redline | 640412edccb9426e721e3c5a0783fdb94337b0ddf9a1c1e53e178d15d415bef6

Resubmissions

29/05/2023, 05:07

230529-fsb5gshg56 10

22/05/2023, 02:58

230522-dgjdbage8y 10

Analysis

max time kernel
290s
max time network
300s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
29/05/2023, 05:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

640412edccb9426e721e3c5a0783fdb94337b0ddf9a1c1e53e178d15d415bef6.exe
Size

1.0MB
MD5

0713965d193cb15fafa35e5e0800971f
SHA1

f23268a4833b212ebee732585e128f6fb94bce85
SHA256

640412edccb9426e721e3c5a0783fdb94337b0ddf9a1c1e53e178d15d415bef6
SHA512

580ccae3dd580c77a6ca6cc6ca0ec78a33c770232af260dc5bb666a58f144d819cce4e736f7edda51893f22ab455272b2cd4ab8c53228ab71f71c20435d86f9c
SSDEEP

24576:5yxYNxdtODEWW+IbVCUvQP2XeRpvn5jVyjLLIcs/5B:sul7AOIUvQPdvn5jkjLLQ/

Score

10^/10

redline diza infostealer persistence

Malware Config

Extracted

Family

redline

Botnet

diza

185.161.248.37:4138

Attributes

auth_value
0d09b419c8bc967f91c68be4a17e92ee

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Executes dropped EXE 3 IoCs

pid	Process
4696	x6331748.exe
1648	x5717471.exe
1476	f5995073.exe

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	640412edccb9426e721e3c5a0783fdb94337b0ddf9a1c1e53e178d15d415bef6.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	640412edccb9426e721e3c5a0783fdb94337b0ddf9a1c1e53e178d15d415bef6.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	x6331748.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	x6331748.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	x5717471.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	x5717471.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 2516 wrote to memory of 4696	2516	640412edccb9426e721e3c5a0783fdb94337b0ddf9a1c1e53e178d15d415bef6.exe	85
PID 2516 wrote to memory of 4696	2516	640412edccb9426e721e3c5a0783fdb94337b0ddf9a1c1e53e178d15d415bef6.exe	85
PID 2516 wrote to memory of 4696	2516	640412edccb9426e721e3c5a0783fdb94337b0ddf9a1c1e53e178d15d415bef6.exe	85
PID 4696 wrote to memory of 1648	4696	x6331748.exe	86
PID 4696 wrote to memory of 1648	4696	x6331748.exe	86
PID 4696 wrote to memory of 1648	4696	x6331748.exe	86
PID 1648 wrote to memory of 1476	1648	x5717471.exe	87
PID 1648 wrote to memory of 1476	1648	x5717471.exe	87
PID 1648 wrote to memory of 1476	1648	x5717471.exe	87

C:\Users\Admin\AppData\Local\Temp\640412edccb9426e721e3c5a0783fdb94337b0ddf9a1c1e53e178d15d415bef6.exe
"C:\Users\Admin\AppData\Local\Temp\640412edccb9426e721e3c5a0783fdb94337b0ddf9a1c1e53e178d15d415bef6.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2516
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x6331748.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x6331748.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:4696
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x5717471.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x5717471.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:1648
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\f5995073.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\f5995073.exe
      4⤵
      Executes dropped EXE
      PID:1476

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x6331748.exe

Filesize
751KB

MD5
038596bd6141a019b9561b762f311668

SHA1
3b7088bdd57fb4b827b005f09689dd6e891b266a

SHA256
f8f51964a3bfb5bbb4be18300fd45ab0afe2c464f5741d49c9973dab66fe5de8

SHA512
be29da6fa9160dfabed64f56070b29fee110a987634db09a6d0ce09ca66fd0013a1a9251492e0a24b3c0b55f73fdb8668ddec0980dc0a89a759f226b7502bf85

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x6331748.exe

Filesize
751KB

MD5
038596bd6141a019b9561b762f311668

SHA1
3b7088bdd57fb4b827b005f09689dd6e891b266a

SHA256
f8f51964a3bfb5bbb4be18300fd45ab0afe2c464f5741d49c9973dab66fe5de8

SHA512
be29da6fa9160dfabed64f56070b29fee110a987634db09a6d0ce09ca66fd0013a1a9251492e0a24b3c0b55f73fdb8668ddec0980dc0a89a759f226b7502bf85

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x5717471.exe

Filesize
306KB

MD5
9aede45b6494fabfffd47b7c27fb3386

SHA1
5ea949a7093dbc4891d5f0ecbd66ee4f5e8298fd

SHA256
840f0efaaa6a36f9e107f7d2018f2c11ae7c2885a68df3306ce70b410f0153ee

SHA512
ff63eda3874244cc6b990894153a1b4bd7fd5fe3f8910f79f7c4e19304af5a63cd5b2de28881904d7a1ecb78517a0cf2707e10b5465a34b8d2e0fc24009660c1

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x5717471.exe

Filesize
306KB

MD5
9aede45b6494fabfffd47b7c27fb3386

SHA1
5ea949a7093dbc4891d5f0ecbd66ee4f5e8298fd

SHA256
840f0efaaa6a36f9e107f7d2018f2c11ae7c2885a68df3306ce70b410f0153ee

SHA512
ff63eda3874244cc6b990894153a1b4bd7fd5fe3f8910f79f7c4e19304af5a63cd5b2de28881904d7a1ecb78517a0cf2707e10b5465a34b8d2e0fc24009660c1

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\f5995073.exe

Filesize
145KB

MD5
d50db612feff66c1d620e4f5c1bf5d30

SHA1
ec8f3147827768f17580657734de0d900108347d

SHA256
dc535e0514411507f196c50fd7f9d0c541d8d9852f27354f80702bfec67b0b5d

SHA512
812ece14230326a45411f24b2806793ea818b1f7757b70a7070c887c79b7c14e9adc50384c883e4ac186d6ddb7c0c56a0a2961d539eb8444d88813bf2762c370

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\f5995073.exe

Filesize
145KB

MD5
d50db612feff66c1d620e4f5c1bf5d30

SHA1
ec8f3147827768f17580657734de0d900108347d

SHA256
dc535e0514411507f196c50fd7f9d0c541d8d9852f27354f80702bfec67b0b5d

SHA512
812ece14230326a45411f24b2806793ea818b1f7757b70a7070c887c79b7c14e9adc50384c883e4ac186d6ddb7c0c56a0a2961d539eb8444d88813bf2762c370

Download Submit
memory/1476-154-0x00000000004D0000-0x00000000004FA000-memory.dmp

Filesize
168KB

Download
memory/1476-155-0x00000000053F0000-0x0000000005A08000-memory.dmp

Filesize
6.1MB

Download
memory/1476-156-0x0000000004F70000-0x000000000507A000-memory.dmp

Filesize
1.0MB

Download
memory/1476-157-0x0000000004EA0000-0x0000000004EB2000-memory.dmp

Filesize
72KB

Download
memory/1476-158-0x0000000004F30000-0x0000000004F6C000-memory.dmp

Filesize
240KB

Download
memory/1476-159-0x0000000004EE0000-0x0000000004EF0000-memory.dmp

Filesize
64KB

Download
memory/1476-160-0x0000000004EE0000-0x0000000004EF0000-memory.dmp

Filesize
64KB

Download