redline | b6ceea7ed883d89c2d2031181fbaa690402b2bf122c97a4ffb0e63ec52342938

General

Target

b6ceea7ed883d89c2d2031181fbaa690402b2bf122c97a4ffb0e63ec52342938.exe
Size

580KB
MD5

eb9e20eebbe1ae66dfa0bb1f6b013a28
SHA1

6885766558055686f09800f94cb02adc7ce131a1
SHA256

b6ceea7ed883d89c2d2031181fbaa690402b2bf122c97a4ffb0e63ec52342938
SHA512

81a211f5bac6b22ef382413bb97afbe878f55d8e8785810dd5d443fd5638af825c4d0b764c85d9ddab8bac026b56782af1a182dac8e05dbced437cef1afe607f
SSDEEP

12288:GMruy90Cy3TH3Q9u/rexAYqU1lwQEBJwAX6+/K+gU4yxLMe:MymjHA9uz/ol9AX6Y41e

Score

10^/10

redline diza discovery infostealer persistence spyware stealer

Malware Config

Extracted

Family

redline

Botnet

diza

C2

83.97.73.126:19046

Attributes

auth_value
0d09b419c8bc967f91c68be4a17e92ee

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Executes dropped EXE 3 IoCs

pid	Process
1420	x1522164.exe
3360	x1922740.exe
4468	f5810304.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	x1922740.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	x1922740.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	b6ceea7ed883d89c2d2031181fbaa690402b2bf122c97a4ffb0e63ec52342938.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	b6ceea7ed883d89c2d2031181fbaa690402b2bf122c97a4ffb0e63ec52342938.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	x1522164.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	x1522164.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Suspicious behavior: EnumeratesProcesses 35 IoCs

pid	Process
4468	f5810304.exe
4468	f5810304.exe
4468	f5810304.exe
4468	f5810304.exe
4468	f5810304.exe
4468	f5810304.exe
4468	f5810304.exe
4468	f5810304.exe
4468	f5810304.exe
4468	f5810304.exe
4468	f5810304.exe
4468	f5810304.exe
4468	f5810304.exe
4468	f5810304.exe
4468	f5810304.exe
4468	f5810304.exe
4468	f5810304.exe
4468	f5810304.exe
4468	f5810304.exe
4468	f5810304.exe
4468	f5810304.exe
4468	f5810304.exe
4468	f5810304.exe
4468	f5810304.exe
4468	f5810304.exe
4468	f5810304.exe
4468	f5810304.exe
4468	f5810304.exe
4468	f5810304.exe
4468	f5810304.exe
4468	f5810304.exe
4468	f5810304.exe
4468	f5810304.exe
4468	f5810304.exe
4468	f5810304.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4468	f5810304.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 3200 wrote to memory of 1420	3200	b6ceea7ed883d89c2d2031181fbaa690402b2bf122c97a4ffb0e63ec52342938.exe	66
PID 3200 wrote to memory of 1420	3200	b6ceea7ed883d89c2d2031181fbaa690402b2bf122c97a4ffb0e63ec52342938.exe	66
PID 3200 wrote to memory of 1420	3200	b6ceea7ed883d89c2d2031181fbaa690402b2bf122c97a4ffb0e63ec52342938.exe	66
PID 1420 wrote to memory of 3360	1420	x1522164.exe	67
PID 1420 wrote to memory of 3360	1420	x1522164.exe	67
PID 1420 wrote to memory of 3360	1420	x1522164.exe	67
PID 3360 wrote to memory of 4468	3360	x1922740.exe	68
PID 3360 wrote to memory of 4468	3360	x1922740.exe	68
PID 3360 wrote to memory of 4468	3360	x1922740.exe	68

C:\Users\Admin\AppData\Local\Temp\b6ceea7ed883d89c2d2031181fbaa690402b2bf122c97a4ffb0e63ec52342938.exe
"C:\Users\Admin\AppData\Local\Temp\b6ceea7ed883d89c2d2031181fbaa690402b2bf122c97a4ffb0e63ec52342938.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3200
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x1522164.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x1522164.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:1420
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x1922740.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x1922740.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:3360
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\f5810304.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\f5810304.exe
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4468

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Credentials in Files

1

T1081

Discovery

Query Registry

1

T1012

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x1522164.exe

Filesize
377KB

MD5
11ff695c08f1547c1097b44ada7afbdf

SHA1
b28ca4e81701dc5fc925fb3dccd196b60919b546

SHA256
3ae2846bdf9f40cc5ef10e316f3003c0ea0c2b5e0f61ac4e7b39787a326240cb

SHA512
5bb0f219cdf94bf6d83eb3abeb10b4b7f7e65878c952217c060a8f2515b9a3081a5d7697ef6fda638f5100d77cd07cbec201c7fa8833c9cb3e3ff315452e612c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x1522164.exe

Filesize
377KB

MD5
11ff695c08f1547c1097b44ada7afbdf

SHA1
b28ca4e81701dc5fc925fb3dccd196b60919b546

SHA256
3ae2846bdf9f40cc5ef10e316f3003c0ea0c2b5e0f61ac4e7b39787a326240cb

SHA512
5bb0f219cdf94bf6d83eb3abeb10b4b7f7e65878c952217c060a8f2515b9a3081a5d7697ef6fda638f5100d77cd07cbec201c7fa8833c9cb3e3ff315452e612c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x1922740.exe

Filesize
206KB

MD5
5e680abdda8499432902ef50a81d1ece

SHA1
21f4600248acb1bf4023b2ca17b8a320fa6ccc96

SHA256
308286bc7a1e59cc9616f37693a0625ede05199d2b0c727d62226b581ff48091

SHA512
2a832c36a7372e86a0eb2cc05b72dee5d7c8c7bbad52a8725147c715d3459775ba6ca9c25d1dfe4f17a94129e108668b74d9b4834251468e15e25c1bff6fd1fe

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x1922740.exe

Filesize
206KB

MD5
5e680abdda8499432902ef50a81d1ece

SHA1
21f4600248acb1bf4023b2ca17b8a320fa6ccc96

SHA256
308286bc7a1e59cc9616f37693a0625ede05199d2b0c727d62226b581ff48091

SHA512
2a832c36a7372e86a0eb2cc05b72dee5d7c8c7bbad52a8725147c715d3459775ba6ca9c25d1dfe4f17a94129e108668b74d9b4834251468e15e25c1bff6fd1fe

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\f5810304.exe

Filesize
172KB

MD5
2f86770341481ecc4c4bc22bbeec37f4

SHA1
30a48ec5a8c5bf0c3d8225148fdf582a1d6ac4e0

SHA256
b36ffd7cd0e2c4ab53c2cbdce0e69d8ad448acb66162224a60b656f253e228a7

SHA512
3f4a6628d75d0801be335b3f5a9a2d1299dae6c9afe6f9851d0b015d8564eebe6c6b54e429c9220542ec8ebe05868534a63c1ac11e171ab9bb491af462390674

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\f5810304.exe

Filesize
172KB

MD5
2f86770341481ecc4c4bc22bbeec37f4

SHA1
30a48ec5a8c5bf0c3d8225148fdf582a1d6ac4e0

SHA256
b36ffd7cd0e2c4ab53c2cbdce0e69d8ad448acb66162224a60b656f253e228a7

SHA512
3f4a6628d75d0801be335b3f5a9a2d1299dae6c9afe6f9851d0b015d8564eebe6c6b54e429c9220542ec8ebe05868534a63c1ac11e171ab9bb491af462390674

Download Submit
memory/4468-142-0x0000000000AD0000-0x0000000000B00000-memory.dmp

Filesize
192KB

Download
memory/4468-143-0x0000000001220000-0x0000000001226000-memory.dmp

Filesize
24KB

Download
memory/4468-144-0x0000000005AA0000-0x00000000060A6000-memory.dmp

Filesize
6.0MB

Download
memory/4468-145-0x00000000055A0000-0x00000000056AA000-memory.dmp

Filesize
1.0MB

Download
memory/4468-146-0x00000000053D0000-0x00000000053E2000-memory.dmp

Filesize
72KB

Download
memory/4468-147-0x0000000005480000-0x0000000005490000-memory.dmp

Filesize
64KB

Download
memory/4468-148-0x0000000005430000-0x000000000546E000-memory.dmp

Filesize
248KB

Download
memory/4468-149-0x0000000005490000-0x00000000054DB000-memory.dmp

Filesize
300KB

Download
memory/4468-150-0x0000000005760000-0x00000000057D6000-memory.dmp

Filesize
472KB

Download
memory/4468-151-0x0000000005880000-0x0000000005912000-memory.dmp

Filesize
584KB

Download
memory/4468-152-0x0000000006AC0000-0x0000000006FBE000-memory.dmp

Filesize
5.0MB

Download
memory/4468-153-0x0000000005A20000-0x0000000005A86000-memory.dmp

Filesize
408KB

Download
memory/4468-154-0x0000000005480000-0x0000000005490000-memory.dmp

Filesize
64KB

Download
memory/4468-155-0x00000000066C0000-0x0000000006710000-memory.dmp

Filesize
320KB

Download
memory/4468-156-0x00000000068E0000-0x0000000006AA2000-memory.dmp

Filesize
1.8MB

Download
memory/4468-157-0x0000000008810000-0x0000000008D3C000-memory.dmp

Filesize
5.2MB

Download

Analysis

Sharing