redline | 141d2394effa1553b9a0fe07b200174e2ecc2f0eb2f39e917e1f2bb93063b7e0

General

Target

141d2394effa1553b9a0fe07b200174e2ecc2f0eb2f39.exe
Size

774KB
MD5

85ee14a1ce8affbcaff2e82a6774a25a
SHA1

23bee76adcdf317310416845044c2da54909cf31
SHA256

141d2394effa1553b9a0fe07b200174e2ecc2f0eb2f39e917e1f2bb93063b7e0
SHA512

19e550aeb6669103f543b9822647ea136b802a3aa872357009bb968c163c170432bcc1c50118ccaddd619236fba07a722434492f041186daea2c6432d226afe4
SSDEEP

12288:+Mrby90eC20WEIpWZobIJ5KuhFLSS3ECEAhnuLzuM5zd7VtiZm:1y2IpWBJ5KuPb0CuzJ5Vd

Score

10^/10

redline diza infostealer persistence

Malware Config

Extracted

Family

redline

Botnet

diza

C2

217.196.96.56:4138

Attributes

auth_value
bbab0d2f0ae4d4fdd6b17077d93b3e80

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Executes dropped EXE 2 IoCs

pid	Process
1700	y1249747.exe
1512	k7763474.exe

Loads dropped DLL 4 IoCs

pid	Process
1764	141d2394effa1553b9a0fe07b200174e2ecc2f0eb2f39.exe
1700	y1249747.exe
1700	y1249747.exe
1512	k7763474.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	141d2394effa1553b9a0fe07b200174e2ecc2f0eb2f39.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	141d2394effa1553b9a0fe07b200174e2ecc2f0eb2f39.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	y1249747.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	y1249747.exe

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 1764 wrote to memory of 1700	1764	141d2394effa1553b9a0fe07b200174e2ecc2f0eb2f39.exe	28
PID 1764 wrote to memory of 1700	1764	141d2394effa1553b9a0fe07b200174e2ecc2f0eb2f39.exe	28
PID 1764 wrote to memory of 1700	1764	141d2394effa1553b9a0fe07b200174e2ecc2f0eb2f39.exe	28
PID 1764 wrote to memory of 1700	1764	141d2394effa1553b9a0fe07b200174e2ecc2f0eb2f39.exe	28
PID 1764 wrote to memory of 1700	1764	141d2394effa1553b9a0fe07b200174e2ecc2f0eb2f39.exe	28
PID 1764 wrote to memory of 1700	1764	141d2394effa1553b9a0fe07b200174e2ecc2f0eb2f39.exe	28
PID 1764 wrote to memory of 1700	1764	141d2394effa1553b9a0fe07b200174e2ecc2f0eb2f39.exe	28
PID 1700 wrote to memory of 1512	1700	y1249747.exe	29
PID 1700 wrote to memory of 1512	1700	y1249747.exe	29
PID 1700 wrote to memory of 1512	1700	y1249747.exe	29
PID 1700 wrote to memory of 1512	1700	y1249747.exe	29
PID 1700 wrote to memory of 1512	1700	y1249747.exe	29
PID 1700 wrote to memory of 1512	1700	y1249747.exe	29
PID 1700 wrote to memory of 1512	1700	y1249747.exe	29

C:\Users\Admin\AppData\Local\Temp\141d2394effa1553b9a0fe07b200174e2ecc2f0eb2f39.exe
"C:\Users\Admin\AppData\Local\Temp\141d2394effa1553b9a0fe07b200174e2ecc2f0eb2f39.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1764
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y1249747.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y1249747.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:1700
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k7763474.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k7763474.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:1512

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y1249747.exe

Filesize
308KB

MD5
b9223f22997364387984eec1ce6986d8

SHA1
129f7603ed95b0aeef27c6dc064564dbf0f792e3

SHA256
0b171bbc077279195e4894ec1fe84bcedbf722b2b24a4bd08396bc192533a71d

SHA512
ddafa4002cc7c402600a7e73b8f7cae5f1e3fc05caf33dc4cd2f7a0308fc295e2b407fc407ed5393581c606074e2953bf518db6a38a05bcb26245e4645a33d4e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y1249747.exe

Filesize
308KB

MD5
b9223f22997364387984eec1ce6986d8

SHA1
129f7603ed95b0aeef27c6dc064564dbf0f792e3

SHA256
0b171bbc077279195e4894ec1fe84bcedbf722b2b24a4bd08396bc192533a71d

SHA512
ddafa4002cc7c402600a7e73b8f7cae5f1e3fc05caf33dc4cd2f7a0308fc295e2b407fc407ed5393581c606074e2953bf518db6a38a05bcb26245e4645a33d4e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k7763474.exe

Filesize
170KB

MD5
811a39411f3e51bc1d4c88ef4a45c605

SHA1
d8e4d044d3eba56831191807797058ae034c956a

SHA256
52905ea3524de76754b3082e250ef7badcf878b8fba258539c8b2d427c3808d3

SHA512
31a263acfb3e1431ce40ba8d784d2dcbdb34b0eba9725a78c5816434ec8472164b3e6ad2c9ea9747056db1d1567a0ec0dc6975ede5264f7962dea3ecc94dd36a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k7763474.exe

Filesize
170KB

MD5
811a39411f3e51bc1d4c88ef4a45c605

SHA1
d8e4d044d3eba56831191807797058ae034c956a

SHA256
52905ea3524de76754b3082e250ef7badcf878b8fba258539c8b2d427c3808d3

SHA512
31a263acfb3e1431ce40ba8d784d2dcbdb34b0eba9725a78c5816434ec8472164b3e6ad2c9ea9747056db1d1567a0ec0dc6975ede5264f7962dea3ecc94dd36a

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\y1249747.exe

Filesize
308KB

MD5
b9223f22997364387984eec1ce6986d8

SHA1
129f7603ed95b0aeef27c6dc064564dbf0f792e3

SHA256
0b171bbc077279195e4894ec1fe84bcedbf722b2b24a4bd08396bc192533a71d

SHA512
ddafa4002cc7c402600a7e73b8f7cae5f1e3fc05caf33dc4cd2f7a0308fc295e2b407fc407ed5393581c606074e2953bf518db6a38a05bcb26245e4645a33d4e

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\y1249747.exe

Filesize
308KB

MD5
b9223f22997364387984eec1ce6986d8

SHA1
129f7603ed95b0aeef27c6dc064564dbf0f792e3

SHA256
0b171bbc077279195e4894ec1fe84bcedbf722b2b24a4bd08396bc192533a71d

SHA512
ddafa4002cc7c402600a7e73b8f7cae5f1e3fc05caf33dc4cd2f7a0308fc295e2b407fc407ed5393581c606074e2953bf518db6a38a05bcb26245e4645a33d4e

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\k7763474.exe

Filesize
170KB

MD5
811a39411f3e51bc1d4c88ef4a45c605

SHA1
d8e4d044d3eba56831191807797058ae034c956a

SHA256
52905ea3524de76754b3082e250ef7badcf878b8fba258539c8b2d427c3808d3

SHA512
31a263acfb3e1431ce40ba8d784d2dcbdb34b0eba9725a78c5816434ec8472164b3e6ad2c9ea9747056db1d1567a0ec0dc6975ede5264f7962dea3ecc94dd36a

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\k7763474.exe

Filesize
170KB

MD5
811a39411f3e51bc1d4c88ef4a45c605

SHA1
d8e4d044d3eba56831191807797058ae034c956a

SHA256
52905ea3524de76754b3082e250ef7badcf878b8fba258539c8b2d427c3808d3

SHA512
31a263acfb3e1431ce40ba8d784d2dcbdb34b0eba9725a78c5816434ec8472164b3e6ad2c9ea9747056db1d1567a0ec0dc6975ede5264f7962dea3ecc94dd36a

Download Submit
memory/1512-74-0x0000000000800000-0x0000000000830000-memory.dmp

Filesize
192KB

Download
memory/1512-75-0x00000000004A0000-0x00000000004A6000-memory.dmp

Filesize
24KB

Download
memory/1512-76-0x0000000004AB0000-0x0000000004AF0000-memory.dmp

Filesize
256KB

Download
memory/1512-77-0x0000000004AB0000-0x0000000004AF0000-memory.dmp

Filesize
256KB

Download

Analysis

Sharing