redline | 8bcad15880455bf3c58ee82de143205c27e625c923cc96d2ebb198cfe6a8685c

General

Target

8bcad15880455bf3c58ee82de143205c27e625c923cc96d2ebb198cfe6a8685c.exe
Size

584KB
MD5

6f86d05e774077c7eaa0b0019bdb535f
SHA1

2764174a9d721b6910e1072fa8ae26779615a2fe
SHA256

8bcad15880455bf3c58ee82de143205c27e625c923cc96d2ebb198cfe6a8685c
SHA512

5ab81293284105e8d3fb15b36e4217f90304d3f133e63f081686a038f2e4e7724e3d52a504809f493c7d9f7d638a36c52c1dfe04b36f1fc6e93ef15cfaeb9089
SSDEEP

12288:vMrCy90BgV9sGmCUbJxVrMNAvdSXoOC2nQi3dOlI1zj:lyR9s8SJxZNdSXoOC8OiJj

Score

10^/10

redline diza infostealer persistence

Malware Config

Extracted

Family

redline

Botnet

diza

C2

83.97.73.126:19048

Attributes

auth_value
0d09b419c8bc967f91c68be4a17e92ee

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Executes dropped EXE 3 IoCs

pid	Process
1392	x8426290.exe
2272	x5657634.exe
3132	f6772074.exe

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	8bcad15880455bf3c58ee82de143205c27e625c923cc96d2ebb198cfe6a8685c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	8bcad15880455bf3c58ee82de143205c27e625c923cc96d2ebb198cfe6a8685c.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	x8426290.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	x8426290.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	x5657634.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	x5657634.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 4500 wrote to memory of 1392	4500	8bcad15880455bf3c58ee82de143205c27e625c923cc96d2ebb198cfe6a8685c.exe	84
PID 4500 wrote to memory of 1392	4500	8bcad15880455bf3c58ee82de143205c27e625c923cc96d2ebb198cfe6a8685c.exe	84
PID 4500 wrote to memory of 1392	4500	8bcad15880455bf3c58ee82de143205c27e625c923cc96d2ebb198cfe6a8685c.exe	84
PID 1392 wrote to memory of 2272	1392	x8426290.exe	85
PID 1392 wrote to memory of 2272	1392	x8426290.exe	85
PID 1392 wrote to memory of 2272	1392	x8426290.exe	85
PID 2272 wrote to memory of 3132	2272	x5657634.exe	86
PID 2272 wrote to memory of 3132	2272	x5657634.exe	86
PID 2272 wrote to memory of 3132	2272	x5657634.exe	86

C:\Users\Admin\AppData\Local\Temp\8bcad15880455bf3c58ee82de143205c27e625c923cc96d2ebb198cfe6a8685c.exe
"C:\Users\Admin\AppData\Local\Temp\8bcad15880455bf3c58ee82de143205c27e625c923cc96d2ebb198cfe6a8685c.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4500
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x8426290.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x8426290.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:1392
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x5657634.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x5657634.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:2272
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\f6772074.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\f6772074.exe
      4⤵
      Executes dropped EXE
      PID:3132

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x8426290.exe

Filesize
378KB

MD5
e7084edaf44575dfcfdcc009b3dc13c3

SHA1
8cbe78c72b015d74c34ff7c7fbec1c64081ec60f

SHA256
c14f3f6f1b9a4efa6206266cf69dcac73b3e53e594c5ef839f6f988167bb58d4

SHA512
14142be133097d8ca0adf55a002c869dfcbac6c476526b3581d2579b7273566a3e21daa4805b05352aca75adb3a3671826e6a9a66c9ef9fa7f2b2b6d53c1a98b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x8426290.exe

Filesize
378KB

MD5
e7084edaf44575dfcfdcc009b3dc13c3

SHA1
8cbe78c72b015d74c34ff7c7fbec1c64081ec60f

SHA256
c14f3f6f1b9a4efa6206266cf69dcac73b3e53e594c5ef839f6f988167bb58d4

SHA512
14142be133097d8ca0adf55a002c869dfcbac6c476526b3581d2579b7273566a3e21daa4805b05352aca75adb3a3671826e6a9a66c9ef9fa7f2b2b6d53c1a98b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x5657634.exe

Filesize
206KB

MD5
6d2a2112ee3cd80f0523a6d78844f9c4

SHA1
4b68ff66b3161570a4210331eda714a617dfd012

SHA256
1889a6367fc438a71cec46a44335033df8590bbae4f0a649fde5a9b098000012

SHA512
64994716daddad5b0161aadbc410e2166a4e31c4f9fffc49321a11322335dd21ff7bb9f043842a8dbca9d4f5bc7543be1b49fd72868e3bd2472cc6355edd549f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x5657634.exe

Filesize
206KB

MD5
6d2a2112ee3cd80f0523a6d78844f9c4

SHA1
4b68ff66b3161570a4210331eda714a617dfd012

SHA256
1889a6367fc438a71cec46a44335033df8590bbae4f0a649fde5a9b098000012

SHA512
64994716daddad5b0161aadbc410e2166a4e31c4f9fffc49321a11322335dd21ff7bb9f043842a8dbca9d4f5bc7543be1b49fd72868e3bd2472cc6355edd549f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\f6772074.exe

Filesize
172KB

MD5
a984fb0c02c2334f0c2525ee9e0b5116

SHA1
6a593076d93a307e187495371e24c881ebe3ef25

SHA256
576962476c55547eb87079182608df8807d0db7869be9083fde9a30485f6f791

SHA512
0d58159791fd912e7e321174d9807e2c989d582bd1120165fda0615d6d301b8b1f17e1c4d0c23d30ac75e81aae5487a1b5f3babba054951aa4f4e9c6f05be0a7

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\f6772074.exe

Filesize
172KB

MD5
a984fb0c02c2334f0c2525ee9e0b5116

SHA1
6a593076d93a307e187495371e24c881ebe3ef25

SHA256
576962476c55547eb87079182608df8807d0db7869be9083fde9a30485f6f791

SHA512
0d58159791fd912e7e321174d9807e2c989d582bd1120165fda0615d6d301b8b1f17e1c4d0c23d30ac75e81aae5487a1b5f3babba054951aa4f4e9c6f05be0a7

Download Submit
memory/3132-154-0x0000000000B90000-0x0000000000BC0000-memory.dmp

Filesize
192KB

Download
memory/3132-155-0x000000000AFF0000-0x000000000B608000-memory.dmp

Filesize
6.1MB

Download
memory/3132-156-0x000000000AB10000-0x000000000AC1A000-memory.dmp

Filesize
1.0MB

Download
memory/3132-157-0x000000000AA50000-0x000000000AA62000-memory.dmp

Filesize
72KB

Download
memory/3132-158-0x0000000005640000-0x0000000005650000-memory.dmp

Filesize
64KB

Download
memory/3132-159-0x000000000AAB0000-0x000000000AAEC000-memory.dmp

Filesize
240KB

Download
memory/3132-160-0x0000000005640000-0x0000000005650000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing