redline | 019fcd5fe16c803241d44945746361349847c8ffb05f479bcea7212f6fc52f81

Analysis

max time kernel
143s
max time network
147s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
06/06/2023, 01:57

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

cf876c9186eb271b9a2384302f4ae2c58f42b32aec870399cd80de473434c5d6.exe
Size

580KB
MD5

df725cc5affb15844d8f7ec66fb4b515
SHA1

27917c84aa928ec2fc4ad1949e93e9aceaaaa831
SHA256

cf876c9186eb271b9a2384302f4ae2c58f42b32aec870399cd80de473434c5d6
SHA512

f1f91eea1031b8944bfa06030a74c85b09931e58ca58a50ef58ab0922f9ad80559353f8ac12dfa35bcda580480289eb4fe9722f51c92498fd95bf50275784329
SSDEEP

12288:4Mrmy90imnulSHm64k5M2MrqPd7aXuYAirpzCXBHL7kiwoYMX5:+y9Vg358qtyHAKCiEX5

Score

10^/10

redline diza infostealer persistence

Malware Config

Extracted

Family

redline

Botnet

diza

83.97.73.126:19046

Attributes

auth_value
0d09b419c8bc967f91c68be4a17e92ee

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Executes dropped EXE 3 IoCs

pid	Process
1356	x8842678.exe
780	x1468144.exe
524	f7751102.exe

Loads dropped DLL 6 IoCs

pid	Process
1488	cf876c9186eb271b9a2384302f4ae2c58f42b32aec870399cd80de473434c5d6.exe
1356	x8842678.exe
1356	x8842678.exe
780	x1468144.exe
780	x1468144.exe
524	f7751102.exe

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	x1468144.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	cf876c9186eb271b9a2384302f4ae2c58f42b32aec870399cd80de473434c5d6.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	cf876c9186eb271b9a2384302f4ae2c58f42b32aec870399cd80de473434c5d6.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	x8842678.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	x8842678.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	x1468144.exe

Suspicious use of WriteProcessMemory 21 IoCs

description	pid	Process	procid_target
PID 1488 wrote to memory of 1356	1488	cf876c9186eb271b9a2384302f4ae2c58f42b32aec870399cd80de473434c5d6.exe	27
PID 1488 wrote to memory of 1356	1488	cf876c9186eb271b9a2384302f4ae2c58f42b32aec870399cd80de473434c5d6.exe	27
PID 1488 wrote to memory of 1356	1488	cf876c9186eb271b9a2384302f4ae2c58f42b32aec870399cd80de473434c5d6.exe	27
PID 1488 wrote to memory of 1356	1488	cf876c9186eb271b9a2384302f4ae2c58f42b32aec870399cd80de473434c5d6.exe	27
PID 1488 wrote to memory of 1356	1488	cf876c9186eb271b9a2384302f4ae2c58f42b32aec870399cd80de473434c5d6.exe	27
PID 1488 wrote to memory of 1356	1488	cf876c9186eb271b9a2384302f4ae2c58f42b32aec870399cd80de473434c5d6.exe	27
PID 1488 wrote to memory of 1356	1488	cf876c9186eb271b9a2384302f4ae2c58f42b32aec870399cd80de473434c5d6.exe	27
PID 1356 wrote to memory of 780	1356	x8842678.exe	28
PID 1356 wrote to memory of 780	1356	x8842678.exe	28
PID 1356 wrote to memory of 780	1356	x8842678.exe	28
PID 1356 wrote to memory of 780	1356	x8842678.exe	28
PID 1356 wrote to memory of 780	1356	x8842678.exe	28
PID 1356 wrote to memory of 780	1356	x8842678.exe	28
PID 1356 wrote to memory of 780	1356	x8842678.exe	28
PID 780 wrote to memory of 524	780	x1468144.exe	29
PID 780 wrote to memory of 524	780	x1468144.exe	29
PID 780 wrote to memory of 524	780	x1468144.exe	29
PID 780 wrote to memory of 524	780	x1468144.exe	29
PID 780 wrote to memory of 524	780	x1468144.exe	29
PID 780 wrote to memory of 524	780	x1468144.exe	29
PID 780 wrote to memory of 524	780	x1468144.exe	29

C:\Users\Admin\AppData\Local\Temp\cf876c9186eb271b9a2384302f4ae2c58f42b32aec870399cd80de473434c5d6.exe
"C:\Users\Admin\AppData\Local\Temp\cf876c9186eb271b9a2384302f4ae2c58f42b32aec870399cd80de473434c5d6.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1488
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x8842678.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x8842678.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:1356
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x1468144.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x1468144.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:780
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\f7751102.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\f7751102.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:524

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x8842678.exe

Filesize
377KB

MD5
c120adce34da6e92f14329fe4d763a8f

SHA1
db1ad4c0141fa03e193569da38593828fecc1c6e

SHA256
688f46f83e6e96bc313c93ac2f033eb88a4f8dee89440590ffccb0c2a0ed50f5

SHA512
c153da1a6ac4729dbe30374ad9c3108aa5c3f29ce05e15680944433e10e9abcd7cb48b2800d72756aff02ebe03411f1bd1b8014ce15cd9114cab5835c613ee70

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x8842678.exe

Filesize
377KB

MD5
c120adce34da6e92f14329fe4d763a8f

SHA1
db1ad4c0141fa03e193569da38593828fecc1c6e

SHA256
688f46f83e6e96bc313c93ac2f033eb88a4f8dee89440590ffccb0c2a0ed50f5

SHA512
c153da1a6ac4729dbe30374ad9c3108aa5c3f29ce05e15680944433e10e9abcd7cb48b2800d72756aff02ebe03411f1bd1b8014ce15cd9114cab5835c613ee70

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x1468144.exe

Filesize
206KB

MD5
708a5ea7f9cd7341bb0f043566675d85

SHA1
81125d09c29942885c50435ab7703fb5b00773c7

SHA256
a90c58a7ba6eea164c69eb359fefe80739c8f862069d6cb0260b2902753112f9

SHA512
833bbb5799738ecc04d312ff348ae2752e6253cec9a79fd7d86d9377c21d86ad5e2acccebbaf5b6eed7199f75937d849acfbb0f045441890a85aa9ca5cc3999d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x1468144.exe

Filesize
206KB

MD5
708a5ea7f9cd7341bb0f043566675d85

SHA1
81125d09c29942885c50435ab7703fb5b00773c7

SHA256
a90c58a7ba6eea164c69eb359fefe80739c8f862069d6cb0260b2902753112f9

SHA512
833bbb5799738ecc04d312ff348ae2752e6253cec9a79fd7d86d9377c21d86ad5e2acccebbaf5b6eed7199f75937d849acfbb0f045441890a85aa9ca5cc3999d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\f7751102.exe

Filesize
172KB

MD5
10a001a938a6c2dad723303670c6cc21

SHA1
b84d93496934d9ab57feadc48a2e44f7a17fcb84

SHA256
a31234567002a93b93661f85527d61c56322928cae9e10a69264c3ac518e7188

SHA512
6d3a97c3a325a2fb2b869cdc95ed34d65bfa3da407611f81396231b6ba164bd7746486fe41e91cf838e978f87b1cc14c18c6f1ead9d7d546efdf7e31fdbbe2ea

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\f7751102.exe

Filesize
172KB

MD5
10a001a938a6c2dad723303670c6cc21

SHA1
b84d93496934d9ab57feadc48a2e44f7a17fcb84

SHA256
a31234567002a93b93661f85527d61c56322928cae9e10a69264c3ac518e7188

SHA512
6d3a97c3a325a2fb2b869cdc95ed34d65bfa3da407611f81396231b6ba164bd7746486fe41e91cf838e978f87b1cc14c18c6f1ead9d7d546efdf7e31fdbbe2ea

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\x8842678.exe

Filesize
377KB

MD5
c120adce34da6e92f14329fe4d763a8f

SHA1
db1ad4c0141fa03e193569da38593828fecc1c6e

SHA256
688f46f83e6e96bc313c93ac2f033eb88a4f8dee89440590ffccb0c2a0ed50f5

SHA512
c153da1a6ac4729dbe30374ad9c3108aa5c3f29ce05e15680944433e10e9abcd7cb48b2800d72756aff02ebe03411f1bd1b8014ce15cd9114cab5835c613ee70

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\x8842678.exe

Filesize
377KB

MD5
c120adce34da6e92f14329fe4d763a8f

SHA1
db1ad4c0141fa03e193569da38593828fecc1c6e

SHA256
688f46f83e6e96bc313c93ac2f033eb88a4f8dee89440590ffccb0c2a0ed50f5

SHA512
c153da1a6ac4729dbe30374ad9c3108aa5c3f29ce05e15680944433e10e9abcd7cb48b2800d72756aff02ebe03411f1bd1b8014ce15cd9114cab5835c613ee70

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\x1468144.exe

Filesize
206KB

MD5
708a5ea7f9cd7341bb0f043566675d85

SHA1
81125d09c29942885c50435ab7703fb5b00773c7

SHA256
a90c58a7ba6eea164c69eb359fefe80739c8f862069d6cb0260b2902753112f9

SHA512
833bbb5799738ecc04d312ff348ae2752e6253cec9a79fd7d86d9377c21d86ad5e2acccebbaf5b6eed7199f75937d849acfbb0f045441890a85aa9ca5cc3999d

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\x1468144.exe

Filesize
206KB

MD5
708a5ea7f9cd7341bb0f043566675d85

SHA1
81125d09c29942885c50435ab7703fb5b00773c7

SHA256
a90c58a7ba6eea164c69eb359fefe80739c8f862069d6cb0260b2902753112f9

SHA512
833bbb5799738ecc04d312ff348ae2752e6253cec9a79fd7d86d9377c21d86ad5e2acccebbaf5b6eed7199f75937d849acfbb0f045441890a85aa9ca5cc3999d

Download Submit
\Users\Admin\AppData\Local\Temp\IXP002.TMP\f7751102.exe

Filesize
172KB

MD5
10a001a938a6c2dad723303670c6cc21

SHA1
b84d93496934d9ab57feadc48a2e44f7a17fcb84

SHA256
a31234567002a93b93661f85527d61c56322928cae9e10a69264c3ac518e7188

SHA512
6d3a97c3a325a2fb2b869cdc95ed34d65bfa3da407611f81396231b6ba164bd7746486fe41e91cf838e978f87b1cc14c18c6f1ead9d7d546efdf7e31fdbbe2ea

Download Submit
\Users\Admin\AppData\Local\Temp\IXP002.TMP\f7751102.exe

Filesize
172KB

MD5
10a001a938a6c2dad723303670c6cc21

SHA1
b84d93496934d9ab57feadc48a2e44f7a17fcb84

SHA256
a31234567002a93b93661f85527d61c56322928cae9e10a69264c3ac518e7188

SHA512
6d3a97c3a325a2fb2b869cdc95ed34d65bfa3da407611f81396231b6ba164bd7746486fe41e91cf838e978f87b1cc14c18c6f1ead9d7d546efdf7e31fdbbe2ea

Download Submit
memory/524-84-0x0000000000F20000-0x0000000000F50000-memory.dmp

Filesize
192KB

Download
memory/524-85-0x0000000000510000-0x0000000000516000-memory.dmp

Filesize
24KB

Download
memory/524-86-0x0000000004C00000-0x0000000004C40000-memory.dmp

Filesize
256KB

Download
memory/524-87-0x0000000004C00000-0x0000000004C40000-memory.dmp

Filesize
256KB

Download