redline | dc0c2afadac0b53ac6bd604a4975a2c67fc55a3e0db84b6f4b8c877035cf703e

General

Target

01631899.exe
Size

579KB
MD5

e57bd800c2b9b6f8c5c3324fe024c3ae
SHA1

b8fd5b38b20f8cfdf4a008cea73e16f67cf116b7
SHA256

dc0c2afadac0b53ac6bd604a4975a2c67fc55a3e0db84b6f4b8c877035cf703e
SHA512

391b238c2eae9d176f0d5ac48864574b8d53655b8901cde0411a16a76662e120a527d7d8755fa8529da9b3f7cfc0def1e35ea548ca1e0442577874a26a8ca4c6
SSDEEP

12288:eMrUy90yhscc2tsay19JXhfeTrMYzNIJYZbUjqf1JU1us1sdl:Gyucrty19JXh2T4LwbQGJoLSD

Score

10^/10

redline diza infostealer persistence

Malware Config

Extracted

Family

redline

Botnet

diza

C2

83.97.73.126:19046

Attributes

auth_value
0d09b419c8bc967f91c68be4a17e92ee

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Executes dropped EXE 3 IoCs

pid	Process
4932	x8653931.exe
2004	x2855363.exe
4036	f3594472.exe

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	x8653931.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	x8653931.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	x2855363.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	x2855363.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	01631899.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	01631899.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 4000 wrote to memory of 4932	4000	01631899.exe	88
PID 4000 wrote to memory of 4932	4000	01631899.exe	88
PID 4000 wrote to memory of 4932	4000	01631899.exe	88
PID 4932 wrote to memory of 2004	4932	x8653931.exe	89
PID 4932 wrote to memory of 2004	4932	x8653931.exe	89
PID 4932 wrote to memory of 2004	4932	x8653931.exe	89
PID 2004 wrote to memory of 4036	2004	x2855363.exe	90
PID 2004 wrote to memory of 4036	2004	x2855363.exe	90
PID 2004 wrote to memory of 4036	2004	x2855363.exe	90

C:\Users\Admin\AppData\Local\Temp\01631899.exe
"C:\Users\Admin\AppData\Local\Temp\01631899.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4000
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x8653931.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x8653931.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:4932
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x2855363.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x2855363.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:2004
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\f3594472.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\f3594472.exe
      4⤵
      Executes dropped EXE
      PID:4036

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x8653931.exe

Filesize
377KB

MD5
90370b71de6d5bb7c0b2aa7de45a43fe

SHA1
976a1504023e7642faeb8cc536e072d6a582eab5

SHA256
0b9ace78167f765bc039f553ebad87328d1049e0c64370613331f3ea4f43d40d

SHA512
23ef907c0c6e015baeda1a6fdad105c55e3c9ffb15a06f1250ead5711b658a78f54c261062dae2ef120a83a23efac8b757df13160414fca83997a127edd40c0e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x8653931.exe

Filesize
377KB

MD5
90370b71de6d5bb7c0b2aa7de45a43fe

SHA1
976a1504023e7642faeb8cc536e072d6a582eab5

SHA256
0b9ace78167f765bc039f553ebad87328d1049e0c64370613331f3ea4f43d40d

SHA512
23ef907c0c6e015baeda1a6fdad105c55e3c9ffb15a06f1250ead5711b658a78f54c261062dae2ef120a83a23efac8b757df13160414fca83997a127edd40c0e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x2855363.exe

Filesize
206KB

MD5
cd99fea0ef621a4a4646e6305f3654d9

SHA1
d870371404ecd4d2ca1b2007ef41888d11985df7

SHA256
313eed3e2edecc98e67208d0f59f2bc50b46590a04e3443f9e6bc3b01517557c

SHA512
5c5bb71eddde9c41b6604687141bc0033647fc75cc311d1ea67648460dc702ca13c739858fe658e21a47b6fd112ee3fbfd9fe4177c7fcf53b543c0a9e912bd2a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x2855363.exe

Filesize
206KB

MD5
cd99fea0ef621a4a4646e6305f3654d9

SHA1
d870371404ecd4d2ca1b2007ef41888d11985df7

SHA256
313eed3e2edecc98e67208d0f59f2bc50b46590a04e3443f9e6bc3b01517557c

SHA512
5c5bb71eddde9c41b6604687141bc0033647fc75cc311d1ea67648460dc702ca13c739858fe658e21a47b6fd112ee3fbfd9fe4177c7fcf53b543c0a9e912bd2a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\f3594472.exe

Filesize
173KB

MD5
822e1095a45947051150f1b645c1965c

SHA1
cb869809d65cd23cc55a73e39e79cbcacfa6e692

SHA256
ed5824f85bf64f28466a405b09df3bbb005dc90a7153f26b4a4e6d290ec4ed61

SHA512
7cb1b3e044e8578e19afb2eaf6b082fdb30067de1bf53f186cd421c89baabdbf8eca0880cad1d0531c747a1144ee0f9c9915ea88a92380e4d33bf7b9fac59b0d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\f3594472.exe

Filesize
173KB

MD5
822e1095a45947051150f1b645c1965c

SHA1
cb869809d65cd23cc55a73e39e79cbcacfa6e692

SHA256
ed5824f85bf64f28466a405b09df3bbb005dc90a7153f26b4a4e6d290ec4ed61

SHA512
7cb1b3e044e8578e19afb2eaf6b082fdb30067de1bf53f186cd421c89baabdbf8eca0880cad1d0531c747a1144ee0f9c9915ea88a92380e4d33bf7b9fac59b0d

Download Submit
memory/4036-154-0x0000000000510000-0x0000000000540000-memory.dmp

Filesize
192KB

Download
memory/4036-155-0x000000000A9B0000-0x000000000AFC8000-memory.dmp

Filesize
6.1MB

Download
memory/4036-156-0x000000000A4A0000-0x000000000A5AA000-memory.dmp

Filesize
1.0MB

Download
memory/4036-157-0x000000000A3D0000-0x000000000A3E2000-memory.dmp

Filesize
72KB

Download
memory/4036-158-0x000000000A430000-0x000000000A46C000-memory.dmp

Filesize
240KB

Download
memory/4036-159-0x0000000004F00000-0x0000000004F10000-memory.dmp

Filesize
64KB

Download
memory/4036-160-0x0000000004F00000-0x0000000004F10000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing