redline | 07a1878ca14469f06c3abfdc9df9af655f776ae76d790e3a90f888b3b049c726

General

Target

07a1878ca14469f06c3abfdc9df9af655f776ae76d790e3a90f888b3b049c726.exe
Size

1.0MB
MD5

34ebde00807d6763e6a4371a8187e81b
SHA1

03893273b15834d66a151c5f0d3411fbabd13736
SHA256

07a1878ca14469f06c3abfdc9df9af655f776ae76d790e3a90f888b3b049c726
SHA512

b3d13c628294570f578dd7b7aecc9879eae5dab74e4fe00f16ba59bb142c334bd484b4b3b207b31c8e197d2b8ccf62b6723d39f149678f30284f432b8dd2e736
SSDEEP

24576:EypsyZZK0nEfg1/kTdx11e1NYS9JFR+W3HPR/VdjvVtitw:TpsyUmMDfeQ8R9tdtit

Score

10^/10

redline diza infostealer persistence

Malware Config

Extracted

Family

redline

Botnet

diza

C2

185.161.248.37:4138

Attributes

auth_value
0d09b419c8bc967f91c68be4a17e92ee

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Executes dropped EXE 3 IoCs

pid	Process
1148	x6100534.exe
1564	x7248735.exe
2264	f5899326.exe

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	07a1878ca14469f06c3abfdc9df9af655f776ae76d790e3a90f888b3b049c726.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	07a1878ca14469f06c3abfdc9df9af655f776ae76d790e3a90f888b3b049c726.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	x6100534.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	x6100534.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	x7248735.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	x7248735.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 3888 wrote to memory of 1148	3888	07a1878ca14469f06c3abfdc9df9af655f776ae76d790e3a90f888b3b049c726.exe	80
PID 3888 wrote to memory of 1148	3888	07a1878ca14469f06c3abfdc9df9af655f776ae76d790e3a90f888b3b049c726.exe	80
PID 3888 wrote to memory of 1148	3888	07a1878ca14469f06c3abfdc9df9af655f776ae76d790e3a90f888b3b049c726.exe	80
PID 1148 wrote to memory of 1564	1148	x6100534.exe	81
PID 1148 wrote to memory of 1564	1148	x6100534.exe	81
PID 1148 wrote to memory of 1564	1148	x6100534.exe	81
PID 1564 wrote to memory of 2264	1564	x7248735.exe	82
PID 1564 wrote to memory of 2264	1564	x7248735.exe	82
PID 1564 wrote to memory of 2264	1564	x7248735.exe	82

C:\Users\Admin\AppData\Local\Temp\07a1878ca14469f06c3abfdc9df9af655f776ae76d790e3a90f888b3b049c726.exe
"C:\Users\Admin\AppData\Local\Temp\07a1878ca14469f06c3abfdc9df9af655f776ae76d790e3a90f888b3b049c726.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3888
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x6100534.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x6100534.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:1148
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x7248735.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x7248735.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:1564
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\f5899326.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\f5899326.exe
      4⤵
      Executes dropped EXE
      PID:2264

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x6100534.exe

Filesize
751KB

MD5
6ab37c68c6c34af3d71a30719de6f290

SHA1
918211039c661d158b3fa581ba64c56257fc3742

SHA256
fbdedf1be076bd29cd07336124d8b257d46c4dd119bc10ec0c4a4081cd7572de

SHA512
98b8924d8fcca015c81dd2c7ed33bcd7c8f0cfe1473c854be38a9609b863a900f6704f440baa60cdd80126cfe64499056967f5774417e80bd6805b45bb08c9d1

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x6100534.exe

Filesize
751KB

MD5
6ab37c68c6c34af3d71a30719de6f290

SHA1
918211039c661d158b3fa581ba64c56257fc3742

SHA256
fbdedf1be076bd29cd07336124d8b257d46c4dd119bc10ec0c4a4081cd7572de

SHA512
98b8924d8fcca015c81dd2c7ed33bcd7c8f0cfe1473c854be38a9609b863a900f6704f440baa60cdd80126cfe64499056967f5774417e80bd6805b45bb08c9d1

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x7248735.exe

Filesize
306KB

MD5
5bb0aca06eb0d3d55d06736f0a07223a

SHA1
4169afbfc55c1f24414781c8621472edd4166df0

SHA256
68bfc459365680708f74b4608edab3bcaa118e26c2f25dfa337cf135c011f4dd

SHA512
536c79d0ba07a3f132d7c096559e706267e72435a0c6e22853921e6d1613096844c9827a91704bc814855c1ba3f179bcbdf67bb592614956e86959dcce685133

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x7248735.exe

Filesize
306KB

MD5
5bb0aca06eb0d3d55d06736f0a07223a

SHA1
4169afbfc55c1f24414781c8621472edd4166df0

SHA256
68bfc459365680708f74b4608edab3bcaa118e26c2f25dfa337cf135c011f4dd

SHA512
536c79d0ba07a3f132d7c096559e706267e72435a0c6e22853921e6d1613096844c9827a91704bc814855c1ba3f179bcbdf67bb592614956e86959dcce685133

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\f5899326.exe

Filesize
146KB

MD5
16151c289d17ed813d61ecc3720b17b8

SHA1
de599e2639af45680d2e290f30d4db6d5f3340b6

SHA256
10e65a66b3a9f71c54419c5c5b446ae3a702caa6bd59f6cbc654ba62db76c573

SHA512
eb6817e2f8f4cf7a0ffef39ac4919b5c87f0d17045395954e211595bf451e8d2ff1807a8b89bb7430f6d83ef692585891027f5965370a32b74b50fbbaf6706e0

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\f5899326.exe

Filesize
146KB

MD5
16151c289d17ed813d61ecc3720b17b8

SHA1
de599e2639af45680d2e290f30d4db6d5f3340b6

SHA256
10e65a66b3a9f71c54419c5c5b446ae3a702caa6bd59f6cbc654ba62db76c573

SHA512
eb6817e2f8f4cf7a0ffef39ac4919b5c87f0d17045395954e211595bf451e8d2ff1807a8b89bb7430f6d83ef692585891027f5965370a32b74b50fbbaf6706e0

Download Submit
memory/2264-154-0x00000000009F0000-0x0000000000A1A000-memory.dmp

Filesize
168KB

Download
memory/2264-155-0x0000000005910000-0x0000000005F28000-memory.dmp

Filesize
6.1MB

Download
memory/2264-156-0x0000000005490000-0x000000000559A000-memory.dmp

Filesize
1.0MB

Download
memory/2264-157-0x00000000053C0000-0x00000000053D2000-memory.dmp

Filesize
72KB

Download
memory/2264-158-0x00000000053F0000-0x0000000005400000-memory.dmp

Filesize
64KB

Download
memory/2264-159-0x0000000005440000-0x000000000547C000-memory.dmp

Filesize
240KB

Download
memory/2264-160-0x00000000053F0000-0x0000000005400000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing