redline | 2204a84249289c3568b1b92bb7094f940148cc139dd7bd10b8858efc7c5289d7

General

Target

2204a84249289c3568b1b92bb7094f940148cc139dd7bd10b8858efc7c5289d7.exe
Size

584KB
MD5

60ff3ea98fbff219d542f3596baad756
SHA1

5a771862dc7cf1c80e635d4969094645171c3c7b
SHA256

2204a84249289c3568b1b92bb7094f940148cc139dd7bd10b8858efc7c5289d7
SHA512

a7b24fbae5da9a9155bf78e53a00f65e6c3571f1e2c27589a2606ace1b2d3e551aa9856009758fd1403261b725d7fc9303c5cd21dc92f09f7fcd17d9d2362b12
SSDEEP

12288:cMryy90ZBiiW5x03Dw8PslQluRSxCE56x1L3yvofvxokL2QbIb6:WyMBi7030SLluRiH6r3yvCvxokg6

Score

10^/10

redline diza discovery infostealer persistence spyware stealer

Malware Config

Extracted

Family

redline

Botnet

diza

C2

83.97.73.126:19048

Attributes

auth_value
0d09b419c8bc967f91c68be4a17e92ee

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Executes dropped EXE 3 IoCs

pid	Process
1348	x1235161.exe
3536	x2415073.exe
3656	f4204025.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	2204a84249289c3568b1b92bb7094f940148cc139dd7bd10b8858efc7c5289d7.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	2204a84249289c3568b1b92bb7094f940148cc139dd7bd10b8858efc7c5289d7.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	x1235161.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	x1235161.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	x2415073.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	x2415073.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Suspicious behavior: EnumeratesProcesses 28 IoCs

pid	Process
3656	f4204025.exe
3656	f4204025.exe
3656	f4204025.exe
3656	f4204025.exe
3656	f4204025.exe
3656	f4204025.exe
3656	f4204025.exe
3656	f4204025.exe
3656	f4204025.exe
3656	f4204025.exe
3656	f4204025.exe
3656	f4204025.exe
3656	f4204025.exe
3656	f4204025.exe
3656	f4204025.exe
3656	f4204025.exe
3656	f4204025.exe
3656	f4204025.exe
3656	f4204025.exe
3656	f4204025.exe
3656	f4204025.exe
3656	f4204025.exe
3656	f4204025.exe
3656	f4204025.exe
3656	f4204025.exe
3656	f4204025.exe
3656	f4204025.exe
3656	f4204025.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	3656	f4204025.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 1516 wrote to memory of 1348	1516	2204a84249289c3568b1b92bb7094f940148cc139dd7bd10b8858efc7c5289d7.exe	84
PID 1516 wrote to memory of 1348	1516	2204a84249289c3568b1b92bb7094f940148cc139dd7bd10b8858efc7c5289d7.exe	84
PID 1516 wrote to memory of 1348	1516	2204a84249289c3568b1b92bb7094f940148cc139dd7bd10b8858efc7c5289d7.exe	84
PID 1348 wrote to memory of 3536	1348	x1235161.exe	85
PID 1348 wrote to memory of 3536	1348	x1235161.exe	85
PID 1348 wrote to memory of 3536	1348	x1235161.exe	85
PID 3536 wrote to memory of 3656	3536	x2415073.exe	86
PID 3536 wrote to memory of 3656	3536	x2415073.exe	86
PID 3536 wrote to memory of 3656	3536	x2415073.exe	86

C:\Users\Admin\AppData\Local\Temp\2204a84249289c3568b1b92bb7094f940148cc139dd7bd10b8858efc7c5289d7.exe
"C:\Users\Admin\AppData\Local\Temp\2204a84249289c3568b1b92bb7094f940148cc139dd7bd10b8858efc7c5289d7.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1516
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x1235161.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x1235161.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:1348
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x2415073.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x2415073.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:3536
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\f4204025.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\f4204025.exe
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3656

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Credentials in Files

1

T1081

Discovery

Query Registry

1

T1012

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x1235161.exe

Filesize
378KB

MD5
aa22d03eec86fa78ea61a6123d81a40d

SHA1
658c0dd3707fcda0aaac7989663e41f30e83e5b0

SHA256
73f8097a8ffd4ca3589e8e68643f488a9fd465214850d67b1f6303a3028bac87

SHA512
e01a3ec672bbc8c585deba387bd28623fb87d308e986640cd36bd70dc662acc6cf075510f8feb7f730160d2fde00c9f10a1d1247f191271fc1fab62bde02d910

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x1235161.exe

Filesize
378KB

MD5
aa22d03eec86fa78ea61a6123d81a40d

SHA1
658c0dd3707fcda0aaac7989663e41f30e83e5b0

SHA256
73f8097a8ffd4ca3589e8e68643f488a9fd465214850d67b1f6303a3028bac87

SHA512
e01a3ec672bbc8c585deba387bd28623fb87d308e986640cd36bd70dc662acc6cf075510f8feb7f730160d2fde00c9f10a1d1247f191271fc1fab62bde02d910

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x2415073.exe

Filesize
206KB

MD5
8fd01ee6cdbb4b5da54573ad4f2bd87c

SHA1
70c15c2b06be8a3940d2eb9e184a032a25eb3fc4

SHA256
2dc875f664cf26c3d13458c03d0466c71ad0ee223a6d4a2c93f706aaf3515cd4

SHA512
fe2446d0d5d3d9dcdd9fba8cee87b10ce069be8ca348fe8922f8a44f1a328a75466a4da835c258dad250b32fe536fed85596850ca87f98d40573914d01c709e1

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x2415073.exe

Filesize
206KB

MD5
8fd01ee6cdbb4b5da54573ad4f2bd87c

SHA1
70c15c2b06be8a3940d2eb9e184a032a25eb3fc4

SHA256
2dc875f664cf26c3d13458c03d0466c71ad0ee223a6d4a2c93f706aaf3515cd4

SHA512
fe2446d0d5d3d9dcdd9fba8cee87b10ce069be8ca348fe8922f8a44f1a328a75466a4da835c258dad250b32fe536fed85596850ca87f98d40573914d01c709e1

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\f4204025.exe

Filesize
172KB

MD5
e5b359a111de9e0fb34bafc9492fbfaf

SHA1
0af56a20f18345a473adeb29102029ad1192aea1

SHA256
efbe335ca57e0dfcf1ba7ddf650f1a7e67db523548d7e675e0751f11d1176b7f

SHA512
06ffea9d0d5cb80756cb2bcf2c51d34fdd35d60b4b397f5e39c4ad9377c2a8b16472e66750275bb808bd7485c756f2e21637b5d076666757e1b87e8a5294d192

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\f4204025.exe

Filesize
172KB

MD5
e5b359a111de9e0fb34bafc9492fbfaf

SHA1
0af56a20f18345a473adeb29102029ad1192aea1

SHA256
efbe335ca57e0dfcf1ba7ddf650f1a7e67db523548d7e675e0751f11d1176b7f

SHA512
06ffea9d0d5cb80756cb2bcf2c51d34fdd35d60b4b397f5e39c4ad9377c2a8b16472e66750275bb808bd7485c756f2e21637b5d076666757e1b87e8a5294d192

Download Submit
memory/3656-154-0x00000000004F0000-0x0000000000520000-memory.dmp

Filesize
192KB

Download
memory/3656-155-0x000000000A900000-0x000000000AF18000-memory.dmp

Filesize
6.1MB

Download
memory/3656-156-0x000000000A470000-0x000000000A57A000-memory.dmp

Filesize
1.0MB

Download
memory/3656-157-0x000000000A3B0000-0x000000000A3C2000-memory.dmp

Filesize
72KB

Download
memory/3656-158-0x0000000004D10000-0x0000000004D20000-memory.dmp

Filesize
64KB

Download
memory/3656-159-0x000000000A410000-0x000000000A44C000-memory.dmp

Filesize
240KB

Download
memory/3656-160-0x000000000A720000-0x000000000A796000-memory.dmp

Filesize
472KB

Download
memory/3656-161-0x000000000A840000-0x000000000A8D2000-memory.dmp

Filesize
584KB

Download
memory/3656-162-0x000000000B4D0000-0x000000000BA74000-memory.dmp

Filesize
5.6MB

Download
memory/3656-163-0x000000000B020000-0x000000000B086000-memory.dmp

Filesize
408KB

Download
memory/3656-164-0x0000000004D10000-0x0000000004D20000-memory.dmp

Filesize
64KB

Download
memory/3656-165-0x000000000BC50000-0x000000000BE12000-memory.dmp

Filesize
1.8MB

Download
memory/3656-166-0x000000000C350000-0x000000000C87C000-memory.dmp

Filesize
5.2MB

Download
memory/3656-167-0x000000000BC00000-0x000000000BC50000-memory.dmp

Filesize
320KB

Download

Analysis

Sharing