redline | f920a6d6270e6df2ba3848343583afa75ab9e106407788fdacc0f3c5c77dd434

General

Target

f920a6d6270e6df2ba3848343583afa75ab9e106407788fdacc0f3c5c77dd434.exe
Size

584KB
MD5

3f41a156e6b9b0ecb55175e07ceea99e
SHA1

60baa30c8fa5fb3cb4c8c15df721cf0729bfdc99
SHA256

f920a6d6270e6df2ba3848343583afa75ab9e106407788fdacc0f3c5c77dd434
SHA512

a9f6682d2460629a7eade3ef08da7d699ce90a408e8f2814fe4435714a609ef31e76c96d6b66cc92811797cfd8bed6397792d836c0d0cb8643dbfe1567b7332e
SSDEEP

12288:VMr3y90NarzwdE3MR4VHwm2go+eBgmhysRV540T9hw0pn:OyaUeEF8oe+4BVVs0n

Score

10^/10

redline diza discovery infostealer persistence spyware stealer

Malware Config

Extracted

Family

redline

Botnet

diza

C2

83.97.73.126:19048

Attributes

auth_value
0d09b419c8bc967f91c68be4a17e92ee

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Executes dropped EXE 3 IoCs

pid	Process
2240	x3767638.exe
4596	x9797702.exe
5024	f3139248.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	x3767638.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	x3767638.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	x9797702.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	x9797702.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	f920a6d6270e6df2ba3848343583afa75ab9e106407788fdacc0f3c5c77dd434.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	f920a6d6270e6df2ba3848343583afa75ab9e106407788fdacc0f3c5c77dd434.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Suspicious behavior: EnumeratesProcesses 34 IoCs

pid	Process
5024	f3139248.exe
5024	f3139248.exe
5024	f3139248.exe
5024	f3139248.exe
5024	f3139248.exe
5024	f3139248.exe
5024	f3139248.exe
5024	f3139248.exe
5024	f3139248.exe
5024	f3139248.exe
5024	f3139248.exe
5024	f3139248.exe
5024	f3139248.exe
5024	f3139248.exe
5024	f3139248.exe
5024	f3139248.exe
5024	f3139248.exe
5024	f3139248.exe
5024	f3139248.exe
5024	f3139248.exe
5024	f3139248.exe
5024	f3139248.exe
5024	f3139248.exe
5024	f3139248.exe
5024	f3139248.exe
5024	f3139248.exe
5024	f3139248.exe
5024	f3139248.exe
5024	f3139248.exe
5024	f3139248.exe
5024	f3139248.exe
5024	f3139248.exe
5024	f3139248.exe
5024	f3139248.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	5024	f3139248.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 3144 wrote to memory of 2240	3144	f920a6d6270e6df2ba3848343583afa75ab9e106407788fdacc0f3c5c77dd434.exe	66
PID 3144 wrote to memory of 2240	3144	f920a6d6270e6df2ba3848343583afa75ab9e106407788fdacc0f3c5c77dd434.exe	66
PID 3144 wrote to memory of 2240	3144	f920a6d6270e6df2ba3848343583afa75ab9e106407788fdacc0f3c5c77dd434.exe	66
PID 2240 wrote to memory of 4596	2240	x3767638.exe	67
PID 2240 wrote to memory of 4596	2240	x3767638.exe	67
PID 2240 wrote to memory of 4596	2240	x3767638.exe	67
PID 4596 wrote to memory of 5024	4596	x9797702.exe	68
PID 4596 wrote to memory of 5024	4596	x9797702.exe	68
PID 4596 wrote to memory of 5024	4596	x9797702.exe	68

C:\Users\Admin\AppData\Local\Temp\f920a6d6270e6df2ba3848343583afa75ab9e106407788fdacc0f3c5c77dd434.exe
"C:\Users\Admin\AppData\Local\Temp\f920a6d6270e6df2ba3848343583afa75ab9e106407788fdacc0f3c5c77dd434.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3144
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x3767638.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x3767638.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:2240
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x9797702.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x9797702.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:4596
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\f3139248.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\f3139248.exe
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:5024

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Credentials in Files

1

T1081

Discovery

Query Registry

1

T1012

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x3767638.exe

Filesize
378KB

MD5
ae96108b021211ca4f1f8c9faddf5708

SHA1
fdfd8dc683bd089242bab2924e04175b31640d56

SHA256
e7f0da741c373f1ece6e1bd8bfe4d3b240fad7d3a8ea7029c3b11123cf8b99ae

SHA512
355222882c93dc0532e29590174c751502ee04acb6e87069f0afb4a6be51602a0d076bb2594e591f650f6d2e86c126713c985e6ebf99adbd7ae10f774fb58c40

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x3767638.exe

Filesize
378KB

MD5
ae96108b021211ca4f1f8c9faddf5708

SHA1
fdfd8dc683bd089242bab2924e04175b31640d56

SHA256
e7f0da741c373f1ece6e1bd8bfe4d3b240fad7d3a8ea7029c3b11123cf8b99ae

SHA512
355222882c93dc0532e29590174c751502ee04acb6e87069f0afb4a6be51602a0d076bb2594e591f650f6d2e86c126713c985e6ebf99adbd7ae10f774fb58c40

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x9797702.exe

Filesize
206KB

MD5
00dd8b95a12f9d1ccf06f2bcf292f265

SHA1
f031c084e47eaaa10ffb96bc6a3766c73f805ff6

SHA256
97fe37632600d6868bbddc1245db1553ea2e5f12a66a86275c20bce0a6319999

SHA512
7fd057094459a2dc9f55793d881ad91458050288de898afe718acf0439276c754f9e40cf50faabebf96169c8c890cecfe1a711b8926854a7b13b88fc6bbbd81e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x9797702.exe

Filesize
206KB

MD5
00dd8b95a12f9d1ccf06f2bcf292f265

SHA1
f031c084e47eaaa10ffb96bc6a3766c73f805ff6

SHA256
97fe37632600d6868bbddc1245db1553ea2e5f12a66a86275c20bce0a6319999

SHA512
7fd057094459a2dc9f55793d881ad91458050288de898afe718acf0439276c754f9e40cf50faabebf96169c8c890cecfe1a711b8926854a7b13b88fc6bbbd81e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\f3139248.exe

Filesize
172KB

MD5
157caac4ed1adf2f535a6c333d17ce68

SHA1
c8986210d3264c44e209adc3a6bd822756b65392

SHA256
85dc77cf8fb129202d908c8b9148bd608f37a25d8dcb179c91ccdeb98b22f1c3

SHA512
c26da799e36c002c6896e2add714e894bd9bcb8616c6150bff32f1d7f5a44fba2155708ad3c8fd8eeeb0128b5be79c926a4518d990d8b168c1ad08e5662c59db

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\f3139248.exe

Filesize
172KB

MD5
157caac4ed1adf2f535a6c333d17ce68

SHA1
c8986210d3264c44e209adc3a6bd822756b65392

SHA256
85dc77cf8fb129202d908c8b9148bd608f37a25d8dcb179c91ccdeb98b22f1c3

SHA512
c26da799e36c002c6896e2add714e894bd9bcb8616c6150bff32f1d7f5a44fba2155708ad3c8fd8eeeb0128b5be79c926a4518d990d8b168c1ad08e5662c59db

Download Submit
memory/5024-137-0x00000000009F0000-0x0000000000A20000-memory.dmp

Filesize
192KB

Download
memory/5024-138-0x00000000010B0000-0x00000000010B6000-memory.dmp

Filesize
24KB

Download
memory/5024-139-0x0000000005AD0000-0x00000000060D6000-memory.dmp

Filesize
6.0MB

Download
memory/5024-140-0x00000000055D0000-0x00000000056DA000-memory.dmp

Filesize
1.0MB

Download
memory/5024-141-0x0000000002C90000-0x0000000002CA2000-memory.dmp

Filesize
72KB

Download
memory/5024-142-0x00000000053B0000-0x00000000053C0000-memory.dmp

Filesize
64KB

Download
memory/5024-143-0x0000000002D30000-0x0000000002D6E000-memory.dmp

Filesize
248KB

Download
memory/5024-144-0x00000000052C0000-0x000000000530B000-memory.dmp

Filesize
300KB

Download
memory/5024-145-0x0000000005780000-0x00000000057F6000-memory.dmp

Filesize
472KB

Download
memory/5024-146-0x00000000058A0000-0x0000000005932000-memory.dmp

Filesize
584KB

Download
memory/5024-147-0x0000000006AF0000-0x0000000006FEE000-memory.dmp

Filesize
5.0MB

Download
memory/5024-148-0x0000000005940000-0x00000000059A6000-memory.dmp

Filesize
408KB

Download
memory/5024-149-0x00000000067C0000-0x0000000006982000-memory.dmp

Filesize
1.8MB

Download
memory/5024-150-0x0000000008840000-0x0000000008D6C000-memory.dmp

Filesize
5.2MB

Download
memory/5024-151-0x00000000053B0000-0x00000000053C0000-memory.dmp

Filesize
64KB

Download
memory/5024-152-0x0000000006740000-0x0000000006790000-memory.dmp

Filesize
320KB

Download

Analysis

Sharing