redline | 159463dee43611455ae7edebf0518f670a39926c405b2c37fadf6dd196a3b1f5

Analysis

max time kernel
142s
max time network
148s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
23-05-2023 02:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d6e45d6b938e6eff9382d0b1c5ac247b1064a39eb79aa830e3b61470157b333c.exe
Size

1.0MB
MD5

fce7ead3250bc1287c04c213d43dcc29
SHA1

22ef077ef6dff28dc5b6cd35f162b892e4186a10
SHA256

d6e45d6b938e6eff9382d0b1c5ac247b1064a39eb79aa830e3b61470157b333c
SHA512

b8056f891f91e1c949a620351028999e8422c1315d19ccc2c9085f58470d6ee36e9e5ea93b50920c4419f51206ab8a062cc760bf4f42dff80051e2bd6e8e1634
SSDEEP

24576:ly0swK5sbyRwk70RsYl4CNKBufT30Tuk7/b:AiK5sbywl4C7fT30TT/

Score

10^/10

redline diza infostealer persistence

Malware Config

Extracted

Family

redline

Botnet

diza

185.161.248.37:4138

Attributes

auth_value
0d09b419c8bc967f91c68be4a17e92ee

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Executes dropped EXE 3 IoCs

pid	Process
1072	x6812573.exe
1612	x1063049.exe
512	f0110514.exe

Loads dropped DLL 6 IoCs

pid	Process
1684	d6e45d6b938e6eff9382d0b1c5ac247b1064a39eb79aa830e3b61470157b333c.exe
1072	x6812573.exe
1072	x6812573.exe
1612	x1063049.exe
1612	x1063049.exe
512	f0110514.exe

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	d6e45d6b938e6eff9382d0b1c5ac247b1064a39eb79aa830e3b61470157b333c.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	x6812573.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	x6812573.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	x1063049.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	x1063049.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	d6e45d6b938e6eff9382d0b1c5ac247b1064a39eb79aa830e3b61470157b333c.exe

Suspicious use of WriteProcessMemory 21 IoCs

description	pid	Process	procid_target
PID 1684 wrote to memory of 1072	1684	d6e45d6b938e6eff9382d0b1c5ac247b1064a39eb79aa830e3b61470157b333c.exe	28
PID 1684 wrote to memory of 1072	1684	d6e45d6b938e6eff9382d0b1c5ac247b1064a39eb79aa830e3b61470157b333c.exe	28
PID 1684 wrote to memory of 1072	1684	d6e45d6b938e6eff9382d0b1c5ac247b1064a39eb79aa830e3b61470157b333c.exe	28
PID 1684 wrote to memory of 1072	1684	d6e45d6b938e6eff9382d0b1c5ac247b1064a39eb79aa830e3b61470157b333c.exe	28
PID 1684 wrote to memory of 1072	1684	d6e45d6b938e6eff9382d0b1c5ac247b1064a39eb79aa830e3b61470157b333c.exe	28
PID 1684 wrote to memory of 1072	1684	d6e45d6b938e6eff9382d0b1c5ac247b1064a39eb79aa830e3b61470157b333c.exe	28
PID 1684 wrote to memory of 1072	1684	d6e45d6b938e6eff9382d0b1c5ac247b1064a39eb79aa830e3b61470157b333c.exe	28
PID 1072 wrote to memory of 1612	1072	x6812573.exe	29
PID 1072 wrote to memory of 1612	1072	x6812573.exe	29
PID 1072 wrote to memory of 1612	1072	x6812573.exe	29
PID 1072 wrote to memory of 1612	1072	x6812573.exe	29
PID 1072 wrote to memory of 1612	1072	x6812573.exe	29
PID 1072 wrote to memory of 1612	1072	x6812573.exe	29
PID 1072 wrote to memory of 1612	1072	x6812573.exe	29
PID 1612 wrote to memory of 512	1612	x1063049.exe	30
PID 1612 wrote to memory of 512	1612	x1063049.exe	30
PID 1612 wrote to memory of 512	1612	x1063049.exe	30
PID 1612 wrote to memory of 512	1612	x1063049.exe	30
PID 1612 wrote to memory of 512	1612	x1063049.exe	30
PID 1612 wrote to memory of 512	1612	x1063049.exe	30
PID 1612 wrote to memory of 512	1612	x1063049.exe	30

C:\Users\Admin\AppData\Local\Temp\d6e45d6b938e6eff9382d0b1c5ac247b1064a39eb79aa830e3b61470157b333c.exe
"C:\Users\Admin\AppData\Local\Temp\d6e45d6b938e6eff9382d0b1c5ac247b1064a39eb79aa830e3b61470157b333c.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1684
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x6812573.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x6812573.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:1072
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x1063049.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x1063049.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:1612
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\f0110514.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\f0110514.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:512

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x6812573.exe

Filesize
750KB

MD5
b257595d03be6b826840ea537e81aa42

SHA1
c5149980fe35cfd3f4a8872b979d8c349806b153

SHA256
67387b3872f52711edc35b0ed1e0bf9c4dbfb5912456d05d87ec9c99745b3314

SHA512
f68276a405b8aedd55ecb61c1d3d520b4866eee33621fdd10d1ea7de24720635bcdf5a5f31a7b65f37042ef7e62cafa7bbbf88f8915392e24d56b573ca663ad2

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x6812573.exe

Filesize
750KB

MD5
b257595d03be6b826840ea537e81aa42

SHA1
c5149980fe35cfd3f4a8872b979d8c349806b153

SHA256
67387b3872f52711edc35b0ed1e0bf9c4dbfb5912456d05d87ec9c99745b3314

SHA512
f68276a405b8aedd55ecb61c1d3d520b4866eee33621fdd10d1ea7de24720635bcdf5a5f31a7b65f37042ef7e62cafa7bbbf88f8915392e24d56b573ca663ad2

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x1063049.exe

Filesize
306KB

MD5
4a6d892e19b4282ff786846a57cd9c33

SHA1
b76e085b4f481645a3c2d2b64e981055977fcb26

SHA256
f9f853a015d03b5061d2f8e18b1fc1b9e64c3bb3f6cfe2ce59a84bcb227916f0

SHA512
2e081f8ee1b0d94ac4aa55166891624d1b97333d7ce364e65aac6ba64b1d6203ddfe221299f041a5fdc04fb42a5d785bbdfef1b65f72ac605cd5ecf44243c420

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x1063049.exe

Filesize
306KB

MD5
4a6d892e19b4282ff786846a57cd9c33

SHA1
b76e085b4f481645a3c2d2b64e981055977fcb26

SHA256
f9f853a015d03b5061d2f8e18b1fc1b9e64c3bb3f6cfe2ce59a84bcb227916f0

SHA512
2e081f8ee1b0d94ac4aa55166891624d1b97333d7ce364e65aac6ba64b1d6203ddfe221299f041a5fdc04fb42a5d785bbdfef1b65f72ac605cd5ecf44243c420

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\f0110514.exe

Filesize
145KB

MD5
cad0d4be9a373f885268cd327fda3287

SHA1
bea0c8184d58bf7858726658388101ead94711b0

SHA256
21da48888a06870f5c9858b03faf5a54ac7ece380c1aba85951a14f1ba9c81cc

SHA512
dea126ed566661f6900c9976421753a63b217728d8d94b1d4bc029bcd8954e61cfb05df743b96856d0cd2f1f2fc7b9f47d01d78ac632709e777f6c3dbbf4eefb

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\f0110514.exe

Filesize
145KB

MD5
cad0d4be9a373f885268cd327fda3287

SHA1
bea0c8184d58bf7858726658388101ead94711b0

SHA256
21da48888a06870f5c9858b03faf5a54ac7ece380c1aba85951a14f1ba9c81cc

SHA512
dea126ed566661f6900c9976421753a63b217728d8d94b1d4bc029bcd8954e61cfb05df743b96856d0cd2f1f2fc7b9f47d01d78ac632709e777f6c3dbbf4eefb

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\x6812573.exe

Filesize
750KB

MD5
b257595d03be6b826840ea537e81aa42

SHA1
c5149980fe35cfd3f4a8872b979d8c349806b153

SHA256
67387b3872f52711edc35b0ed1e0bf9c4dbfb5912456d05d87ec9c99745b3314

SHA512
f68276a405b8aedd55ecb61c1d3d520b4866eee33621fdd10d1ea7de24720635bcdf5a5f31a7b65f37042ef7e62cafa7bbbf88f8915392e24d56b573ca663ad2

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\x6812573.exe

Filesize
750KB

MD5
b257595d03be6b826840ea537e81aa42

SHA1
c5149980fe35cfd3f4a8872b979d8c349806b153

SHA256
67387b3872f52711edc35b0ed1e0bf9c4dbfb5912456d05d87ec9c99745b3314

SHA512
f68276a405b8aedd55ecb61c1d3d520b4866eee33621fdd10d1ea7de24720635bcdf5a5f31a7b65f37042ef7e62cafa7bbbf88f8915392e24d56b573ca663ad2

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\x1063049.exe

Filesize
306KB

MD5
4a6d892e19b4282ff786846a57cd9c33

SHA1
b76e085b4f481645a3c2d2b64e981055977fcb26

SHA256
f9f853a015d03b5061d2f8e18b1fc1b9e64c3bb3f6cfe2ce59a84bcb227916f0

SHA512
2e081f8ee1b0d94ac4aa55166891624d1b97333d7ce364e65aac6ba64b1d6203ddfe221299f041a5fdc04fb42a5d785bbdfef1b65f72ac605cd5ecf44243c420

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\x1063049.exe

Filesize
306KB

MD5
4a6d892e19b4282ff786846a57cd9c33

SHA1
b76e085b4f481645a3c2d2b64e981055977fcb26

SHA256
f9f853a015d03b5061d2f8e18b1fc1b9e64c3bb3f6cfe2ce59a84bcb227916f0

SHA512
2e081f8ee1b0d94ac4aa55166891624d1b97333d7ce364e65aac6ba64b1d6203ddfe221299f041a5fdc04fb42a5d785bbdfef1b65f72ac605cd5ecf44243c420

Download Submit
\Users\Admin\AppData\Local\Temp\IXP002.TMP\f0110514.exe

Filesize
145KB

MD5
cad0d4be9a373f885268cd327fda3287

SHA1
bea0c8184d58bf7858726658388101ead94711b0

SHA256
21da48888a06870f5c9858b03faf5a54ac7ece380c1aba85951a14f1ba9c81cc

SHA512
dea126ed566661f6900c9976421753a63b217728d8d94b1d4bc029bcd8954e61cfb05df743b96856d0cd2f1f2fc7b9f47d01d78ac632709e777f6c3dbbf4eefb

Download Submit
\Users\Admin\AppData\Local\Temp\IXP002.TMP\f0110514.exe

Filesize
145KB

MD5
cad0d4be9a373f885268cd327fda3287

SHA1
bea0c8184d58bf7858726658388101ead94711b0

SHA256
21da48888a06870f5c9858b03faf5a54ac7ece380c1aba85951a14f1ba9c81cc

SHA512
dea126ed566661f6900c9976421753a63b217728d8d94b1d4bc029bcd8954e61cfb05df743b96856d0cd2f1f2fc7b9f47d01d78ac632709e777f6c3dbbf4eefb

Download Submit
memory/512-84-0x0000000000250000-0x000000000027A000-memory.dmp

Filesize
168KB

Download
memory/512-85-0x0000000004F10000-0x0000000004F50000-memory.dmp

Filesize
256KB

Download
memory/512-86-0x0000000004F10000-0x0000000004F50000-memory.dmp

Filesize
256KB

Download