redline | 126a17d3c17bfc00c0b85bec0dd6be322664e5d1eee36289f0d4894d54db0db0

General

Target

126a17d3c17bfc00c0b85bec0dd6be322664e5d1eee36289f0d4894d54db0db0.exe
Size

578KB
MD5

0a7e31abb542a4d4a9a2c6533dd4fd97
SHA1

1e8918213184f9ba58066a8fd422f06e975e5c68
SHA256

126a17d3c17bfc00c0b85bec0dd6be322664e5d1eee36289f0d4894d54db0db0
SHA512

5da9404585b3b478e162c7a47e4fd75e3665634a9881a0237179b97797cb009cdc45c307920e58785e5ea3f5451a9d6e01370954671257f894afd2c5303da299
SSDEEP

12288:aMrdy90P7WK78bz45BHTd1KdKvtjxEEOXUQh:7yG4bz45hdSKvtjxEdr

Score

10^/10

redline diza discovery infostealer persistence spyware stealer

Malware Config

Extracted

Family

redline

Botnet

diza

C2

83.97.73.126:19048

Attributes

auth_value
0d09b419c8bc967f91c68be4a17e92ee

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Executes dropped EXE 3 IoCs

pid	Process
3968	x4215179.exe
1420	x6925272.exe
2068	f4532828.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	126a17d3c17bfc00c0b85bec0dd6be322664e5d1eee36289f0d4894d54db0db0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	126a17d3c17bfc00c0b85bec0dd6be322664e5d1eee36289f0d4894d54db0db0.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	x4215179.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	x4215179.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	x6925272.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	x6925272.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Suspicious behavior: EnumeratesProcesses 32 IoCs

pid	Process
2068	f4532828.exe
2068	f4532828.exe
2068	f4532828.exe
2068	f4532828.exe
2068	f4532828.exe
2068	f4532828.exe
2068	f4532828.exe
2068	f4532828.exe
2068	f4532828.exe
2068	f4532828.exe
2068	f4532828.exe
2068	f4532828.exe
2068	f4532828.exe
2068	f4532828.exe
2068	f4532828.exe
2068	f4532828.exe
2068	f4532828.exe
2068	f4532828.exe
2068	f4532828.exe
2068	f4532828.exe
2068	f4532828.exe
2068	f4532828.exe
2068	f4532828.exe
2068	f4532828.exe
2068	f4532828.exe
2068	f4532828.exe
2068	f4532828.exe
2068	f4532828.exe
2068	f4532828.exe
2068	f4532828.exe
2068	f4532828.exe
2068	f4532828.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2068	f4532828.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 1608 wrote to memory of 3968	1608	126a17d3c17bfc00c0b85bec0dd6be322664e5d1eee36289f0d4894d54db0db0.exe	66
PID 1608 wrote to memory of 3968	1608	126a17d3c17bfc00c0b85bec0dd6be322664e5d1eee36289f0d4894d54db0db0.exe	66
PID 1608 wrote to memory of 3968	1608	126a17d3c17bfc00c0b85bec0dd6be322664e5d1eee36289f0d4894d54db0db0.exe	66
PID 3968 wrote to memory of 1420	3968	x4215179.exe	67
PID 3968 wrote to memory of 1420	3968	x4215179.exe	67
PID 3968 wrote to memory of 1420	3968	x4215179.exe	67
PID 1420 wrote to memory of 2068	1420	x6925272.exe	68
PID 1420 wrote to memory of 2068	1420	x6925272.exe	68
PID 1420 wrote to memory of 2068	1420	x6925272.exe	68

C:\Users\Admin\AppData\Local\Temp\126a17d3c17bfc00c0b85bec0dd6be322664e5d1eee36289f0d4894d54db0db0.exe
"C:\Users\Admin\AppData\Local\Temp\126a17d3c17bfc00c0b85bec0dd6be322664e5d1eee36289f0d4894d54db0db0.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1608
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x4215179.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x4215179.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:3968
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x6925272.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x6925272.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:1420
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\f4532828.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\f4532828.exe
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2068

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Credentials in Files

2

T1081

Discovery

Query Registry

1

T1012

Lateral Movement

Collection

Data from Local System

2

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x4215179.exe

Filesize
377KB

MD5
eaa1f172b8a3810af09b73097f4cbbbb

SHA1
b60a9c75cdb14b2c06adf10e452ccb840abd8cdc

SHA256
1e840d46762c669e68c73ee846007b32543e8735b136479d4fdc28d18a20d0b4

SHA512
47929564be193a7fd22ef4619b6b43da5b11b063b612143e960d52383d69d740f5f620f86ae4d7c88ed7053a853a00396effc223607837e0b1d8cba2d332c3ea

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x4215179.exe

Filesize
377KB

MD5
eaa1f172b8a3810af09b73097f4cbbbb

SHA1
b60a9c75cdb14b2c06adf10e452ccb840abd8cdc

SHA256
1e840d46762c669e68c73ee846007b32543e8735b136479d4fdc28d18a20d0b4

SHA512
47929564be193a7fd22ef4619b6b43da5b11b063b612143e960d52383d69d740f5f620f86ae4d7c88ed7053a853a00396effc223607837e0b1d8cba2d332c3ea

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x6925272.exe

Filesize
206KB

MD5
0a6991689b2b9703e761297a41e28fac

SHA1
0f26deb16e8f15f45b28f3c30eea63a9eea96fc1

SHA256
f5fcd4c9d36ac16cf3958cd1368c3efd65b2a5b7a126183d28e660b523e3b1ef

SHA512
e6315a60495788e55f9b05fc7e23415ced7d7a6eec82ce234c873e177efb83c529b0afb8287be9b17941017ddc6d408f953f2645c05d1ec538507cbcf03d4c44

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x6925272.exe

Filesize
206KB

MD5
0a6991689b2b9703e761297a41e28fac

SHA1
0f26deb16e8f15f45b28f3c30eea63a9eea96fc1

SHA256
f5fcd4c9d36ac16cf3958cd1368c3efd65b2a5b7a126183d28e660b523e3b1ef

SHA512
e6315a60495788e55f9b05fc7e23415ced7d7a6eec82ce234c873e177efb83c529b0afb8287be9b17941017ddc6d408f953f2645c05d1ec538507cbcf03d4c44

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\f4532828.exe

Filesize
173KB

MD5
045bbc927eaeb2180a0f1cd8e58ff3ec

SHA1
224518aacd4d2ab7a027368cce1208e77b8ae6ab

SHA256
8114bf446b10d8df1447ec5bc0d448100c0afc9d40d29b6c5c90256f6e0ed1c4

SHA512
744a4d1f33406701795f1bec992c93741ff3cc8d8b6641407e74610e55b77c45a29575797f5c1db222c3010814afed3d33e462f5c617ef15f42fdc6d9cb7585f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\f4532828.exe

Filesize
173KB

MD5
045bbc927eaeb2180a0f1cd8e58ff3ec

SHA1
224518aacd4d2ab7a027368cce1208e77b8ae6ab

SHA256
8114bf446b10d8df1447ec5bc0d448100c0afc9d40d29b6c5c90256f6e0ed1c4

SHA512
744a4d1f33406701795f1bec992c93741ff3cc8d8b6641407e74610e55b77c45a29575797f5c1db222c3010814afed3d33e462f5c617ef15f42fdc6d9cb7585f

Download Submit
memory/2068-141-0x0000000000150000-0x0000000000180000-memory.dmp

Filesize
192KB

Download
memory/2068-142-0x0000000004900000-0x0000000004906000-memory.dmp

Filesize
24KB

Download
memory/2068-143-0x0000000005040000-0x0000000005646000-memory.dmp

Filesize
6.0MB

Download
memory/2068-144-0x0000000004B40000-0x0000000004C4A000-memory.dmp

Filesize
1.0MB

Download
memory/2068-145-0x0000000004A60000-0x0000000004A72000-memory.dmp

Filesize
72KB

Download
memory/2068-146-0x0000000004920000-0x0000000004930000-memory.dmp

Filesize
64KB

Download
memory/2068-147-0x0000000004AC0000-0x0000000004AFE000-memory.dmp

Filesize
248KB

Download
memory/2068-148-0x0000000004C50000-0x0000000004C9B000-memory.dmp

Filesize
300KB

Download
memory/2068-149-0x0000000004DE0000-0x0000000004E56000-memory.dmp

Filesize
472KB

Download
memory/2068-150-0x0000000004F00000-0x0000000004F92000-memory.dmp

Filesize
584KB

Download
memory/2068-151-0x0000000006060000-0x000000000655E000-memory.dmp

Filesize
5.0MB

Download
memory/2068-152-0x0000000004FA0000-0x0000000005006000-memory.dmp

Filesize
408KB

Download
memory/2068-153-0x00000000057C0000-0x0000000005810000-memory.dmp

Filesize
320KB

Download
memory/2068-154-0x0000000004920000-0x0000000004930000-memory.dmp

Filesize
64KB

Download
memory/2068-155-0x0000000006560000-0x0000000006722000-memory.dmp

Filesize
1.8MB

Download
memory/2068-156-0x00000000082E0000-0x000000000880C000-memory.dmp

Filesize
5.2MB

Download

Analysis

Sharing