redline | 73394305fc8f5a428bd67442d9b4c23d8c35e707efca250f463c09e3dd184b78

General

Target

73394305fc8f5a428bd67442d9b4c23d8c35e707efca250f463c09e3dd184b78.exe
Size

580KB
MD5

fd1cabf04c59c65e0e1e413097a89348
SHA1

73731f977c631ac2b2a53356ff18ef10f82b5221
SHA256

73394305fc8f5a428bd67442d9b4c23d8c35e707efca250f463c09e3dd184b78
SHA512

a2254ffe633b88e0223bb45f723b67088fe615eeff3cb52916835c18358b0b401f0cf62e041208127286fef8ddb1c30aa1f0b662b70f27e00867f6ebfbef8d47
SSDEEP

12288:mMrvy901/V8OJ0dam87njXlMuZdurIxw4KLTM+m:1yWPJnmzuYjRL4d

Score

10^/10

redline diza discovery infostealer persistence spyware stealer

Malware Config

Extracted

Family

redline

Botnet

diza

C2

83.97.73.126:19046

Attributes

auth_value
0d09b419c8bc967f91c68be4a17e92ee

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Executes dropped EXE 3 IoCs

pid	Process
4632	x2264813.exe
3228	x8442963.exe
3236	f4016641.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	73394305fc8f5a428bd67442d9b4c23d8c35e707efca250f463c09e3dd184b78.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	x2264813.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	x2264813.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	x8442963.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	x8442963.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	73394305fc8f5a428bd67442d9b4c23d8c35e707efca250f463c09e3dd184b78.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Suspicious behavior: EnumeratesProcesses 28 IoCs

pid	Process
3236	f4016641.exe
3236	f4016641.exe
3236	f4016641.exe
3236	f4016641.exe
3236	f4016641.exe
3236	f4016641.exe
3236	f4016641.exe
3236	f4016641.exe
3236	f4016641.exe
3236	f4016641.exe
3236	f4016641.exe
3236	f4016641.exe
3236	f4016641.exe
3236	f4016641.exe
3236	f4016641.exe
3236	f4016641.exe
3236	f4016641.exe
3236	f4016641.exe
3236	f4016641.exe
3236	f4016641.exe
3236	f4016641.exe
3236	f4016641.exe
3236	f4016641.exe
3236	f4016641.exe
3236	f4016641.exe
3236	f4016641.exe
3236	f4016641.exe
3236	f4016641.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	3236	f4016641.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 4264 wrote to memory of 4632	4264	73394305fc8f5a428bd67442d9b4c23d8c35e707efca250f463c09e3dd184b78.exe	85
PID 4264 wrote to memory of 4632	4264	73394305fc8f5a428bd67442d9b4c23d8c35e707efca250f463c09e3dd184b78.exe	85
PID 4264 wrote to memory of 4632	4264	73394305fc8f5a428bd67442d9b4c23d8c35e707efca250f463c09e3dd184b78.exe	85
PID 4632 wrote to memory of 3228	4632	x2264813.exe	86
PID 4632 wrote to memory of 3228	4632	x2264813.exe	86
PID 4632 wrote to memory of 3228	4632	x2264813.exe	86
PID 3228 wrote to memory of 3236	3228	x8442963.exe	87
PID 3228 wrote to memory of 3236	3228	x8442963.exe	87
PID 3228 wrote to memory of 3236	3228	x8442963.exe	87

C:\Users\Admin\AppData\Local\Temp\73394305fc8f5a428bd67442d9b4c23d8c35e707efca250f463c09e3dd184b78.exe
"C:\Users\Admin\AppData\Local\Temp\73394305fc8f5a428bd67442d9b4c23d8c35e707efca250f463c09e3dd184b78.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4264
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x2264813.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x2264813.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:4632
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x8442963.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x8442963.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:3228
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\f4016641.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\f4016641.exe
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3236

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Credentials in Files

1

T1081

Discovery

Query Registry

1

T1012

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x2264813.exe

Filesize
377KB

MD5
d20d0db4a574a4ca387b5957b0e3da71

SHA1
45e1efb39fcc402cda15a41e0c745c9ffddb7014

SHA256
3ee4b5b7edfe33b089431012ab8487d0acd213bc7e65947102c11a70fdd6b56d

SHA512
b0efb316e91f17dee6fcfb041a0a0fa6b009a80491b3fb5839fbb8d76ac40ebbf0e6dd597d289c7497c016b178d3537507c07bcb45f2ad6fa3dee484e1a639e3

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x2264813.exe

Filesize
377KB

MD5
d20d0db4a574a4ca387b5957b0e3da71

SHA1
45e1efb39fcc402cda15a41e0c745c9ffddb7014

SHA256
3ee4b5b7edfe33b089431012ab8487d0acd213bc7e65947102c11a70fdd6b56d

SHA512
b0efb316e91f17dee6fcfb041a0a0fa6b009a80491b3fb5839fbb8d76ac40ebbf0e6dd597d289c7497c016b178d3537507c07bcb45f2ad6fa3dee484e1a639e3

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x8442963.exe

Filesize
206KB

MD5
3e6706cd1d1ca8cd71a160975f530808

SHA1
fb1b58080ece44b0b66073bd936e5e3b0272482f

SHA256
59eadcefd391518cf1797f0cca6ecbb248d8eca6595153771652b02d9f3d550d

SHA512
5cc5d08aa9f9b1af0ad515d584181834ab0b94c139377b5ec9eeeac5004d7bf2da40eaadeac4b98e850a725f9605101a77dbc0634e4a0d710d59e4e27e416aa7

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x8442963.exe

Filesize
206KB

MD5
3e6706cd1d1ca8cd71a160975f530808

SHA1
fb1b58080ece44b0b66073bd936e5e3b0272482f

SHA256
59eadcefd391518cf1797f0cca6ecbb248d8eca6595153771652b02d9f3d550d

SHA512
5cc5d08aa9f9b1af0ad515d584181834ab0b94c139377b5ec9eeeac5004d7bf2da40eaadeac4b98e850a725f9605101a77dbc0634e4a0d710d59e4e27e416aa7

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\f4016641.exe

Filesize
172KB

MD5
920b0d07b072f4bc9620d8174ea88da8

SHA1
970199edd595bd9f188fb293e0f15ff7e72c00ff

SHA256
d21b42113ad7d9da527ad045a082416f43013321974cf23c71e60cd7e542b554

SHA512
55d82d6427cb37aef3a9b3cbf0f1d2ea0f832f1d423aab4709686c0a7aff46524b3c0acf9bfd9e4c67f0b14a6002f61d2ab970d96c9bdbaaa1685b6dc5c6bf20

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\f4016641.exe

Filesize
172KB

MD5
920b0d07b072f4bc9620d8174ea88da8

SHA1
970199edd595bd9f188fb293e0f15ff7e72c00ff

SHA256
d21b42113ad7d9da527ad045a082416f43013321974cf23c71e60cd7e542b554

SHA512
55d82d6427cb37aef3a9b3cbf0f1d2ea0f832f1d423aab4709686c0a7aff46524b3c0acf9bfd9e4c67f0b14a6002f61d2ab970d96c9bdbaaa1685b6dc5c6bf20

Download Submit
memory/3236-154-0x0000000000690000-0x00000000006C0000-memory.dmp

Filesize
192KB

Download
memory/3236-155-0x000000000AB10000-0x000000000B128000-memory.dmp

Filesize
6.1MB

Download
memory/3236-156-0x000000000A610000-0x000000000A71A000-memory.dmp

Filesize
1.0MB

Download
memory/3236-157-0x000000000A550000-0x000000000A562000-memory.dmp

Filesize
72KB

Download
memory/3236-158-0x000000000A5B0000-0x000000000A5EC000-memory.dmp

Filesize
240KB

Download
memory/3236-159-0x0000000004F60000-0x0000000004F70000-memory.dmp

Filesize
64KB

Download
memory/3236-160-0x0000000004F60000-0x0000000004F70000-memory.dmp

Filesize
64KB

Download
memory/3236-161-0x000000000B1B0000-0x000000000B226000-memory.dmp

Filesize
472KB

Download
memory/3236-162-0x000000000B2D0000-0x000000000B362000-memory.dmp

Filesize
584KB

Download
memory/3236-163-0x000000000B230000-0x000000000B296000-memory.dmp

Filesize
408KB

Download
memory/3236-164-0x000000000BB20000-0x000000000C0C4000-memory.dmp

Filesize
5.6MB

Download
memory/3236-165-0x000000000B6D0000-0x000000000B720000-memory.dmp

Filesize
320KB

Download
memory/3236-166-0x000000000B900000-0x000000000BAC2000-memory.dmp

Filesize
1.8MB

Download
memory/3236-167-0x000000000C600000-0x000000000CB2C000-memory.dmp

Filesize
5.2MB

Download

Analysis

Sharing