redline | 4daba0cdd0c2aa067a055a4d391621b3929dba0273e9cce312ae3cda3487031a

General

Target

7463534466.exe
Size

1.0MB
MD5

bb7490898f26d439611e93a9d943365b
SHA1

6a19c7f0e712f5cfe2828b81582bb6fda0ed6b4e
SHA256

4daba0cdd0c2aa067a055a4d391621b3929dba0273e9cce312ae3cda3487031a
SHA512

0c03783766ffd82803cd1f2d9f642600f6b2ab2a7860492b92ab9c4aea91420ddbc355676e0d0f96670aca20e2c3649e79b3ad065322f86c6fa4408e1d1377f1
SSDEEP

24576:NypUNTalr0/uoOcbqdvrn0J3s/z7ZuWJIi:owYrFllr0J347Zu+

Score

10^/10

redline diza infostealer persistence

Malware Config

Extracted

Family

redline

Botnet

diza

C2

185.161.248.37:4138

Attributes

auth_value
0d09b419c8bc967f91c68be4a17e92ee

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Executes dropped EXE 3 IoCs

pid	Process
3824	x9883599.exe
840	x7564752.exe
1968	f2989340.exe

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	x9883599.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	x7564752.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	x7564752.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	7463534466.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	7463534466.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	x9883599.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 1928 wrote to memory of 3824	1928	7463534466.exe	82
PID 1928 wrote to memory of 3824	1928	7463534466.exe	82
PID 1928 wrote to memory of 3824	1928	7463534466.exe	82
PID 3824 wrote to memory of 840	3824	x9883599.exe	83
PID 3824 wrote to memory of 840	3824	x9883599.exe	83
PID 3824 wrote to memory of 840	3824	x9883599.exe	83
PID 840 wrote to memory of 1968	840	x7564752.exe	84
PID 840 wrote to memory of 1968	840	x7564752.exe	84
PID 840 wrote to memory of 1968	840	x7564752.exe	84

C:\Users\Admin\AppData\Local\Temp\7463534466.exe
"C:\Users\Admin\AppData\Local\Temp\7463534466.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1928
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x9883599.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x9883599.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:3824
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x7564752.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x7564752.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:840
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\f2989340.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\f2989340.exe
      4⤵
      Executes dropped EXE
      PID:1968

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x9883599.exe

Filesize
751KB

MD5
8fa0670beb7522fe0cff67f91dec3c01

SHA1
9407e462296b07534d30b8c3d178eea0e8a3879e

SHA256
51944cf4a5524501fb1caf1947a5a9a012e4dfdfd6966a5a3dc186f192ca16fd

SHA512
9b33e080e44b3bc3ed6295cf043a2089e4b24d034fa189439747463d8e696bb6043d5e239e5b937d435e33ab5ceee0e11dd4352d379141a8be44d834e66030c7

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x9883599.exe

Filesize
751KB

MD5
8fa0670beb7522fe0cff67f91dec3c01

SHA1
9407e462296b07534d30b8c3d178eea0e8a3879e

SHA256
51944cf4a5524501fb1caf1947a5a9a012e4dfdfd6966a5a3dc186f192ca16fd

SHA512
9b33e080e44b3bc3ed6295cf043a2089e4b24d034fa189439747463d8e696bb6043d5e239e5b937d435e33ab5ceee0e11dd4352d379141a8be44d834e66030c7

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x7564752.exe

Filesize
306KB

MD5
8fcb7ec2288b72ae8dec955d13a431c9

SHA1
c0ddf35a6aa27bcf27d3b57ff1fc8e771f7eac51

SHA256
d6faae367645194aea5d05aa30022ef6a8bd7493df1d133838ad379c4ed1571c

SHA512
fe6d9495c5c392b3eee1dc408d17db3c81aeb88fbf853ec3cdcfc08300cb0faa16e36197fc89a449f1fef36786cf4dba88eb577fd923fefdca5829a53fcfcdb0

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x7564752.exe

Filesize
306KB

MD5
8fcb7ec2288b72ae8dec955d13a431c9

SHA1
c0ddf35a6aa27bcf27d3b57ff1fc8e771f7eac51

SHA256
d6faae367645194aea5d05aa30022ef6a8bd7493df1d133838ad379c4ed1571c

SHA512
fe6d9495c5c392b3eee1dc408d17db3c81aeb88fbf853ec3cdcfc08300cb0faa16e36197fc89a449f1fef36786cf4dba88eb577fd923fefdca5829a53fcfcdb0

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\f2989340.exe

Filesize
145KB

MD5
a3dec03c5f87516388a3db279dc6ba12

SHA1
f89dd2bb2df9a9e23b2864b498b30ab2a960d3f9

SHA256
27d0344c324699bd6beff92f3242dad8e40004cff3316a83a817318fd569f911

SHA512
42d89402b9264c3842e9389ada20e06dde9cc40bbcb115e13b334105a4050bd16f53cbe72b5326639e48230928a8830fb74702f53752fa27e4be278517bcd18c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\f2989340.exe

Filesize
145KB

MD5
a3dec03c5f87516388a3db279dc6ba12

SHA1
f89dd2bb2df9a9e23b2864b498b30ab2a960d3f9

SHA256
27d0344c324699bd6beff92f3242dad8e40004cff3316a83a817318fd569f911

SHA512
42d89402b9264c3842e9389ada20e06dde9cc40bbcb115e13b334105a4050bd16f53cbe72b5326639e48230928a8830fb74702f53752fa27e4be278517bcd18c

Download Submit
memory/1968-154-0x0000000000D20000-0x0000000000D4A000-memory.dmp

Filesize
168KB

Download
memory/1968-155-0x0000000005C40000-0x0000000006258000-memory.dmp

Filesize
6.1MB

Download
memory/1968-156-0x00000000057C0000-0x00000000058CA000-memory.dmp

Filesize
1.0MB

Download
memory/1968-157-0x00000000056F0000-0x0000000005702000-memory.dmp

Filesize
72KB

Download
memory/1968-158-0x0000000005780000-0x0000000005790000-memory.dmp

Filesize
64KB

Download
memory/1968-159-0x00000000058D0000-0x000000000590C000-memory.dmp

Filesize
240KB

Download
memory/1968-160-0x0000000005780000-0x0000000005790000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing