redline | b2bede1a82b9bb07606b8b177ef40abeb2c4d2c72264aead0fd66d6360c558da

General

Target

b2bede1a82b9bb07606b8b177ef40abeb2c4d2c72264aead0fd66d6360c558da.exe
Size

1.0MB
MD5

d81c9d46b46e296dc3588a5dab2b0b6a
SHA1

90c289b1dd93d84b40b944dc140533997e40c17e
SHA256

b2bede1a82b9bb07606b8b177ef40abeb2c4d2c72264aead0fd66d6360c558da
SHA512

e35d3d9e62e3155ffeef411e1be2e64f8e8bb98e4f9406b44935fc78875ab780578888f5ff30cc284a6e565b59708e5a91e5dfe8c23c443ad5492d19f263ea3f
SSDEEP

24576:7y1052CbEaOWloqv/5W71SXFTgnCjVnQIl/61K9uuasVK16u+XB0:u1052QEaOFqpmSFsnChP8K9X/VKr

Score

10^/10

redline diza infostealer persistence

Malware Config

Extracted

Family

redline

Botnet

diza

C2

185.161.248.37:4138

Attributes

auth_value
0d09b419c8bc967f91c68be4a17e92ee

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Executes dropped EXE 3 IoCs

pid	Process
372	x8120205.exe
3324	x8876127.exe
1432	f3392090.exe

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	b2bede1a82b9bb07606b8b177ef40abeb2c4d2c72264aead0fd66d6360c558da.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	b2bede1a82b9bb07606b8b177ef40abeb2c4d2c72264aead0fd66d6360c558da.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	x8120205.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	x8120205.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	x8876127.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	x8876127.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 2128 wrote to memory of 372	2128	b2bede1a82b9bb07606b8b177ef40abeb2c4d2c72264aead0fd66d6360c558da.exe	84
PID 2128 wrote to memory of 372	2128	b2bede1a82b9bb07606b8b177ef40abeb2c4d2c72264aead0fd66d6360c558da.exe	84
PID 2128 wrote to memory of 372	2128	b2bede1a82b9bb07606b8b177ef40abeb2c4d2c72264aead0fd66d6360c558da.exe	84
PID 372 wrote to memory of 3324	372	x8120205.exe	85
PID 372 wrote to memory of 3324	372	x8120205.exe	85
PID 372 wrote to memory of 3324	372	x8120205.exe	85
PID 3324 wrote to memory of 1432	3324	x8876127.exe	86
PID 3324 wrote to memory of 1432	3324	x8876127.exe	86
PID 3324 wrote to memory of 1432	3324	x8876127.exe	86

C:\Users\Admin\AppData\Local\Temp\b2bede1a82b9bb07606b8b177ef40abeb2c4d2c72264aead0fd66d6360c558da.exe
"C:\Users\Admin\AppData\Local\Temp\b2bede1a82b9bb07606b8b177ef40abeb2c4d2c72264aead0fd66d6360c558da.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2128
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x8120205.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x8120205.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:372
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x8876127.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x8876127.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:3324
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\f3392090.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\f3392090.exe
      4⤵
      Executes dropped EXE
      PID:1432

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x8120205.exe

Filesize
751KB

MD5
a011a31a374ee03b60fbd5d2d23de0d9

SHA1
b3c7703a1df73c9ad4001215ec0be98dd7d0cb29

SHA256
efea2ee21fa334d821184055f47feb71beb4d54a173614d8cbc05c886f9532b5

SHA512
1d659d9d6be7ed40f6afa8a0d9cc8f2941003962ef9d3f254c3b7f2942ca0d8a1c3c381fbf4e46e425887a0b30815fed42da2660b384a2d651a2c45ee4965fe1

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x8120205.exe

Filesize
751KB

MD5
a011a31a374ee03b60fbd5d2d23de0d9

SHA1
b3c7703a1df73c9ad4001215ec0be98dd7d0cb29

SHA256
efea2ee21fa334d821184055f47feb71beb4d54a173614d8cbc05c886f9532b5

SHA512
1d659d9d6be7ed40f6afa8a0d9cc8f2941003962ef9d3f254c3b7f2942ca0d8a1c3c381fbf4e46e425887a0b30815fed42da2660b384a2d651a2c45ee4965fe1

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x8876127.exe

Filesize
306KB

MD5
ea18a923b80bcb79834ed198fe659c14

SHA1
307e96eba9ef432a88ee0bc01a9f28d71bc81d92

SHA256
f07ba0416ef19a025d30f5a1cfc3f5848df3ad1a614b2dc23d6bd2e14d5b5d2d

SHA512
5d7ca1faaf928d29860ff94afdb76a471ec6b77193f135c8546e98896548c2c3120caa585b0c880c5821a667729036482c81fb62aaa9d2998e49db8b848c337f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x8876127.exe

Filesize
306KB

MD5
ea18a923b80bcb79834ed198fe659c14

SHA1
307e96eba9ef432a88ee0bc01a9f28d71bc81d92

SHA256
f07ba0416ef19a025d30f5a1cfc3f5848df3ad1a614b2dc23d6bd2e14d5b5d2d

SHA512
5d7ca1faaf928d29860ff94afdb76a471ec6b77193f135c8546e98896548c2c3120caa585b0c880c5821a667729036482c81fb62aaa9d2998e49db8b848c337f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\f3392090.exe

Filesize
145KB

MD5
0d8c942aeb27bb4cd9ecc7703125d3cd

SHA1
41c00f1972e9f9350c907ddcc2974da78cb965cc

SHA256
b8a0672eaddb2752d790dd3edc91d8a257b0a87901a6ff9243dfa5983475a6cb

SHA512
196979adeb8b0dadb08e8a1e00f9673e9e08c773ed254fa69c52d4b56c99e3c073d9aa1c87a2df9f5527b757450606f9c3930083b1c3d88190f8fa3ebf1d176d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\f3392090.exe

Filesize
145KB

MD5
0d8c942aeb27bb4cd9ecc7703125d3cd

SHA1
41c00f1972e9f9350c907ddcc2974da78cb965cc

SHA256
b8a0672eaddb2752d790dd3edc91d8a257b0a87901a6ff9243dfa5983475a6cb

SHA512
196979adeb8b0dadb08e8a1e00f9673e9e08c773ed254fa69c52d4b56c99e3c073d9aa1c87a2df9f5527b757450606f9c3930083b1c3d88190f8fa3ebf1d176d

Download Submit
memory/1432-154-0x0000000000810000-0x000000000083A000-memory.dmp

Filesize
168KB

Download
memory/1432-155-0x0000000005730000-0x0000000005D48000-memory.dmp

Filesize
6.1MB

Download
memory/1432-156-0x00000000052B0000-0x00000000053BA000-memory.dmp

Filesize
1.0MB

Download
memory/1432-157-0x00000000051E0000-0x00000000051F2000-memory.dmp

Filesize
72KB

Download
memory/1432-158-0x0000000005240000-0x000000000527C000-memory.dmp

Filesize
240KB

Download
memory/1432-159-0x0000000005290000-0x00000000052A0000-memory.dmp

Filesize
64KB

Download
memory/1432-160-0x0000000005290000-0x00000000052A0000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing