redline | 0c906a72201be027fdb1728a0f79e321cb9089361a3be314eb5389bd8a7d9383

General

Target

0c906a72201be027fdb1728a0f79e321cb9089361a3be314eb5389bd8a7d9383.exe
Size

581KB
MD5

7cd3229bd415e3d546b691efa08e3dfc
SHA1

53c0fc7bd0d199472674b19d7d3ace6ac6f2a413
SHA256

0c906a72201be027fdb1728a0f79e321cb9089361a3be314eb5389bd8a7d9383
SHA512

b9c6c0c1b8431fef9348f7ccae9fad989b80d7d4ee37002038c33092a69cdba1d837ef7855226c8857909906be1526ab9b0e82a4961b5dee9200ca6ad9dfe894
SSDEEP

12288:HMrWy90f6JPOxqAk0lW2YvgWC1nF+3Hem19JKXg7:pyQzx5vI2wgWF+m1bKm

Score

10^/10

redline diza infostealer persistence

Malware Config

Extracted

Family

redline

Botnet

diza

C2

83.97.73.126:19046

Attributes

auth_value
0d09b419c8bc967f91c68be4a17e92ee

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Executes dropped EXE 3 IoCs

pid	Process
4144	x7644405.exe
2112	x1028961.exe
4612	f6834023.exe

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	x7644405.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	x7644405.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	x1028961.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	x1028961.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	0c906a72201be027fdb1728a0f79e321cb9089361a3be314eb5389bd8a7d9383.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	0c906a72201be027fdb1728a0f79e321cb9089361a3be314eb5389bd8a7d9383.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 4128 wrote to memory of 4144	4128	0c906a72201be027fdb1728a0f79e321cb9089361a3be314eb5389bd8a7d9383.exe	66
PID 4128 wrote to memory of 4144	4128	0c906a72201be027fdb1728a0f79e321cb9089361a3be314eb5389bd8a7d9383.exe	66
PID 4128 wrote to memory of 4144	4128	0c906a72201be027fdb1728a0f79e321cb9089361a3be314eb5389bd8a7d9383.exe	66
PID 4144 wrote to memory of 2112	4144	x7644405.exe	67
PID 4144 wrote to memory of 2112	4144	x7644405.exe	67
PID 4144 wrote to memory of 2112	4144	x7644405.exe	67
PID 2112 wrote to memory of 4612	2112	x1028961.exe	68
PID 2112 wrote to memory of 4612	2112	x1028961.exe	68
PID 2112 wrote to memory of 4612	2112	x1028961.exe	68

C:\Users\Admin\AppData\Local\Temp\0c906a72201be027fdb1728a0f79e321cb9089361a3be314eb5389bd8a7d9383.exe
"C:\Users\Admin\AppData\Local\Temp\0c906a72201be027fdb1728a0f79e321cb9089361a3be314eb5389bd8a7d9383.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4128
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x7644405.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x7644405.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:4144
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x1028961.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x1028961.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:2112
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\f6834023.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\f6834023.exe
      4⤵
      Executes dropped EXE
      PID:4612

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x7644405.exe

Filesize
377KB

MD5
4b032b880477b47f11183b24ff16074d

SHA1
e70220d4165d751159ef9f9511030ebd477134c6

SHA256
3a72411ed3b4666f05f0716c291c763e607153b948ce0414453248879adbe95f

SHA512
ff18c5f8af12a2094676ee6559bb6b0a3186a157f05c157b53e33a1ea0cffb5133beaf8c7e666523b6da7b1a8665d7190e07883d9ce845f1361d1ec5b0e11e0c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x7644405.exe

Filesize
377KB

MD5
4b032b880477b47f11183b24ff16074d

SHA1
e70220d4165d751159ef9f9511030ebd477134c6

SHA256
3a72411ed3b4666f05f0716c291c763e607153b948ce0414453248879adbe95f

SHA512
ff18c5f8af12a2094676ee6559bb6b0a3186a157f05c157b53e33a1ea0cffb5133beaf8c7e666523b6da7b1a8665d7190e07883d9ce845f1361d1ec5b0e11e0c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x1028961.exe

Filesize
206KB

MD5
3ed077c9d5a5759f6cd6086876b5459b

SHA1
2d605d058d60c6e4de0c82a84655b4abd77c5d94

SHA256
a5d2c6384ae0cdc635436aab54a5a690f7c96e2165e3dc4bef688bd8a8c1ca05

SHA512
0b06dbad5fb19cf861547f7b3f107fdb3a90863a1f5bb9b3e601be391eef7445b153f5ca3204422d177991872d1ddaffdd155aade9728e1d1a43873e71882075

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x1028961.exe

Filesize
206KB

MD5
3ed077c9d5a5759f6cd6086876b5459b

SHA1
2d605d058d60c6e4de0c82a84655b4abd77c5d94

SHA256
a5d2c6384ae0cdc635436aab54a5a690f7c96e2165e3dc4bef688bd8a8c1ca05

SHA512
0b06dbad5fb19cf861547f7b3f107fdb3a90863a1f5bb9b3e601be391eef7445b153f5ca3204422d177991872d1ddaffdd155aade9728e1d1a43873e71882075

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\f6834023.exe

Filesize
172KB

MD5
0fbd60e0ee03dedb05e4d7dabb09cf29

SHA1
87025d06da6e87db62a9aea7dda54be8a34457b0

SHA256
5181866e4528f48bd7787ce1356d733120414c3aa5e2ae1eeb4563d5f88b92d7

SHA512
5aee25347a53c3017f8ee6a6a4032c9cfd1ac79eb317d10543bf9acc4d590afd82999662d516397f140d72ed1bbf28904f8463c923448933efd821f07996a0c4

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\f6834023.exe

Filesize
172KB

MD5
0fbd60e0ee03dedb05e4d7dabb09cf29

SHA1
87025d06da6e87db62a9aea7dda54be8a34457b0

SHA256
5181866e4528f48bd7787ce1356d733120414c3aa5e2ae1eeb4563d5f88b92d7

SHA512
5aee25347a53c3017f8ee6a6a4032c9cfd1ac79eb317d10543bf9acc4d590afd82999662d516397f140d72ed1bbf28904f8463c923448933efd821f07996a0c4

Download Submit
memory/4612-141-0x0000000000480000-0x00000000004B0000-memory.dmp

Filesize
192KB

Download
memory/4612-142-0x0000000002740000-0x0000000002746000-memory.dmp

Filesize
24KB

Download
memory/4612-143-0x0000000005550000-0x0000000005B56000-memory.dmp

Filesize
6.0MB

Download
memory/4612-144-0x0000000005050000-0x000000000515A000-memory.dmp

Filesize
1.0MB

Download
memory/4612-145-0x0000000004DC0000-0x0000000004DD2000-memory.dmp

Filesize
72KB

Download
memory/4612-146-0x0000000004F40000-0x0000000004F7E000-memory.dmp

Filesize
248KB

Download
memory/4612-147-0x0000000004F80000-0x0000000004FCB000-memory.dmp

Filesize
300KB

Download
memory/4612-148-0x0000000004E30000-0x0000000004E40000-memory.dmp

Filesize
64KB

Download
memory/4612-149-0x0000000004E30000-0x0000000004E40000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing