redline | b438a11ab68f628962fb4a2aa1b1e4ff2a0b496ae33c8bd0a3609dbf7f11e013

General

Target

b438a11ab68f628962fb4a2aa1b1e4ff2a0b496ae33c8bd0a3609dbf7f11e013.exe
Size

585KB
MD5

e23d7f8b06f5b96744dbece57d9e6872
SHA1

8d33cf9ab5646d484345b1a4994afdd6d583f271
SHA256

b438a11ab68f628962fb4a2aa1b1e4ff2a0b496ae33c8bd0a3609dbf7f11e013
SHA512

24cbe3a8769d5fd81d1dcaff982a9e70a11cab21d0e090c17af010fa7203e4b50dfd96b2135a14829ee62a123a9b2e88f59210f1bc09ea8155d3ed9652d7fa17
SSDEEP

12288:KMrjy90QtXJGVXVNq/xviymqdhMp8udPfHLmTHZE2xysS5MLeFpb:lyDtXJEzq5aymqdmHRfrIaMjLwJ

Score

10^/10

redline diza discovery infostealer persistence spyware stealer

Malware Config

Extracted

Family

redline

Botnet

diza

C2

83.97.73.126:19048

Attributes

auth_value
0d09b419c8bc967f91c68be4a17e92ee

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Executes dropped EXE 3 IoCs

pid	Process
852	x7467113.exe
1212	x3706342.exe
2156	f7133417.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	x3706342.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	b438a11ab68f628962fb4a2aa1b1e4ff2a0b496ae33c8bd0a3609dbf7f11e013.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	b438a11ab68f628962fb4a2aa1b1e4ff2a0b496ae33c8bd0a3609dbf7f11e013.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	x7467113.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	x7467113.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	x3706342.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Suspicious behavior: EnumeratesProcesses 34 IoCs

pid	Process
2156	f7133417.exe
2156	f7133417.exe
2156	f7133417.exe
2156	f7133417.exe
2156	f7133417.exe
2156	f7133417.exe
2156	f7133417.exe
2156	f7133417.exe
2156	f7133417.exe
2156	f7133417.exe
2156	f7133417.exe
2156	f7133417.exe
2156	f7133417.exe
2156	f7133417.exe
2156	f7133417.exe
2156	f7133417.exe
2156	f7133417.exe
2156	f7133417.exe
2156	f7133417.exe
2156	f7133417.exe
2156	f7133417.exe
2156	f7133417.exe
2156	f7133417.exe
2156	f7133417.exe
2156	f7133417.exe
2156	f7133417.exe
2156	f7133417.exe
2156	f7133417.exe
2156	f7133417.exe
2156	f7133417.exe
2156	f7133417.exe
2156	f7133417.exe
2156	f7133417.exe
2156	f7133417.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2156	f7133417.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 2392 wrote to memory of 852	2392	b438a11ab68f628962fb4a2aa1b1e4ff2a0b496ae33c8bd0a3609dbf7f11e013.exe	84
PID 2392 wrote to memory of 852	2392	b438a11ab68f628962fb4a2aa1b1e4ff2a0b496ae33c8bd0a3609dbf7f11e013.exe	84
PID 2392 wrote to memory of 852	2392	b438a11ab68f628962fb4a2aa1b1e4ff2a0b496ae33c8bd0a3609dbf7f11e013.exe	84
PID 852 wrote to memory of 1212	852	x7467113.exe	85
PID 852 wrote to memory of 1212	852	x7467113.exe	85
PID 852 wrote to memory of 1212	852	x7467113.exe	85
PID 1212 wrote to memory of 2156	1212	x3706342.exe	86
PID 1212 wrote to memory of 2156	1212	x3706342.exe	86
PID 1212 wrote to memory of 2156	1212	x3706342.exe	86

C:\Users\Admin\AppData\Local\Temp\b438a11ab68f628962fb4a2aa1b1e4ff2a0b496ae33c8bd0a3609dbf7f11e013.exe
"C:\Users\Admin\AppData\Local\Temp\b438a11ab68f628962fb4a2aa1b1e4ff2a0b496ae33c8bd0a3609dbf7f11e013.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2392
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x7467113.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x7467113.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:852
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x3706342.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x3706342.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:1212
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\f7133417.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\f7133417.exe
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2156

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Credentials in Files

1

T1081

Discovery

Query Registry

1

T1012

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x7467113.exe

Filesize
377KB

MD5
a6cbf08cb26f163aa4cf35b126b0e4de

SHA1
c635eab2b1ca0700514511d45a4af34e7391e712

SHA256
55ad1edc5bb688e8645e35af848206fcdf9be89f3dfe273a0ab32e4c58cf064f

SHA512
1288b02ca2ba9b63a0c99338471d564f632413ae075f8ae5827450b6553f675b4e0a3f6d1e8b8d071d0eedab36d2f4496c517ef16bd287cbc9e6bec834e9a1eb

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x7467113.exe

Filesize
377KB

MD5
a6cbf08cb26f163aa4cf35b126b0e4de

SHA1
c635eab2b1ca0700514511d45a4af34e7391e712

SHA256
55ad1edc5bb688e8645e35af848206fcdf9be89f3dfe273a0ab32e4c58cf064f

SHA512
1288b02ca2ba9b63a0c99338471d564f632413ae075f8ae5827450b6553f675b4e0a3f6d1e8b8d071d0eedab36d2f4496c517ef16bd287cbc9e6bec834e9a1eb

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x3706342.exe

Filesize
206KB

MD5
0a95cdda0031a58bed76f2b422a52943

SHA1
b5964a048c89fda4cdb8caaa868d777f74ef29d8

SHA256
3932a55e16f0a5fefc9ed9c1a14a453cd5623cfcaee4878b2f6944cd0003f54a

SHA512
967669e6f48ad646778b9d82a5b93ea26f5009bf70f89bad0fd9292f1c5c9a9398d41fa726f157d3ae12763e5018f595eb0772522e56a360bfb4d583a93b422b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x3706342.exe

Filesize
206KB

MD5
0a95cdda0031a58bed76f2b422a52943

SHA1
b5964a048c89fda4cdb8caaa868d777f74ef29d8

SHA256
3932a55e16f0a5fefc9ed9c1a14a453cd5623cfcaee4878b2f6944cd0003f54a

SHA512
967669e6f48ad646778b9d82a5b93ea26f5009bf70f89bad0fd9292f1c5c9a9398d41fa726f157d3ae12763e5018f595eb0772522e56a360bfb4d583a93b422b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\f7133417.exe

Filesize
172KB

MD5
c591a316b87ceb1cf041aa918e916bfc

SHA1
5c9b00541a96205e0af34404dc54203e0cca5986

SHA256
9a0e114d8ed643f85ca162a7b7e7c6878f5e6fe7c98271b5c381996c46ed61f0

SHA512
b688ca758927caffcaaad0558529b3111fe2bfb045230a667eff20383100f06b9ab39793bf6a63b792cfd8b32d0bb298bc2ed7a079e67b6bb03529a3903382c1

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\f7133417.exe

Filesize
172KB

MD5
c591a316b87ceb1cf041aa918e916bfc

SHA1
5c9b00541a96205e0af34404dc54203e0cca5986

SHA256
9a0e114d8ed643f85ca162a7b7e7c6878f5e6fe7c98271b5c381996c46ed61f0

SHA512
b688ca758927caffcaaad0558529b3111fe2bfb045230a667eff20383100f06b9ab39793bf6a63b792cfd8b32d0bb298bc2ed7a079e67b6bb03529a3903382c1

Download Submit
memory/2156-154-0x0000000000340000-0x0000000000370000-memory.dmp

Filesize
192KB

Download
memory/2156-155-0x0000000005280000-0x0000000005898000-memory.dmp

Filesize
6.1MB

Download
memory/2156-156-0x0000000004D70000-0x0000000004E7A000-memory.dmp

Filesize
1.0MB

Download
memory/2156-157-0x0000000004CA0000-0x0000000004CB2000-memory.dmp

Filesize
72KB

Download
memory/2156-158-0x0000000004D00000-0x0000000004D3C000-memory.dmp

Filesize
240KB

Download
memory/2156-159-0x0000000004B10000-0x0000000004B20000-memory.dmp

Filesize
64KB

Download
memory/2156-160-0x0000000005010000-0x0000000005086000-memory.dmp

Filesize
472KB

Download
memory/2156-161-0x0000000005130000-0x00000000051C2000-memory.dmp

Filesize
584KB

Download
memory/2156-162-0x0000000006340000-0x00000000068E4000-memory.dmp

Filesize
5.6MB

Download
memory/2156-163-0x00000000059A0000-0x0000000005A06000-memory.dmp

Filesize
408KB

Download
memory/2156-164-0x0000000004B10000-0x0000000004B20000-memory.dmp

Filesize
64KB

Download
memory/2156-165-0x0000000005F90000-0x0000000005FE0000-memory.dmp

Filesize
320KB

Download
memory/2156-166-0x00000000068F0000-0x0000000006AB2000-memory.dmp

Filesize
1.8MB

Download
memory/2156-167-0x0000000008510000-0x0000000008A3C000-memory.dmp

Filesize
5.2MB

Download

Analysis

Sharing