redline | 3b2d0b14c55db45a6c85a6168f7c94e5211d05660a73678adf1c9768c6379a5f

Analysis

max time kernel
300s
max time network
302s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
06/06/2023, 04:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3b2d0b14c55db45a6c85a6168f7c94e5211d05660a73678adf1c9768c6379a5f.exe
Size

584KB
MD5

cac11cadde640bb0b326ea4bb9ed1b62
SHA1

0641b8f830c7053c71dcfb62ff946aa4dc778ea2
SHA256

3b2d0b14c55db45a6c85a6168f7c94e5211d05660a73678adf1c9768c6379a5f
SHA512

af1ff4f6a0650f255585de2b22024a29d23c3be04cf77794545d0bcd7790c2b71fb1ff16141d1ac155c7b59d44c53184aec936d8dcf59a854e3123a85b3ba7f6
SSDEEP

12288:4MrUy90pkAS6LtDG/xYirKse9FTJVRuv6mM0uh19wlj:MyI7tDG/xzrKt9PVRuvnLik

Score

10^/10

redline diza infostealer persistence

Malware Config

Extracted

Family

redline

Botnet

diza

83.97.73.126:19048

Attributes

auth_value
0d09b419c8bc967f91c68be4a17e92ee

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Executes dropped EXE 3 IoCs

pid	Process
1088	x8297860.exe
1924	x6192703.exe
588	f8774704.exe

Loads dropped DLL 6 IoCs

pid	Process
2024	3b2d0b14c55db45a6c85a6168f7c94e5211d05660a73678adf1c9768c6379a5f.exe
1088	x8297860.exe
1088	x8297860.exe
1924	x6192703.exe
1924	x6192703.exe
588	f8774704.exe

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	3b2d0b14c55db45a6c85a6168f7c94e5211d05660a73678adf1c9768c6379a5f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	3b2d0b14c55db45a6c85a6168f7c94e5211d05660a73678adf1c9768c6379a5f.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	x8297860.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	x8297860.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	x6192703.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	x6192703.exe

Suspicious use of WriteProcessMemory 21 IoCs

description	pid	Process	procid_target
PID 2024 wrote to memory of 1088	2024	3b2d0b14c55db45a6c85a6168f7c94e5211d05660a73678adf1c9768c6379a5f.exe	28
PID 2024 wrote to memory of 1088	2024	3b2d0b14c55db45a6c85a6168f7c94e5211d05660a73678adf1c9768c6379a5f.exe	28
PID 2024 wrote to memory of 1088	2024	3b2d0b14c55db45a6c85a6168f7c94e5211d05660a73678adf1c9768c6379a5f.exe	28
PID 2024 wrote to memory of 1088	2024	3b2d0b14c55db45a6c85a6168f7c94e5211d05660a73678adf1c9768c6379a5f.exe	28
PID 2024 wrote to memory of 1088	2024	3b2d0b14c55db45a6c85a6168f7c94e5211d05660a73678adf1c9768c6379a5f.exe	28
PID 2024 wrote to memory of 1088	2024	3b2d0b14c55db45a6c85a6168f7c94e5211d05660a73678adf1c9768c6379a5f.exe	28
PID 2024 wrote to memory of 1088	2024	3b2d0b14c55db45a6c85a6168f7c94e5211d05660a73678adf1c9768c6379a5f.exe	28
PID 1088 wrote to memory of 1924	1088	x8297860.exe	29
PID 1088 wrote to memory of 1924	1088	x8297860.exe	29
PID 1088 wrote to memory of 1924	1088	x8297860.exe	29
PID 1088 wrote to memory of 1924	1088	x8297860.exe	29
PID 1088 wrote to memory of 1924	1088	x8297860.exe	29
PID 1088 wrote to memory of 1924	1088	x8297860.exe	29
PID 1088 wrote to memory of 1924	1088	x8297860.exe	29
PID 1924 wrote to memory of 588	1924	x6192703.exe	30
PID 1924 wrote to memory of 588	1924	x6192703.exe	30
PID 1924 wrote to memory of 588	1924	x6192703.exe	30
PID 1924 wrote to memory of 588	1924	x6192703.exe	30
PID 1924 wrote to memory of 588	1924	x6192703.exe	30
PID 1924 wrote to memory of 588	1924	x6192703.exe	30
PID 1924 wrote to memory of 588	1924	x6192703.exe	30

C:\Users\Admin\AppData\Local\Temp\3b2d0b14c55db45a6c85a6168f7c94e5211d05660a73678adf1c9768c6379a5f.exe
"C:\Users\Admin\AppData\Local\Temp\3b2d0b14c55db45a6c85a6168f7c94e5211d05660a73678adf1c9768c6379a5f.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2024
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x8297860.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x8297860.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:1088
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x6192703.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x6192703.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:1924
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\f8774704.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\f8774704.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:588

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x8297860.exe

Filesize
377KB

MD5
dcf026db45aedc8e1cb2c15e2af0f37c

SHA1
7646bd4f5b1e5e201a933f136204cec8bfab085a

SHA256
8592aba1f18454048df34e5264d82bd8780be2579ea335d6535911fa57aef6e0

SHA512
93703cdc20c190a577e9502c393d73b92efccad9c8a83a64bfb4d40f433b1c1a5375980bca33db81442e559d67e6907a7ec10cebbcbded1466ee526f1ee7bade

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x8297860.exe

Filesize
377KB

MD5
dcf026db45aedc8e1cb2c15e2af0f37c

SHA1
7646bd4f5b1e5e201a933f136204cec8bfab085a

SHA256
8592aba1f18454048df34e5264d82bd8780be2579ea335d6535911fa57aef6e0

SHA512
93703cdc20c190a577e9502c393d73b92efccad9c8a83a64bfb4d40f433b1c1a5375980bca33db81442e559d67e6907a7ec10cebbcbded1466ee526f1ee7bade

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x6192703.exe

Filesize
206KB

MD5
a7daadc2907fa46eea64b8a20b431b18

SHA1
a8c2a7635dd80d2d5999a139b84429ae6cb0811b

SHA256
a52662a38b2fa8cdc921607844ffcf483acaa17144d690fb35f649c6f45f2d99

SHA512
e9ded841a63cc52fea0bc8d608f87bf61a4a3cc41e30bba3047f3571b20182d0ab48ebfc249255ae76e9c39db73ca062c07e5b4ca96f3798fb221105eb8954c0

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x6192703.exe

Filesize
206KB

MD5
a7daadc2907fa46eea64b8a20b431b18

SHA1
a8c2a7635dd80d2d5999a139b84429ae6cb0811b

SHA256
a52662a38b2fa8cdc921607844ffcf483acaa17144d690fb35f649c6f45f2d99

SHA512
e9ded841a63cc52fea0bc8d608f87bf61a4a3cc41e30bba3047f3571b20182d0ab48ebfc249255ae76e9c39db73ca062c07e5b4ca96f3798fb221105eb8954c0

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\f8774704.exe

Filesize
172KB

MD5
972d11760f3e1655dbcbb50635c1d365

SHA1
eec889e488c4b68e12c6ee03a95f2b41a4e41998

SHA256
4896665f0bde5c4332633dc60aa4e81d0cda7edf90377825b64b58bf6d5ca034

SHA512
65f34930ca5e6eb99d56d5d72ec4fe508b8da0f8c7ff74433f33b64b9fe0b19a786a66bdb95ddd0569845a2ef03ac93833f700cb7aaeb3c21401eb84b7457076

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\f8774704.exe

Filesize
172KB

MD5
972d11760f3e1655dbcbb50635c1d365

SHA1
eec889e488c4b68e12c6ee03a95f2b41a4e41998

SHA256
4896665f0bde5c4332633dc60aa4e81d0cda7edf90377825b64b58bf6d5ca034

SHA512
65f34930ca5e6eb99d56d5d72ec4fe508b8da0f8c7ff74433f33b64b9fe0b19a786a66bdb95ddd0569845a2ef03ac93833f700cb7aaeb3c21401eb84b7457076

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\x8297860.exe

Filesize
377KB

MD5
dcf026db45aedc8e1cb2c15e2af0f37c

SHA1
7646bd4f5b1e5e201a933f136204cec8bfab085a

SHA256
8592aba1f18454048df34e5264d82bd8780be2579ea335d6535911fa57aef6e0

SHA512
93703cdc20c190a577e9502c393d73b92efccad9c8a83a64bfb4d40f433b1c1a5375980bca33db81442e559d67e6907a7ec10cebbcbded1466ee526f1ee7bade

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\x8297860.exe

Filesize
377KB

MD5
dcf026db45aedc8e1cb2c15e2af0f37c

SHA1
7646bd4f5b1e5e201a933f136204cec8bfab085a

SHA256
8592aba1f18454048df34e5264d82bd8780be2579ea335d6535911fa57aef6e0

SHA512
93703cdc20c190a577e9502c393d73b92efccad9c8a83a64bfb4d40f433b1c1a5375980bca33db81442e559d67e6907a7ec10cebbcbded1466ee526f1ee7bade

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\x6192703.exe

Filesize
206KB

MD5
a7daadc2907fa46eea64b8a20b431b18

SHA1
a8c2a7635dd80d2d5999a139b84429ae6cb0811b

SHA256
a52662a38b2fa8cdc921607844ffcf483acaa17144d690fb35f649c6f45f2d99

SHA512
e9ded841a63cc52fea0bc8d608f87bf61a4a3cc41e30bba3047f3571b20182d0ab48ebfc249255ae76e9c39db73ca062c07e5b4ca96f3798fb221105eb8954c0

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\x6192703.exe

Filesize
206KB

MD5
a7daadc2907fa46eea64b8a20b431b18

SHA1
a8c2a7635dd80d2d5999a139b84429ae6cb0811b

SHA256
a52662a38b2fa8cdc921607844ffcf483acaa17144d690fb35f649c6f45f2d99

SHA512
e9ded841a63cc52fea0bc8d608f87bf61a4a3cc41e30bba3047f3571b20182d0ab48ebfc249255ae76e9c39db73ca062c07e5b4ca96f3798fb221105eb8954c0

Download Submit
\Users\Admin\AppData\Local\Temp\IXP002.TMP\f8774704.exe

Filesize
172KB

MD5
972d11760f3e1655dbcbb50635c1d365

SHA1
eec889e488c4b68e12c6ee03a95f2b41a4e41998

SHA256
4896665f0bde5c4332633dc60aa4e81d0cda7edf90377825b64b58bf6d5ca034

SHA512
65f34930ca5e6eb99d56d5d72ec4fe508b8da0f8c7ff74433f33b64b9fe0b19a786a66bdb95ddd0569845a2ef03ac93833f700cb7aaeb3c21401eb84b7457076

Download Submit
\Users\Admin\AppData\Local\Temp\IXP002.TMP\f8774704.exe

Filesize
172KB

MD5
972d11760f3e1655dbcbb50635c1d365

SHA1
eec889e488c4b68e12c6ee03a95f2b41a4e41998

SHA256
4896665f0bde5c4332633dc60aa4e81d0cda7edf90377825b64b58bf6d5ca034

SHA512
65f34930ca5e6eb99d56d5d72ec4fe508b8da0f8c7ff74433f33b64b9fe0b19a786a66bdb95ddd0569845a2ef03ac93833f700cb7aaeb3c21401eb84b7457076

Download Submit
memory/588-84-0x0000000000F40000-0x0000000000F70000-memory.dmp

Filesize
192KB

Download
memory/588-85-0x00000000001F0000-0x00000000001F6000-memory.dmp

Filesize
24KB

Download
memory/588-86-0x0000000004C00000-0x0000000004C40000-memory.dmp

Filesize
256KB

Download
memory/588-87-0x0000000004C00000-0x0000000004C40000-memory.dmp

Filesize
256KB

Download