redline | b0df9fb8a49400c9708a6873f317900d698a5760cd05a4823e70cd5e52c4e3c5

General

Target

b0df9fb8a49400c9708a6873f317900d698a5760cd05a4823e70cd5e52c4e3c5.exe
Size

1.0MB
MD5

a86543f18bcf1c82a76708447739b4b8
SHA1

1529a2375f04dd798d4d415886f7aa7be485332f
SHA256

b0df9fb8a49400c9708a6873f317900d698a5760cd05a4823e70cd5e52c4e3c5
SHA512

3c97908cd51e651731570baf066854865ba3a3e011b06e684efef05b8e66b5b1e69e79fdea4cbf551c77b13bbbefce4f80bd103937b455350e18d2b4eb786f7a
SSDEEP

24576:NymbOPN9BXyVPFRE1cp3jKmXQDaOjjRtc/4nTw+TX8puvt3:oKO1rXeclsQDaq764nTw+TXGGt

Score

10^/10

redline diza infostealer persistence

Malware Config

Extracted

Family

redline

Botnet

diza

C2

185.161.248.37:4138

Attributes

auth_value
0d09b419c8bc967f91c68be4a17e92ee

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Executes dropped EXE 3 IoCs

pid	Process
2668	x0656257.exe
3944	x0094521.exe
2456	f3055567.exe

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	x0656257.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	x0656257.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	x0094521.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	x0094521.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	b0df9fb8a49400c9708a6873f317900d698a5760cd05a4823e70cd5e52c4e3c5.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	b0df9fb8a49400c9708a6873f317900d698a5760cd05a4823e70cd5e52c4e3c5.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 1628 wrote to memory of 2668	1628	b0df9fb8a49400c9708a6873f317900d698a5760cd05a4823e70cd5e52c4e3c5.exe	85
PID 1628 wrote to memory of 2668	1628	b0df9fb8a49400c9708a6873f317900d698a5760cd05a4823e70cd5e52c4e3c5.exe	85
PID 1628 wrote to memory of 2668	1628	b0df9fb8a49400c9708a6873f317900d698a5760cd05a4823e70cd5e52c4e3c5.exe	85
PID 2668 wrote to memory of 3944	2668	x0656257.exe	86
PID 2668 wrote to memory of 3944	2668	x0656257.exe	86
PID 2668 wrote to memory of 3944	2668	x0656257.exe	86
PID 3944 wrote to memory of 2456	3944	x0094521.exe	87
PID 3944 wrote to memory of 2456	3944	x0094521.exe	87
PID 3944 wrote to memory of 2456	3944	x0094521.exe	87

C:\Users\Admin\AppData\Local\Temp\b0df9fb8a49400c9708a6873f317900d698a5760cd05a4823e70cd5e52c4e3c5.exe
"C:\Users\Admin\AppData\Local\Temp\b0df9fb8a49400c9708a6873f317900d698a5760cd05a4823e70cd5e52c4e3c5.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1628
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x0656257.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x0656257.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:2668
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x0094521.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x0094521.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:3944
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\f3055567.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\f3055567.exe
      4⤵
      Executes dropped EXE
      PID:2456

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x0656257.exe

Filesize
751KB

MD5
de0d968caec6e25af11c47259a9b5d0b

SHA1
cc5fafc37954c1b5c0c5d8be2aff2c864c69679f

SHA256
33583c50cc7e48aafeb583ce9bb5b9f9c4f2ed20f0fe33ef3080a828ececa6a2

SHA512
5dddbe19969c9b4c33f9b0bb7862ee2c2117726b21445d62a3cab657657f74929eb434f1412e60b6193e4bc9be92b9df2acd460a898f86059bf235c79889fe75

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x0656257.exe

Filesize
751KB

MD5
de0d968caec6e25af11c47259a9b5d0b

SHA1
cc5fafc37954c1b5c0c5d8be2aff2c864c69679f

SHA256
33583c50cc7e48aafeb583ce9bb5b9f9c4f2ed20f0fe33ef3080a828ececa6a2

SHA512
5dddbe19969c9b4c33f9b0bb7862ee2c2117726b21445d62a3cab657657f74929eb434f1412e60b6193e4bc9be92b9df2acd460a898f86059bf235c79889fe75

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x0094521.exe

Filesize
306KB

MD5
c666493b4124f8c9afb3061c36744b28

SHA1
a4def37ab29b4c336c5c0a565d1a46ab95b58d48

SHA256
f61ebbfb3941569d6e95b03a70c1e24ae8362cb9d14ce81a74c99a625d9c1b44

SHA512
a1824da75ab089c580ef06fa76e0c9fc972684051d3c93d233dd2698d4ecf61f196a09ee812d1eacdaac042db9def4d1ba8780824728a37d31027a75f0077c56

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x0094521.exe

Filesize
306KB

MD5
c666493b4124f8c9afb3061c36744b28

SHA1
a4def37ab29b4c336c5c0a565d1a46ab95b58d48

SHA256
f61ebbfb3941569d6e95b03a70c1e24ae8362cb9d14ce81a74c99a625d9c1b44

SHA512
a1824da75ab089c580ef06fa76e0c9fc972684051d3c93d233dd2698d4ecf61f196a09ee812d1eacdaac042db9def4d1ba8780824728a37d31027a75f0077c56

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\f3055567.exe

Filesize
145KB

MD5
cf51b1482a1b99481bd3e354af1fc1e6

SHA1
099741788639fc44621b1c5bfebb6d6984ae2840

SHA256
fb281c86a03f33d25225f0be9a951d8d13707e99d5f95a4047f06114dddf141f

SHA512
22b5baf843a1a08a965bc47ff5b8d41a79353af106a75b9834570f28c1e1927d62d8486f8cc3c34aff4f9b1519a767c99ab7e9d3028e56ac8d74d73983ecdee5

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\f3055567.exe

Filesize
145KB

MD5
cf51b1482a1b99481bd3e354af1fc1e6

SHA1
099741788639fc44621b1c5bfebb6d6984ae2840

SHA256
fb281c86a03f33d25225f0be9a951d8d13707e99d5f95a4047f06114dddf141f

SHA512
22b5baf843a1a08a965bc47ff5b8d41a79353af106a75b9834570f28c1e1927d62d8486f8cc3c34aff4f9b1519a767c99ab7e9d3028e56ac8d74d73983ecdee5

Download Submit
memory/2456-154-0x0000000000880000-0x00000000008AA000-memory.dmp

Filesize
168KB

Download
memory/2456-155-0x0000000005660000-0x0000000005C78000-memory.dmp

Filesize
6.1MB

Download
memory/2456-156-0x00000000051E0000-0x00000000052EA000-memory.dmp

Filesize
1.0MB

Download
memory/2456-157-0x0000000005110000-0x0000000005122000-memory.dmp

Filesize
72KB

Download
memory/2456-158-0x0000000005410000-0x0000000005420000-memory.dmp

Filesize
64KB

Download
memory/2456-159-0x0000000005170000-0x00000000051AC000-memory.dmp

Filesize
240KB

Download
memory/2456-160-0x0000000005410000-0x0000000005420000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing