redline | a3004d6d07609ce6155e0e6f7368a7f4f01551cc955cfe600c7af4f9260db5e9

General

Target

a3004d6d07609ce6155e0e6f7368a7f4f01551cc955cfe600c7af4f9260db5e9.exe
Size

579KB
MD5

e862af8c7ebee64917ff0e1421111aea
SHA1

b54f86e3cd8899030db7523665556a50fd085b7c
SHA256

a3004d6d07609ce6155e0e6f7368a7f4f01551cc955cfe600c7af4f9260db5e9
SHA512

9295a7b4ee46237cc086226ef9ccc37a0cfd576973577259eee90f5f7786e046cc204f3b95fe4f00a4d033019c4927d5f1d954e6c93c45e62391cb6baac2da09
SSDEEP

12288:GMrry90pdzxS9/rvfjnbvHSHXd2sfn0Eml5P7QAD2mcr:Byd9/rXjnjIN2s6l5P7qm4

Score

10^/10

redline diza discovery infostealer persistence spyware stealer

Malware Config

Extracted

Family

redline

Botnet

diza

C2

83.97.73.126:19046

Attributes

auth_value
0d09b419c8bc967f91c68be4a17e92ee

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Executes dropped EXE 3 IoCs

pid	Process
4684	x4520650.exe
632	x6788424.exe
2584	f7612335.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	a3004d6d07609ce6155e0e6f7368a7f4f01551cc955cfe600c7af4f9260db5e9.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	a3004d6d07609ce6155e0e6f7368a7f4f01551cc955cfe600c7af4f9260db5e9.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	x4520650.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	x4520650.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	x6788424.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	x6788424.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Suspicious behavior: EnumeratesProcesses 35 IoCs

pid	Process
2584	f7612335.exe
2584	f7612335.exe
2584	f7612335.exe
2584	f7612335.exe
2584	f7612335.exe
2584	f7612335.exe
2584	f7612335.exe
2584	f7612335.exe
2584	f7612335.exe
2584	f7612335.exe
2584	f7612335.exe
2584	f7612335.exe
2584	f7612335.exe
2584	f7612335.exe
2584	f7612335.exe
2584	f7612335.exe
2584	f7612335.exe
2584	f7612335.exe
2584	f7612335.exe
2584	f7612335.exe
2584	f7612335.exe
2584	f7612335.exe
2584	f7612335.exe
2584	f7612335.exe
2584	f7612335.exe
2584	f7612335.exe
2584	f7612335.exe
2584	f7612335.exe
2584	f7612335.exe
2584	f7612335.exe
2584	f7612335.exe
2584	f7612335.exe
2584	f7612335.exe
2584	f7612335.exe
2584	f7612335.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2584	f7612335.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 1488 wrote to memory of 4684	1488	a3004d6d07609ce6155e0e6f7368a7f4f01551cc955cfe600c7af4f9260db5e9.exe	83
PID 1488 wrote to memory of 4684	1488	a3004d6d07609ce6155e0e6f7368a7f4f01551cc955cfe600c7af4f9260db5e9.exe	83
PID 1488 wrote to memory of 4684	1488	a3004d6d07609ce6155e0e6f7368a7f4f01551cc955cfe600c7af4f9260db5e9.exe	83
PID 4684 wrote to memory of 632	4684	x4520650.exe	84
PID 4684 wrote to memory of 632	4684	x4520650.exe	84
PID 4684 wrote to memory of 632	4684	x4520650.exe	84
PID 632 wrote to memory of 2584	632	x6788424.exe	85
PID 632 wrote to memory of 2584	632	x6788424.exe	85
PID 632 wrote to memory of 2584	632	x6788424.exe	85

C:\Users\Admin\AppData\Local\Temp\a3004d6d07609ce6155e0e6f7368a7f4f01551cc955cfe600c7af4f9260db5e9.exe
"C:\Users\Admin\AppData\Local\Temp\a3004d6d07609ce6155e0e6f7368a7f4f01551cc955cfe600c7af4f9260db5e9.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1488
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x4520650.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x4520650.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:4684
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x6788424.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x6788424.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:632
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\f7612335.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\f7612335.exe
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2584

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Credentials in Files

1

T1081

Discovery

Query Registry

1

T1012

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x4520650.exe

Filesize
378KB

MD5
55882cbe5ce5cbfdb2a837cbd9ad195f

SHA1
6429c5dfe3c9e279e08b1224e2bece5e2bb392d5

SHA256
48b41c875fdedcc1310723bca799e5165bb649cca082a6e5fb2f6f20089f6ec7

SHA512
f993a061c8f226d0adf28afcbbed439d58cdc97fa401e1f7dc759650594e3889dc51345c10aecfec2e1603a371e3d5d96890dc10165deeb802aba0fcea165feb

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x4520650.exe

Filesize
378KB

MD5
55882cbe5ce5cbfdb2a837cbd9ad195f

SHA1
6429c5dfe3c9e279e08b1224e2bece5e2bb392d5

SHA256
48b41c875fdedcc1310723bca799e5165bb649cca082a6e5fb2f6f20089f6ec7

SHA512
f993a061c8f226d0adf28afcbbed439d58cdc97fa401e1f7dc759650594e3889dc51345c10aecfec2e1603a371e3d5d96890dc10165deeb802aba0fcea165feb

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x6788424.exe

Filesize
206KB

MD5
9c6af94d3a66c46878f1ec0ddbb209fe

SHA1
e87f44041ca54b4d98ca696724868f0374916e50

SHA256
717c59491222ae3fb6cefa42e138a7b438f616d8058823aae945969868083d15

SHA512
275d37ca11c9123849965a8fe91c622a775244a1a3b4400bf6bdbab528ac8c7ff4abb4c11ccfb2e8b85a6fd1ae058116071b65de6654476e5e265fc585f28b36

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x6788424.exe

Filesize
206KB

MD5
9c6af94d3a66c46878f1ec0ddbb209fe

SHA1
e87f44041ca54b4d98ca696724868f0374916e50

SHA256
717c59491222ae3fb6cefa42e138a7b438f616d8058823aae945969868083d15

SHA512
275d37ca11c9123849965a8fe91c622a775244a1a3b4400bf6bdbab528ac8c7ff4abb4c11ccfb2e8b85a6fd1ae058116071b65de6654476e5e265fc585f28b36

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\f7612335.exe

Filesize
173KB

MD5
a96d10f659c3910571cca0e6d84fb847

SHA1
054f4bc63c206804588ecef549a5c81d3f836411

SHA256
dcc00e21d555eb7c3fbba01dfddc37332e9d4f8fbfad0e2773fb8a827efdb0f6

SHA512
a5b3c4a545e559292290e5e55afaa7450210e14da4bd1f8d830850d1b2d31967e1ac23c0ca50b381091ad599307e56a85329f286ca905ac0d23cc84d5e139c64

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\f7612335.exe

Filesize
173KB

MD5
a96d10f659c3910571cca0e6d84fb847

SHA1
054f4bc63c206804588ecef549a5c81d3f836411

SHA256
dcc00e21d555eb7c3fbba01dfddc37332e9d4f8fbfad0e2773fb8a827efdb0f6

SHA512
a5b3c4a545e559292290e5e55afaa7450210e14da4bd1f8d830850d1b2d31967e1ac23c0ca50b381091ad599307e56a85329f286ca905ac0d23cc84d5e139c64

Download Submit
memory/2584-154-0x00000000002B0000-0x00000000002E0000-memory.dmp

Filesize
192KB

Download
memory/2584-155-0x000000000A610000-0x000000000AC28000-memory.dmp

Filesize
6.1MB

Download
memory/2584-156-0x000000000A100000-0x000000000A20A000-memory.dmp

Filesize
1.0MB

Download
memory/2584-157-0x000000000A030000-0x000000000A042000-memory.dmp

Filesize
72KB

Download
memory/2584-158-0x000000000A090000-0x000000000A0CC000-memory.dmp

Filesize
240KB

Download
memory/2584-159-0x0000000004C60000-0x0000000004C70000-memory.dmp

Filesize
64KB

Download
memory/2584-160-0x000000000A3A0000-0x000000000A416000-memory.dmp

Filesize
472KB

Download
memory/2584-161-0x000000000A4C0000-0x000000000A552000-memory.dmp

Filesize
584KB

Download
memory/2584-162-0x000000000B1E0000-0x000000000B784000-memory.dmp

Filesize
5.6MB

Download
memory/2584-163-0x000000000A560000-0x000000000A5C6000-memory.dmp

Filesize
408KB

Download
memory/2584-164-0x0000000004C60000-0x0000000004C70000-memory.dmp

Filesize
64KB

Download
memory/2584-165-0x000000000B0F0000-0x000000000B140000-memory.dmp

Filesize
320KB

Download
memory/2584-166-0x000000000BA60000-0x000000000BC22000-memory.dmp

Filesize
1.8MB

Download
memory/2584-167-0x000000000C160000-0x000000000C68C000-memory.dmp

Filesize
5.2MB

Download

Analysis

Sharing