redline | 0dd0400b4e1b03d8dddfa68961843b2312ccf6bc7ffa8162567b56d3762e8d0a

General

Target

07270499.exe
Size

580KB
MD5

2f04ac814a59dafca189e603d18d196d
SHA1

29148efe87f9303a07a05b45afeec232139243b0
SHA256

0dd0400b4e1b03d8dddfa68961843b2312ccf6bc7ffa8162567b56d3762e8d0a
SHA512

aafc6953a4d136c4e0c0de728e6481bc733cd07bdbc4f14c8839f38caf53c7e6f1db8bc7d21397cf61dca0fe73c724ebf6b803da8ee567a319935aed9d6bb77a
SSDEEP

12288:fMrNy90f5MI+IauHzi0A2Ok3k4uzkAxKtP9GzFzeIEG:GyqCVYS2Q4uzPxKWzFeIb

Score

10^/10

redline diza discovery infostealer persistence spyware stealer

Malware Config

Extracted

Family

redline

Botnet

diza

C2

83.97.73.126:19046

Attributes

auth_value
0d09b419c8bc967f91c68be4a17e92ee

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Executes dropped EXE 3 IoCs

pid	Process
4420	x0476388.exe
1560	x2634231.exe
4060	f1006954.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	07270499.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	07270499.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	x0476388.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	x0476388.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	x2634231.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	x2634231.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Suspicious behavior: EnumeratesProcesses 12 IoCs

pid	Process
4060	f1006954.exe
4060	f1006954.exe
4060	f1006954.exe
4060	f1006954.exe
4060	f1006954.exe
4060	f1006954.exe
4060	f1006954.exe
4060	f1006954.exe
4060	f1006954.exe
4060	f1006954.exe
4060	f1006954.exe
4060	f1006954.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4060	f1006954.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 5072 wrote to memory of 4420	5072	07270499.exe	82
PID 5072 wrote to memory of 4420	5072	07270499.exe	82
PID 5072 wrote to memory of 4420	5072	07270499.exe	82
PID 4420 wrote to memory of 1560	4420	x0476388.exe	83
PID 4420 wrote to memory of 1560	4420	x0476388.exe	83
PID 4420 wrote to memory of 1560	4420	x0476388.exe	83
PID 1560 wrote to memory of 4060	1560	x2634231.exe	84
PID 1560 wrote to memory of 4060	1560	x2634231.exe	84
PID 1560 wrote to memory of 4060	1560	x2634231.exe	84

C:\Users\Admin\AppData\Local\Temp\07270499.exe
"C:\Users\Admin\AppData\Local\Temp\07270499.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:5072
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x0476388.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x0476388.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:4420
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x2634231.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x2634231.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:1560
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\f1006954.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\f1006954.exe
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4060

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Credentials in Files

1

T1081

Discovery

Query Registry

1

T1012

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x0476388.exe

Filesize
377KB

MD5
6346502ea9b0242fb32b62da5a0e856f

SHA1
c1211b9b1fc8d9f7197a7d1727a741370eb83c0d

SHA256
d1d5c5e389152c9d208f98abd0edca1f452d2b364bb4435218a02abcef77f113

SHA512
4dbac0562509b115ae33a2b49e39f9f76f6a2328c541d4fc90f54195a191327eb55c5a39f46811f28bac68e2be7921b67409b52ca0ee9818bfe7399a26c989a8

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x0476388.exe

Filesize
377KB

MD5
6346502ea9b0242fb32b62da5a0e856f

SHA1
c1211b9b1fc8d9f7197a7d1727a741370eb83c0d

SHA256
d1d5c5e389152c9d208f98abd0edca1f452d2b364bb4435218a02abcef77f113

SHA512
4dbac0562509b115ae33a2b49e39f9f76f6a2328c541d4fc90f54195a191327eb55c5a39f46811f28bac68e2be7921b67409b52ca0ee9818bfe7399a26c989a8

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x2634231.exe

Filesize
206KB

MD5
8cedee880088fe68f3c4c585069bc3ba

SHA1
780d2090d7379a9eeb6d0d99babd572c1fc5f6bf

SHA256
aa56cf399b17f61588283ab834fc2d2be5bfaee6a64eea2b027d4a5e2522bc89

SHA512
4f27ee5a22ba8a5c4bf45c78823f002dc724b3c58ad9485e0b090b162fee779fc501593f02e4ae431dfbc089fa5ddc0825d475412df1326812bafcb61366761b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x2634231.exe

Filesize
206KB

MD5
8cedee880088fe68f3c4c585069bc3ba

SHA1
780d2090d7379a9eeb6d0d99babd572c1fc5f6bf

SHA256
aa56cf399b17f61588283ab834fc2d2be5bfaee6a64eea2b027d4a5e2522bc89

SHA512
4f27ee5a22ba8a5c4bf45c78823f002dc724b3c58ad9485e0b090b162fee779fc501593f02e4ae431dfbc089fa5ddc0825d475412df1326812bafcb61366761b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\f1006954.exe

Filesize
172KB

MD5
48000a3f8eda69e5d8e2dbec2658dfce

SHA1
0b30d4e0a4279c813fdb973c9eb8d363d2f9bae0

SHA256
29e3016d2036cfffbd86161c5dc777c06b11fca77c32bcddb14b8cbc21c11915

SHA512
69be2602fa2ec2f123bebcee5f8bf983e5f7646424e4dccc76808ff1ac04b99ecbb4087baf26c58420b37c088563fdf96fbd57c1fc96f42227a50bc3318f3bb1

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\f1006954.exe

Filesize
172KB

MD5
48000a3f8eda69e5d8e2dbec2658dfce

SHA1
0b30d4e0a4279c813fdb973c9eb8d363d2f9bae0

SHA256
29e3016d2036cfffbd86161c5dc777c06b11fca77c32bcddb14b8cbc21c11915

SHA512
69be2602fa2ec2f123bebcee5f8bf983e5f7646424e4dccc76808ff1ac04b99ecbb4087baf26c58420b37c088563fdf96fbd57c1fc96f42227a50bc3318f3bb1

Download Submit
memory/4060-154-0x0000000000A10000-0x0000000000A40000-memory.dmp

Filesize
192KB

Download
memory/4060-155-0x000000000AE10000-0x000000000B428000-memory.dmp

Filesize
6.1MB

Download
memory/4060-156-0x000000000A990000-0x000000000AA9A000-memory.dmp

Filesize
1.0MB

Download
memory/4060-157-0x000000000A8D0000-0x000000000A8E2000-memory.dmp

Filesize
72KB

Download
memory/4060-158-0x0000000005460000-0x0000000005470000-memory.dmp

Filesize
64KB

Download
memory/4060-159-0x000000000A930000-0x000000000A96C000-memory.dmp

Filesize
240KB

Download
memory/4060-160-0x000000000AC40000-0x000000000ACB6000-memory.dmp

Filesize
472KB

Download
memory/4060-161-0x000000000AD60000-0x000000000ADF2000-memory.dmp

Filesize
584KB

Download
memory/4060-162-0x000000000B9E0000-0x000000000BF84000-memory.dmp

Filesize
5.6MB

Download
memory/4060-163-0x000000000B530000-0x000000000B596000-memory.dmp

Filesize
408KB

Download
memory/4060-164-0x000000000C260000-0x000000000C422000-memory.dmp

Filesize
1.8MB

Download
memory/4060-165-0x0000000005460000-0x0000000005470000-memory.dmp

Filesize
64KB

Download
memory/4060-166-0x000000000C960000-0x000000000CE8C000-memory.dmp

Filesize
5.2MB

Download
memory/4060-167-0x000000000C110000-0x000000000C160000-memory.dmp

Filesize
320KB

Download

Analysis

Sharing