redline | ace09955c7f46dcb78cbbad5ef3d08610c0dfd46612565cb089049f2c546ee31

General

Target

ace09955c7f46dcb78cbbad5ef3d08610c0dfd46612565cb089049f2c546ee31.exe
Size

581KB
MD5

c91d9e10c95a417ddc2601835ad4a9bd
SHA1

0a8c54caa46fa80d6e8da123c5fc5ed748b8efc3
SHA256

ace09955c7f46dcb78cbbad5ef3d08610c0dfd46612565cb089049f2c546ee31
SHA512

07b53cdb0419a820389213a125ea7865f77af4b4955baf32920643f1dd3cacbb99a41efbd874a1769ee8cd830484244e5cee10b17c7b7e7f3951aa6bb2759b0d
SSDEEP

12288:9Mr7y90iScBXC/Dg+jgADJea+4ci7biaH0XFvv5QyJa72Bmjrj:SyJSM0Dg2DJD+M7O8gF35QnSmjH

Score

10^/10

redline diza discovery infostealer persistence spyware stealer

Malware Config

Extracted

Family

redline

Botnet

diza

C2

83.97.73.126:19046

Attributes

auth_value
0d09b419c8bc967f91c68be4a17e92ee

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Executes dropped EXE 3 IoCs

pid	Process
2696	x4147237.exe
4452	x1759741.exe
4644	f3596349.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	x4147237.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	x1759741.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	x1759741.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	ace09955c7f46dcb78cbbad5ef3d08610c0dfd46612565cb089049f2c546ee31.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	ace09955c7f46dcb78cbbad5ef3d08610c0dfd46612565cb089049f2c546ee31.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	x4147237.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Suspicious behavior: EnumeratesProcesses 34 IoCs

pid	Process
4644	f3596349.exe
4644	f3596349.exe
4644	f3596349.exe
4644	f3596349.exe
4644	f3596349.exe
4644	f3596349.exe
4644	f3596349.exe
4644	f3596349.exe
4644	f3596349.exe
4644	f3596349.exe
4644	f3596349.exe
4644	f3596349.exe
4644	f3596349.exe
4644	f3596349.exe
4644	f3596349.exe
4644	f3596349.exe
4644	f3596349.exe
4644	f3596349.exe
4644	f3596349.exe
4644	f3596349.exe
4644	f3596349.exe
4644	f3596349.exe
4644	f3596349.exe
4644	f3596349.exe
4644	f3596349.exe
4644	f3596349.exe
4644	f3596349.exe
4644	f3596349.exe
4644	f3596349.exe
4644	f3596349.exe
4644	f3596349.exe
4644	f3596349.exe
4644	f3596349.exe
4644	f3596349.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4644	f3596349.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 4632 wrote to memory of 2696	4632	ace09955c7f46dcb78cbbad5ef3d08610c0dfd46612565cb089049f2c546ee31.exe	81
PID 4632 wrote to memory of 2696	4632	ace09955c7f46dcb78cbbad5ef3d08610c0dfd46612565cb089049f2c546ee31.exe	81
PID 4632 wrote to memory of 2696	4632	ace09955c7f46dcb78cbbad5ef3d08610c0dfd46612565cb089049f2c546ee31.exe	81
PID 2696 wrote to memory of 4452	2696	x4147237.exe	82
PID 2696 wrote to memory of 4452	2696	x4147237.exe	82
PID 2696 wrote to memory of 4452	2696	x4147237.exe	82
PID 4452 wrote to memory of 4644	4452	x1759741.exe	83
PID 4452 wrote to memory of 4644	4452	x1759741.exe	83
PID 4452 wrote to memory of 4644	4452	x1759741.exe	83

C:\Users\Admin\AppData\Local\Temp\ace09955c7f46dcb78cbbad5ef3d08610c0dfd46612565cb089049f2c546ee31.exe
"C:\Users\Admin\AppData\Local\Temp\ace09955c7f46dcb78cbbad5ef3d08610c0dfd46612565cb089049f2c546ee31.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4632
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x4147237.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x4147237.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:2696
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x1759741.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x1759741.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:4452
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\f3596349.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\f3596349.exe
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4644

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Credentials in Files

1

T1081

Discovery

Query Registry

1

T1012

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x4147237.exe

Filesize
377KB

MD5
5c6a056c304de60bd6b36d323a5a9945

SHA1
4ef69a3f2c2881080b7648fa7eaa57fffcc10ae8

SHA256
f1ad8f5aa85062709cd9e36923a19dbe76748f8851daf93688b7bc77505044ac

SHA512
816bf03461b2aec85413b8bbe1b38914b6652ebcc78a6b632d4da7c252dc8acddac8ecaf96b2d87369f0bfe9c9a8ea53dbba4064dc92889bbd7268edc9db58b5

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x4147237.exe

Filesize
377KB

MD5
5c6a056c304de60bd6b36d323a5a9945

SHA1
4ef69a3f2c2881080b7648fa7eaa57fffcc10ae8

SHA256
f1ad8f5aa85062709cd9e36923a19dbe76748f8851daf93688b7bc77505044ac

SHA512
816bf03461b2aec85413b8bbe1b38914b6652ebcc78a6b632d4da7c252dc8acddac8ecaf96b2d87369f0bfe9c9a8ea53dbba4064dc92889bbd7268edc9db58b5

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x1759741.exe

Filesize
206KB

MD5
3cbf2233931fce813bc1198512aff880

SHA1
8966d4f09534412410998a0d0569da7f1a5080cf

SHA256
f73f62539f2304e56b856726f62926d2c968ace26071cee88bb062e5defd3897

SHA512
0ebc92c24f6a443b5287d667851a3d12e073abadbaf8407a2b17f4d235408f448d9c913ffc149b0be53bc616e970f2f4cfbc8273d4d34a89ec902edf1aa6fc98

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x1759741.exe

Filesize
206KB

MD5
3cbf2233931fce813bc1198512aff880

SHA1
8966d4f09534412410998a0d0569da7f1a5080cf

SHA256
f73f62539f2304e56b856726f62926d2c968ace26071cee88bb062e5defd3897

SHA512
0ebc92c24f6a443b5287d667851a3d12e073abadbaf8407a2b17f4d235408f448d9c913ffc149b0be53bc616e970f2f4cfbc8273d4d34a89ec902edf1aa6fc98

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\f3596349.exe

Filesize
172KB

MD5
373054be5bda9d5ceac68d2870b3d518

SHA1
24ec2a428cca5f0f4888fa9ce6fd13ada20648f4

SHA256
443e8f76469374b97281c5acebdac28471e9e31380de49099906f0623e7f26a0

SHA512
f589e1459ab3f7161bba12201e30f13c169631d4999bbf619bfa3444cb984a549c86db409ecbf433c55613fafb33f2e42de59f08e4eb50c233971b06c01529b5

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\f3596349.exe

Filesize
172KB

MD5
373054be5bda9d5ceac68d2870b3d518

SHA1
24ec2a428cca5f0f4888fa9ce6fd13ada20648f4

SHA256
443e8f76469374b97281c5acebdac28471e9e31380de49099906f0623e7f26a0

SHA512
f589e1459ab3f7161bba12201e30f13c169631d4999bbf619bfa3444cb984a549c86db409ecbf433c55613fafb33f2e42de59f08e4eb50c233971b06c01529b5

Download Submit
memory/4644-154-0x0000000000050000-0x0000000000080000-memory.dmp

Filesize
192KB

Download
memory/4644-155-0x0000000005170000-0x0000000005788000-memory.dmp

Filesize
6.1MB

Download
memory/4644-156-0x0000000004C60000-0x0000000004D6A000-memory.dmp

Filesize
1.0MB

Download
memory/4644-157-0x0000000004AE0000-0x0000000004AF2000-memory.dmp

Filesize
72KB

Download
memory/4644-158-0x0000000004B50000-0x0000000004B8C000-memory.dmp

Filesize
240KB

Download
memory/4644-159-0x0000000004B40000-0x0000000004B50000-memory.dmp

Filesize
64KB

Download
memory/4644-160-0x0000000004F60000-0x0000000004FD6000-memory.dmp

Filesize
472KB

Download
memory/4644-161-0x0000000005080000-0x0000000005112000-memory.dmp

Filesize
584KB

Download
memory/4644-162-0x0000000006230000-0x00000000067D4000-memory.dmp

Filesize
5.6MB

Download
memory/4644-163-0x0000000005790000-0x00000000057F6000-memory.dmp

Filesize
408KB

Download
memory/4644-164-0x0000000005F90000-0x0000000006152000-memory.dmp

Filesize
1.8MB

Download
memory/4644-165-0x0000000008400000-0x000000000892C000-memory.dmp

Filesize
5.2MB

Download
memory/4644-166-0x0000000004B40000-0x0000000004B50000-memory.dmp

Filesize
64KB

Download
memory/4644-167-0x0000000005F10000-0x0000000005F60000-memory.dmp

Filesize
320KB

Download

Analysis

Sharing