redline | bee55683c19d138ac2a3087b3a2632902093ec4792ee7d3ed7ee0b0d0d5cc457

General

Target

526293.exe
Size

1.0MB
MD5

9f86dac831b9319316c442a4585febe4
SHA1

e26fee770d501902c0c96c46f64548e418d159b4
SHA256

bee55683c19d138ac2a3087b3a2632902093ec4792ee7d3ed7ee0b0d0d5cc457
SHA512

2c70f97368ab5376f36b40bebd5b10445d8cc7732567a940173abadce0232c977a9c5d3af3aa4acac5aaaacde814e7c31d27df936929acb94b73512e4fb6dc62
SSDEEP

24576:tytJhGkIq5a9DckgXvUknq6La1GTZQzST7btUcnHKY:Itf5IqI3gfUkXLeGTmzST3tU/

Score

10^/10

redline diza infostealer persistence

Malware Config

Extracted

Family

redline

Botnet

diza

C2

185.161.248.37:4138

Attributes

auth_value
0d09b419c8bc967f91c68be4a17e92ee

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Executes dropped EXE 3 IoCs

pid	Process
4768	x4010368.exe
3620	x1720002.exe
5016	f7536059.exe

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	526293.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	526293.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	x4010368.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	x4010368.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	x1720002.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	x1720002.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 4780 wrote to memory of 4768	4780	526293.exe	81
PID 4780 wrote to memory of 4768	4780	526293.exe	81
PID 4780 wrote to memory of 4768	4780	526293.exe	81
PID 4768 wrote to memory of 3620	4768	x4010368.exe	82
PID 4768 wrote to memory of 3620	4768	x4010368.exe	82
PID 4768 wrote to memory of 3620	4768	x4010368.exe	82
PID 3620 wrote to memory of 5016	3620	x1720002.exe	83
PID 3620 wrote to memory of 5016	3620	x1720002.exe	83
PID 3620 wrote to memory of 5016	3620	x1720002.exe	83

C:\Users\Admin\AppData\Local\Temp\526293.exe
"C:\Users\Admin\AppData\Local\Temp\526293.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4780
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x4010368.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x4010368.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:4768
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x1720002.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x1720002.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:3620
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\f7536059.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\f7536059.exe
      4⤵
      Executes dropped EXE
      PID:5016

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x4010368.exe

Filesize
751KB

MD5
1f985d4397888f231b457538dd8ce9b4

SHA1
ed5d5f3da91c65f542c25a113e0f6799076b8dac

SHA256
eacd9dfd937211ff92b969d7e235277bbe02dba06244ccfb8e27540a45d0df25

SHA512
f45131d31ac06b60442f664bd8012c907b8bc0388d71f921c2e45a08279a19159af3eff99c31f9bf0a7ab679853038425a612b1def82a1358e6d9974e7492879

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x4010368.exe

Filesize
751KB

MD5
1f985d4397888f231b457538dd8ce9b4

SHA1
ed5d5f3da91c65f542c25a113e0f6799076b8dac

SHA256
eacd9dfd937211ff92b969d7e235277bbe02dba06244ccfb8e27540a45d0df25

SHA512
f45131d31ac06b60442f664bd8012c907b8bc0388d71f921c2e45a08279a19159af3eff99c31f9bf0a7ab679853038425a612b1def82a1358e6d9974e7492879

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x1720002.exe

Filesize
306KB

MD5
0fefdf0e4445b70a706d77263ff60424

SHA1
fc7232a560c1909717aae4e433497d8c6e75b75f

SHA256
caabc0aa8565dbdcaec4c2d0462ee647f0a27949d26ca51eb0168a84c059ec3f

SHA512
1e614eed5d2be99c567671932017e52a4c1b0b1e4e9e94b596680a198598db22a046b12cb2bebf9166227e98f8995be91ba8d81cc14cfabe418a6a9b1fb1b67a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x1720002.exe

Filesize
306KB

MD5
0fefdf0e4445b70a706d77263ff60424

SHA1
fc7232a560c1909717aae4e433497d8c6e75b75f

SHA256
caabc0aa8565dbdcaec4c2d0462ee647f0a27949d26ca51eb0168a84c059ec3f

SHA512
1e614eed5d2be99c567671932017e52a4c1b0b1e4e9e94b596680a198598db22a046b12cb2bebf9166227e98f8995be91ba8d81cc14cfabe418a6a9b1fb1b67a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\f7536059.exe

Filesize
146KB

MD5
a8bbb9d8d9afc912d77b0b1eb7e02029

SHA1
b92b9649fbbfcde7b56146f20fcd6dbb08b82e09

SHA256
c3ae1a36132676d29bd5df457c002c8c42cfa028a407aee7ba285b996b30276c

SHA512
0e97abe08a5ce016f430438bbb7d224385214bf67969d645765e5f3f693dfc100e86501cbcf9448468713cebe004a2919428170608eedc6f7ccd803b5c277631

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\f7536059.exe

Filesize
146KB

MD5
a8bbb9d8d9afc912d77b0b1eb7e02029

SHA1
b92b9649fbbfcde7b56146f20fcd6dbb08b82e09

SHA256
c3ae1a36132676d29bd5df457c002c8c42cfa028a407aee7ba285b996b30276c

SHA512
0e97abe08a5ce016f430438bbb7d224385214bf67969d645765e5f3f693dfc100e86501cbcf9448468713cebe004a2919428170608eedc6f7ccd803b5c277631

Download Submit
memory/5016-154-0x00000000003D0000-0x00000000003FA000-memory.dmp

Filesize
168KB

Download
memory/5016-155-0x00000000052F0000-0x0000000005908000-memory.dmp

Filesize
6.1MB

Download
memory/5016-156-0x0000000004E70000-0x0000000004F7A000-memory.dmp

Filesize
1.0MB

Download
memory/5016-157-0x0000000004DA0000-0x0000000004DB2000-memory.dmp

Filesize
72KB

Download
memory/5016-158-0x0000000004E00000-0x0000000004E3C000-memory.dmp

Filesize
240KB

Download
memory/5016-159-0x0000000004E60000-0x0000000004E70000-memory.dmp

Filesize
64KB

Download
memory/5016-160-0x0000000004E60000-0x0000000004E70000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing