redline | b91c6ca12c29921a9b567423fcee5ec849621211c45de05407e153f042ae0262

General

Target

b91c6ca12c29921a9b567423fcee5ec849621211c45de05407e153f042ae0262.exe
Size

644KB
MD5

d290283528bccc37f8a35362fa8cbbba
SHA1

c5a5d0d3ae1ec6a2de124e0beabaeca30c6c1291
SHA256

b91c6ca12c29921a9b567423fcee5ec849621211c45de05407e153f042ae0262
SHA512

a19b1d76b38700d1cb73b8cbc288e78bf7916987ea77d2956f560be7bda5c48f7a6b51441872c2e4ae097f10e76af3524702b60e5d9040671d8adf32dd5463d3
SSDEEP

12288:HMrDy901VGmEoMEfafp5qNcqA26W0jGlA2jtcR7aqKZcMJPGb:QywA0Sxgagl/jtc1ahpJPW

Score

10^/10

redline darm discovery infostealer persistence

Malware Config

Extracted

Family

redline

Botnet

darm

C2

217.196.96.56:4138

Attributes

auth_value
d88ac8ccc04ab9979b04b46313db1648

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 2 IoCs

Processes:

resource	yara_rule
behavioral1/files/0x0008000000023c7a-12.dat	family_redline
behavioral1/memory/4224-15-0x0000000000C10000-0x0000000000C40000-memory.dmp	family_redline

Redline family
redline

Executes dropped EXE 2 IoCs

Processes:

x4747134.exeg5271420.exe

pid	Process
2228	x4747134.exe
4224	g5271420.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

b91c6ca12c29921a9b567423fcee5ec849621211c45de05407e153f042ae0262.exex4747134.exe

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	b91c6ca12c29921a9b567423fcee5ec849621211c45de05407e153f042ae0262.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	x4747134.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

b91c6ca12c29921a9b567423fcee5ec849621211c45de05407e153f042ae0262.exex4747134.exeg5271420.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	b91c6ca12c29921a9b567423fcee5ec849621211c45de05407e153f042ae0262.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	x4747134.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	g5271420.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

b91c6ca12c29921a9b567423fcee5ec849621211c45de05407e153f042ae0262.exex4747134.exe

description	pid	Process	procid_target
PID 3824 wrote to memory of 2228	3824	b91c6ca12c29921a9b567423fcee5ec849621211c45de05407e153f042ae0262.exe	83
PID 3824 wrote to memory of 2228	3824	b91c6ca12c29921a9b567423fcee5ec849621211c45de05407e153f042ae0262.exe	83
PID 3824 wrote to memory of 2228	3824	b91c6ca12c29921a9b567423fcee5ec849621211c45de05407e153f042ae0262.exe	83
PID 2228 wrote to memory of 4224	2228	x4747134.exe	84
PID 2228 wrote to memory of 4224	2228	x4747134.exe	84
PID 2228 wrote to memory of 4224	2228	x4747134.exe	84

C:\Users\Admin\AppData\Local\Temp\b91c6ca12c29921a9b567423fcee5ec849621211c45de05407e153f042ae0262.exe
"C:\Users\Admin\AppData\Local\Temp\b91c6ca12c29921a9b567423fcee5ec849621211c45de05407e153f042ae0262.exe"
1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3824
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x4747134.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x4747134.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2228
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g5271420.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g5271420.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:4224

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x4747134.exe

Filesize
384KB

MD5
16e3f1d95de4ed6e9d308c154a44d10f

SHA1
3907900348907d5b7778fa35ba26bb7e498676a0

SHA256
5a7c8860d4ed9c47f5d2836f69b141a0a3773b833376284abe9ac9e676b23cc1

SHA512
907a4dad14af1f336540ba742fa13b712868ba4e91c7594b34e186b1a1dfdbff47ad8b41b4d4e744e043a5d39d17238a00d1e4064241965e14dc47d58d589e1b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g5271420.exe

Filesize
168KB

MD5
4335cd113529c7b0d0a9235f57e1c49b

SHA1
b24a83d3ce0839186e1ae61009dc7e1d81f86d79

SHA256
438c2a40914fabbbcebd9fb75ffbfb1c3e95d271cc016e49d359d108a78cfa1b

SHA512
50c53214810aa3d63d1f0e77f4e17899214071a723fbc623669ac747a9a16455aed8ec0780815f34acc72f2edfd8015c091d50dc25c87d9c0a9c26dcbc81ca13

Download Submit
memory/4224-14-0x00000000748AE000-0x00000000748AF000-memory.dmp

Filesize
4KB

Download
memory/4224-15-0x0000000000C10000-0x0000000000C40000-memory.dmp

Filesize
192KB

Download
memory/4224-16-0x0000000002F50000-0x0000000002F56000-memory.dmp

Filesize
24KB

Download
memory/4224-17-0x000000000B0C0000-0x000000000B6D8000-memory.dmp

Filesize
6.1MB

Download
memory/4224-18-0x000000000ABC0000-0x000000000ACCA000-memory.dmp

Filesize
1.0MB

Download
memory/4224-19-0x000000000AAF0000-0x000000000AB02000-memory.dmp

Filesize
72KB

Download
memory/4224-20-0x000000000AB50000-0x000000000AB8C000-memory.dmp

Filesize
240KB

Download
memory/4224-21-0x00000000748A0000-0x0000000075050000-memory.dmp

Filesize
7.7MB

Download
memory/4224-22-0x0000000001650000-0x000000000169C000-memory.dmp

Filesize
304KB

Download
memory/4224-23-0x00000000748AE000-0x00000000748AF000-memory.dmp

Filesize
4KB

Download
memory/4224-24-0x00000000748A0000-0x0000000075050000-memory.dmp

Filesize
7.7MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads