redline | 5e44315ce1502e3592f614e7da161173732e3e9a5e70a610dccc654b25f96671

General

Target

5e44315ce1502e3592f614e7da161173732e3e9a5e70a610dccc654b25f96671.exe
Size

584KB
MD5

4e55e517797a7dcde95e31447b31c659
SHA1

b76e9db5e5d9272b618806c35ce7ab11d8b39eb1
SHA256

5e44315ce1502e3592f614e7da161173732e3e9a5e70a610dccc654b25f96671
SHA512

90b36d603bbf5118c998c68746deab5847d318a838dff421fd464fab42c4e4316f1eb4e8691cb3409fe9a71a532c49fea8a29e9fe8240506b09350a0e05060db
SSDEEP

12288:QMrWy90K4EEx8cAepVZNl+E73i5wMtaMQZ4:WyGHpqETi5wMcMQZ4

Score

10^/10

redline diza infostealer persistence

Malware Config

Extracted

Family

redline

Botnet

diza

C2

83.97.73.126:19048

Attributes

auth_value
0d09b419c8bc967f91c68be4a17e92ee

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Executes dropped EXE 3 IoCs

pid	Process
4244	x9288433.exe
4832	x3869162.exe
1516	f6157868.exe

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	5e44315ce1502e3592f614e7da161173732e3e9a5e70a610dccc654b25f96671.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	5e44315ce1502e3592f614e7da161173732e3e9a5e70a610dccc654b25f96671.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	x9288433.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	x9288433.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	x3869162.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	x3869162.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 2080 wrote to memory of 4244	2080	5e44315ce1502e3592f614e7da161173732e3e9a5e70a610dccc654b25f96671.exe	67
PID 2080 wrote to memory of 4244	2080	5e44315ce1502e3592f614e7da161173732e3e9a5e70a610dccc654b25f96671.exe	67
PID 2080 wrote to memory of 4244	2080	5e44315ce1502e3592f614e7da161173732e3e9a5e70a610dccc654b25f96671.exe	67
PID 4244 wrote to memory of 4832	4244	x9288433.exe	68
PID 4244 wrote to memory of 4832	4244	x9288433.exe	68
PID 4244 wrote to memory of 4832	4244	x9288433.exe	68
PID 4832 wrote to memory of 1516	4832	x3869162.exe	69
PID 4832 wrote to memory of 1516	4832	x3869162.exe	69
PID 4832 wrote to memory of 1516	4832	x3869162.exe	69

C:\Users\Admin\AppData\Local\Temp\5e44315ce1502e3592f614e7da161173732e3e9a5e70a610dccc654b25f96671.exe
"C:\Users\Admin\AppData\Local\Temp\5e44315ce1502e3592f614e7da161173732e3e9a5e70a610dccc654b25f96671.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2080
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x9288433.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x9288433.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:4244
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x3869162.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x3869162.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:4832
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\f6157868.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\f6157868.exe
      4⤵
      Executes dropped EXE
      PID:1516

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x9288433.exe

Filesize
378KB

MD5
ab2c246527a9420a944a07966165ba55

SHA1
1996dde8a2505980748586e3f6b943611ae4bef1

SHA256
66cadbf3393f86e5a7783ac03c1b650b11047ed94070aaeeb75ee2cf4f922e8f

SHA512
b24b471416a026b145ea3c825350b635efcf360dfed20018a1c93272850f5d642ac916919cef20e7d2e9c1d37232cdfd9b83022d4eef9ca7230007f632e4c0a3

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x9288433.exe

Filesize
378KB

MD5
ab2c246527a9420a944a07966165ba55

SHA1
1996dde8a2505980748586e3f6b943611ae4bef1

SHA256
66cadbf3393f86e5a7783ac03c1b650b11047ed94070aaeeb75ee2cf4f922e8f

SHA512
b24b471416a026b145ea3c825350b635efcf360dfed20018a1c93272850f5d642ac916919cef20e7d2e9c1d37232cdfd9b83022d4eef9ca7230007f632e4c0a3

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x3869162.exe

Filesize
206KB

MD5
173369efb6a9591a038add6039d979a1

SHA1
399bdb92ce196168a32916edfcfc90e2bab9945d

SHA256
f8ec9add417845f050286c2bbcbcc05cf26a2b8398a44555410883f6674e0c72

SHA512
0ee7c5814d83df9b27ebb8e136002b9f14a4641660463c059c3b45bc54f35f0444aa5d74af993d177d488bc5a94d2a6d881af24f2fa9470a12c016a3f55f1601

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x3869162.exe

Filesize
206KB

MD5
173369efb6a9591a038add6039d979a1

SHA1
399bdb92ce196168a32916edfcfc90e2bab9945d

SHA256
f8ec9add417845f050286c2bbcbcc05cf26a2b8398a44555410883f6674e0c72

SHA512
0ee7c5814d83df9b27ebb8e136002b9f14a4641660463c059c3b45bc54f35f0444aa5d74af993d177d488bc5a94d2a6d881af24f2fa9470a12c016a3f55f1601

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\f6157868.exe

Filesize
172KB

MD5
79efc8497532d183341d92f77d64112f

SHA1
2896faa6d79cf2f8f2b2360259b5a62d7c5bb5df

SHA256
ed5a0f0788cce08d69f8b6e6c68b96cf6d20b2f3c45249be95f121d440f07955

SHA512
416880fd9d0aa531940e67496001a85394a57b8772fa12e3b0d7e3ab560656f7f7289289029ef49b39548404e9b9525cb48b2f56cf879eeb373f4f51f0e2aaaa

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\f6157868.exe

Filesize
172KB

MD5
79efc8497532d183341d92f77d64112f

SHA1
2896faa6d79cf2f8f2b2360259b5a62d7c5bb5df

SHA256
ed5a0f0788cce08d69f8b6e6c68b96cf6d20b2f3c45249be95f121d440f07955

SHA512
416880fd9d0aa531940e67496001a85394a57b8772fa12e3b0d7e3ab560656f7f7289289029ef49b39548404e9b9525cb48b2f56cf879eeb373f4f51f0e2aaaa

Download Submit
memory/1516-137-0x0000000000040000-0x0000000000070000-memory.dmp

Filesize
192KB

Download
memory/1516-138-0x00000000022A0000-0x00000000022A6000-memory.dmp

Filesize
24KB

Download
memory/1516-139-0x0000000005030000-0x0000000005636000-memory.dmp

Filesize
6.0MB

Download
memory/1516-140-0x0000000004B30000-0x0000000004C3A000-memory.dmp

Filesize
1.0MB

Download
memory/1516-141-0x00000000022F0000-0x0000000002302000-memory.dmp

Filesize
72KB

Download
memory/1516-142-0x00000000049B0000-0x00000000049EE000-memory.dmp

Filesize
248KB

Download
memory/1516-143-0x0000000004A10000-0x0000000004A20000-memory.dmp

Filesize
64KB

Download
memory/1516-144-0x0000000004A20000-0x0000000004A6B000-memory.dmp

Filesize
300KB

Download
memory/1516-145-0x0000000004A10000-0x0000000004A20000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing