redline | 3916a11f7309308496410fa8d18cecade8a5d8583b649de80bc0cf9073b620f8

Analysis

max time kernel
143s
max time network
149s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
23/05/2023, 02:06

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

0ef0ed7930c910ec4b2089a3d122fde08fd4646dac2ebdd77d03ba5495c9e9e8.exe
Size

1022KB
MD5

de578a7ee388820eac7a710fc4b4da2a
SHA1

f775e36b7f26a95cfe92ac184f89261424e6b51c
SHA256

0ef0ed7930c910ec4b2089a3d122fde08fd4646dac2ebdd77d03ba5495c9e9e8
SHA512

848d6dff2e0329f04604bad67d9eb41b76bd1d8325fe08052b57407cef0a09a052f9123cbcf18e98aaac68272ebf37469809723acc1106409b57377871f2f6ae
SSDEEP

24576:LyAIlb7evv1kJEhTJXoDPjVIPgPYrox4k1SXIuc5QTho:+fB7eVPhThoDJIPgPYroxzEz9

Score

10^/10

redline diza infostealer persistence

Malware Config

Extracted

Family

redline

Botnet

diza

185.161.248.37:4138

Attributes

auth_value
0d09b419c8bc967f91c68be4a17e92ee

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Executes dropped EXE 3 IoCs

pid	Process
2032	x0117406.exe
696	x6639003.exe
1188	f1606323.exe

Loads dropped DLL 6 IoCs

pid	Process
1108	0ef0ed7930c910ec4b2089a3d122fde08fd4646dac2ebdd77d03ba5495c9e9e8.exe
2032	x0117406.exe
2032	x0117406.exe
696	x6639003.exe
696	x6639003.exe
1188	f1606323.exe

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	x6639003.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	0ef0ed7930c910ec4b2089a3d122fde08fd4646dac2ebdd77d03ba5495c9e9e8.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	0ef0ed7930c910ec4b2089a3d122fde08fd4646dac2ebdd77d03ba5495c9e9e8.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	x0117406.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	x0117406.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	x6639003.exe

Suspicious use of WriteProcessMemory 21 IoCs

description	pid	Process	procid_target
PID 1108 wrote to memory of 2032	1108	0ef0ed7930c910ec4b2089a3d122fde08fd4646dac2ebdd77d03ba5495c9e9e8.exe	27
PID 1108 wrote to memory of 2032	1108	0ef0ed7930c910ec4b2089a3d122fde08fd4646dac2ebdd77d03ba5495c9e9e8.exe	27
PID 1108 wrote to memory of 2032	1108	0ef0ed7930c910ec4b2089a3d122fde08fd4646dac2ebdd77d03ba5495c9e9e8.exe	27
PID 1108 wrote to memory of 2032	1108	0ef0ed7930c910ec4b2089a3d122fde08fd4646dac2ebdd77d03ba5495c9e9e8.exe	27
PID 1108 wrote to memory of 2032	1108	0ef0ed7930c910ec4b2089a3d122fde08fd4646dac2ebdd77d03ba5495c9e9e8.exe	27
PID 1108 wrote to memory of 2032	1108	0ef0ed7930c910ec4b2089a3d122fde08fd4646dac2ebdd77d03ba5495c9e9e8.exe	27
PID 1108 wrote to memory of 2032	1108	0ef0ed7930c910ec4b2089a3d122fde08fd4646dac2ebdd77d03ba5495c9e9e8.exe	27
PID 2032 wrote to memory of 696	2032	x0117406.exe	28
PID 2032 wrote to memory of 696	2032	x0117406.exe	28
PID 2032 wrote to memory of 696	2032	x0117406.exe	28
PID 2032 wrote to memory of 696	2032	x0117406.exe	28
PID 2032 wrote to memory of 696	2032	x0117406.exe	28
PID 2032 wrote to memory of 696	2032	x0117406.exe	28
PID 2032 wrote to memory of 696	2032	x0117406.exe	28
PID 696 wrote to memory of 1188	696	x6639003.exe	29
PID 696 wrote to memory of 1188	696	x6639003.exe	29
PID 696 wrote to memory of 1188	696	x6639003.exe	29
PID 696 wrote to memory of 1188	696	x6639003.exe	29
PID 696 wrote to memory of 1188	696	x6639003.exe	29
PID 696 wrote to memory of 1188	696	x6639003.exe	29
PID 696 wrote to memory of 1188	696	x6639003.exe	29

C:\Users\Admin\AppData\Local\Temp\0ef0ed7930c910ec4b2089a3d122fde08fd4646dac2ebdd77d03ba5495c9e9e8.exe
"C:\Users\Admin\AppData\Local\Temp\0ef0ed7930c910ec4b2089a3d122fde08fd4646dac2ebdd77d03ba5495c9e9e8.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1108
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x0117406.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x0117406.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:2032
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x6639003.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x6639003.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:696
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\f1606323.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\f1606323.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:1188

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x0117406.exe

Filesize
751KB

MD5
8c26935d9a68061fc67791069286134c

SHA1
8b63a481d5a893fb3a89f8b70cd8468923707fd8

SHA256
56989d1b86d5277126aa011fb9b6e5913bf9d820815c05c8fe803bd802e8e1de

SHA512
b33e497be99f9cafc61615dfdd2d495eae92c4f64d30d4e6a6fbbb7bd3ed42e5b76da7fff17e596b74bb46fc6271595e927bd8d623ca6008981fa8350b124886

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x0117406.exe

Filesize
751KB

MD5
8c26935d9a68061fc67791069286134c

SHA1
8b63a481d5a893fb3a89f8b70cd8468923707fd8

SHA256
56989d1b86d5277126aa011fb9b6e5913bf9d820815c05c8fe803bd802e8e1de

SHA512
b33e497be99f9cafc61615dfdd2d495eae92c4f64d30d4e6a6fbbb7bd3ed42e5b76da7fff17e596b74bb46fc6271595e927bd8d623ca6008981fa8350b124886

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x6639003.exe

Filesize
305KB

MD5
08f2a0404d31d1c35cf5b97e6280183f

SHA1
e3c73fe06749ff8ecdf0b26b7b76b7f8959dc980

SHA256
1349873633bf098e0ff08afb942326e2e2eb7d6fa72d86440e00631ccf177f42

SHA512
219e7ebbb7ac7e94c73ef6c73ec74acf0c2d80c54fca47f39be82ba028df59c5cdee9cf6bb2ba6868f495c1223a43d74b2c5bfc80e6176a6db26592c6f82cedb

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x6639003.exe

Filesize
305KB

MD5
08f2a0404d31d1c35cf5b97e6280183f

SHA1
e3c73fe06749ff8ecdf0b26b7b76b7f8959dc980

SHA256
1349873633bf098e0ff08afb942326e2e2eb7d6fa72d86440e00631ccf177f42

SHA512
219e7ebbb7ac7e94c73ef6c73ec74acf0c2d80c54fca47f39be82ba028df59c5cdee9cf6bb2ba6868f495c1223a43d74b2c5bfc80e6176a6db26592c6f82cedb

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\f1606323.exe

Filesize
145KB

MD5
f4ef9917c72e529a1bccb494cbe0cccb

SHA1
036bbabd8a172c6cc323ecfd3d0a8dcaba79040f

SHA256
c0bd1af9133f587845700283e68669e45eba745e35f37ebc73acbdfe7e19c84b

SHA512
db35f3fd6a82dec0735c3b98418e950993b5e46dc2e1d1fea6a8b481866e6fc7fcd688d787af4fc66438e05af4af6604ccaeccb5a152ff37726a7db529ed3a77

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\f1606323.exe

Filesize
145KB

MD5
f4ef9917c72e529a1bccb494cbe0cccb

SHA1
036bbabd8a172c6cc323ecfd3d0a8dcaba79040f

SHA256
c0bd1af9133f587845700283e68669e45eba745e35f37ebc73acbdfe7e19c84b

SHA512
db35f3fd6a82dec0735c3b98418e950993b5e46dc2e1d1fea6a8b481866e6fc7fcd688d787af4fc66438e05af4af6604ccaeccb5a152ff37726a7db529ed3a77

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\x0117406.exe

Filesize
751KB

MD5
8c26935d9a68061fc67791069286134c

SHA1
8b63a481d5a893fb3a89f8b70cd8468923707fd8

SHA256
56989d1b86d5277126aa011fb9b6e5913bf9d820815c05c8fe803bd802e8e1de

SHA512
b33e497be99f9cafc61615dfdd2d495eae92c4f64d30d4e6a6fbbb7bd3ed42e5b76da7fff17e596b74bb46fc6271595e927bd8d623ca6008981fa8350b124886

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\x0117406.exe

Filesize
751KB

MD5
8c26935d9a68061fc67791069286134c

SHA1
8b63a481d5a893fb3a89f8b70cd8468923707fd8

SHA256
56989d1b86d5277126aa011fb9b6e5913bf9d820815c05c8fe803bd802e8e1de

SHA512
b33e497be99f9cafc61615dfdd2d495eae92c4f64d30d4e6a6fbbb7bd3ed42e5b76da7fff17e596b74bb46fc6271595e927bd8d623ca6008981fa8350b124886

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\x6639003.exe

Filesize
305KB

MD5
08f2a0404d31d1c35cf5b97e6280183f

SHA1
e3c73fe06749ff8ecdf0b26b7b76b7f8959dc980

SHA256
1349873633bf098e0ff08afb942326e2e2eb7d6fa72d86440e00631ccf177f42

SHA512
219e7ebbb7ac7e94c73ef6c73ec74acf0c2d80c54fca47f39be82ba028df59c5cdee9cf6bb2ba6868f495c1223a43d74b2c5bfc80e6176a6db26592c6f82cedb

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\x6639003.exe

Filesize
305KB

MD5
08f2a0404d31d1c35cf5b97e6280183f

SHA1
e3c73fe06749ff8ecdf0b26b7b76b7f8959dc980

SHA256
1349873633bf098e0ff08afb942326e2e2eb7d6fa72d86440e00631ccf177f42

SHA512
219e7ebbb7ac7e94c73ef6c73ec74acf0c2d80c54fca47f39be82ba028df59c5cdee9cf6bb2ba6868f495c1223a43d74b2c5bfc80e6176a6db26592c6f82cedb

Download Submit
\Users\Admin\AppData\Local\Temp\IXP002.TMP\f1606323.exe

Filesize
145KB

MD5
f4ef9917c72e529a1bccb494cbe0cccb

SHA1
036bbabd8a172c6cc323ecfd3d0a8dcaba79040f

SHA256
c0bd1af9133f587845700283e68669e45eba745e35f37ebc73acbdfe7e19c84b

SHA512
db35f3fd6a82dec0735c3b98418e950993b5e46dc2e1d1fea6a8b481866e6fc7fcd688d787af4fc66438e05af4af6604ccaeccb5a152ff37726a7db529ed3a77

Download Submit
\Users\Admin\AppData\Local\Temp\IXP002.TMP\f1606323.exe

Filesize
145KB

MD5
f4ef9917c72e529a1bccb494cbe0cccb

SHA1
036bbabd8a172c6cc323ecfd3d0a8dcaba79040f

SHA256
c0bd1af9133f587845700283e68669e45eba745e35f37ebc73acbdfe7e19c84b

SHA512
db35f3fd6a82dec0735c3b98418e950993b5e46dc2e1d1fea6a8b481866e6fc7fcd688d787af4fc66438e05af4af6604ccaeccb5a152ff37726a7db529ed3a77

Download Submit
memory/1188-84-0x0000000000990000-0x00000000009BA000-memory.dmp

Filesize
168KB

Download
memory/1188-85-0x0000000000C00000-0x0000000000C40000-memory.dmp

Filesize
256KB

Download
memory/1188-86-0x0000000000C00000-0x0000000000C40000-memory.dmp

Filesize
256KB

Download