redline | e01204beb5fc8cae5d39dd316c744784fd58e10cdc59dd83137de73192435486

General

Target

e01204beb5fc8cae5d39dd316c744784fd58e10cdc59dd83137de73192435486.exe
Size

479KB
MD5

95a75dff602c460433500f604f72bb66
SHA1

9f6807dc26b665ee4abbe59b9d030c077c87e9e0
SHA256

e01204beb5fc8cae5d39dd316c744784fd58e10cdc59dd83137de73192435486
SHA512

c494416c8cf7a9ded33e2f7dc48f88a056600d80f22cb35ca7d12decf6679621ef084c842c799f0ee6734539412fd4d0941de30a23c485078de317071f066ed4
SSDEEP

12288:EMr1y906H6EyWgyNAv2BHVX8Ept3aKOIJTvKvo:5yPH6pWg+PBOEpt3O8v6o

Score

10^/10

redline dumud discovery infostealer persistence

Malware Config

Extracted

Family

redline

Botnet

dumud

C2

217.196.96.101:4132

Attributes

auth_value
3e18d4b90418aa3e78d8822e87c62f5c

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 2 IoCs

resource	yara_rule
behavioral1/files/0x000b000000023baa-12.dat	family_redline
behavioral1/memory/3728-15-0x0000000000C80000-0x0000000000CB0000-memory.dmp	family_redline

Redline family
redline

Executes dropped EXE 2 IoCs

pid	Process
2972	x0880951.exe
3728	g7672357.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	e01204beb5fc8cae5d39dd316c744784fd58e10cdc59dd83137de73192435486.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	x0880951.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e01204beb5fc8cae5d39dd316c744784fd58e10cdc59dd83137de73192435486.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	x0880951.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	g7672357.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 4204 wrote to memory of 2972	4204	e01204beb5fc8cae5d39dd316c744784fd58e10cdc59dd83137de73192435486.exe	84
PID 4204 wrote to memory of 2972	4204	e01204beb5fc8cae5d39dd316c744784fd58e10cdc59dd83137de73192435486.exe	84
PID 4204 wrote to memory of 2972	4204	e01204beb5fc8cae5d39dd316c744784fd58e10cdc59dd83137de73192435486.exe	84
PID 2972 wrote to memory of 3728	2972	x0880951.exe	85
PID 2972 wrote to memory of 3728	2972	x0880951.exe	85
PID 2972 wrote to memory of 3728	2972	x0880951.exe	85

C:\Users\Admin\AppData\Local\Temp\e01204beb5fc8cae5d39dd316c744784fd58e10cdc59dd83137de73192435486.exe
"C:\Users\Admin\AppData\Local\Temp\e01204beb5fc8cae5d39dd316c744784fd58e10cdc59dd83137de73192435486.exe"
1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4204
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x0880951.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x0880951.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2972
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g7672357.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g7672357.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:3728

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x0880951.exe

Filesize
308KB

MD5
c20d1913b451777d80ff88d6538b075a

SHA1
659fc7ad7b1e91bb410b3af8293d051e7985f8f1

SHA256
5f1e56932982eef12ffb24dd776fdb5a799b2444912e4e173aa93b4aadc1f858

SHA512
11dea1cdb3e84df0941813af8234e1b34bd017a622b233e323f111847a04e03eea51589f0f88204bf1eed41501a758414bb9cad23a05f64e17cda64086950875

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g7672357.exe

Filesize
168KB

MD5
1eea9c478651f4f7419e0461fbbc2798

SHA1
8b51c44f32f3992e2fbb1f6917422d193ebafaf2

SHA256
4ad5a03020f0038cb7a347b88a578a82b99c1b827a6672b76524c72ba690d22e

SHA512
dfdf20abca7cb205b7e004316bad775030bf6618db39953fa000d84ce66d18a5d658617b0a12c029346982db791fbf5ec6b31653db9c07f64243898e929c3194

Download Submit
memory/3728-14-0x00000000746FE000-0x00000000746FF000-memory.dmp

Filesize
4KB

Download
memory/3728-15-0x0000000000C80000-0x0000000000CB0000-memory.dmp

Filesize
192KB

Download
memory/3728-16-0x00000000014C0000-0x00000000014C6000-memory.dmp

Filesize
24KB

Download
memory/3728-17-0x000000000AF70000-0x000000000B588000-memory.dmp

Filesize
6.1MB

Download
memory/3728-18-0x000000000AAF0000-0x000000000ABFA000-memory.dmp

Filesize
1.0MB

Download
memory/3728-19-0x000000000AA20000-0x000000000AA32000-memory.dmp

Filesize
72KB

Download
memory/3728-20-0x00000000746F0000-0x0000000074EA0000-memory.dmp

Filesize
7.7MB

Download
memory/3728-21-0x000000000AA80000-0x000000000AABC000-memory.dmp

Filesize
240KB

Download
memory/3728-22-0x0000000004FC0000-0x000000000500C000-memory.dmp

Filesize
304KB

Download
memory/3728-23-0x00000000746FE000-0x00000000746FF000-memory.dmp

Filesize
4KB

Download
memory/3728-24-0x00000000746F0000-0x0000000074EA0000-memory.dmp

Filesize
7.7MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads