redline | 986a1c37256eb0417132ff10cace7d70d877bea5d6b37d5552b0d613ec351276

General

Target

launcher652.exe
Size

1.0MB
MD5

65a5e18f71c3d619e7bf8b78f6fd0ce9
SHA1

ca1601edccdcc661a21f05ce620e261828c459b2
SHA256

986a1c37256eb0417132ff10cace7d70d877bea5d6b37d5552b0d613ec351276
SHA512

79ee59f12f76d6cdfd17dc24b2f75b95a5bfc762b792c2a863eb574b7314742a495ad070e6ff14cef6ffec593eca5d78feaa03941a4418bd2f916ee74ae12cb0
SSDEEP

24576:QyvnwOovOS1YWPNrT+sjhQYgjiSmXW92IoydVwQZA2YQ:XYnO0VV6sKjLOWH/r5ZA2

Score

10^/10

redline diza infostealer persistence

Malware Config

Extracted

Family

redline

Botnet

diza

C2

185.161.248.37:4138

Attributes

auth_value
0d09b419c8bc967f91c68be4a17e92ee

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Executes dropped EXE 3 IoCs

pid	Process
4796	x2598358.exe
3888	x9610714.exe
4744	f2880280.exe

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	launcher652.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	x2598358.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	x2598358.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	x9610714.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	x9610714.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	launcher652.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 5004 wrote to memory of 4796	5004	launcher652.exe	79
PID 5004 wrote to memory of 4796	5004	launcher652.exe	79
PID 5004 wrote to memory of 4796	5004	launcher652.exe	79
PID 4796 wrote to memory of 3888	4796	x2598358.exe	80
PID 4796 wrote to memory of 3888	4796	x2598358.exe	80
PID 4796 wrote to memory of 3888	4796	x2598358.exe	80
PID 3888 wrote to memory of 4744	3888	x9610714.exe	81
PID 3888 wrote to memory of 4744	3888	x9610714.exe	81
PID 3888 wrote to memory of 4744	3888	x9610714.exe	81

C:\Users\Admin\AppData\Local\Temp\launcher652.exe
"C:\Users\Admin\AppData\Local\Temp\launcher652.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:5004
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x2598358.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x2598358.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:4796
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x9610714.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x9610714.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:3888
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\f2880280.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\f2880280.exe
      4⤵
      Executes dropped EXE
      PID:4744

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x2598358.exe

Filesize
751KB

MD5
948ba8fda89504bd28468c8239b88914

SHA1
df140fa800d55d4f0f83401c252aa8ad61de4121

SHA256
768890c09ed9c5f7d857220411ed55aa9d7ed0f597ebbe1f22dfbfa0764a959a

SHA512
a6880835644437714852299fb5baa449ae27f19ce65f91a0012419302feb1746ea71ee2b6a989ef60868fef8558fb8eb9c5520dfbcf4c19759d3fa46e999a34f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x2598358.exe

Filesize
751KB

MD5
948ba8fda89504bd28468c8239b88914

SHA1
df140fa800d55d4f0f83401c252aa8ad61de4121

SHA256
768890c09ed9c5f7d857220411ed55aa9d7ed0f597ebbe1f22dfbfa0764a959a

SHA512
a6880835644437714852299fb5baa449ae27f19ce65f91a0012419302feb1746ea71ee2b6a989ef60868fef8558fb8eb9c5520dfbcf4c19759d3fa46e999a34f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x9610714.exe

Filesize
306KB

MD5
5e575fbff7cf5f2aa057624ebd4edd31

SHA1
cb594e098fa332e43014c9bb1eeb5c535cd6626a

SHA256
08c279995f1dd45eee3dce201ec3a1b0fed94ffa57075c217182361f98756e77

SHA512
8bfcfb78f3b7ddd7c049473812353ac34d4f6ad72a86fb0e56cd239c7fcee351d9e2cca505e4634db2e8b7a2c8b7cab615b15f2e3c923b18640f4d080bd3c85f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x9610714.exe

Filesize
306KB

MD5
5e575fbff7cf5f2aa057624ebd4edd31

SHA1
cb594e098fa332e43014c9bb1eeb5c535cd6626a

SHA256
08c279995f1dd45eee3dce201ec3a1b0fed94ffa57075c217182361f98756e77

SHA512
8bfcfb78f3b7ddd7c049473812353ac34d4f6ad72a86fb0e56cd239c7fcee351d9e2cca505e4634db2e8b7a2c8b7cab615b15f2e3c923b18640f4d080bd3c85f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\f2880280.exe

Filesize
145KB

MD5
275ecf9be5ce6436c986c35f2970c9ab

SHA1
2631565d148e616ce3bffea9cfbe8afea7c00823

SHA256
aa97cb794ff1f18af0b19653a23a254e1ff0ac967b8df316b760c09e80404115

SHA512
0585d6e2c3f4ce92740acade6f9145ebade92f58e6aa837fb3f1b8cdc8296520b4d3249b63680c233ad5b14ec95bfbeaca2c5d3151f5cddb7be29fb4db40d693

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\f2880280.exe

Filesize
145KB

MD5
275ecf9be5ce6436c986c35f2970c9ab

SHA1
2631565d148e616ce3bffea9cfbe8afea7c00823

SHA256
aa97cb794ff1f18af0b19653a23a254e1ff0ac967b8df316b760c09e80404115

SHA512
0585d6e2c3f4ce92740acade6f9145ebade92f58e6aa837fb3f1b8cdc8296520b4d3249b63680c233ad5b14ec95bfbeaca2c5d3151f5cddb7be29fb4db40d693

Download Submit
memory/4744-154-0x00000000006B0000-0x00000000006DA000-memory.dmp

Filesize
168KB

Download
memory/4744-155-0x0000000005610000-0x0000000005C28000-memory.dmp

Filesize
6.1MB

Download
memory/4744-156-0x0000000005150000-0x000000000525A000-memory.dmp

Filesize
1.0MB

Download
memory/4744-157-0x0000000005080000-0x0000000005092000-memory.dmp

Filesize
72KB

Download
memory/4744-158-0x0000000005450000-0x0000000005460000-memory.dmp

Filesize
64KB

Download
memory/4744-159-0x00000000050E0000-0x000000000511C000-memory.dmp

Filesize
240KB

Download
memory/4744-160-0x0000000005450000-0x0000000005460000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing