redline | 000739cd22a155c7f1e03daf27fc1b63a5715c438aaa2838e0ae426ddf92a2b7

Analysis

max time kernel
144s
max time network
151s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
23/05/2023, 02:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1450b8cd2a6bd9509294447efb5f0290a27d95ebbb57ac225ca14fa46ea4e6ef.exe
Size

1.0MB
MD5

fb9d8a953a851ddc1cf9f23275bab493
SHA1

7d864566d8de0aa4d19d0c4b678b28e6e11302ef
SHA256

1450b8cd2a6bd9509294447efb5f0290a27d95ebbb57ac225ca14fa46ea4e6ef
SHA512

b464b91fd4a9310d4762a30e1bc2744fc6bba4384a39fb1920ce9c8e5bfda3086b1a00469897a2df0adf58ffb5b98a85c0539bf95ca02e003dea0a0c1f65de9e
SSDEEP

24576:1yWjp4uK/LYi0pjhEZpNu0QN482swL10B8u0u7U5DYTx+/x0:Q0p4L/B3pNmN4/sog7XTxm

Score

10^/10

redline diza infostealer persistence

Malware Config

Extracted

Family

redline

Botnet

diza

185.161.248.37:4138

Attributes

auth_value
0d09b419c8bc967f91c68be4a17e92ee

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Executes dropped EXE 3 IoCs

pid	Process
1224	x8990858.exe
1980	x8796060.exe
544	f4143963.exe

Loads dropped DLL 6 IoCs

pid	Process
1660	1450b8cd2a6bd9509294447efb5f0290a27d95ebbb57ac225ca14fa46ea4e6ef.exe
1224	x8990858.exe
1224	x8990858.exe
1980	x8796060.exe
1980	x8796060.exe
544	f4143963.exe

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	x8990858.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	x8796060.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	x8796060.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	1450b8cd2a6bd9509294447efb5f0290a27d95ebbb57ac225ca14fa46ea4e6ef.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	1450b8cd2a6bd9509294447efb5f0290a27d95ebbb57ac225ca14fa46ea4e6ef.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	x8990858.exe

Suspicious use of WriteProcessMemory 21 IoCs

description	pid	Process	procid_target
PID 1660 wrote to memory of 1224	1660	1450b8cd2a6bd9509294447efb5f0290a27d95ebbb57ac225ca14fa46ea4e6ef.exe	27
PID 1660 wrote to memory of 1224	1660	1450b8cd2a6bd9509294447efb5f0290a27d95ebbb57ac225ca14fa46ea4e6ef.exe	27
PID 1660 wrote to memory of 1224	1660	1450b8cd2a6bd9509294447efb5f0290a27d95ebbb57ac225ca14fa46ea4e6ef.exe	27
PID 1660 wrote to memory of 1224	1660	1450b8cd2a6bd9509294447efb5f0290a27d95ebbb57ac225ca14fa46ea4e6ef.exe	27
PID 1660 wrote to memory of 1224	1660	1450b8cd2a6bd9509294447efb5f0290a27d95ebbb57ac225ca14fa46ea4e6ef.exe	27
PID 1660 wrote to memory of 1224	1660	1450b8cd2a6bd9509294447efb5f0290a27d95ebbb57ac225ca14fa46ea4e6ef.exe	27
PID 1660 wrote to memory of 1224	1660	1450b8cd2a6bd9509294447efb5f0290a27d95ebbb57ac225ca14fa46ea4e6ef.exe	27
PID 1224 wrote to memory of 1980	1224	x8990858.exe	28
PID 1224 wrote to memory of 1980	1224	x8990858.exe	28
PID 1224 wrote to memory of 1980	1224	x8990858.exe	28
PID 1224 wrote to memory of 1980	1224	x8990858.exe	28
PID 1224 wrote to memory of 1980	1224	x8990858.exe	28
PID 1224 wrote to memory of 1980	1224	x8990858.exe	28
PID 1224 wrote to memory of 1980	1224	x8990858.exe	28
PID 1980 wrote to memory of 544	1980	x8796060.exe	29
PID 1980 wrote to memory of 544	1980	x8796060.exe	29
PID 1980 wrote to memory of 544	1980	x8796060.exe	29
PID 1980 wrote to memory of 544	1980	x8796060.exe	29
PID 1980 wrote to memory of 544	1980	x8796060.exe	29
PID 1980 wrote to memory of 544	1980	x8796060.exe	29
PID 1980 wrote to memory of 544	1980	x8796060.exe	29

C:\Users\Admin\AppData\Local\Temp\1450b8cd2a6bd9509294447efb5f0290a27d95ebbb57ac225ca14fa46ea4e6ef.exe
"C:\Users\Admin\AppData\Local\Temp\1450b8cd2a6bd9509294447efb5f0290a27d95ebbb57ac225ca14fa46ea4e6ef.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1660
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x8990858.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x8990858.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:1224
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x8796060.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x8796060.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:1980
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\f4143963.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\f4143963.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:544

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x8990858.exe

Filesize
751KB

MD5
9bfa7df2fa0fdb8df14c63c945c7397f

SHA1
b7c3a4473823732ad0d604b31a7569702c1821d9

SHA256
5c22b84364940c1524dd9601f7d55c515e23404bfcc18456ce35b069bf09f1c2

SHA512
95b54e9fc0b5355c855c7148f5580def91d7ab3cc30527a3769ae1cfe48147721285408eaacd3b9e1d243f47615d0556ab0caec70cd2a6c8431acdca07454767

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x8990858.exe

Filesize
751KB

MD5
9bfa7df2fa0fdb8df14c63c945c7397f

SHA1
b7c3a4473823732ad0d604b31a7569702c1821d9

SHA256
5c22b84364940c1524dd9601f7d55c515e23404bfcc18456ce35b069bf09f1c2

SHA512
95b54e9fc0b5355c855c7148f5580def91d7ab3cc30527a3769ae1cfe48147721285408eaacd3b9e1d243f47615d0556ab0caec70cd2a6c8431acdca07454767

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x8796060.exe

Filesize
306KB

MD5
d0c73ff4cb39c3f5d79a715731595bfc

SHA1
4f53335909be8d1f3d98cf00284c06468a826f07

SHA256
905c0c89b2b689af2d83b4382b045275ef8404bae28f3f432dd19f5ca151b0c7

SHA512
fe1de6f073a934d64b102f12a717581c5941fb311ace6c066999cf7aafe81e39526ab019f56f1e70d8ff4134433abb858b59dd091cb7f38ef73d6d51177a86c9

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x8796060.exe

Filesize
306KB

MD5
d0c73ff4cb39c3f5d79a715731595bfc

SHA1
4f53335909be8d1f3d98cf00284c06468a826f07

SHA256
905c0c89b2b689af2d83b4382b045275ef8404bae28f3f432dd19f5ca151b0c7

SHA512
fe1de6f073a934d64b102f12a717581c5941fb311ace6c066999cf7aafe81e39526ab019f56f1e70d8ff4134433abb858b59dd091cb7f38ef73d6d51177a86c9

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\f4143963.exe

Filesize
145KB

MD5
f243bf8ce9cd5f8262692f0af91c0538

SHA1
36150a586f2c9cd51c35b05877ef027a2661663b

SHA256
9613281632899c8897b1ee47736c6b0779af720130b5ef2474300b392f09763f

SHA512
e0f9558b4b277a40016a18fd5775d6b96d1841e2f790ca3b21999b1bd9e13286ef12829730a70df6d53898b59bfef60bfa2773fd846c86f5b09131787a27a95e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\f4143963.exe

Filesize
145KB

MD5
f243bf8ce9cd5f8262692f0af91c0538

SHA1
36150a586f2c9cd51c35b05877ef027a2661663b

SHA256
9613281632899c8897b1ee47736c6b0779af720130b5ef2474300b392f09763f

SHA512
e0f9558b4b277a40016a18fd5775d6b96d1841e2f790ca3b21999b1bd9e13286ef12829730a70df6d53898b59bfef60bfa2773fd846c86f5b09131787a27a95e

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\x8990858.exe

Filesize
751KB

MD5
9bfa7df2fa0fdb8df14c63c945c7397f

SHA1
b7c3a4473823732ad0d604b31a7569702c1821d9

SHA256
5c22b84364940c1524dd9601f7d55c515e23404bfcc18456ce35b069bf09f1c2

SHA512
95b54e9fc0b5355c855c7148f5580def91d7ab3cc30527a3769ae1cfe48147721285408eaacd3b9e1d243f47615d0556ab0caec70cd2a6c8431acdca07454767

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\x8990858.exe

Filesize
751KB

MD5
9bfa7df2fa0fdb8df14c63c945c7397f

SHA1
b7c3a4473823732ad0d604b31a7569702c1821d9

SHA256
5c22b84364940c1524dd9601f7d55c515e23404bfcc18456ce35b069bf09f1c2

SHA512
95b54e9fc0b5355c855c7148f5580def91d7ab3cc30527a3769ae1cfe48147721285408eaacd3b9e1d243f47615d0556ab0caec70cd2a6c8431acdca07454767

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\x8796060.exe

Filesize
306KB

MD5
d0c73ff4cb39c3f5d79a715731595bfc

SHA1
4f53335909be8d1f3d98cf00284c06468a826f07

SHA256
905c0c89b2b689af2d83b4382b045275ef8404bae28f3f432dd19f5ca151b0c7

SHA512
fe1de6f073a934d64b102f12a717581c5941fb311ace6c066999cf7aafe81e39526ab019f56f1e70d8ff4134433abb858b59dd091cb7f38ef73d6d51177a86c9

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\x8796060.exe

Filesize
306KB

MD5
d0c73ff4cb39c3f5d79a715731595bfc

SHA1
4f53335909be8d1f3d98cf00284c06468a826f07

SHA256
905c0c89b2b689af2d83b4382b045275ef8404bae28f3f432dd19f5ca151b0c7

SHA512
fe1de6f073a934d64b102f12a717581c5941fb311ace6c066999cf7aafe81e39526ab019f56f1e70d8ff4134433abb858b59dd091cb7f38ef73d6d51177a86c9

Download Submit
\Users\Admin\AppData\Local\Temp\IXP002.TMP\f4143963.exe

Filesize
145KB

MD5
f243bf8ce9cd5f8262692f0af91c0538

SHA1
36150a586f2c9cd51c35b05877ef027a2661663b

SHA256
9613281632899c8897b1ee47736c6b0779af720130b5ef2474300b392f09763f

SHA512
e0f9558b4b277a40016a18fd5775d6b96d1841e2f790ca3b21999b1bd9e13286ef12829730a70df6d53898b59bfef60bfa2773fd846c86f5b09131787a27a95e

Download Submit
\Users\Admin\AppData\Local\Temp\IXP002.TMP\f4143963.exe

Filesize
145KB

MD5
f243bf8ce9cd5f8262692f0af91c0538

SHA1
36150a586f2c9cd51c35b05877ef027a2661663b

SHA256
9613281632899c8897b1ee47736c6b0779af720130b5ef2474300b392f09763f

SHA512
e0f9558b4b277a40016a18fd5775d6b96d1841e2f790ca3b21999b1bd9e13286ef12829730a70df6d53898b59bfef60bfa2773fd846c86f5b09131787a27a95e

Download Submit
memory/544-84-0x0000000001230000-0x000000000125A000-memory.dmp

Filesize
168KB

Download
memory/544-85-0x0000000004EF0000-0x0000000004F30000-memory.dmp

Filesize
256KB

Download
memory/544-86-0x0000000004EF0000-0x0000000004F30000-memory.dmp

Filesize
256KB

Download