redline | 057bac45b0f9d57d7027659e80d87f61ee6e9a47eb36fcbbce8e1ef9104836d5

Analysis

max time kernel
152s
max time network
163s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
21-05-2023 18:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

multiplayer398.exe
Size

1.0MB
MD5

39197cee6c710965e2499e3e4dbe00dd
SHA1

9a7897a25e72948ed36e2b5e0a958868df4a04d2
SHA256

057bac45b0f9d57d7027659e80d87f61ee6e9a47eb36fcbbce8e1ef9104836d5
SHA512

c11b0bc11c74ba26c6259bd2884f2177fe2e8595d12123fc8d83aa5e9b5af6c4a57175fa8a8f5a8ef11ff0d8ba92962a2aaf8dadbeb3adc099d5bad10ff0b498
SSDEEP

24576:ryFtiPTCNcjsptyfN1Fq2TO4Ewma8cHE:eFtgwXC1Fd8c

Score

10^/10

redline diza infostealer persistence

Malware Config

Extracted

Family

redline

Botnet

diza

185.161.248.37:4138

Attributes

auth_value
0d09b419c8bc967f91c68be4a17e92ee

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Executes dropped EXE 3 IoCs

pid	Process
1932	x6176102.exe
524	x1242833.exe
588	f9606238.exe

Loads dropped DLL 6 IoCs

pid	Process
2000	multiplayer398.exe
1932	x6176102.exe
1932	x6176102.exe
524	x1242833.exe
524	x1242833.exe
588	f9606238.exe

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	x6176102.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	x1242833.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	x1242833.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	multiplayer398.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	multiplayer398.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	x6176102.exe

Suspicious use of WriteProcessMemory 21 IoCs

description	pid	Process	procid_target
PID 2000 wrote to memory of 1932	2000	multiplayer398.exe	28
PID 2000 wrote to memory of 1932	2000	multiplayer398.exe	28
PID 2000 wrote to memory of 1932	2000	multiplayer398.exe	28
PID 2000 wrote to memory of 1932	2000	multiplayer398.exe	28
PID 2000 wrote to memory of 1932	2000	multiplayer398.exe	28
PID 2000 wrote to memory of 1932	2000	multiplayer398.exe	28
PID 2000 wrote to memory of 1932	2000	multiplayer398.exe	28
PID 1932 wrote to memory of 524	1932	x6176102.exe	29
PID 1932 wrote to memory of 524	1932	x6176102.exe	29
PID 1932 wrote to memory of 524	1932	x6176102.exe	29
PID 1932 wrote to memory of 524	1932	x6176102.exe	29
PID 1932 wrote to memory of 524	1932	x6176102.exe	29
PID 1932 wrote to memory of 524	1932	x6176102.exe	29
PID 1932 wrote to memory of 524	1932	x6176102.exe	29
PID 524 wrote to memory of 588	524	x1242833.exe	30
PID 524 wrote to memory of 588	524	x1242833.exe	30
PID 524 wrote to memory of 588	524	x1242833.exe	30
PID 524 wrote to memory of 588	524	x1242833.exe	30
PID 524 wrote to memory of 588	524	x1242833.exe	30
PID 524 wrote to memory of 588	524	x1242833.exe	30
PID 524 wrote to memory of 588	524	x1242833.exe	30

C:\Users\Admin\AppData\Local\Temp\multiplayer398.exe
"C:\Users\Admin\AppData\Local\Temp\multiplayer398.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2000
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x6176102.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x6176102.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:1932
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x1242833.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x1242833.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:524
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\f9606238.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\f9606238.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:588

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x6176102.exe

Filesize
751KB

MD5
c1b96fbe8992b3ea0846dd6185e76c52

SHA1
2096e845071e9605704069b89ac288829e80e47b

SHA256
4b5d23e591a2097cf57ec511ae47543f0604d6bc24b4245a4aa94b9a07daece3

SHA512
5beda60f5c03f95afd8f18987982394f18b96bf7f9b5a498e448b0171e2a5f3c2ef1ce57382a830c41ad35c9e555d915e6650b4e3486b0800d52c8466d716c1d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x6176102.exe

Filesize
751KB

MD5
c1b96fbe8992b3ea0846dd6185e76c52

SHA1
2096e845071e9605704069b89ac288829e80e47b

SHA256
4b5d23e591a2097cf57ec511ae47543f0604d6bc24b4245a4aa94b9a07daece3

SHA512
5beda60f5c03f95afd8f18987982394f18b96bf7f9b5a498e448b0171e2a5f3c2ef1ce57382a830c41ad35c9e555d915e6650b4e3486b0800d52c8466d716c1d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x1242833.exe

Filesize
306KB

MD5
58041e69e010b5bddc091aa7d1cc12d5

SHA1
8869b02f7572f08717798e62221e7f753aef2299

SHA256
56e008f37006b6fb7b4f2cae40fea0bde43195220b4b777570d958dd743093da

SHA512
79eb583fcce7c00b421747167e0016b1e81c9f938ef1032872a77bf498885f205784f3fac44224c1a1a384d842ef9215946f38d9eb8023ba9b11ab95297cee57

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x1242833.exe

Filesize
306KB

MD5
58041e69e010b5bddc091aa7d1cc12d5

SHA1
8869b02f7572f08717798e62221e7f753aef2299

SHA256
56e008f37006b6fb7b4f2cae40fea0bde43195220b4b777570d958dd743093da

SHA512
79eb583fcce7c00b421747167e0016b1e81c9f938ef1032872a77bf498885f205784f3fac44224c1a1a384d842ef9215946f38d9eb8023ba9b11ab95297cee57

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\f9606238.exe

Filesize
145KB

MD5
30e6319128d3e2d4b3e666aba77f3e0b

SHA1
f03d9a046b6a8c0e5fb0767bb184032b2e7a6d9d

SHA256
822499d6196a586b35e23d27e8cb74e38abd062423b97a58824aa7a27e57ebd0

SHA512
0ef66db9fe20ca12ed3bceb8d541bcd7ceca8cd6629e7b669640059b6f7836fd5c36a4b93f88e870f849dcbd59f049de05d3855c572e3267177053782637896c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\f9606238.exe

Filesize
145KB

MD5
30e6319128d3e2d4b3e666aba77f3e0b

SHA1
f03d9a046b6a8c0e5fb0767bb184032b2e7a6d9d

SHA256
822499d6196a586b35e23d27e8cb74e38abd062423b97a58824aa7a27e57ebd0

SHA512
0ef66db9fe20ca12ed3bceb8d541bcd7ceca8cd6629e7b669640059b6f7836fd5c36a4b93f88e870f849dcbd59f049de05d3855c572e3267177053782637896c

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\x6176102.exe

Filesize
751KB

MD5
c1b96fbe8992b3ea0846dd6185e76c52

SHA1
2096e845071e9605704069b89ac288829e80e47b

SHA256
4b5d23e591a2097cf57ec511ae47543f0604d6bc24b4245a4aa94b9a07daece3

SHA512
5beda60f5c03f95afd8f18987982394f18b96bf7f9b5a498e448b0171e2a5f3c2ef1ce57382a830c41ad35c9e555d915e6650b4e3486b0800d52c8466d716c1d

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\x6176102.exe

Filesize
751KB

MD5
c1b96fbe8992b3ea0846dd6185e76c52

SHA1
2096e845071e9605704069b89ac288829e80e47b

SHA256
4b5d23e591a2097cf57ec511ae47543f0604d6bc24b4245a4aa94b9a07daece3

SHA512
5beda60f5c03f95afd8f18987982394f18b96bf7f9b5a498e448b0171e2a5f3c2ef1ce57382a830c41ad35c9e555d915e6650b4e3486b0800d52c8466d716c1d

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\x1242833.exe

Filesize
306KB

MD5
58041e69e010b5bddc091aa7d1cc12d5

SHA1
8869b02f7572f08717798e62221e7f753aef2299

SHA256
56e008f37006b6fb7b4f2cae40fea0bde43195220b4b777570d958dd743093da

SHA512
79eb583fcce7c00b421747167e0016b1e81c9f938ef1032872a77bf498885f205784f3fac44224c1a1a384d842ef9215946f38d9eb8023ba9b11ab95297cee57

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\x1242833.exe

Filesize
306KB

MD5
58041e69e010b5bddc091aa7d1cc12d5

SHA1
8869b02f7572f08717798e62221e7f753aef2299

SHA256
56e008f37006b6fb7b4f2cae40fea0bde43195220b4b777570d958dd743093da

SHA512
79eb583fcce7c00b421747167e0016b1e81c9f938ef1032872a77bf498885f205784f3fac44224c1a1a384d842ef9215946f38d9eb8023ba9b11ab95297cee57

Download Submit
\Users\Admin\AppData\Local\Temp\IXP002.TMP\f9606238.exe

Filesize
145KB

MD5
30e6319128d3e2d4b3e666aba77f3e0b

SHA1
f03d9a046b6a8c0e5fb0767bb184032b2e7a6d9d

SHA256
822499d6196a586b35e23d27e8cb74e38abd062423b97a58824aa7a27e57ebd0

SHA512
0ef66db9fe20ca12ed3bceb8d541bcd7ceca8cd6629e7b669640059b6f7836fd5c36a4b93f88e870f849dcbd59f049de05d3855c572e3267177053782637896c

Download Submit
\Users\Admin\AppData\Local\Temp\IXP002.TMP\f9606238.exe

Filesize
145KB

MD5
30e6319128d3e2d4b3e666aba77f3e0b

SHA1
f03d9a046b6a8c0e5fb0767bb184032b2e7a6d9d

SHA256
822499d6196a586b35e23d27e8cb74e38abd062423b97a58824aa7a27e57ebd0

SHA512
0ef66db9fe20ca12ed3bceb8d541bcd7ceca8cd6629e7b669640059b6f7836fd5c36a4b93f88e870f849dcbd59f049de05d3855c572e3267177053782637896c

Download Submit
memory/588-84-0x0000000001150000-0x000000000117A000-memory.dmp

Filesize
168KB

Download
memory/588-85-0x0000000001050000-0x0000000001090000-memory.dmp

Filesize
256KB

Download
memory/588-86-0x0000000001050000-0x0000000001090000-memory.dmp

Filesize
256KB

Download