redline | dc0c2afadac0b53ac6bd604a4975a2c67fc55a3e0db84b6f4b8c877035cf703e

Analysis

max time kernel
147s
max time network
150s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
05/06/2023, 11:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

01631899.exe
Size

579KB
MD5

e57bd800c2b9b6f8c5c3324fe024c3ae
SHA1

b8fd5b38b20f8cfdf4a008cea73e16f67cf116b7
SHA256

dc0c2afadac0b53ac6bd604a4975a2c67fc55a3e0db84b6f4b8c877035cf703e
SHA512

391b238c2eae9d176f0d5ac48864574b8d53655b8901cde0411a16a76662e120a527d7d8755fa8529da9b3f7cfc0def1e35ea548ca1e0442577874a26a8ca4c6
SSDEEP

12288:eMrUy90yhscc2tsay19JXhfeTrMYzNIJYZbUjqf1JU1us1sdl:Gyucrty19JXh2T4LwbQGJoLSD

Score

10^/10

redline diza discovery infostealer persistence spyware stealer

Malware Config

Extracted

Family

redline

Botnet

diza

83.97.73.126:19046

Attributes

auth_value
0d09b419c8bc967f91c68be4a17e92ee

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Executes dropped EXE 3 IoCs

pid	Process
1124	x8653931.exe
1468	x2855363.exe
1308	f3594472.exe

Loads dropped DLL 6 IoCs

pid	Process
1772	01631899.exe
1124	x8653931.exe
1124	x8653931.exe
1468	x2855363.exe
1468	x2855363.exe
1308	f3594472.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	x2855363.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	x2855363.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	01631899.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	01631899.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	x8653931.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	x8653931.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
1308	f3594472.exe
1308	f3594472.exe
1308	f3594472.exe
1308	f3594472.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1308	f3594472.exe

Suspicious use of WriteProcessMemory 21 IoCs

description	pid	Process	procid_target
PID 1772 wrote to memory of 1124	1772	01631899.exe	28
PID 1772 wrote to memory of 1124	1772	01631899.exe	28
PID 1772 wrote to memory of 1124	1772	01631899.exe	28
PID 1772 wrote to memory of 1124	1772	01631899.exe	28
PID 1772 wrote to memory of 1124	1772	01631899.exe	28
PID 1772 wrote to memory of 1124	1772	01631899.exe	28
PID 1772 wrote to memory of 1124	1772	01631899.exe	28
PID 1124 wrote to memory of 1468	1124	x8653931.exe	29
PID 1124 wrote to memory of 1468	1124	x8653931.exe	29
PID 1124 wrote to memory of 1468	1124	x8653931.exe	29
PID 1124 wrote to memory of 1468	1124	x8653931.exe	29
PID 1124 wrote to memory of 1468	1124	x8653931.exe	29
PID 1124 wrote to memory of 1468	1124	x8653931.exe	29
PID 1124 wrote to memory of 1468	1124	x8653931.exe	29
PID 1468 wrote to memory of 1308	1468	x2855363.exe	30
PID 1468 wrote to memory of 1308	1468	x2855363.exe	30
PID 1468 wrote to memory of 1308	1468	x2855363.exe	30
PID 1468 wrote to memory of 1308	1468	x2855363.exe	30
PID 1468 wrote to memory of 1308	1468	x2855363.exe	30
PID 1468 wrote to memory of 1308	1468	x2855363.exe	30
PID 1468 wrote to memory of 1308	1468	x2855363.exe	30

C:\Users\Admin\AppData\Local\Temp\01631899.exe
"C:\Users\Admin\AppData\Local\Temp\01631899.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1772
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x8653931.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x8653931.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:1124
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x2855363.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x2855363.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:1468
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\f3594472.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\f3594472.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1308

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x8653931.exe

Filesize
377KB

MD5
90370b71de6d5bb7c0b2aa7de45a43fe

SHA1
976a1504023e7642faeb8cc536e072d6a582eab5

SHA256
0b9ace78167f765bc039f553ebad87328d1049e0c64370613331f3ea4f43d40d

SHA512
23ef907c0c6e015baeda1a6fdad105c55e3c9ffb15a06f1250ead5711b658a78f54c261062dae2ef120a83a23efac8b757df13160414fca83997a127edd40c0e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x8653931.exe

Filesize
377KB

MD5
90370b71de6d5bb7c0b2aa7de45a43fe

SHA1
976a1504023e7642faeb8cc536e072d6a582eab5

SHA256
0b9ace78167f765bc039f553ebad87328d1049e0c64370613331f3ea4f43d40d

SHA512
23ef907c0c6e015baeda1a6fdad105c55e3c9ffb15a06f1250ead5711b658a78f54c261062dae2ef120a83a23efac8b757df13160414fca83997a127edd40c0e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x2855363.exe

Filesize
206KB

MD5
cd99fea0ef621a4a4646e6305f3654d9

SHA1
d870371404ecd4d2ca1b2007ef41888d11985df7

SHA256
313eed3e2edecc98e67208d0f59f2bc50b46590a04e3443f9e6bc3b01517557c

SHA512
5c5bb71eddde9c41b6604687141bc0033647fc75cc311d1ea67648460dc702ca13c739858fe658e21a47b6fd112ee3fbfd9fe4177c7fcf53b543c0a9e912bd2a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x2855363.exe

Filesize
206KB

MD5
cd99fea0ef621a4a4646e6305f3654d9

SHA1
d870371404ecd4d2ca1b2007ef41888d11985df7

SHA256
313eed3e2edecc98e67208d0f59f2bc50b46590a04e3443f9e6bc3b01517557c

SHA512
5c5bb71eddde9c41b6604687141bc0033647fc75cc311d1ea67648460dc702ca13c739858fe658e21a47b6fd112ee3fbfd9fe4177c7fcf53b543c0a9e912bd2a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\f3594472.exe

Filesize
173KB

MD5
822e1095a45947051150f1b645c1965c

SHA1
cb869809d65cd23cc55a73e39e79cbcacfa6e692

SHA256
ed5824f85bf64f28466a405b09df3bbb005dc90a7153f26b4a4e6d290ec4ed61

SHA512
7cb1b3e044e8578e19afb2eaf6b082fdb30067de1bf53f186cd421c89baabdbf8eca0880cad1d0531c747a1144ee0f9c9915ea88a92380e4d33bf7b9fac59b0d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\f3594472.exe

Filesize
173KB

MD5
822e1095a45947051150f1b645c1965c

SHA1
cb869809d65cd23cc55a73e39e79cbcacfa6e692

SHA256
ed5824f85bf64f28466a405b09df3bbb005dc90a7153f26b4a4e6d290ec4ed61

SHA512
7cb1b3e044e8578e19afb2eaf6b082fdb30067de1bf53f186cd421c89baabdbf8eca0880cad1d0531c747a1144ee0f9c9915ea88a92380e4d33bf7b9fac59b0d

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\x8653931.exe

Filesize
377KB

MD5
90370b71de6d5bb7c0b2aa7de45a43fe

SHA1
976a1504023e7642faeb8cc536e072d6a582eab5

SHA256
0b9ace78167f765bc039f553ebad87328d1049e0c64370613331f3ea4f43d40d

SHA512
23ef907c0c6e015baeda1a6fdad105c55e3c9ffb15a06f1250ead5711b658a78f54c261062dae2ef120a83a23efac8b757df13160414fca83997a127edd40c0e

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\x8653931.exe

Filesize
377KB

MD5
90370b71de6d5bb7c0b2aa7de45a43fe

SHA1
976a1504023e7642faeb8cc536e072d6a582eab5

SHA256
0b9ace78167f765bc039f553ebad87328d1049e0c64370613331f3ea4f43d40d

SHA512
23ef907c0c6e015baeda1a6fdad105c55e3c9ffb15a06f1250ead5711b658a78f54c261062dae2ef120a83a23efac8b757df13160414fca83997a127edd40c0e

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\x2855363.exe

Filesize
206KB

MD5
cd99fea0ef621a4a4646e6305f3654d9

SHA1
d870371404ecd4d2ca1b2007ef41888d11985df7

SHA256
313eed3e2edecc98e67208d0f59f2bc50b46590a04e3443f9e6bc3b01517557c

SHA512
5c5bb71eddde9c41b6604687141bc0033647fc75cc311d1ea67648460dc702ca13c739858fe658e21a47b6fd112ee3fbfd9fe4177c7fcf53b543c0a9e912bd2a

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\x2855363.exe

Filesize
206KB

MD5
cd99fea0ef621a4a4646e6305f3654d9

SHA1
d870371404ecd4d2ca1b2007ef41888d11985df7

SHA256
313eed3e2edecc98e67208d0f59f2bc50b46590a04e3443f9e6bc3b01517557c

SHA512
5c5bb71eddde9c41b6604687141bc0033647fc75cc311d1ea67648460dc702ca13c739858fe658e21a47b6fd112ee3fbfd9fe4177c7fcf53b543c0a9e912bd2a

Download Submit
\Users\Admin\AppData\Local\Temp\IXP002.TMP\f3594472.exe

Filesize
173KB

MD5
822e1095a45947051150f1b645c1965c

SHA1
cb869809d65cd23cc55a73e39e79cbcacfa6e692

SHA256
ed5824f85bf64f28466a405b09df3bbb005dc90a7153f26b4a4e6d290ec4ed61

SHA512
7cb1b3e044e8578e19afb2eaf6b082fdb30067de1bf53f186cd421c89baabdbf8eca0880cad1d0531c747a1144ee0f9c9915ea88a92380e4d33bf7b9fac59b0d

Download Submit
\Users\Admin\AppData\Local\Temp\IXP002.TMP\f3594472.exe

Filesize
173KB

MD5
822e1095a45947051150f1b645c1965c

SHA1
cb869809d65cd23cc55a73e39e79cbcacfa6e692

SHA256
ed5824f85bf64f28466a405b09df3bbb005dc90a7153f26b4a4e6d290ec4ed61

SHA512
7cb1b3e044e8578e19afb2eaf6b082fdb30067de1bf53f186cd421c89baabdbf8eca0880cad1d0531c747a1144ee0f9c9915ea88a92380e4d33bf7b9fac59b0d

Download Submit
memory/1308-84-0x00000000000D0000-0x0000000000100000-memory.dmp

Filesize
192KB

Download
memory/1308-85-0x0000000000280000-0x0000000000286000-memory.dmp

Filesize
24KB

Download
memory/1308-86-0x0000000000C80000-0x0000000000CC0000-memory.dmp

Filesize
256KB

Download