redline | 1465454cc2ff89b93fa9873d36315b7ec9459020f293d685086fe256354dcce5

General

Target

1465454cc2ff89b93fa9873d36315b7ec9459020f293d685086fe256354dcce5.exe
Size

767KB
MD5

fed721f6c9c55a060c5fda791a753264
SHA1

ae54e3aa6ea4821466b6e5b2e53b5b60f97e4d41
SHA256

1465454cc2ff89b93fa9873d36315b7ec9459020f293d685086fe256354dcce5
SHA512

462b40469bba555c67187ed73ec98524cefbca48a7aa80fa0f547a71448c0c67864295b01bf500986d732cbef0fc1d3111bfc5f0c414d88a190ed1498cba785b
SSDEEP

12288:BMr2y90dN23vlNaPpKkXX2ABwradCgRbJPOmqT8+fYRBCI2agS+fyav1sjWqERe0:/y+GNaPDn0dgnhqoWsBCnaf+aQsjMZ

Score

10^/10

redline dina infostealer persistence

Malware Config

Extracted

Family

redline

Botnet

dina

C2

83.97.73.122:19062

Attributes

auth_value
4f77073adc624269de1bff760b9bc471

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Executes dropped EXE 3 IoCs

pid	Process
3620	x9887455.exe
3940	x4616995.exe
4184	f8505935.exe

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	x4616995.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	x4616995.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	1465454cc2ff89b93fa9873d36315b7ec9459020f293d685086fe256354dcce5.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	1465454cc2ff89b93fa9873d36315b7ec9459020f293d685086fe256354dcce5.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	x9887455.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	x9887455.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 5104 wrote to memory of 3620	5104	1465454cc2ff89b93fa9873d36315b7ec9459020f293d685086fe256354dcce5.exe	66
PID 5104 wrote to memory of 3620	5104	1465454cc2ff89b93fa9873d36315b7ec9459020f293d685086fe256354dcce5.exe	66
PID 5104 wrote to memory of 3620	5104	1465454cc2ff89b93fa9873d36315b7ec9459020f293d685086fe256354dcce5.exe	66
PID 3620 wrote to memory of 3940	3620	x9887455.exe	67
PID 3620 wrote to memory of 3940	3620	x9887455.exe	67
PID 3620 wrote to memory of 3940	3620	x9887455.exe	67
PID 3940 wrote to memory of 4184	3940	x4616995.exe	68
PID 3940 wrote to memory of 4184	3940	x4616995.exe	68
PID 3940 wrote to memory of 4184	3940	x4616995.exe	68

C:\Users\Admin\AppData\Local\Temp\1465454cc2ff89b93fa9873d36315b7ec9459020f293d685086fe256354dcce5.exe
"C:\Users\Admin\AppData\Local\Temp\1465454cc2ff89b93fa9873d36315b7ec9459020f293d685086fe256354dcce5.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:5104
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x9887455.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x9887455.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:3620
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x4616995.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x4616995.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:3940
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\f8505935.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\f8505935.exe
      4⤵
      Executes dropped EXE
      PID:4184

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x9887455.exe

Filesize
448KB

MD5
638499621f53733a44ac673d98e11c4e

SHA1
a6915030e39fd3ed89da5c44b8afe40b30ddd5e1

SHA256
24f05c2e252da53cd4243ec3349bbf7c89899b2cd58ce51d784458d4c53c8936

SHA512
9afdfd84f3f4ea6811461ffe9bc14787f12e6372d6fa987b99615a81607c0613691450b9a609eaa14f1a1a019e9e5680ca3ff41abea26b4a488b9208d45f10c7

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x9887455.exe

Filesize
448KB

MD5
638499621f53733a44ac673d98e11c4e

SHA1
a6915030e39fd3ed89da5c44b8afe40b30ddd5e1

SHA256
24f05c2e252da53cd4243ec3349bbf7c89899b2cd58ce51d784458d4c53c8936

SHA512
9afdfd84f3f4ea6811461ffe9bc14787f12e6372d6fa987b99615a81607c0613691450b9a609eaa14f1a1a019e9e5680ca3ff41abea26b4a488b9208d45f10c7

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x4616995.exe

Filesize
276KB

MD5
40846ae14106c17bda1b832990721444

SHA1
8c8d3db06f29ede20210ed75e8961332e9b2ef73

SHA256
4556f1bf1513b5d03f932f2c39b32af20dc0a419e0d55afee3fc1bb0c96e5003

SHA512
3ae143032f64cb2b86b880e3dbedf6cd719bfa759be06694ed0f12e7d24c5d93cebf5291c25ec2d8a97e8128e2fba3e9c9d43d7d64c5dc616f0bf6d5d64fad2b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x4616995.exe

Filesize
276KB

MD5
40846ae14106c17bda1b832990721444

SHA1
8c8d3db06f29ede20210ed75e8961332e9b2ef73

SHA256
4556f1bf1513b5d03f932f2c39b32af20dc0a419e0d55afee3fc1bb0c96e5003

SHA512
3ae143032f64cb2b86b880e3dbedf6cd719bfa759be06694ed0f12e7d24c5d93cebf5291c25ec2d8a97e8128e2fba3e9c9d43d7d64c5dc616f0bf6d5d64fad2b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\f8505935.exe

Filesize
145KB

MD5
e813b50989e597d05247ee0beb4d3924

SHA1
a7f78ba1e25437173dc361a74b02f6ecd219a9b0

SHA256
17b482cd1428cdd5308db745f9b4cb12897e000349b654381192e23cd5f7a7eb

SHA512
ab52baa2a941afa4ed30c6abffa90cb8201ee80d3438bd56c7b7ac0af647eeb9b1da35b4eaf814d51a47b242db6194b106b6f04ffb2c5750686cd2f72f7a8bdd

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\f8505935.exe

Filesize
145KB

MD5
e813b50989e597d05247ee0beb4d3924

SHA1
a7f78ba1e25437173dc361a74b02f6ecd219a9b0

SHA256
17b482cd1428cdd5308db745f9b4cb12897e000349b654381192e23cd5f7a7eb

SHA512
ab52baa2a941afa4ed30c6abffa90cb8201ee80d3438bd56c7b7ac0af647eeb9b1da35b4eaf814d51a47b242db6194b106b6f04ffb2c5750686cd2f72f7a8bdd

Download Submit
memory/4184-138-0x00000000002C0000-0x00000000002EA000-memory.dmp

Filesize
168KB

Download
memory/4184-139-0x0000000005080000-0x0000000005686000-memory.dmp

Filesize
6.0MB

Download
memory/4184-140-0x0000000004BE0000-0x0000000004CEA000-memory.dmp

Filesize
1.0MB

Download
memory/4184-141-0x0000000004B10000-0x0000000004B22000-memory.dmp

Filesize
72KB

Download
memory/4184-142-0x0000000004EB0000-0x0000000004EC0000-memory.dmp

Filesize
64KB

Download
memory/4184-143-0x0000000004B70000-0x0000000004BAE000-memory.dmp

Filesize
248KB

Download
memory/4184-144-0x0000000004CF0000-0x0000000004D3B000-memory.dmp

Filesize
300KB

Download
memory/4184-145-0x0000000004EB0000-0x0000000004EC0000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing