redline | ab6cc155436b69ca35f8fb413658f8c68e31f069a62119f6ad96af6b57211e01

General

Target

ab6cc155436b69ca35f8fb413658f8c68e31f069a62119f6ad96af6b57211e01.exe
Size

579KB
MD5

b39818dac1620ea6639210d6a03a0102
SHA1

5dcfc0bcc148174d811cf43a2e4671c4d8f72385
SHA256

ab6cc155436b69ca35f8fb413658f8c68e31f069a62119f6ad96af6b57211e01
SHA512

8bc5e31be36e264474a5777f00ccd8f0b4618e880a0ff2ba56c8093d57b28678236abdf322016b9a362426e0440b7c19c7c52a0f80c17e33b359831abd0b59e8
SSDEEP

12288:XMrWy90cWjjCQn4O/kiKcxKagsoGrgGSNXG6+W57y2l5:RyoJ5dYtsHrgGSFGOdJ5

Score

10^/10

redline diza infostealer persistence

Malware Config

Extracted

Family

redline

Botnet

diza

C2

83.97.73.126:19046

Attributes

auth_value
0d09b419c8bc967f91c68be4a17e92ee

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Executes dropped EXE 3 IoCs

pid	Process
4600	x4587378.exe
4908	x3130606.exe
2296	f7706223.exe

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	ab6cc155436b69ca35f8fb413658f8c68e31f069a62119f6ad96af6b57211e01.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	x4587378.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	x4587378.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	x3130606.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	x3130606.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	ab6cc155436b69ca35f8fb413658f8c68e31f069a62119f6ad96af6b57211e01.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 4656 wrote to memory of 4600	4656	ab6cc155436b69ca35f8fb413658f8c68e31f069a62119f6ad96af6b57211e01.exe	84
PID 4656 wrote to memory of 4600	4656	ab6cc155436b69ca35f8fb413658f8c68e31f069a62119f6ad96af6b57211e01.exe	84
PID 4656 wrote to memory of 4600	4656	ab6cc155436b69ca35f8fb413658f8c68e31f069a62119f6ad96af6b57211e01.exe	84
PID 4600 wrote to memory of 4908	4600	x4587378.exe	85
PID 4600 wrote to memory of 4908	4600	x4587378.exe	85
PID 4600 wrote to memory of 4908	4600	x4587378.exe	85
PID 4908 wrote to memory of 2296	4908	x3130606.exe	86
PID 4908 wrote to memory of 2296	4908	x3130606.exe	86
PID 4908 wrote to memory of 2296	4908	x3130606.exe	86

C:\Users\Admin\AppData\Local\Temp\ab6cc155436b69ca35f8fb413658f8c68e31f069a62119f6ad96af6b57211e01.exe
"C:\Users\Admin\AppData\Local\Temp\ab6cc155436b69ca35f8fb413658f8c68e31f069a62119f6ad96af6b57211e01.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4656
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x4587378.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x4587378.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:4600
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x3130606.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x3130606.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:4908
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\f7706223.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\f7706223.exe
      4⤵
      Executes dropped EXE
      PID:2296

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x4587378.exe

Filesize
377KB

MD5
3ce5e6955c07e8e28830355f8a511fd5

SHA1
9d261668b7e3d05f1e5c762f2c2057d495eaa724

SHA256
098b3950f36417dda328a9ec9a55c367f6cab5e345c3e06a2bba90586910419c

SHA512
6971441d7c6f46d25a16789b5c21e9ecf6639a0c9b07bae648bb3db83394b1dc06994ade1ab877eddfd45c52c595fab6815dcf1145cc3c739e9e3b75a4813499

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x4587378.exe

Filesize
377KB

MD5
3ce5e6955c07e8e28830355f8a511fd5

SHA1
9d261668b7e3d05f1e5c762f2c2057d495eaa724

SHA256
098b3950f36417dda328a9ec9a55c367f6cab5e345c3e06a2bba90586910419c

SHA512
6971441d7c6f46d25a16789b5c21e9ecf6639a0c9b07bae648bb3db83394b1dc06994ade1ab877eddfd45c52c595fab6815dcf1145cc3c739e9e3b75a4813499

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x3130606.exe

Filesize
206KB

MD5
275105e12e3a86cce76929fc770e3dec

SHA1
58a1c8fb518f54b97fa9896832ef5e87c9816c63

SHA256
1ff83dd5cf8c73cb323546a089f93373f34d3c9feb8053b388980a8ae8e07e3b

SHA512
8a91a32a99c48d52408c702ec327052d826146c850ede28aef688403b0e79b5e41edc52b387a12bae93b02987d3b192e152a7e837e35fe7d22863bcf343785c5

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x3130606.exe

Filesize
206KB

MD5
275105e12e3a86cce76929fc770e3dec

SHA1
58a1c8fb518f54b97fa9896832ef5e87c9816c63

SHA256
1ff83dd5cf8c73cb323546a089f93373f34d3c9feb8053b388980a8ae8e07e3b

SHA512
8a91a32a99c48d52408c702ec327052d826146c850ede28aef688403b0e79b5e41edc52b387a12bae93b02987d3b192e152a7e837e35fe7d22863bcf343785c5

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\f7706223.exe

Filesize
173KB

MD5
eece1e3b2a22960e040342b0aad2bfc5

SHA1
28403a6808ca1ddcdf246f7a3ede7bc28c5a5acc

SHA256
57400918b8f85777b2e735df26c4c9da898364a4e6b4ef58c377e0ee28ed43b9

SHA512
4df9bdcc8c3eb98fbdd12c4eec611da73c4902ffa779f3def828c9aeeeed3b20c227e1c4c1223927f955eb65de7f1560740404304af8698f7bffcead838d7c52

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\f7706223.exe

Filesize
173KB

MD5
eece1e3b2a22960e040342b0aad2bfc5

SHA1
28403a6808ca1ddcdf246f7a3ede7bc28c5a5acc

SHA256
57400918b8f85777b2e735df26c4c9da898364a4e6b4ef58c377e0ee28ed43b9

SHA512
4df9bdcc8c3eb98fbdd12c4eec611da73c4902ffa779f3def828c9aeeeed3b20c227e1c4c1223927f955eb65de7f1560740404304af8698f7bffcead838d7c52

Download Submit
memory/2296-154-0x0000000000610000-0x0000000000640000-memory.dmp

Filesize
192KB

Download
memory/2296-155-0x000000000A8D0000-0x000000000AEE8000-memory.dmp

Filesize
6.1MB

Download
memory/2296-156-0x000000000A450000-0x000000000A55A000-memory.dmp

Filesize
1.0MB

Download
memory/2296-157-0x000000000A390000-0x000000000A3A2000-memory.dmp

Filesize
72KB

Download
memory/2296-158-0x000000000A3F0000-0x000000000A42C000-memory.dmp

Filesize
240KB

Download
memory/2296-159-0x0000000002A70000-0x0000000002A80000-memory.dmp

Filesize
64KB

Download
memory/2296-160-0x0000000002A70000-0x0000000002A80000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing