redline | ba57b5f58bc91a90ffabca85121a8af2fa71effe73b0f34d4bdd710e6a822537

General

Target

ba57b5f58bc91a90ffabca85121a8af2fa71effe73b0f34d4bdd710e6a822537.exe
Size

874KB
MD5

bed9aa56873df04e017be7fc517bf47b
SHA1

088f97d270a419beaea3c127474600ad32886ade
SHA256

ba57b5f58bc91a90ffabca85121a8af2fa71effe73b0f34d4bdd710e6a822537
SHA512

39d147a907d1aaac9a8e398a3aced7c60aef9d67d09a2a29ffda93db8173968144e33b9449cad24762d9df69361dc337be9fe028292715094cf5dd6d78e11c6d
SSDEEP

24576:dyE38ggTTrZa1BbiEp4WOTjeCqHUCdOs4+asEcc:4E3ZgfrZKrpeu0ps4+0

Score

10^/10

redline diora infostealer persistence

Malware Config

Extracted

Family

redline

Botnet

diora

C2

185.161.248.75:4132

Attributes

auth_value
4c17e0c4a574a5b11a6e41e692dedcb3

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Executes dropped EXE 3 IoCs

pid	Process
448	x1481436.exe
1628	x7838362.exe
2824	f4613033.exe

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	ba57b5f58bc91a90ffabca85121a8af2fa71effe73b0f34d4bdd710e6a822537.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	ba57b5f58bc91a90ffabca85121a8af2fa71effe73b0f34d4bdd710e6a822537.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	x1481436.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	x1481436.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	x7838362.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	x7838362.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 532 wrote to memory of 448	532	ba57b5f58bc91a90ffabca85121a8af2fa71effe73b0f34d4bdd710e6a822537.exe	85
PID 532 wrote to memory of 448	532	ba57b5f58bc91a90ffabca85121a8af2fa71effe73b0f34d4bdd710e6a822537.exe	85
PID 532 wrote to memory of 448	532	ba57b5f58bc91a90ffabca85121a8af2fa71effe73b0f34d4bdd710e6a822537.exe	85
PID 448 wrote to memory of 1628	448	x1481436.exe	86
PID 448 wrote to memory of 1628	448	x1481436.exe	86
PID 448 wrote to memory of 1628	448	x1481436.exe	86
PID 1628 wrote to memory of 2824	1628	x7838362.exe	87
PID 1628 wrote to memory of 2824	1628	x7838362.exe	87
PID 1628 wrote to memory of 2824	1628	x7838362.exe	87

C:\Users\Admin\AppData\Local\Temp\ba57b5f58bc91a90ffabca85121a8af2fa71effe73b0f34d4bdd710e6a822537.exe
"C:\Users\Admin\AppData\Local\Temp\ba57b5f58bc91a90ffabca85121a8af2fa71effe73b0f34d4bdd710e6a822537.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:532
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x1481436.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x1481436.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:448
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x7838362.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x7838362.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:1628
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\f4613033.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\f4613033.exe
      4⤵
      Executes dropped EXE
      PID:2824

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x1481436.exe

Filesize
478KB

MD5
7ef7d5e36af4de27e88199695638257f

SHA1
2581f6c5fe9672e5fd5e1f8749f125f9063b501f

SHA256
c165ba6f8b3238f27dd9534d3dff4a1fa80c4e5cf7f82e1acc21f9a67d07cf97

SHA512
230c9f0ad7e630558565d1ba89d6e02230079716e6dd3e7fb5523017e01025f70d38ee9d1b03e065c2b25763b8bccd84b6c4441599dde707b4d7f841468366ed

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x1481436.exe

Filesize
478KB

MD5
7ef7d5e36af4de27e88199695638257f

SHA1
2581f6c5fe9672e5fd5e1f8749f125f9063b501f

SHA256
c165ba6f8b3238f27dd9534d3dff4a1fa80c4e5cf7f82e1acc21f9a67d07cf97

SHA512
230c9f0ad7e630558565d1ba89d6e02230079716e6dd3e7fb5523017e01025f70d38ee9d1b03e065c2b25763b8bccd84b6c4441599dde707b4d7f841468366ed

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x7838362.exe

Filesize
306KB

MD5
c847b072a35fa35ddac1471b8b0c1991

SHA1
1bd98e385196413adf5b53770767c8c5dd039c99

SHA256
42687acaed5630c1cc69b9e78f1c99bc4b4ce572592947a918987d05968bc29c

SHA512
68226020ee5cebb9270a7e4cfb987bc4973273374b6da09c99f6d272a0ee3c2c3c807f90b66fcd0b515c98f6da0d22ee07b33ac978b77bfe7c2d4190f382ea02

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x7838362.exe

Filesize
306KB

MD5
c847b072a35fa35ddac1471b8b0c1991

SHA1
1bd98e385196413adf5b53770767c8c5dd039c99

SHA256
42687acaed5630c1cc69b9e78f1c99bc4b4ce572592947a918987d05968bc29c

SHA512
68226020ee5cebb9270a7e4cfb987bc4973273374b6da09c99f6d272a0ee3c2c3c807f90b66fcd0b515c98f6da0d22ee07b33ac978b77bfe7c2d4190f382ea02

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\f4613033.exe

Filesize
145KB

MD5
54e73adb41b0f58c2824fa77a60fe297

SHA1
5181f81e37d039478b2d814f0d9e1fa1cd97a699

SHA256
3e6da13bb13b8090aecf62320fef9e395b6089336367cee46f411221733118fb

SHA512
3012325f7a10503eec04609f4840bed8477f0cf3eb39aaa0fce6d3f0a6958a300c345345fa5e25f3e5a4972870da4341726c41a87978c8c6564e4880eb3f2e42

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\f4613033.exe

Filesize
145KB

MD5
54e73adb41b0f58c2824fa77a60fe297

SHA1
5181f81e37d039478b2d814f0d9e1fa1cd97a699

SHA256
3e6da13bb13b8090aecf62320fef9e395b6089336367cee46f411221733118fb

SHA512
3012325f7a10503eec04609f4840bed8477f0cf3eb39aaa0fce6d3f0a6958a300c345345fa5e25f3e5a4972870da4341726c41a87978c8c6564e4880eb3f2e42

Download Submit
memory/2824-154-0x0000000000260000-0x000000000028A000-memory.dmp

Filesize
168KB

Download
memory/2824-155-0x0000000005040000-0x0000000005658000-memory.dmp

Filesize
6.1MB

Download
memory/2824-156-0x0000000004BC0000-0x0000000004CCA000-memory.dmp

Filesize
1.0MB

Download
memory/2824-157-0x0000000004B70000-0x0000000004B82000-memory.dmp

Filesize
72KB

Download
memory/2824-158-0x0000000004F10000-0x0000000004F4C000-memory.dmp

Filesize
240KB

Download
memory/2824-159-0x0000000004F50000-0x0000000004F60000-memory.dmp

Filesize
64KB

Download
memory/2824-160-0x0000000004F50000-0x0000000004F60000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing