redline | d6e252378a8837d99741dfa2ab4790d823f5e16b27b4ca85ee94b19a219f6bb0

General

Target

d6e252378a8837d99741dfa2ab4790d823f5e16b27b4ca85ee94b19a219f6bb0.exe
Size

584KB
MD5

85fec6f1a411fd7de8382d2cc1c40cab
SHA1

1f916a13941ca04518a6b74f972294f86dce0189
SHA256

d6e252378a8837d99741dfa2ab4790d823f5e16b27b4ca85ee94b19a219f6bb0
SHA512

ff106ab6a20889bf84705d3a585b531687fc2ecd302c2d12d96bd5014271c770ede6a7d7ef161df89fce3acc3a717117440f21655eb3a3e5676e1527ce2d46ab
SSDEEP

12288:kMryy90hgYrZinp2gp3YqlUm5Ei94YIdCu:eyoz4p33sEHwX

Score

10^/10

redline diza discovery infostealer persistence spyware stealer

Malware Config

Extracted

Family

redline

Botnet

diza

C2

83.97.73.126:19048

Attributes

auth_value
0d09b419c8bc967f91c68be4a17e92ee

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Executes dropped EXE 3 IoCs

pid	Process
4116	x1960709.exe
3324	x5811612.exe
2552	f7338643.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	d6e252378a8837d99741dfa2ab4790d823f5e16b27b4ca85ee94b19a219f6bb0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	d6e252378a8837d99741dfa2ab4790d823f5e16b27b4ca85ee94b19a219f6bb0.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	x1960709.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	x1960709.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	x5811612.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	x5811612.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Suspicious behavior: EnumeratesProcesses 28 IoCs

pid	Process
2552	f7338643.exe
2552	f7338643.exe
2552	f7338643.exe
2552	f7338643.exe
2552	f7338643.exe
2552	f7338643.exe
2552	f7338643.exe
2552	f7338643.exe
2552	f7338643.exe
2552	f7338643.exe
2552	f7338643.exe
2552	f7338643.exe
2552	f7338643.exe
2552	f7338643.exe
2552	f7338643.exe
2552	f7338643.exe
2552	f7338643.exe
2552	f7338643.exe
2552	f7338643.exe
2552	f7338643.exe
2552	f7338643.exe
2552	f7338643.exe
2552	f7338643.exe
2552	f7338643.exe
2552	f7338643.exe
2552	f7338643.exe
2552	f7338643.exe
2552	f7338643.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2552	f7338643.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 3200 wrote to memory of 4116	3200	d6e252378a8837d99741dfa2ab4790d823f5e16b27b4ca85ee94b19a219f6bb0.exe	66
PID 3200 wrote to memory of 4116	3200	d6e252378a8837d99741dfa2ab4790d823f5e16b27b4ca85ee94b19a219f6bb0.exe	66
PID 3200 wrote to memory of 4116	3200	d6e252378a8837d99741dfa2ab4790d823f5e16b27b4ca85ee94b19a219f6bb0.exe	66
PID 4116 wrote to memory of 3324	4116	x1960709.exe	67
PID 4116 wrote to memory of 3324	4116	x1960709.exe	67
PID 4116 wrote to memory of 3324	4116	x1960709.exe	67
PID 3324 wrote to memory of 2552	3324	x5811612.exe	68
PID 3324 wrote to memory of 2552	3324	x5811612.exe	68
PID 3324 wrote to memory of 2552	3324	x5811612.exe	68

C:\Users\Admin\AppData\Local\Temp\d6e252378a8837d99741dfa2ab4790d823f5e16b27b4ca85ee94b19a219f6bb0.exe
"C:\Users\Admin\AppData\Local\Temp\d6e252378a8837d99741dfa2ab4790d823f5e16b27b4ca85ee94b19a219f6bb0.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3200
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x1960709.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x1960709.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:4116
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x5811612.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x5811612.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:3324
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\f7338643.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\f7338643.exe
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2552

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Credentials in Files

1

T1081

Discovery

Query Registry

1

T1012

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x1960709.exe

Filesize
378KB

MD5
09352edf0de12ec2b2913b8fbb14dc20

SHA1
0f3fd67ba00b11b0ef0da501370d0e769a1ebb98

SHA256
0579938f105e7e6dc080fefd413b185f43be91591630231e25fd15b52ac56c37

SHA512
becfe817dcb6e7ab567cfdfe7977282fa40ff061588fdfb7bbbb0368110acfa5f75757cfe688970b07bd2ba05b58afb9eca815e99e6dbd6d7ae71f3e7f3ec77f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x1960709.exe

Filesize
378KB

MD5
09352edf0de12ec2b2913b8fbb14dc20

SHA1
0f3fd67ba00b11b0ef0da501370d0e769a1ebb98

SHA256
0579938f105e7e6dc080fefd413b185f43be91591630231e25fd15b52ac56c37

SHA512
becfe817dcb6e7ab567cfdfe7977282fa40ff061588fdfb7bbbb0368110acfa5f75757cfe688970b07bd2ba05b58afb9eca815e99e6dbd6d7ae71f3e7f3ec77f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x5811612.exe

Filesize
206KB

MD5
f0da35c0616bdc4cb25cad1425dc6198

SHA1
0d9d57f250836bd4ce1115ece3234ef64bcc2b87

SHA256
1ee03763688e41e7a0a77123d96b98a81174ba3fcffd537734dba92947b74de1

SHA512
5fa6336120166b8965b80d20e7849db8f25a29a9529c0c1500f28f32d5826275a64d32c955a92102a1e5ff4f54ecca43edf684cd8512e24784b8891e7e8bc6e4

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x5811612.exe

Filesize
206KB

MD5
f0da35c0616bdc4cb25cad1425dc6198

SHA1
0d9d57f250836bd4ce1115ece3234ef64bcc2b87

SHA256
1ee03763688e41e7a0a77123d96b98a81174ba3fcffd537734dba92947b74de1

SHA512
5fa6336120166b8965b80d20e7849db8f25a29a9529c0c1500f28f32d5826275a64d32c955a92102a1e5ff4f54ecca43edf684cd8512e24784b8891e7e8bc6e4

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\f7338643.exe

Filesize
172KB

MD5
e4c451d7d50085242f1db7aef1330906

SHA1
01d5ffceb7190d02c1a57e2c528951531e215dcd

SHA256
638a3fbf62d23dc806acc0c5a0d40d0878c17ce0ad97bcdab00d17356f3e82a7

SHA512
6c70ddd4678f1e6726b521c3d84bb91f2f7ee963c6abaaafab47638bd749a2515beed13049e33fd9625f488204081961f19c7722bcc7b7fa37245c49bdc39b5e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\f7338643.exe

Filesize
172KB

MD5
e4c451d7d50085242f1db7aef1330906

SHA1
01d5ffceb7190d02c1a57e2c528951531e215dcd

SHA256
638a3fbf62d23dc806acc0c5a0d40d0878c17ce0ad97bcdab00d17356f3e82a7

SHA512
6c70ddd4678f1e6726b521c3d84bb91f2f7ee963c6abaaafab47638bd749a2515beed13049e33fd9625f488204081961f19c7722bcc7b7fa37245c49bdc39b5e

Download Submit
memory/2552-142-0x0000000000340000-0x0000000000370000-memory.dmp

Filesize
192KB

Download
memory/2552-143-0x0000000000CA0000-0x0000000000CA6000-memory.dmp

Filesize
24KB

Download
memory/2552-144-0x00000000052E0000-0x00000000058E6000-memory.dmp

Filesize
6.0MB

Download
memory/2552-145-0x0000000004DE0000-0x0000000004EEA000-memory.dmp

Filesize
1.0MB

Download
memory/2552-147-0x0000000004B50000-0x0000000004B62000-memory.dmp

Filesize
72KB

Download
memory/2552-146-0x0000000004BC0000-0x0000000004BD0000-memory.dmp

Filesize
64KB

Download
memory/2552-148-0x0000000004CD0000-0x0000000004D0E000-memory.dmp

Filesize
248KB

Download
memory/2552-149-0x0000000004D10000-0x0000000004D5B000-memory.dmp

Filesize
300KB

Download
memory/2552-150-0x0000000004FD0000-0x0000000005046000-memory.dmp

Filesize
472KB

Download
memory/2552-151-0x00000000050F0000-0x0000000005182000-memory.dmp

Filesize
584KB

Download
memory/2552-152-0x0000000005050000-0x00000000050B6000-memory.dmp

Filesize
408KB

Download
memory/2552-153-0x0000000006300000-0x00000000067FE000-memory.dmp

Filesize
5.0MB

Download
memory/2552-154-0x0000000004BC0000-0x0000000004BD0000-memory.dmp

Filesize
64KB

Download
memory/2552-155-0x0000000005F40000-0x0000000005F90000-memory.dmp

Filesize
320KB

Download
memory/2552-156-0x0000000006800000-0x00000000069C2000-memory.dmp

Filesize
1.8MB

Download
memory/2552-157-0x0000000008580000-0x0000000008AAC000-memory.dmp

Filesize
5.2MB

Download

Analysis

Sharing