redline | 547b01aeaaf7d03d0c8328a6c2998089761d55c88e0940ce3fbf0e0725a911a8

Analysis

max time kernel
146s
max time network
150s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
06-06-2023 01:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

683f5114e5f6f5b9397b80b4fccd1d3e2f0ff02b8c1ab1c98781a1b344e0324d.exe
Size

581KB
MD5

be34d9defd842eacc8847f254ad3b29c
SHA1

e826092ec3504659b37bdcdb3626a648effb48d9
SHA256

683f5114e5f6f5b9397b80b4fccd1d3e2f0ff02b8c1ab1c98781a1b344e0324d
SHA512

db5a87736c31879ffd0bfa0b83d4842195ceb1c955d6b8784766d7e4e074b876aab0f69c3d30342de2020d33b361c6291cf02872f8b26292d92bfd425432a016
SSDEEP

12288:bMrMy90KKEQUOHiIz1mqu/Jtx6O0bE9ljsyFQJljIqX1qp+cB22:Dy3vQl/zsZHx6FEzF+KzgcA2

Score

10^/10

redline diza infostealer persistence

Malware Config

Extracted

Family

redline

Botnet

diza

83.97.73.126:19046

Attributes

auth_value
0d09b419c8bc967f91c68be4a17e92ee

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Executes dropped EXE 3 IoCs

pid	Process
1744	x2602851.exe
432	x2100364.exe
468	f3890861.exe

Loads dropped DLL 6 IoCs

pid	Process
1580	683f5114e5f6f5b9397b80b4fccd1d3e2f0ff02b8c1ab1c98781a1b344e0324d.exe
1744	x2602851.exe
1744	x2602851.exe
432	x2100364.exe
432	x2100364.exe
468	f3890861.exe

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	683f5114e5f6f5b9397b80b4fccd1d3e2f0ff02b8c1ab1c98781a1b344e0324d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	683f5114e5f6f5b9397b80b4fccd1d3e2f0ff02b8c1ab1c98781a1b344e0324d.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	x2602851.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	x2602851.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	x2100364.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	x2100364.exe

Suspicious use of WriteProcessMemory 21 IoCs

description	pid	Process	procid_target
PID 1580 wrote to memory of 1744	1580	683f5114e5f6f5b9397b80b4fccd1d3e2f0ff02b8c1ab1c98781a1b344e0324d.exe	28
PID 1580 wrote to memory of 1744	1580	683f5114e5f6f5b9397b80b4fccd1d3e2f0ff02b8c1ab1c98781a1b344e0324d.exe	28
PID 1580 wrote to memory of 1744	1580	683f5114e5f6f5b9397b80b4fccd1d3e2f0ff02b8c1ab1c98781a1b344e0324d.exe	28
PID 1580 wrote to memory of 1744	1580	683f5114e5f6f5b9397b80b4fccd1d3e2f0ff02b8c1ab1c98781a1b344e0324d.exe	28
PID 1580 wrote to memory of 1744	1580	683f5114e5f6f5b9397b80b4fccd1d3e2f0ff02b8c1ab1c98781a1b344e0324d.exe	28
PID 1580 wrote to memory of 1744	1580	683f5114e5f6f5b9397b80b4fccd1d3e2f0ff02b8c1ab1c98781a1b344e0324d.exe	28
PID 1580 wrote to memory of 1744	1580	683f5114e5f6f5b9397b80b4fccd1d3e2f0ff02b8c1ab1c98781a1b344e0324d.exe	28
PID 1744 wrote to memory of 432	1744	x2602851.exe	29
PID 1744 wrote to memory of 432	1744	x2602851.exe	29
PID 1744 wrote to memory of 432	1744	x2602851.exe	29
PID 1744 wrote to memory of 432	1744	x2602851.exe	29
PID 1744 wrote to memory of 432	1744	x2602851.exe	29
PID 1744 wrote to memory of 432	1744	x2602851.exe	29
PID 1744 wrote to memory of 432	1744	x2602851.exe	29
PID 432 wrote to memory of 468	432	x2100364.exe	30
PID 432 wrote to memory of 468	432	x2100364.exe	30
PID 432 wrote to memory of 468	432	x2100364.exe	30
PID 432 wrote to memory of 468	432	x2100364.exe	30
PID 432 wrote to memory of 468	432	x2100364.exe	30
PID 432 wrote to memory of 468	432	x2100364.exe	30
PID 432 wrote to memory of 468	432	x2100364.exe	30

C:\Users\Admin\AppData\Local\Temp\683f5114e5f6f5b9397b80b4fccd1d3e2f0ff02b8c1ab1c98781a1b344e0324d.exe
"C:\Users\Admin\AppData\Local\Temp\683f5114e5f6f5b9397b80b4fccd1d3e2f0ff02b8c1ab1c98781a1b344e0324d.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1580
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x2602851.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x2602851.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:1744
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x2100364.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x2100364.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:432
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\f3890861.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\f3890861.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:468

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x2602851.exe

Filesize
377KB

MD5
2b38245532d40b9ba023c90e5d36e333

SHA1
6b5c407a7fcfe631aefb7ceb8319496f4e5f9b05

SHA256
adf27270c8537324cffb8246e98c3868d5d5007db1f9579c195fc195abbc2b5c

SHA512
62292993c18108b0d03ab7350f6f600e0b2697136262e8d7e40c6fc33fcad311df5ff5820ef176663d7af6873acd2f5e9c8c38cce2c70d8a856a6e4e6256ad63

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x2602851.exe

Filesize
377KB

MD5
2b38245532d40b9ba023c90e5d36e333

SHA1
6b5c407a7fcfe631aefb7ceb8319496f4e5f9b05

SHA256
adf27270c8537324cffb8246e98c3868d5d5007db1f9579c195fc195abbc2b5c

SHA512
62292993c18108b0d03ab7350f6f600e0b2697136262e8d7e40c6fc33fcad311df5ff5820ef176663d7af6873acd2f5e9c8c38cce2c70d8a856a6e4e6256ad63

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x2100364.exe

Filesize
206KB

MD5
c67b19593019e7250c19ac2a222d81ee

SHA1
48248d0def119cc3b2fc9bdc591cbb235d38928f

SHA256
023b7b2e7f80b3580709a87377d478a276c625f4a5ea8b5adee91dbb15b98824

SHA512
1692086d88ad9eeec52f74fd6319a54a8244bc90e183b9703705d22592a4e9fd7b209bf03ab6b6942c8e6b74054f3a2aacdd42e6282feb999874610430b6fa53

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x2100364.exe

Filesize
206KB

MD5
c67b19593019e7250c19ac2a222d81ee

SHA1
48248d0def119cc3b2fc9bdc591cbb235d38928f

SHA256
023b7b2e7f80b3580709a87377d478a276c625f4a5ea8b5adee91dbb15b98824

SHA512
1692086d88ad9eeec52f74fd6319a54a8244bc90e183b9703705d22592a4e9fd7b209bf03ab6b6942c8e6b74054f3a2aacdd42e6282feb999874610430b6fa53

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\f3890861.exe

Filesize
172KB

MD5
950089ad29ff0c81e1a0f1c065e9dda8

SHA1
5b64294c9afc8f7a4dabe536908214feaaacb94a

SHA256
c0fc7f9fe03eaba1318ed279ec219eac3d08f450c3ce86c14f63866448acd075

SHA512
316c8b76d62fa729cab3261eefa784e48109939a5167a87b72134905113ec37e4926125373e838cf3dd3e83a9eb564543d9bd53b78adc6ae0bcf530e8125597c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\f3890861.exe

Filesize
172KB

MD5
950089ad29ff0c81e1a0f1c065e9dda8

SHA1
5b64294c9afc8f7a4dabe536908214feaaacb94a

SHA256
c0fc7f9fe03eaba1318ed279ec219eac3d08f450c3ce86c14f63866448acd075

SHA512
316c8b76d62fa729cab3261eefa784e48109939a5167a87b72134905113ec37e4926125373e838cf3dd3e83a9eb564543d9bd53b78adc6ae0bcf530e8125597c

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\x2602851.exe

Filesize
377KB

MD5
2b38245532d40b9ba023c90e5d36e333

SHA1
6b5c407a7fcfe631aefb7ceb8319496f4e5f9b05

SHA256
adf27270c8537324cffb8246e98c3868d5d5007db1f9579c195fc195abbc2b5c

SHA512
62292993c18108b0d03ab7350f6f600e0b2697136262e8d7e40c6fc33fcad311df5ff5820ef176663d7af6873acd2f5e9c8c38cce2c70d8a856a6e4e6256ad63

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\x2602851.exe

Filesize
377KB

MD5
2b38245532d40b9ba023c90e5d36e333

SHA1
6b5c407a7fcfe631aefb7ceb8319496f4e5f9b05

SHA256
adf27270c8537324cffb8246e98c3868d5d5007db1f9579c195fc195abbc2b5c

SHA512
62292993c18108b0d03ab7350f6f600e0b2697136262e8d7e40c6fc33fcad311df5ff5820ef176663d7af6873acd2f5e9c8c38cce2c70d8a856a6e4e6256ad63

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\x2100364.exe

Filesize
206KB

MD5
c67b19593019e7250c19ac2a222d81ee

SHA1
48248d0def119cc3b2fc9bdc591cbb235d38928f

SHA256
023b7b2e7f80b3580709a87377d478a276c625f4a5ea8b5adee91dbb15b98824

SHA512
1692086d88ad9eeec52f74fd6319a54a8244bc90e183b9703705d22592a4e9fd7b209bf03ab6b6942c8e6b74054f3a2aacdd42e6282feb999874610430b6fa53

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\x2100364.exe

Filesize
206KB

MD5
c67b19593019e7250c19ac2a222d81ee

SHA1
48248d0def119cc3b2fc9bdc591cbb235d38928f

SHA256
023b7b2e7f80b3580709a87377d478a276c625f4a5ea8b5adee91dbb15b98824

SHA512
1692086d88ad9eeec52f74fd6319a54a8244bc90e183b9703705d22592a4e9fd7b209bf03ab6b6942c8e6b74054f3a2aacdd42e6282feb999874610430b6fa53

Download Submit
\Users\Admin\AppData\Local\Temp\IXP002.TMP\f3890861.exe

Filesize
172KB

MD5
950089ad29ff0c81e1a0f1c065e9dda8

SHA1
5b64294c9afc8f7a4dabe536908214feaaacb94a

SHA256
c0fc7f9fe03eaba1318ed279ec219eac3d08f450c3ce86c14f63866448acd075

SHA512
316c8b76d62fa729cab3261eefa784e48109939a5167a87b72134905113ec37e4926125373e838cf3dd3e83a9eb564543d9bd53b78adc6ae0bcf530e8125597c

Download Submit
\Users\Admin\AppData\Local\Temp\IXP002.TMP\f3890861.exe

Filesize
172KB

MD5
950089ad29ff0c81e1a0f1c065e9dda8

SHA1
5b64294c9afc8f7a4dabe536908214feaaacb94a

SHA256
c0fc7f9fe03eaba1318ed279ec219eac3d08f450c3ce86c14f63866448acd075

SHA512
316c8b76d62fa729cab3261eefa784e48109939a5167a87b72134905113ec37e4926125373e838cf3dd3e83a9eb564543d9bd53b78adc6ae0bcf530e8125597c

Download Submit
memory/468-84-0x0000000000CC0000-0x0000000000CF0000-memory.dmp

Filesize
192KB

Download
memory/468-85-0x00000000001E0000-0x00000000001E6000-memory.dmp

Filesize
24KB

Download
memory/468-86-0x00000000025D0000-0x0000000002610000-memory.dmp

Filesize
256KB

Download
memory/468-87-0x00000000025D0000-0x0000000002610000-memory.dmp

Filesize
256KB

Download