redline | da10639848828abec3841562e23a1b1b121c24f4fd6aea48f6e26af32475a768

General

Target

da10639848828abec3841562e23a1b1b121c24f4fd6aea48f6e26af32475a768.exe
Size

584KB
MD5

238c2fa9eecea15c2ab80f21368b7f3f
SHA1

749adcb57c3d5b39d2fb63d27760a90207b65545
SHA256

da10639848828abec3841562e23a1b1b121c24f4fd6aea48f6e26af32475a768
SHA512

e2648ccfc1701470dc320313ba0ab3c45033fa3ff679934872c858e51cba1e0167a47d5b67d389615a48739d1ae5ef662e98c63a14b40ac9e19a33f53cd42cd7
SSDEEP

12288:aMray90dNiYf0Mywzr1jLOk7j9z1SMHjz:kyONzSwzNLOsj9Ycjz

Score

10^/10

redline diza infostealer persistence

Malware Config

Extracted

Family

redline

Botnet

diza

C2

83.97.73.126:19048

Attributes

auth_value
0d09b419c8bc967f91c68be4a17e92ee

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Executes dropped EXE 3 IoCs

pid	Process
1804	x3008723.exe
3024	x2934050.exe
1008	f1548073.exe

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	x2934050.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	da10639848828abec3841562e23a1b1b121c24f4fd6aea48f6e26af32475a768.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	da10639848828abec3841562e23a1b1b121c24f4fd6aea48f6e26af32475a768.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	x3008723.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	x3008723.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	x2934050.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 1596 wrote to memory of 1804	1596	da10639848828abec3841562e23a1b1b121c24f4fd6aea48f6e26af32475a768.exe	84
PID 1596 wrote to memory of 1804	1596	da10639848828abec3841562e23a1b1b121c24f4fd6aea48f6e26af32475a768.exe	84
PID 1596 wrote to memory of 1804	1596	da10639848828abec3841562e23a1b1b121c24f4fd6aea48f6e26af32475a768.exe	84
PID 1804 wrote to memory of 3024	1804	x3008723.exe	85
PID 1804 wrote to memory of 3024	1804	x3008723.exe	85
PID 1804 wrote to memory of 3024	1804	x3008723.exe	85
PID 3024 wrote to memory of 1008	3024	x2934050.exe	86
PID 3024 wrote to memory of 1008	3024	x2934050.exe	86
PID 3024 wrote to memory of 1008	3024	x2934050.exe	86

C:\Users\Admin\AppData\Local\Temp\da10639848828abec3841562e23a1b1b121c24f4fd6aea48f6e26af32475a768.exe
"C:\Users\Admin\AppData\Local\Temp\da10639848828abec3841562e23a1b1b121c24f4fd6aea48f6e26af32475a768.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1596
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x3008723.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x3008723.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:1804
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x2934050.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x2934050.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:3024
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\f1548073.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\f1548073.exe
      4⤵
      Executes dropped EXE
      PID:1008

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x3008723.exe

Filesize
378KB

MD5
69e4577bbfa3a25a183c9c1d52eed01e

SHA1
1a23a17cac50652a99b45462e6bc9bd074458624

SHA256
471aee376adbb6a5127e268b861a92a7fffcb7d63026a47c48929d956702a118

SHA512
bcbc5133c26f6cfa9c5e6432c62af2ea780752febd01f8a382273f662d18d27176e20ca021ea97bcefe6a3bde2e8c790bf3504e4577fe3da9b0b63c0932e8b82

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x3008723.exe

Filesize
378KB

MD5
69e4577bbfa3a25a183c9c1d52eed01e

SHA1
1a23a17cac50652a99b45462e6bc9bd074458624

SHA256
471aee376adbb6a5127e268b861a92a7fffcb7d63026a47c48929d956702a118

SHA512
bcbc5133c26f6cfa9c5e6432c62af2ea780752febd01f8a382273f662d18d27176e20ca021ea97bcefe6a3bde2e8c790bf3504e4577fe3da9b0b63c0932e8b82

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x2934050.exe

Filesize
206KB

MD5
511f687b7dc352d51f052cf2836812bb

SHA1
09eb1079f09ddd64b2bf08248dab9692868e8dd9

SHA256
137208e1a74d3db8fb4731ba9dfb6aeea06b82cc1b4271c9f9180e610ffe2156

SHA512
c5d9ab51191022b4974c0d0d345687e1c86180829dc89573d09e864bfa8d8e5389810f6826e57692880128230575aff31223634870518275465a5a812b1f8417

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x2934050.exe

Filesize
206KB

MD5
511f687b7dc352d51f052cf2836812bb

SHA1
09eb1079f09ddd64b2bf08248dab9692868e8dd9

SHA256
137208e1a74d3db8fb4731ba9dfb6aeea06b82cc1b4271c9f9180e610ffe2156

SHA512
c5d9ab51191022b4974c0d0d345687e1c86180829dc89573d09e864bfa8d8e5389810f6826e57692880128230575aff31223634870518275465a5a812b1f8417

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\f1548073.exe

Filesize
172KB

MD5
de631bd7869c9ccdb044f51394f6b5b7

SHA1
fc3abe8281c40733c6a095ade3d1643abbf2567d

SHA256
174fc039cff0ca212b614b8c0d37d68e7de0c98d9bcada377bb35f37c5525232

SHA512
9ab1f1837ab13bba7b8044230efca8379eb9617947eafc17012c004ed3bfb9b1f0a6acb2a311da15bbecda074bc4a68de91ee7fc757664a67d062ea4af251b48

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\f1548073.exe

Filesize
172KB

MD5
de631bd7869c9ccdb044f51394f6b5b7

SHA1
fc3abe8281c40733c6a095ade3d1643abbf2567d

SHA256
174fc039cff0ca212b614b8c0d37d68e7de0c98d9bcada377bb35f37c5525232

SHA512
9ab1f1837ab13bba7b8044230efca8379eb9617947eafc17012c004ed3bfb9b1f0a6acb2a311da15bbecda074bc4a68de91ee7fc757664a67d062ea4af251b48

Download Submit
memory/1008-154-0x0000000000630000-0x0000000000660000-memory.dmp

Filesize
192KB

Download
memory/1008-155-0x000000000AA90000-0x000000000B0A8000-memory.dmp

Filesize
6.1MB

Download
memory/1008-156-0x000000000A5C0000-0x000000000A6CA000-memory.dmp

Filesize
1.0MB

Download
memory/1008-157-0x000000000A4F0000-0x000000000A502000-memory.dmp

Filesize
72KB

Download
memory/1008-158-0x0000000004FA0000-0x0000000004FB0000-memory.dmp

Filesize
64KB

Download
memory/1008-159-0x000000000A550000-0x000000000A58C000-memory.dmp

Filesize
240KB

Download
memory/1008-160-0x0000000004FA0000-0x0000000004FB0000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing