redline | f1a5cb3d65415fd264e720e5853d9df0646c230f0ff8f1e4af40cfefce3ac2f8

General

Target

f1a5cb3d65415fd264e720e5853d9df0646c230f0ff8f1e4af40cfefce3ac2f8.exe
Size

1.0MB
MD5

0e7fd4e7a0fd05c8208f27a3276eb042
SHA1

5a2d9c2b90969502e50b6b8229621faaabdada75
SHA256

f1a5cb3d65415fd264e720e5853d9df0646c230f0ff8f1e4af40cfefce3ac2f8
SHA512

6c7043c637d2d180bba8401491efaed150d5c663d499c8325098e69dc4d6ac0c4f5b78e8a9188deae325ef40e0dcf82fe77de10f4329f3447292fe4dd20a0908
SSDEEP

24576:XyySBHEjgQGT0EBpKwggXzlQpjpRmcdJmTff:iyUH7QGv/1ggjloxETf

Score

10^/10

redline diza infostealer persistence

Malware Config

Extracted

Family

redline

Botnet

diza

C2

185.161.248.37:4138

Attributes

auth_value
0d09b419c8bc967f91c68be4a17e92ee

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Executes dropped EXE 3 IoCs

pid	Process
1240	x2915446.exe
1836	x1585223.exe
2628	f3613853.exe

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	x1585223.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	x1585223.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	f1a5cb3d65415fd264e720e5853d9df0646c230f0ff8f1e4af40cfefce3ac2f8.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	f1a5cb3d65415fd264e720e5853d9df0646c230f0ff8f1e4af40cfefce3ac2f8.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	x2915446.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	x2915446.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 5000 wrote to memory of 1240	5000	f1a5cb3d65415fd264e720e5853d9df0646c230f0ff8f1e4af40cfefce3ac2f8.exe	83
PID 5000 wrote to memory of 1240	5000	f1a5cb3d65415fd264e720e5853d9df0646c230f0ff8f1e4af40cfefce3ac2f8.exe	83
PID 5000 wrote to memory of 1240	5000	f1a5cb3d65415fd264e720e5853d9df0646c230f0ff8f1e4af40cfefce3ac2f8.exe	83
PID 1240 wrote to memory of 1836	1240	x2915446.exe	84
PID 1240 wrote to memory of 1836	1240	x2915446.exe	84
PID 1240 wrote to memory of 1836	1240	x2915446.exe	84
PID 1836 wrote to memory of 2628	1836	x1585223.exe	85
PID 1836 wrote to memory of 2628	1836	x1585223.exe	85
PID 1836 wrote to memory of 2628	1836	x1585223.exe	85

C:\Users\Admin\AppData\Local\Temp\f1a5cb3d65415fd264e720e5853d9df0646c230f0ff8f1e4af40cfefce3ac2f8.exe
"C:\Users\Admin\AppData\Local\Temp\f1a5cb3d65415fd264e720e5853d9df0646c230f0ff8f1e4af40cfefce3ac2f8.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:5000
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x2915446.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x2915446.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:1240
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x1585223.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x1585223.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:1836
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\f3613853.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\f3613853.exe
      4⤵
      Executes dropped EXE
      PID:2628

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x2915446.exe

Filesize
751KB

MD5
487b069af238a009ccc7b954fe867213

SHA1
8be096b86306a8b7c53a2ea716965960d235f5fd

SHA256
ec58d4492f338d61571a09c6c50afb5f057fa370104332044bc0fa1078d38c41

SHA512
4d67ba667ad4283c09fa3f92f5821aea3a9547cbd3f7411cf24bceba9b400c9b2ee2eeae2c52931d7f1b28c37d186dbc23e6cfca0687720c4ef26d2cf521507d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x2915446.exe

Filesize
751KB

MD5
487b069af238a009ccc7b954fe867213

SHA1
8be096b86306a8b7c53a2ea716965960d235f5fd

SHA256
ec58d4492f338d61571a09c6c50afb5f057fa370104332044bc0fa1078d38c41

SHA512
4d67ba667ad4283c09fa3f92f5821aea3a9547cbd3f7411cf24bceba9b400c9b2ee2eeae2c52931d7f1b28c37d186dbc23e6cfca0687720c4ef26d2cf521507d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x1585223.exe

Filesize
306KB

MD5
16dfebbacd3efc47ec09c92216bfc468

SHA1
cd5a18b507f024b7e76235ae4d77e70c8031ff22

SHA256
4dd704f40ef071cdba858c1e3f0ddd87b43a69a053cfe14b35bf22caf303899b

SHA512
2eb7ff9c1e843c16c664af1cf6ec2f5b9d026d04483e2e2204343f4155f05e12564417b09c79c08f4c1798c0863dacd3207f1e50734f5d8f40b2d85df28f46df

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x1585223.exe

Filesize
306KB

MD5
16dfebbacd3efc47ec09c92216bfc468

SHA1
cd5a18b507f024b7e76235ae4d77e70c8031ff22

SHA256
4dd704f40ef071cdba858c1e3f0ddd87b43a69a053cfe14b35bf22caf303899b

SHA512
2eb7ff9c1e843c16c664af1cf6ec2f5b9d026d04483e2e2204343f4155f05e12564417b09c79c08f4c1798c0863dacd3207f1e50734f5d8f40b2d85df28f46df

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\f3613853.exe

Filesize
145KB

MD5
e186cb6ae4dd15a7a09f0007e39cd5e6

SHA1
dd9948fd5f53ebe58c2e38b53bf4af8a63fc7f3c

SHA256
fb9e7b200be90b31890a8243ac14ab49b58352d371134d233537f6660c4ddc60

SHA512
836b8e8ac25c19863cfd667bbdec3352800c1a8bf7b7e85b816f036f9c498a2bc4b0b3983fb17235dfc5a5dcce87e9cdc555f81e1b2d28c44d72517feefaabd3

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\f3613853.exe

Filesize
145KB

MD5
e186cb6ae4dd15a7a09f0007e39cd5e6

SHA1
dd9948fd5f53ebe58c2e38b53bf4af8a63fc7f3c

SHA256
fb9e7b200be90b31890a8243ac14ab49b58352d371134d233537f6660c4ddc60

SHA512
836b8e8ac25c19863cfd667bbdec3352800c1a8bf7b7e85b816f036f9c498a2bc4b0b3983fb17235dfc5a5dcce87e9cdc555f81e1b2d28c44d72517feefaabd3

Download Submit
memory/2628-154-0x0000000000480000-0x00000000004AA000-memory.dmp

Filesize
168KB

Download
memory/2628-155-0x00000000053A0000-0x00000000059B8000-memory.dmp

Filesize
6.1MB

Download
memory/2628-156-0x0000000004F20000-0x000000000502A000-memory.dmp

Filesize
1.0MB

Download
memory/2628-157-0x0000000004E50000-0x0000000004E62000-memory.dmp

Filesize
72KB

Download
memory/2628-158-0x0000000004EB0000-0x0000000004EEC000-memory.dmp

Filesize
240KB

Download
memory/2628-159-0x0000000005140000-0x0000000005150000-memory.dmp

Filesize
64KB

Download
memory/2628-160-0x0000000005140000-0x0000000005150000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing