redline | af3ca7a97193fb6a1b0ef5a9b9f003a9dfdceb66f94c71ffe4dfd6f994e0e018

General

Target

af3ca7a97193fb6a1b0ef5a9b9f003a9dfdceb66f94c71ffe4dfd6f994e0e018.exe
Size

566KB
MD5

2802db07c4930a2ad0233379140e419a
SHA1

7399f4e047bdcbd66512b87b8e86c0b2c75d6891
SHA256

af3ca7a97193fb6a1b0ef5a9b9f003a9dfdceb66f94c71ffe4dfd6f994e0e018
SHA512

9fe46f0811e7ff70e2074e9904ce27c7678e33263800363a593a60aee6e5a819eb83510c6b611cd23159128643bf1382674ddc0b3fe41c1411237226dd16a90d
SSDEEP

12288:VMrPy90dw1OVF4GBQK4qG0D6J63Tl+OpDwhHpX/L8G1VJXN:aypDmQK4l0GiTl+Omxx/LT1z9

Score

10^/10

redline darm discovery infostealer persistence

Malware Config

Extracted

Family

redline

Botnet

darm

C2

217.196.96.56:4138

Attributes

auth_value
d88ac8ccc04ab9979b04b46313db1648

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 2 IoCs

Processes:

resource	yara_rule
behavioral1/files/0x000b000000023b75-12.dat	family_redline
behavioral1/memory/2044-15-0x00000000009B0000-0x00000000009E0000-memory.dmp	family_redline

Redline family
redline

Executes dropped EXE 2 IoCs

Processes:

y2316556.exek9036474.exe

pid	Process
4672	y2316556.exe
2044	k9036474.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

af3ca7a97193fb6a1b0ef5a9b9f003a9dfdceb66f94c71ffe4dfd6f994e0e018.exey2316556.exe

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	af3ca7a97193fb6a1b0ef5a9b9f003a9dfdceb66f94c71ffe4dfd6f994e0e018.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	y2316556.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

af3ca7a97193fb6a1b0ef5a9b9f003a9dfdceb66f94c71ffe4dfd6f994e0e018.exey2316556.exek9036474.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	af3ca7a97193fb6a1b0ef5a9b9f003a9dfdceb66f94c71ffe4dfd6f994e0e018.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	y2316556.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	k9036474.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

af3ca7a97193fb6a1b0ef5a9b9f003a9dfdceb66f94c71ffe4dfd6f994e0e018.exey2316556.exe

description	pid	Process	procid_target
PID 1736 wrote to memory of 4672	1736	af3ca7a97193fb6a1b0ef5a9b9f003a9dfdceb66f94c71ffe4dfd6f994e0e018.exe	83
PID 1736 wrote to memory of 4672	1736	af3ca7a97193fb6a1b0ef5a9b9f003a9dfdceb66f94c71ffe4dfd6f994e0e018.exe	83
PID 1736 wrote to memory of 4672	1736	af3ca7a97193fb6a1b0ef5a9b9f003a9dfdceb66f94c71ffe4dfd6f994e0e018.exe	83
PID 4672 wrote to memory of 2044	4672	y2316556.exe	84
PID 4672 wrote to memory of 2044	4672	y2316556.exe	84
PID 4672 wrote to memory of 2044	4672	y2316556.exe	84

C:\Users\Admin\AppData\Local\Temp\af3ca7a97193fb6a1b0ef5a9b9f003a9dfdceb66f94c71ffe4dfd6f994e0e018.exe
"C:\Users\Admin\AppData\Local\Temp\af3ca7a97193fb6a1b0ef5a9b9f003a9dfdceb66f94c71ffe4dfd6f994e0e018.exe"
1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1736
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y2316556.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y2316556.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4672
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k9036474.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k9036474.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:2044

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y2316556.exe

Filesize
307KB

MD5
792ea3f9bfc5b916cba09b3c109879ec

SHA1
a321b11978169805f959cb6e7e4291a42e9d731f

SHA256
893929be0caf9857041b42cf6148528f930327098d76f7e8cc9325c405cf76aa

SHA512
30dbe37e85be452f78d80527c8d1d5e2bc39f9521cd2a999e469c22dda64e892444ed5cdfbc04a60045f772434a0fe556f1f04cd89a4ab287d75ccf5270dd612

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k9036474.exe

Filesize
168KB

MD5
13d62f7e7c5670ba54a89536a707c8fe

SHA1
cc38deb348ae57a346651237e0a2d7c2f278e52b

SHA256
27425bffd674f7e7f37768a35c94f0d9d6a936a10cb54b04a1f0c927f49bfd81

SHA512
6d3436386217f14627f873475165a29b746846da73d00ddc8522defe73c18e574cb0c64acf3553f8404361d1c7c7d4e38242ab7dae7aaf1d832f57a3f39ca237

Download Submit
memory/2044-14-0x000000007460E000-0x000000007460F000-memory.dmp

Filesize
4KB

Download
memory/2044-15-0x00000000009B0000-0x00000000009E0000-memory.dmp

Filesize
192KB

Download
memory/2044-16-0x0000000002EC0000-0x0000000002EC6000-memory.dmp

Filesize
24KB

Download
memory/2044-17-0x0000000005B60000-0x0000000006178000-memory.dmp

Filesize
6.1MB

Download
memory/2044-18-0x0000000005650000-0x000000000575A000-memory.dmp

Filesize
1.0MB

Download
memory/2044-19-0x0000000005460000-0x0000000005472000-memory.dmp

Filesize
72KB

Download
memory/2044-20-0x00000000054C0000-0x00000000054FC000-memory.dmp

Filesize
240KB

Download
memory/2044-21-0x0000000074600000-0x0000000074DB0000-memory.dmp

Filesize
7.7MB

Download
memory/2044-22-0x0000000005540000-0x000000000558C000-memory.dmp

Filesize
304KB

Download
memory/2044-23-0x000000007460E000-0x000000007460F000-memory.dmp

Filesize
4KB

Download
memory/2044-24-0x0000000074600000-0x0000000074DB0000-memory.dmp

Filesize
7.7MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads