redline | 3ac990d234b64812738c0a185d10289abfb34d5ac6e60b8d52cc65cf455610aa

General

Target

3ac990d234b64812738c0a185d10289abfb34d5ac6e60b8d52cc65cf455610aa.exe
Size

1022KB
MD5

e21ef2e82eb8428418cc2bb419f8219e
SHA1

c8d0baa12a48258c4e442c0f37449eeeab7140f9
SHA256

3ac990d234b64812738c0a185d10289abfb34d5ac6e60b8d52cc65cf455610aa
SHA512

9338f437b566334157e7d7372a8d27069b8f9c1ae11cddc5499f613c7e283fc4e8129bacec62c0bb73ef66e3d092cdc8c711e1a6f25a153ae5df70f83147e521
SSDEEP

12288:rMrIy906lGJumJac8Z/9rTaAMmO3p1Hxm1Cj3NHo+RZC98qF3jKCBUwZoNAU:vyHGsv9rTruJxjto+rC98UBnZoyU

Score

10^/10

redline diza infostealer persistence

Malware Config

Extracted

Family

redline

Botnet

diza

C2

185.161.248.37:4138

Attributes

auth_value
0d09b419c8bc967f91c68be4a17e92ee

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Executes dropped EXE 3 IoCs

pid	Process
1476	x7033862.exe
1740	x1961721.exe
2060	f3729514.exe

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	x7033862.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	x7033862.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	x1961721.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	x1961721.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	3ac990d234b64812738c0a185d10289abfb34d5ac6e60b8d52cc65cf455610aa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	3ac990d234b64812738c0a185d10289abfb34d5ac6e60b8d52cc65cf455610aa.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 1308 wrote to memory of 1476	1308	3ac990d234b64812738c0a185d10289abfb34d5ac6e60b8d52cc65cf455610aa.exe	66
PID 1308 wrote to memory of 1476	1308	3ac990d234b64812738c0a185d10289abfb34d5ac6e60b8d52cc65cf455610aa.exe	66
PID 1308 wrote to memory of 1476	1308	3ac990d234b64812738c0a185d10289abfb34d5ac6e60b8d52cc65cf455610aa.exe	66
PID 1476 wrote to memory of 1740	1476	x7033862.exe	67
PID 1476 wrote to memory of 1740	1476	x7033862.exe	67
PID 1476 wrote to memory of 1740	1476	x7033862.exe	67
PID 1740 wrote to memory of 2060	1740	x1961721.exe	68
PID 1740 wrote to memory of 2060	1740	x1961721.exe	68
PID 1740 wrote to memory of 2060	1740	x1961721.exe	68

C:\Users\Admin\AppData\Local\Temp\3ac990d234b64812738c0a185d10289abfb34d5ac6e60b8d52cc65cf455610aa.exe
"C:\Users\Admin\AppData\Local\Temp\3ac990d234b64812738c0a185d10289abfb34d5ac6e60b8d52cc65cf455610aa.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1308
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x7033862.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x7033862.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:1476
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x1961721.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x1961721.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:1740
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\f3729514.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\f3729514.exe
      4⤵
      Executes dropped EXE
      PID:2060

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x7033862.exe

Filesize
750KB

MD5
089f4cd26c9202259cd82ae0439500f8

SHA1
ce39cffc5964316f221e8f1466ba55ef821c2575

SHA256
dc9c5c228ec108b034d44421e3481bfa8c292ed67f7af397aadecb4e5e0bb8f6

SHA512
65081d97a3b11612aee5d7f6f6fb6184ec4d6971e47bae0d473bf61349879f3ebf6f4f89c15fb8b4827646d4fad81563302493b4226b03bf42cd51ee85a5441b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x7033862.exe

Filesize
750KB

MD5
089f4cd26c9202259cd82ae0439500f8

SHA1
ce39cffc5964316f221e8f1466ba55ef821c2575

SHA256
dc9c5c228ec108b034d44421e3481bfa8c292ed67f7af397aadecb4e5e0bb8f6

SHA512
65081d97a3b11612aee5d7f6f6fb6184ec4d6971e47bae0d473bf61349879f3ebf6f4f89c15fb8b4827646d4fad81563302493b4226b03bf42cd51ee85a5441b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x1961721.exe

Filesize
305KB

MD5
a6d79de557c70f6063f80457bdf5b9eb

SHA1
f8b2515c9031e001444407bea68c90292c18f933

SHA256
dd3844151bcd6a83881ced65df76af77eb03598c81a60852181a021c469725d1

SHA512
9b172829f67d0042d8c73bf35e8c499e632a55e279d1cd5b66495019580a7ada333b042ea41bb3c90211ba977404237d4f8aaddd06c501589878ac75cfbbf9c5

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x1961721.exe

Filesize
305KB

MD5
a6d79de557c70f6063f80457bdf5b9eb

SHA1
f8b2515c9031e001444407bea68c90292c18f933

SHA256
dd3844151bcd6a83881ced65df76af77eb03598c81a60852181a021c469725d1

SHA512
9b172829f67d0042d8c73bf35e8c499e632a55e279d1cd5b66495019580a7ada333b042ea41bb3c90211ba977404237d4f8aaddd06c501589878ac75cfbbf9c5

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\f3729514.exe

Filesize
145KB

MD5
6cbbd725bc75c6965a0f0d3b65aa49c6

SHA1
5c6a69c6e4e2a25b2b0a20bbdaaa3f121ab007e3

SHA256
23a73b34100190b211d2eb23b813caf0a73c73f2bbf8d46bc4a1d753f6eb5615

SHA512
09a01b60d42f18398a24702d90298297a1422bef6eeec2e59508f24619d3761763fe5084604a0aff2c6a5142fd50782208a1358a3c39f561e3102ca428995471

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\f3729514.exe

Filesize
145KB

MD5
6cbbd725bc75c6965a0f0d3b65aa49c6

SHA1
5c6a69c6e4e2a25b2b0a20bbdaaa3f121ab007e3

SHA256
23a73b34100190b211d2eb23b813caf0a73c73f2bbf8d46bc4a1d753f6eb5615

SHA512
09a01b60d42f18398a24702d90298297a1422bef6eeec2e59508f24619d3761763fe5084604a0aff2c6a5142fd50782208a1358a3c39f561e3102ca428995471

Download Submit
memory/2060-142-0x0000000000980000-0x00000000009AA000-memory.dmp

Filesize
168KB

Download
memory/2060-143-0x0000000005710000-0x0000000005D16000-memory.dmp

Filesize
6.0MB

Download
memory/2060-144-0x00000000052A0000-0x00000000053AA000-memory.dmp

Filesize
1.0MB

Download
memory/2060-145-0x00000000051F0000-0x0000000005202000-memory.dmp

Filesize
72KB

Download
memory/2060-146-0x00000000051E0000-0x00000000051F0000-memory.dmp

Filesize
64KB

Download
memory/2060-147-0x0000000005210000-0x000000000524E000-memory.dmp

Filesize
248KB

Download
memory/2060-148-0x0000000005250000-0x000000000529B000-memory.dmp

Filesize
300KB

Download
memory/2060-149-0x00000000051E0000-0x00000000051F0000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing