redline | 00b6afe50e054bdd12a50bc3cb503c5acafbe0465713eb795455b925d35447b3

General

Target

00b6afe50e054bdd12a50bc3cb503c5acafbe0465713eb795455b925d35447b3.exe
Size

583KB
MD5

2aa282b29f53377aee548af79998eac9
SHA1

3c3aae5a2e4b4c7b7c6329f06c06caad8472afca
SHA256

00b6afe50e054bdd12a50bc3cb503c5acafbe0465713eb795455b925d35447b3
SHA512

31d787f6a24c4d948ff29778d7853547dd48cdf25d0761091083c31764f3aa523a3a90155eb89bae78f480abb5b9a41cff9a9ce4b19d2428f77a3efa2e4155a2
SSDEEP

12288:eMrly90zvJvSmFxgYozGaAqqXsd1n3D+XeNT6rHGVX0DLw59:HyChhozGtqDzTyq6rHWXqsP

Score

10^/10

redline diza infostealer persistence

Malware Config

Extracted

Family

redline

Botnet

diza

C2

83.97.73.126:19048

Attributes

auth_value
0d09b419c8bc967f91c68be4a17e92ee

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Executes dropped EXE 3 IoCs

pid	Process
4960	x1505090.exe
3000	x3304893.exe
4168	f6300551.exe

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	x3304893.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	x3304893.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	00b6afe50e054bdd12a50bc3cb503c5acafbe0465713eb795455b925d35447b3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	00b6afe50e054bdd12a50bc3cb503c5acafbe0465713eb795455b925d35447b3.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	x1505090.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	x1505090.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 1736 wrote to memory of 4960	1736	00b6afe50e054bdd12a50bc3cb503c5acafbe0465713eb795455b925d35447b3.exe	66
PID 1736 wrote to memory of 4960	1736	00b6afe50e054bdd12a50bc3cb503c5acafbe0465713eb795455b925d35447b3.exe	66
PID 1736 wrote to memory of 4960	1736	00b6afe50e054bdd12a50bc3cb503c5acafbe0465713eb795455b925d35447b3.exe	66
PID 4960 wrote to memory of 3000	4960	x1505090.exe	67
PID 4960 wrote to memory of 3000	4960	x1505090.exe	67
PID 4960 wrote to memory of 3000	4960	x1505090.exe	67
PID 3000 wrote to memory of 4168	3000	x3304893.exe	68
PID 3000 wrote to memory of 4168	3000	x3304893.exe	68
PID 3000 wrote to memory of 4168	3000	x3304893.exe	68

C:\Users\Admin\AppData\Local\Temp\00b6afe50e054bdd12a50bc3cb503c5acafbe0465713eb795455b925d35447b3.exe
"C:\Users\Admin\AppData\Local\Temp\00b6afe50e054bdd12a50bc3cb503c5acafbe0465713eb795455b925d35447b3.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1736
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x1505090.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x1505090.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:4960
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x3304893.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x3304893.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:3000
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\f6300551.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\f6300551.exe
      4⤵
      Executes dropped EXE
      PID:4168

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x1505090.exe

Filesize
377KB

MD5
e4400ae8e0a041c840c2292bc9993298

SHA1
26b99d9069477e9f1ec95470369df5d25ea274aa

SHA256
b661c182e090619d3f0665ff499d21673a61566fea24c46ce2c7e1cd15abd535

SHA512
44621c586a5b967d8dc0217f220889c56c044e81cdecc48acd9dfb5645d9cf59ce7bc547ddfce8e0f1662b29711679b4a4ae5b82c3bbe23cc326ec4c944f509f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x1505090.exe

Filesize
377KB

MD5
e4400ae8e0a041c840c2292bc9993298

SHA1
26b99d9069477e9f1ec95470369df5d25ea274aa

SHA256
b661c182e090619d3f0665ff499d21673a61566fea24c46ce2c7e1cd15abd535

SHA512
44621c586a5b967d8dc0217f220889c56c044e81cdecc48acd9dfb5645d9cf59ce7bc547ddfce8e0f1662b29711679b4a4ae5b82c3bbe23cc326ec4c944f509f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x3304893.exe

Filesize
206KB

MD5
edc1e6fb18249da37538acbff523bcc6

SHA1
a097385e8032e5cd633fa2fd9b22f7f5fc3a428d

SHA256
8027f4f5758c6326b3764d6f9b3a1fb1ada2bfc2175bb10af3e5ceb90b805bdd

SHA512
bf35c31c5272d6ac64d73f8827f3b1db173eb7e70bf8776f333bf1ba9c58aa0edef9adc595304c6e4c04cd0a3d3a3e56324ac280c9403d3c8cc949b95602d1df

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x3304893.exe

Filesize
206KB

MD5
edc1e6fb18249da37538acbff523bcc6

SHA1
a097385e8032e5cd633fa2fd9b22f7f5fc3a428d

SHA256
8027f4f5758c6326b3764d6f9b3a1fb1ada2bfc2175bb10af3e5ceb90b805bdd

SHA512
bf35c31c5272d6ac64d73f8827f3b1db173eb7e70bf8776f333bf1ba9c58aa0edef9adc595304c6e4c04cd0a3d3a3e56324ac280c9403d3c8cc949b95602d1df

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\f6300551.exe

Filesize
172KB

MD5
3f1e199853f8aef1ac01232391fd6cef

SHA1
d93e304496a556bed09a531d5ef18731c4a34db9

SHA256
4b1f9fedf783d611fb22b251e0528d81f634f2c3e293a6b6c195a5b8fa7ca895

SHA512
cf2024dab4442aeeaad02c9b7dc32795d8925295cd6c97124df57a5c3a6e6b49f5a69c7b226151886abe3e42d9fcf97119472da60ab917c0cafab1e21a26f4e1

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\f6300551.exe

Filesize
172KB

MD5
3f1e199853f8aef1ac01232391fd6cef

SHA1
d93e304496a556bed09a531d5ef18731c4a34db9

SHA256
4b1f9fedf783d611fb22b251e0528d81f634f2c3e293a6b6c195a5b8fa7ca895

SHA512
cf2024dab4442aeeaad02c9b7dc32795d8925295cd6c97124df57a5c3a6e6b49f5a69c7b226151886abe3e42d9fcf97119472da60ab917c0cafab1e21a26f4e1

Download Submit
memory/4168-142-0x0000000000770000-0x00000000007A0000-memory.dmp

Filesize
192KB

Download
memory/4168-143-0x00000000028A0000-0x00000000028A6000-memory.dmp

Filesize
24KB

Download
memory/4168-144-0x000000000AA20000-0x000000000B026000-memory.dmp

Filesize
6.0MB

Download
memory/4168-145-0x000000000A570000-0x000000000A67A000-memory.dmp

Filesize
1.0MB

Download
memory/4168-146-0x000000000A4A0000-0x000000000A4B2000-memory.dmp

Filesize
72KB

Download
memory/4168-147-0x000000000A500000-0x000000000A53E000-memory.dmp

Filesize
248KB

Download
memory/4168-148-0x0000000004F40000-0x0000000004F50000-memory.dmp

Filesize
64KB

Download
memory/4168-149-0x000000000A680000-0x000000000A6CB000-memory.dmp

Filesize
300KB

Download
memory/4168-150-0x0000000004F40000-0x0000000004F50000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing