redline | cf94e308724f5798ef411fd35e46560fdbd3753fe2aed2e89b07affeee10bee0

General

Target

cf94e308724f5798ef411fd35e46560fdbd3753fe2aed2e89b07affeee10bee0.exe
Size

580KB
MD5

58fecf286f0fd218b50f221bef7912f9
SHA1

c6d97d0922b2b17da3b2215866f3ca60c1d661b1
SHA256

cf94e308724f5798ef411fd35e46560fdbd3753fe2aed2e89b07affeee10bee0
SHA512

7474a3439d3e12727cb7987df49627d031415332ed98834e911e389464bf50d50c5002feb7d5e3b415803e108534337334b03a5cb5914198f63cce81ae15fd64
SSDEEP

12288:aMryy90kGWBtVMMRqAOTTtfc5dDuC1D8bfRY1ovply35vf/UtsEaCQAhX5:0y2WBRCvpCJ14bfRY1oxlO5vOraUR5

Score

10^/10

redline diza infostealer persistence

Malware Config

Extracted

Family

redline

Botnet

diza

C2

83.97.73.126:19046

Attributes

auth_value
0d09b419c8bc967f91c68be4a17e92ee

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Executes dropped EXE 3 IoCs

pid	Process
5084	x9494687.exe
1580	x2180737.exe
4464	f4726023.exe

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	x2180737.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	x2180737.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	cf94e308724f5798ef411fd35e46560fdbd3753fe2aed2e89b07affeee10bee0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	cf94e308724f5798ef411fd35e46560fdbd3753fe2aed2e89b07affeee10bee0.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	x9494687.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	x9494687.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 3904 wrote to memory of 5084	3904	cf94e308724f5798ef411fd35e46560fdbd3753fe2aed2e89b07affeee10bee0.exe	82
PID 3904 wrote to memory of 5084	3904	cf94e308724f5798ef411fd35e46560fdbd3753fe2aed2e89b07affeee10bee0.exe	82
PID 3904 wrote to memory of 5084	3904	cf94e308724f5798ef411fd35e46560fdbd3753fe2aed2e89b07affeee10bee0.exe	82
PID 5084 wrote to memory of 1580	5084	x9494687.exe	83
PID 5084 wrote to memory of 1580	5084	x9494687.exe	83
PID 5084 wrote to memory of 1580	5084	x9494687.exe	83
PID 1580 wrote to memory of 4464	1580	x2180737.exe	84
PID 1580 wrote to memory of 4464	1580	x2180737.exe	84
PID 1580 wrote to memory of 4464	1580	x2180737.exe	84

C:\Users\Admin\AppData\Local\Temp\cf94e308724f5798ef411fd35e46560fdbd3753fe2aed2e89b07affeee10bee0.exe
"C:\Users\Admin\AppData\Local\Temp\cf94e308724f5798ef411fd35e46560fdbd3753fe2aed2e89b07affeee10bee0.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3904
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x9494687.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x9494687.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:5084
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x2180737.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x2180737.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:1580
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\f4726023.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\f4726023.exe
      4⤵
      Executes dropped EXE
      PID:4464

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x9494687.exe

Filesize
377KB

MD5
8d2fef8a3e255a85becd9113fa6e3856

SHA1
d5b00e6d562690825fed33ed5e2dee6b42159fcb

SHA256
a55385957a87a871b1fa81e1fe53d46490cb0fee1d58ec4177f4e7704e417521

SHA512
9c558e62bd40222d57652a99778d9fd630abe8766fce73b6573b342f35a0cd5dda85b175d58ea9d9a59646d2b1a179520ef5572d15d14b3c666b03e6779c1ec5

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x9494687.exe

Filesize
377KB

MD5
8d2fef8a3e255a85becd9113fa6e3856

SHA1
d5b00e6d562690825fed33ed5e2dee6b42159fcb

SHA256
a55385957a87a871b1fa81e1fe53d46490cb0fee1d58ec4177f4e7704e417521

SHA512
9c558e62bd40222d57652a99778d9fd630abe8766fce73b6573b342f35a0cd5dda85b175d58ea9d9a59646d2b1a179520ef5572d15d14b3c666b03e6779c1ec5

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x2180737.exe

Filesize
206KB

MD5
109ed3a2afb7d026cd0a2513b0102ac2

SHA1
74b37885937bfebb5bf1f52b217295a879ce583c

SHA256
ccaa6d27f29c2db2830801eb34fcd574ebfb887e38d660f056cae2a15721b7b7

SHA512
f87563c9468ee14530966df8f49671f4fbdcfb1162c265ed872e31de5c567062311917ba3c2428201f532f095e4a3b9d08cca7f908c7b00a7d5a2d0eb05a719d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x2180737.exe

Filesize
206KB

MD5
109ed3a2afb7d026cd0a2513b0102ac2

SHA1
74b37885937bfebb5bf1f52b217295a879ce583c

SHA256
ccaa6d27f29c2db2830801eb34fcd574ebfb887e38d660f056cae2a15721b7b7

SHA512
f87563c9468ee14530966df8f49671f4fbdcfb1162c265ed872e31de5c567062311917ba3c2428201f532f095e4a3b9d08cca7f908c7b00a7d5a2d0eb05a719d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\f4726023.exe

Filesize
173KB

MD5
0ce459c22a7196168a631ea934e5b978

SHA1
e171cea4bdac05454f87133227c2f25802651dd7

SHA256
f72cfc7cac3727a17312cfb0068fcc98c7eaffccadd3103fde07e7811998aee3

SHA512
a9bb536a6732cec841708dc576d390ff805325abd402ebed0919332c874a10ca9af8e05f359316f028a3a9f9216c5af51d8261d8f079aa8b2439dd7d28347998

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\f4726023.exe

Filesize
173KB

MD5
0ce459c22a7196168a631ea934e5b978

SHA1
e171cea4bdac05454f87133227c2f25802651dd7

SHA256
f72cfc7cac3727a17312cfb0068fcc98c7eaffccadd3103fde07e7811998aee3

SHA512
a9bb536a6732cec841708dc576d390ff805325abd402ebed0919332c874a10ca9af8e05f359316f028a3a9f9216c5af51d8261d8f079aa8b2439dd7d28347998

Download Submit
memory/4464-154-0x0000000000E50000-0x0000000000E80000-memory.dmp

Filesize
192KB

Download
memory/4464-155-0x000000000B1E0000-0x000000000B7F8000-memory.dmp

Filesize
6.1MB

Download
memory/4464-156-0x000000000ACD0000-0x000000000ADDA000-memory.dmp

Filesize
1.0MB

Download
memory/4464-157-0x000000000ABE0000-0x000000000ABF2000-memory.dmp

Filesize
72KB

Download
memory/4464-158-0x0000000005730000-0x0000000005740000-memory.dmp

Filesize
64KB

Download
memory/4464-159-0x000000000AC40000-0x000000000AC7C000-memory.dmp

Filesize
240KB

Download
memory/4464-160-0x0000000005730000-0x0000000005740000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing