-0x0000000073CF0000-0x00000000744A0000-memory.dmp

Filesize
7.7MB

Download
memory/2536-20-0x0000000005680000-0x00000000056BC000-memory.dmp

Filesize
240KB

Download
memory/2536-22-0x0000000005810000-0x000000000585C000-memory.dmp

Filesize
304KB

Download
memory/2536-23-0x0000000073CFE000-0x0000000073CFF000-memory.dmp

Filesize
4KB

Download
memory/2536-24-0x0000000073CF0000-0x00000000744A0000-memory.dmp

Filesize
7.7MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads