redline | c542eccaf0f58d9b2a69559fe3816ed78c0b06b80555ca3fd496cfe3e749e161

General

Target

c542eccaf0f58d9b2a69559fe3816ed78c0b06b80555ca3fd496cfe3e749e161.exe
Size

1.0MB
MD5

80dc22efc81ed2bf30b7a969c50f4deb
SHA1

4635b28401f2a4cb87cd5a3673aba87970ccb271
SHA256

c542eccaf0f58d9b2a69559fe3816ed78c0b06b80555ca3fd496cfe3e749e161
SHA512

6b16c87b0f3fcf7feb64cfd9e789678e3d1fefa94fc20fbc9fadaa636c4561d08d7d0c828709ac2b3d13b161692933e15b81969cdd5df107ba41e0a0dc879627
SSDEEP

24576:Ty3VHq01WAahu1Y+83ubdHO+WhcrVhaVHK3uuheaqGk:mlHq01ay8+bdHO+dLa83BuG

Score

10^/10

redline diza infostealer persistence

Malware Config

Extracted

Family

redline

Botnet

diza

C2

185.161.248.37:4138

Attributes

auth_value
0d09b419c8bc967f91c68be4a17e92ee

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Executes dropped EXE 3 IoCs

pid	Process
2340	x5816800.exe
2580	x1467105.exe
2772	f5600755.exe

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	x5816800.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	x5816800.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	x1467105.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	x1467105.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	c542eccaf0f58d9b2a69559fe3816ed78c0b06b80555ca3fd496cfe3e749e161.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	c542eccaf0f58d9b2a69559fe3816ed78c0b06b80555ca3fd496cfe3e749e161.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 1840 wrote to memory of 2340	1840	c542eccaf0f58d9b2a69559fe3816ed78c0b06b80555ca3fd496cfe3e749e161.exe	66
PID 1840 wrote to memory of 2340	1840	c542eccaf0f58d9b2a69559fe3816ed78c0b06b80555ca3fd496cfe3e749e161.exe	66
PID 1840 wrote to memory of 2340	1840	c542eccaf0f58d9b2a69559fe3816ed78c0b06b80555ca3fd496cfe3e749e161.exe	66
PID 2340 wrote to memory of 2580	2340	x5816800.exe	67
PID 2340 wrote to memory of 2580	2340	x5816800.exe	67
PID 2340 wrote to memory of 2580	2340	x5816800.exe	67
PID 2580 wrote to memory of 2772	2580	x1467105.exe	68
PID 2580 wrote to memory of 2772	2580	x1467105.exe	68
PID 2580 wrote to memory of 2772	2580	x1467105.exe	68

C:\Users\Admin\AppData\Local\Temp\c542eccaf0f58d9b2a69559fe3816ed78c0b06b80555ca3fd496cfe3e749e161.exe
"C:\Users\Admin\AppData\Local\Temp\c542eccaf0f58d9b2a69559fe3816ed78c0b06b80555ca3fd496cfe3e749e161.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1840
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x5816800.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x5816800.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:2340
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x1467105.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x1467105.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:2580
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\f5600755.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\f5600755.exe
      4⤵
      Executes dropped EXE
      PID:2772

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x5816800.exe

Filesize
751KB

MD5
690e151bb66caa9db509762b75726648

SHA1
6bcfbb5c176c55dc9d5f73ef54fbee5630d09aa1

SHA256
1e617c96ea99a3fa1f142064bf30abac2a06bcf9aa64717a2ac5234209f46d32

SHA512
c0c918c861c497e801bb3b1f8cf3afa7bdee4f64ed7adb2dade166203839fdbda462107516de350c2e4898560a1ea0e0536a586ae227c7287729ae9f70025d94

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x5816800.exe

Filesize
751KB

MD5
690e151bb66caa9db509762b75726648

SHA1
6bcfbb5c176c55dc9d5f73ef54fbee5630d09aa1

SHA256
1e617c96ea99a3fa1f142064bf30abac2a06bcf9aa64717a2ac5234209f46d32

SHA512
c0c918c861c497e801bb3b1f8cf3afa7bdee4f64ed7adb2dade166203839fdbda462107516de350c2e4898560a1ea0e0536a586ae227c7287729ae9f70025d94

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x1467105.exe

Filesize
306KB

MD5
9e7f5b3ee34af9dced51a0f32681c792

SHA1
20254105bee75b4927ad1d2cd3a009a0334dc6cd

SHA256
c8dea410a9d6fd91c71165e4fded623e6ee7ff70d1a4196a5c56560093394b57

SHA512
4a6c8cbcc008032d303640d795e17564086526572d1615accff04cf9fa69091df16c8e9ce4b44616402f808374fe215b18becfa1783bb6860adcfe384a5e5228

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x1467105.exe

Filesize
306KB

MD5
9e7f5b3ee34af9dced51a0f32681c792

SHA1
20254105bee75b4927ad1d2cd3a009a0334dc6cd

SHA256
c8dea410a9d6fd91c71165e4fded623e6ee7ff70d1a4196a5c56560093394b57

SHA512
4a6c8cbcc008032d303640d795e17564086526572d1615accff04cf9fa69091df16c8e9ce4b44616402f808374fe215b18becfa1783bb6860adcfe384a5e5228

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\f5600755.exe

Filesize
145KB

MD5
42c7edcc7fc1b012a8bea7b458e429fa

SHA1
eb31f2a466d4921156e57677af8bdbef66a9b5d1

SHA256
1649da722b0099eab96a4362a93911d062baf0201da4f3a9333b2a29e06037a0

SHA512
1b399050b08733ad68236224f5e209a02476a88a30d2468df8bfd8431729561409fefc3b10d4af83743d45b23e518aee509aaa4b8f27d0d864a68f2a644ebf32

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\f5600755.exe

Filesize
145KB

MD5
42c7edcc7fc1b012a8bea7b458e429fa

SHA1
eb31f2a466d4921156e57677af8bdbef66a9b5d1

SHA256
1649da722b0099eab96a4362a93911d062baf0201da4f3a9333b2a29e06037a0

SHA512
1b399050b08733ad68236224f5e209a02476a88a30d2468df8bfd8431729561409fefc3b10d4af83743d45b23e518aee509aaa4b8f27d0d864a68f2a644ebf32

Download Submit
memory/2772-142-0x00000000002B0000-0x00000000002DA000-memory.dmp

Filesize
168KB

Download
memory/2772-143-0x0000000005180000-0x0000000005786000-memory.dmp

Filesize
6.0MB

Download
memory/2772-144-0x0000000004D10000-0x0000000004E1A000-memory.dmp

Filesize
1.0MB

Download
memory/2772-145-0x0000000004C40000-0x0000000004C52000-memory.dmp

Filesize
72KB

Download
memory/2772-146-0x0000000004F40000-0x0000000004F50000-memory.dmp

Filesize
64KB

Download
memory/2772-147-0x0000000004CA0000-0x0000000004CDE000-memory.dmp

Filesize
248KB

Download
memory/2772-148-0x0000000004E20000-0x0000000004E6B000-memory.dmp

Filesize
300KB

Download
memory/2772-149-0x0000000004F40000-0x0000000004F50000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing