redline | b70e66fa33db12eb2d481c18e7ab9f1750d94b90367b757f5f2e78b094deb584

Analysis

max time kernel
296s
max time network
301s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
29/05/2023, 04:48

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

b70e66fa33db12eb2d481c18e7ab9f1750d94b90367b757f5f2e78b094deb584.exe
Size

917KB
MD5

97cdc775f58ec1cc9e2aaed80efb5fce
SHA1

2a16acbcb1a5837469f7ffa5f45259a6d1211a4c
SHA256

b70e66fa33db12eb2d481c18e7ab9f1750d94b90367b757f5f2e78b094deb584
SHA512

78c74e8894681332a7cf9cb0ce8736269e36db364233b245cfe9e287473c845c687ae42107ed5342782c8065ff30b64cf02c0fc5b962cf0b67307c9ba4c0c755
SSDEEP

24576:1y3VPKYyzbemTQmGvqTTHclbrNu0ymRy82kkyQEZZM:Q3Xab1TQHMHclqmrlQE

Score

10^/10

redline diza infostealer persistence

Malware Config

Extracted

Family

redline

Botnet

diza

83.97.73.122:19062

Attributes

auth_value
0d09b419c8bc967f91c68be4a17e92ee

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Executes dropped EXE 3 IoCs

pid	Process
2032	x9438413.exe
1692	x2886438.exe
1340	f9795298.exe

Loads dropped DLL 6 IoCs

pid	Process
1124	b70e66fa33db12eb2d481c18e7ab9f1750d94b90367b757f5f2e78b094deb584.exe
2032	x9438413.exe
2032	x9438413.exe
1692	x2886438.exe
1692	x2886438.exe
1340	f9795298.exe

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	x2886438.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	b70e66fa33db12eb2d481c18e7ab9f1750d94b90367b757f5f2e78b094deb584.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	b70e66fa33db12eb2d481c18e7ab9f1750d94b90367b757f5f2e78b094deb584.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	x9438413.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	x9438413.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	x2886438.exe

Suspicious use of WriteProcessMemory 21 IoCs

description	pid	Process	procid_target
PID 1124 wrote to memory of 2032	1124	b70e66fa33db12eb2d481c18e7ab9f1750d94b90367b757f5f2e78b094deb584.exe	28
PID 1124 wrote to memory of 2032	1124	b70e66fa33db12eb2d481c18e7ab9f1750d94b90367b757f5f2e78b094deb584.exe	28
PID 1124 wrote to memory of 2032	1124	b70e66fa33db12eb2d481c18e7ab9f1750d94b90367b757f5f2e78b094deb584.exe	28
PID 1124 wrote to memory of 2032	1124	b70e66fa33db12eb2d481c18e7ab9f1750d94b90367b757f5f2e78b094deb584.exe	28
PID 1124 wrote to memory of 2032	1124	b70e66fa33db12eb2d481c18e7ab9f1750d94b90367b757f5f2e78b094deb584.exe	28
PID 1124 wrote to memory of 2032	1124	b70e66fa33db12eb2d481c18e7ab9f1750d94b90367b757f5f2e78b094deb584.exe	28
PID 1124 wrote to memory of 2032	1124	b70e66fa33db12eb2d481c18e7ab9f1750d94b90367b757f5f2e78b094deb584.exe	28
PID 2032 wrote to memory of 1692	2032	x9438413.exe	29
PID 2032 wrote to memory of 1692	2032	x9438413.exe	29
PID 2032 wrote to memory of 1692	2032	x9438413.exe	29
PID 2032 wrote to memory of 1692	2032	x9438413.exe	29
PID 2032 wrote to memory of 1692	2032	x9438413.exe	29
PID 2032 wrote to memory of 1692	2032	x9438413.exe	29
PID 2032 wrote to memory of 1692	2032	x9438413.exe	29
PID 1692 wrote to memory of 1340	1692	x2886438.exe	30
PID 1692 wrote to memory of 1340	1692	x2886438.exe	30
PID 1692 wrote to memory of 1340	1692	x2886438.exe	30
PID 1692 wrote to memory of 1340	1692	x2886438.exe	30
PID 1692 wrote to memory of 1340	1692	x2886438.exe	30
PID 1692 wrote to memory of 1340	1692	x2886438.exe	30
PID 1692 wrote to memory of 1340	1692	x2886438.exe	30

C:\Users\Admin\AppData\Local\Temp\b70e66fa33db12eb2d481c18e7ab9f1750d94b90367b757f5f2e78b094deb584.exe
"C:\Users\Admin\AppData\Local\Temp\b70e66fa33db12eb2d481c18e7ab9f1750d94b90367b757f5f2e78b094deb584.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1124
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x9438413.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x9438413.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:2032
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x2886438.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x2886438.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:1692
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\f9795298.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\f9795298.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:1340

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x9438413.exe

Filesize
637KB

MD5
499dc670295a1410da3b0ecb21bef749

SHA1
89aa438a09882d3992174423d58875c72270590c

SHA256
d7d294a965943df32f5a1c9c563b468023d7c857bdc447c76a12bf696f4245e1

SHA512
fddb2d634f36ba6527ab15ef5e54abc541d7194ac18b17620ec282121df8b3fbdacf802b5649aa27fe0983c3a6dbb25f2d50f7fc24740315834cfecd7f72dba2

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x9438413.exe

Filesize
637KB

MD5
499dc670295a1410da3b0ecb21bef749

SHA1
89aa438a09882d3992174423d58875c72270590c

SHA256
d7d294a965943df32f5a1c9c563b468023d7c857bdc447c76a12bf696f4245e1

SHA512
fddb2d634f36ba6527ab15ef5e54abc541d7194ac18b17620ec282121df8b3fbdacf802b5649aa27fe0983c3a6dbb25f2d50f7fc24740315834cfecd7f72dba2

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x2886438.exe

Filesize
193KB

MD5
ae1b60f393743ae8a8a04d3c6254beeb

SHA1
4472c036a6c3d3ef4d630e9a1232c039b2222a40

SHA256
b34796432019ad9fe872ff77cbae224a84dbf625cee8b09aff768b8a0f32116f

SHA512
99ef0d224fd151232348dbb352a70f5c6a096dee9941e090e29909ee630013f52a4abe43c46b2927c5150e96450b0205bad90609104249596830d951d38d3f6e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x2886438.exe

Filesize
193KB

MD5
ae1b60f393743ae8a8a04d3c6254beeb

SHA1
4472c036a6c3d3ef4d630e9a1232c039b2222a40

SHA256
b34796432019ad9fe872ff77cbae224a84dbf625cee8b09aff768b8a0f32116f

SHA512
99ef0d224fd151232348dbb352a70f5c6a096dee9941e090e29909ee630013f52a4abe43c46b2927c5150e96450b0205bad90609104249596830d951d38d3f6e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\f9795298.exe

Filesize
145KB

MD5
ce072f1f7f37f1c0d9ee5f5e61938c38

SHA1
1a9767649eee91ba9d031f2bdb96992af986890e

SHA256
09d41d9bdb6441dcde0737e1843647685e9f556a3ca6edb5079fe8809a0c1418

SHA512
13157876217cbc912008512e5473adcdb244082d61e537121ce9f2732d8701ad9ee140a334dbde7d60382815dccf87b7f31a233c4f0fa8647ae54fd200d68dfb

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\f9795298.exe

Filesize
145KB

MD5
ce072f1f7f37f1c0d9ee5f5e61938c38

SHA1
1a9767649eee91ba9d031f2bdb96992af986890e

SHA256
09d41d9bdb6441dcde0737e1843647685e9f556a3ca6edb5079fe8809a0c1418

SHA512
13157876217cbc912008512e5473adcdb244082d61e537121ce9f2732d8701ad9ee140a334dbde7d60382815dccf87b7f31a233c4f0fa8647ae54fd200d68dfb

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\x9438413.exe

Filesize
637KB

MD5
499dc670295a1410da3b0ecb21bef749

SHA1
89aa438a09882d3992174423d58875c72270590c

SHA256
d7d294a965943df32f5a1c9c563b468023d7c857bdc447c76a12bf696f4245e1

SHA512
fddb2d634f36ba6527ab15ef5e54abc541d7194ac18b17620ec282121df8b3fbdacf802b5649aa27fe0983c3a6dbb25f2d50f7fc24740315834cfecd7f72dba2

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\x9438413.exe

Filesize
637KB

MD5
499dc670295a1410da3b0ecb21bef749

SHA1
89aa438a09882d3992174423d58875c72270590c

SHA256
d7d294a965943df32f5a1c9c563b468023d7c857bdc447c76a12bf696f4245e1

SHA512
fddb2d634f36ba6527ab15ef5e54abc541d7194ac18b17620ec282121df8b3fbdacf802b5649aa27fe0983c3a6dbb25f2d50f7fc24740315834cfecd7f72dba2

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\x2886438.exe

Filesize
193KB

MD5
ae1b60f393743ae8a8a04d3c6254beeb

SHA1
4472c036a6c3d3ef4d630e9a1232c039b2222a40

SHA256
b34796432019ad9fe872ff77cbae224a84dbf625cee8b09aff768b8a0f32116f

SHA512
99ef0d224fd151232348dbb352a70f5c6a096dee9941e090e29909ee630013f52a4abe43c46b2927c5150e96450b0205bad90609104249596830d951d38d3f6e

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\x2886438.exe

Filesize
193KB

MD5
ae1b60f393743ae8a8a04d3c6254beeb

SHA1
4472c036a6c3d3ef4d630e9a1232c039b2222a40

SHA256
b34796432019ad9fe872ff77cbae224a84dbf625cee8b09aff768b8a0f32116f

SHA512
99ef0d224fd151232348dbb352a70f5c6a096dee9941e090e29909ee630013f52a4abe43c46b2927c5150e96450b0205bad90609104249596830d951d38d3f6e

Download Submit
\Users\Admin\AppData\Local\Temp\IXP002.TMP\f9795298.exe

Filesize
145KB

MD5
ce072f1f7f37f1c0d9ee5f5e61938c38

SHA1
1a9767649eee91ba9d031f2bdb96992af986890e

SHA256
09d41d9bdb6441dcde0737e1843647685e9f556a3ca6edb5079fe8809a0c1418

SHA512
13157876217cbc912008512e5473adcdb244082d61e537121ce9f2732d8701ad9ee140a334dbde7d60382815dccf87b7f31a233c4f0fa8647ae54fd200d68dfb

Download Submit
\Users\Admin\AppData\Local\Temp\IXP002.TMP\f9795298.exe

Filesize
145KB

MD5
ce072f1f7f37f1c0d9ee5f5e61938c38

SHA1
1a9767649eee91ba9d031f2bdb96992af986890e

SHA256
09d41d9bdb6441dcde0737e1843647685e9f556a3ca6edb5079fe8809a0c1418

SHA512
13157876217cbc912008512e5473adcdb244082d61e537121ce9f2732d8701ad9ee140a334dbde7d60382815dccf87b7f31a233c4f0fa8647ae54fd200d68dfb

Download Submit
memory/1340-84-0x00000000013C0000-0x00000000013EA000-memory.dmp

Filesize
168KB

Download
memory/1340-85-0x0000000000740000-0x0000000000780000-memory.dmp

Filesize
256KB

Download
memory/1340-86-0x0000000000740000-0x0000000000780000-memory.dmp

Filesize
256KB

Download