redline | 4ae0fb21287875e7552b748c479f60d9bd0aba9ff815fe41413aa9e4440af2c9

General

Target

4ae0fb21287875e7552b748c479f60d9bd0aba9ff815fe41413aa9e4440af2c9.exe
Size

584KB
MD5

9a55454aa112cc2522e77b8501c865a9
SHA1

b09e7b80f19bb430838895a23b60fd4712ec3c63
SHA256

4ae0fb21287875e7552b748c479f60d9bd0aba9ff815fe41413aa9e4440af2c9
SHA512

9c16e37bb0c9fe2500e46f6d543e248b3c8f6980fc9e3737288205c29f9c20ef9484272cb106b68755f5af87ef94b1279615c21e35363fa2bc00e2ab2e5d38c8
SSDEEP

12288:2Mray90E4+izMtuaIe2ZQaILczDLlZbOTbdvlUDBO86bTaRWouF:YyrrcaIPMQrbKjUDt6b1R

Score

10^/10

redline diza discovery infostealer persistence spyware stealer

Malware Config

Extracted

Family

redline

Botnet

diza

C2

83.97.73.126:19048

Attributes

auth_value
0d09b419c8bc967f91c68be4a17e92ee

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Executes dropped EXE 3 IoCs

pid	Process
2940	x8694819.exe
4300	x1114244.exe
1780	f3355630.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	4ae0fb21287875e7552b748c479f60d9bd0aba9ff815fe41413aa9e4440af2c9.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	4ae0fb21287875e7552b748c479f60d9bd0aba9ff815fe41413aa9e4440af2c9.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	x8694819.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	x8694819.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	x1114244.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	x1114244.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Suspicious behavior: EnumeratesProcesses 32 IoCs

pid	Process
1780	f3355630.exe
1780	f3355630.exe
1780	f3355630.exe
1780	f3355630.exe
1780	f3355630.exe
1780	f3355630.exe
1780	f3355630.exe
1780	f3355630.exe
1780	f3355630.exe
1780	f3355630.exe
1780	f3355630.exe
1780	f3355630.exe
1780	f3355630.exe
1780	f3355630.exe
1780	f3355630.exe
1780	f3355630.exe
1780	f3355630.exe
1780	f3355630.exe
1780	f3355630.exe
1780	f3355630.exe
1780	f3355630.exe
1780	f3355630.exe
1780	f3355630.exe
1780	f3355630.exe
1780	f3355630.exe
1780	f3355630.exe
1780	f3355630.exe
1780	f3355630.exe
1780	f3355630.exe
1780	f3355630.exe
1780	f3355630.exe
1780	f3355630.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1780	f3355630.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 444 wrote to memory of 2940	444	4ae0fb21287875e7552b748c479f60d9bd0aba9ff815fe41413aa9e4440af2c9.exe	83
PID 444 wrote to memory of 2940	444	4ae0fb21287875e7552b748c479f60d9bd0aba9ff815fe41413aa9e4440af2c9.exe	83
PID 444 wrote to memory of 2940	444	4ae0fb21287875e7552b748c479f60d9bd0aba9ff815fe41413aa9e4440af2c9.exe	83
PID 2940 wrote to memory of 4300	2940	x8694819.exe	84
PID 2940 wrote to memory of 4300	2940	x8694819.exe	84
PID 2940 wrote to memory of 4300	2940	x8694819.exe	84
PID 4300 wrote to memory of 1780	4300	x1114244.exe	85
PID 4300 wrote to memory of 1780	4300	x1114244.exe	85
PID 4300 wrote to memory of 1780	4300	x1114244.exe	85

C:\Users\Admin\AppData\Local\Temp\4ae0fb21287875e7552b748c479f60d9bd0aba9ff815fe41413aa9e4440af2c9.exe
"C:\Users\Admin\AppData\Local\Temp\4ae0fb21287875e7552b748c479f60d9bd0aba9ff815fe41413aa9e4440af2c9.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:444
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x8694819.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x8694819.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:2940
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x1114244.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x1114244.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:4300
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\f3355630.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\f3355630.exe
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1780

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Credentials in Files

1

T1081

Discovery

Query Registry

1

T1012

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x8694819.exe

Filesize
377KB

MD5
e325fc72bbfbad30b78ed9d159f0a058

SHA1
657f7006c058d7782d8c464d89a27a59a19aeefa

SHA256
09a51802b57d7e0436e6a7a6e07cfdd0024923ddd1efe8b9188ce8824420518c

SHA512
b518138440096496b1207b8416dabb5f0a1138a1fd4f2b6f4dac6644f56f777e49bae6302c94cd35888e73ff73143a257f28491583d32de52b1e693227141eb3

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x8694819.exe

Filesize
377KB

MD5
e325fc72bbfbad30b78ed9d159f0a058

SHA1
657f7006c058d7782d8c464d89a27a59a19aeefa

SHA256
09a51802b57d7e0436e6a7a6e07cfdd0024923ddd1efe8b9188ce8824420518c

SHA512
b518138440096496b1207b8416dabb5f0a1138a1fd4f2b6f4dac6644f56f777e49bae6302c94cd35888e73ff73143a257f28491583d32de52b1e693227141eb3

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x1114244.exe

Filesize
206KB

MD5
dd01c7c42bdbedf64bd67441428cba3c

SHA1
804c69685ca77f8de008b496d18264a43037404e

SHA256
61409ea97cf037082a67220b86ee000f7b4d63e776f779669556e0da1b3ff7cc

SHA512
1e61261fb33326d68e69a8a7b5c90ddad85b9be715e368f68b4e9e1ea77db0f134832addf91e5c218b2c7c1f49ff1e9ad4e44305ec78a63fe2dbd04dc638e8ba

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x1114244.exe

Filesize
206KB

MD5
dd01c7c42bdbedf64bd67441428cba3c

SHA1
804c69685ca77f8de008b496d18264a43037404e

SHA256
61409ea97cf037082a67220b86ee000f7b4d63e776f779669556e0da1b3ff7cc

SHA512
1e61261fb33326d68e69a8a7b5c90ddad85b9be715e368f68b4e9e1ea77db0f134832addf91e5c218b2c7c1f49ff1e9ad4e44305ec78a63fe2dbd04dc638e8ba

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\f3355630.exe

Filesize
172KB

MD5
30a765529edaa6de4fe4c13cffc26b86

SHA1
52b6f59535009e880788cff62bf8afc4af2b52a2

SHA256
5ead8c6c53f03e6035057121d4233b7774d6ae12aa60cddb5dfc959bea491668

SHA512
b0c1ce0026b2e232236d2e8a8c8b3763240f09f8aa9303dcebb751ca12f7a129bbb997ba1452436fd542a5b57c9f8f5d09a2267e5e074f51d3be0872deb4c22e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\f3355630.exe

Filesize
172KB

MD5
30a765529edaa6de4fe4c13cffc26b86

SHA1
52b6f59535009e880788cff62bf8afc4af2b52a2

SHA256
5ead8c6c53f03e6035057121d4233b7774d6ae12aa60cddb5dfc959bea491668

SHA512
b0c1ce0026b2e232236d2e8a8c8b3763240f09f8aa9303dcebb751ca12f7a129bbb997ba1452436fd542a5b57c9f8f5d09a2267e5e074f51d3be0872deb4c22e

Download Submit
memory/1780-154-0x00000000003C0000-0x00000000003F0000-memory.dmp

Filesize
192KB

Download
memory/1780-155-0x0000000005430000-0x0000000005A48000-memory.dmp

Filesize
6.1MB

Download
memory/1780-156-0x0000000004F20000-0x000000000502A000-memory.dmp

Filesize
1.0MB

Download
memory/1780-157-0x0000000004E60000-0x0000000004E72000-memory.dmp

Filesize
72KB

Download
memory/1780-158-0x0000000004EC0000-0x0000000004EFC000-memory.dmp

Filesize
240KB

Download
memory/1780-159-0x0000000004C00000-0x0000000004C10000-memory.dmp

Filesize
64KB

Download
memory/1780-160-0x00000000051D0000-0x0000000005246000-memory.dmp

Filesize
472KB

Download
memory/1780-161-0x00000000052F0000-0x0000000005382000-memory.dmp

Filesize
584KB

Download
memory/1780-162-0x00000000063F0000-0x0000000006994000-memory.dmp

Filesize
5.6MB

Download
memory/1780-163-0x0000000005390000-0x00000000053F6000-memory.dmp

Filesize
408KB

Download
memory/1780-164-0x0000000006210000-0x00000000063D2000-memory.dmp

Filesize
1.8MB

Download
memory/1780-165-0x00000000085C0000-0x0000000008AEC000-memory.dmp

Filesize
5.2MB

Download
memory/1780-166-0x0000000004C00000-0x0000000004C10000-memory.dmp

Filesize
64KB

Download
memory/1780-167-0x0000000006A10000-0x0000000006A60000-memory.dmp

Filesize
320KB

Download

Analysis

Sharing