redline | ecf07812972fc9d75b08ee0837eb1cf0a7237b0748f9eda8e6fb635b7050c6b8

General

Target

ecf07812972fc9d75b08ee0837eb1cf0a7237b0748f9eda8e6fb635b7050c6b8.exe
Size

1.0MB
MD5

ad976f34f9f5fa4c53304801195ac1f4
SHA1

c43698a55dd393a18fa04446ccc2e0f2cba8a6a0
SHA256

ecf07812972fc9d75b08ee0837eb1cf0a7237b0748f9eda8e6fb635b7050c6b8
SHA512

9c51850c7ba7b1a28556bdb6288e8d17529381d818d250e2390629d7c92abd722ac3f36a7d34d188d29de4fc985923315e2412ad22261bc79d61713bf0559d34
SSDEEP

24576:vyj5J6CIciAMik9BG/UBdeDjWCukaZ2p4+5hTHsL8Uj/v:6aCIciXik9MjWCukaZU5hTHs9

Score

10^/10

redline diza infostealer persistence

Malware Config

Extracted

Family

redline

Botnet

diza

C2

185.161.248.37:4138

Attributes

auth_value
0d09b419c8bc967f91c68be4a17e92ee

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Executes dropped EXE 3 IoCs

pid	Process
3448	x3678130.exe
3960	x2871849.exe
1028	f8360514.exe

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	x2871849.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	x2871849.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	ecf07812972fc9d75b08ee0837eb1cf0a7237b0748f9eda8e6fb635b7050c6b8.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	ecf07812972fc9d75b08ee0837eb1cf0a7237b0748f9eda8e6fb635b7050c6b8.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	x3678130.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	x3678130.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 404 wrote to memory of 3448	404	ecf07812972fc9d75b08ee0837eb1cf0a7237b0748f9eda8e6fb635b7050c6b8.exe	66
PID 404 wrote to memory of 3448	404	ecf07812972fc9d75b08ee0837eb1cf0a7237b0748f9eda8e6fb635b7050c6b8.exe	66
PID 404 wrote to memory of 3448	404	ecf07812972fc9d75b08ee0837eb1cf0a7237b0748f9eda8e6fb635b7050c6b8.exe	66
PID 3448 wrote to memory of 3960	3448	x3678130.exe	67
PID 3448 wrote to memory of 3960	3448	x3678130.exe	67
PID 3448 wrote to memory of 3960	3448	x3678130.exe	67
PID 3960 wrote to memory of 1028	3960	x2871849.exe	68
PID 3960 wrote to memory of 1028	3960	x2871849.exe	68
PID 3960 wrote to memory of 1028	3960	x2871849.exe	68

C:\Users\Admin\AppData\Local\Temp\ecf07812972fc9d75b08ee0837eb1cf0a7237b0748f9eda8e6fb635b7050c6b8.exe
"C:\Users\Admin\AppData\Local\Temp\ecf07812972fc9d75b08ee0837eb1cf0a7237b0748f9eda8e6fb635b7050c6b8.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:404
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x3678130.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x3678130.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:3448
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x2871849.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x2871849.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:3960
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\f8360514.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\f8360514.exe
      4⤵
      Executes dropped EXE
      PID:1028

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x3678130.exe

Filesize
750KB

MD5
e44bbc45c4d00b8957112980e6df186d

SHA1
0e5b08b99f0b92d3be0b0524ba332ffaef76b956

SHA256
db21787f0f82a89ae845abd0b55dba8dacdeccb1ec2a8c5be63f0cddda0e68c8

SHA512
e3ba2ef4fe98be9571d9443d25f056e4e117190589289d80fd3f3c0e85a6e3191ddc025b60fc440f4c30423146fa2dd7a6e0a498fa1a7ca03fe20aa7b9b6bcb7

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x3678130.exe

Filesize
750KB

MD5
e44bbc45c4d00b8957112980e6df186d

SHA1
0e5b08b99f0b92d3be0b0524ba332ffaef76b956

SHA256
db21787f0f82a89ae845abd0b55dba8dacdeccb1ec2a8c5be63f0cddda0e68c8

SHA512
e3ba2ef4fe98be9571d9443d25f056e4e117190589289d80fd3f3c0e85a6e3191ddc025b60fc440f4c30423146fa2dd7a6e0a498fa1a7ca03fe20aa7b9b6bcb7

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x2871849.exe

Filesize
306KB

MD5
100487d2a15782f106cd81766a638b79

SHA1
f8403140b0b02d0691e680c7f91bfa99e24cd34a

SHA256
4b72cdcf78c57347d1d13691fcdac64d481e41f8ee06933ab6aa3e0995f103b2

SHA512
2724d261777af46f7cac105f10e875c6f2618c4a973bffb9966d4216b6d48dcd7ddee146da1c11d6e3ea323519cf677563805d28c0985ad15bd941f8a98ad752

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x2871849.exe

Filesize
306KB

MD5
100487d2a15782f106cd81766a638b79

SHA1
f8403140b0b02d0691e680c7f91bfa99e24cd34a

SHA256
4b72cdcf78c57347d1d13691fcdac64d481e41f8ee06933ab6aa3e0995f103b2

SHA512
2724d261777af46f7cac105f10e875c6f2618c4a973bffb9966d4216b6d48dcd7ddee146da1c11d6e3ea323519cf677563805d28c0985ad15bd941f8a98ad752

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\f8360514.exe

Filesize
145KB

MD5
bbee7779281d1bb38f6e6dc8c6f7b710

SHA1
80d7ae82514038c832bcef8bb449982ec29258ef

SHA256
6b1d012ca92deca89f1eb93c5b84b19afbbef0ad8c09d8291addd68a17fd76a1

SHA512
d655c4255dcf4e1b397a8afc0daf3db35dbbb2a00e30bc5ab3e40b35e30d72b0e8c69e59695ba9b3ffdc1abd1f57d4aee18878ecbee55d9d86ba2311333fb543

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\f8360514.exe

Filesize
145KB

MD5
bbee7779281d1bb38f6e6dc8c6f7b710

SHA1
80d7ae82514038c832bcef8bb449982ec29258ef

SHA256
6b1d012ca92deca89f1eb93c5b84b19afbbef0ad8c09d8291addd68a17fd76a1

SHA512
d655c4255dcf4e1b397a8afc0daf3db35dbbb2a00e30bc5ab3e40b35e30d72b0e8c69e59695ba9b3ffdc1abd1f57d4aee18878ecbee55d9d86ba2311333fb543

Download Submit
memory/1028-142-0x0000000000F40000-0x0000000000F6A000-memory.dmp

Filesize
168KB

Download
memory/1028-143-0x0000000005D60000-0x0000000006366000-memory.dmp

Filesize
6.0MB

Download
memory/1028-144-0x0000000005860000-0x000000000596A000-memory.dmp

Filesize
1.0MB

Download
memory/1028-145-0x0000000005790000-0x00000000057A2000-memory.dmp

Filesize
72KB

Download
memory/1028-146-0x0000000005810000-0x000000000584E000-memory.dmp

Filesize
248KB

Download
memory/1028-147-0x0000000005800000-0x0000000005810000-memory.dmp

Filesize
64KB

Download
memory/1028-148-0x00000000057B0000-0x00000000057FB000-memory.dmp

Filesize
300KB

Download
memory/1028-149-0x0000000005800000-0x0000000005810000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing