redline | d5a93e1e0c463a406b2c08ff3ef6154ec13aa65ef12852334694955c31b5f263

General

Target

d5a93e1e0c463a406b2c08ff3ef6154ec13aa65ef12852334694955c31b5f263.exe
Size

585KB
MD5

d2c76b7d5df38dfec2982a73a22fceec
SHA1

8e79e94d4b241135b39c40e7ce5684d687078c07
SHA256

d5a93e1e0c463a406b2c08ff3ef6154ec13aa65ef12852334694955c31b5f263
SHA512

979028166afa2ff8fba01a76a975d8a61bd2f5f339d7fd49c97888d87af3b860bce0903a7161f6a8f3f08693356cff2608360c81351a86682789c34e00958fdf
SSDEEP

12288:0Mryy90WG92hPULn1EI4FmqXvqnwPqE2CuDyvWnQJ47p4Jc2:+yfG9nj1EcqXvqg2bDWu/4a2

Score

10^/10

redline diza discovery infostealer persistence spyware stealer

Malware Config

Extracted

Family

redline

Botnet

diza

C2

83.97.73.126:19048

Attributes

auth_value
0d09b419c8bc967f91c68be4a17e92ee

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Executes dropped EXE 3 IoCs

pid	Process
4584	x0187324.exe
2724	x1357259.exe
2020	f3791320.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	d5a93e1e0c463a406b2c08ff3ef6154ec13aa65ef12852334694955c31b5f263.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	x0187324.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	x0187324.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	x1357259.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	x1357259.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	d5a93e1e0c463a406b2c08ff3ef6154ec13aa65ef12852334694955c31b5f263.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Suspicious behavior: EnumeratesProcesses 34 IoCs

pid	Process
2020	f3791320.exe
2020	f3791320.exe
2020	f3791320.exe
2020	f3791320.exe
2020	f3791320.exe
2020	f3791320.exe
2020	f3791320.exe
2020	f3791320.exe
2020	f3791320.exe
2020	f3791320.exe
2020	f3791320.exe
2020	f3791320.exe
2020	f3791320.exe
2020	f3791320.exe
2020	f3791320.exe
2020	f3791320.exe
2020	f3791320.exe
2020	f3791320.exe
2020	f3791320.exe
2020	f3791320.exe
2020	f3791320.exe
2020	f3791320.exe
2020	f3791320.exe
2020	f3791320.exe
2020	f3791320.exe
2020	f3791320.exe
2020	f3791320.exe
2020	f3791320.exe
2020	f3791320.exe
2020	f3791320.exe
2020	f3791320.exe
2020	f3791320.exe
2020	f3791320.exe
2020	f3791320.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2020	f3791320.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 4632 wrote to memory of 4584	4632	d5a93e1e0c463a406b2c08ff3ef6154ec13aa65ef12852334694955c31b5f263.exe	81
PID 4632 wrote to memory of 4584	4632	d5a93e1e0c463a406b2c08ff3ef6154ec13aa65ef12852334694955c31b5f263.exe	81
PID 4632 wrote to memory of 4584	4632	d5a93e1e0c463a406b2c08ff3ef6154ec13aa65ef12852334694955c31b5f263.exe	81
PID 4584 wrote to memory of 2724	4584	x0187324.exe	82
PID 4584 wrote to memory of 2724	4584	x0187324.exe	82
PID 4584 wrote to memory of 2724	4584	x0187324.exe	82
PID 2724 wrote to memory of 2020	2724	x1357259.exe	83
PID 2724 wrote to memory of 2020	2724	x1357259.exe	83
PID 2724 wrote to memory of 2020	2724	x1357259.exe	83

C:\Users\Admin\AppData\Local\Temp\d5a93e1e0c463a406b2c08ff3ef6154ec13aa65ef12852334694955c31b5f263.exe
"C:\Users\Admin\AppData\Local\Temp\d5a93e1e0c463a406b2c08ff3ef6154ec13aa65ef12852334694955c31b5f263.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4632
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x0187324.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x0187324.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:4584
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x1357259.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x1357259.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:2724
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\f3791320.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\f3791320.exe
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2020

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Credentials in Files

1

T1081

Discovery

Query Registry

1

T1012

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x0187324.exe

Filesize
378KB

MD5
922efff3675484fe6c1a5069ec8cc7d2

SHA1
441b5df184cd8ebb598ee5e0baf0b6eed3430e89

SHA256
d0c0f389a0c17a4426efe58cfea98a404c5507f06978e9fb81467ff9e9c8f6aa

SHA512
42fdde023aff59956b3d3b1af0895a1ff5119c0b993489a8632e5fbae2198003c17f071dfd53f9b0d06c54f1d354580e2b790111bd1d5aba0166850952fbd059

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x0187324.exe

Filesize
378KB

MD5
922efff3675484fe6c1a5069ec8cc7d2

SHA1
441b5df184cd8ebb598ee5e0baf0b6eed3430e89

SHA256
d0c0f389a0c17a4426efe58cfea98a404c5507f06978e9fb81467ff9e9c8f6aa

SHA512
42fdde023aff59956b3d3b1af0895a1ff5119c0b993489a8632e5fbae2198003c17f071dfd53f9b0d06c54f1d354580e2b790111bd1d5aba0166850952fbd059

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x1357259.exe

Filesize
206KB

MD5
cac3fa3a8a5a14cdf2998ccd3f6a01b4

SHA1
8d41d07feb35495b296b8e320a4daca9bf4689ee

SHA256
2656c725e7566d3d36e44b95e46836cc84dd6f0c00faa5f90a8f0d1fa58d4b9f

SHA512
27807c98e27d9c32957146ed9ab80eedb5067d4b3c3f650f25ce9626a0ad71be07138f388811562f654eca7d779b56bc8f340fe8171363d5d6ed32554f46e1d5

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x1357259.exe

Filesize
206KB

MD5
cac3fa3a8a5a14cdf2998ccd3f6a01b4

SHA1
8d41d07feb35495b296b8e320a4daca9bf4689ee

SHA256
2656c725e7566d3d36e44b95e46836cc84dd6f0c00faa5f90a8f0d1fa58d4b9f

SHA512
27807c98e27d9c32957146ed9ab80eedb5067d4b3c3f650f25ce9626a0ad71be07138f388811562f654eca7d779b56bc8f340fe8171363d5d6ed32554f46e1d5

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\f3791320.exe

Filesize
172KB

MD5
1c14f96a35661722c08e45c5ac02eb83

SHA1
79a2903152420f16bba75f654ac7d421c003ffd2

SHA256
d5e5601425b97fb9432b837964f60efe559822fc817e1211ba5ebe239d1d07da

SHA512
3239eef5b7ac3eac5360c467bc2667b211e532fec4cb453d328a670d499001659b166b2b13849e29162d399e0f27c989d74535beb2dd41611cb42bb13eb0611f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\f3791320.exe

Filesize
172KB

MD5
1c14f96a35661722c08e45c5ac02eb83

SHA1
79a2903152420f16bba75f654ac7d421c003ffd2

SHA256
d5e5601425b97fb9432b837964f60efe559822fc817e1211ba5ebe239d1d07da

SHA512
3239eef5b7ac3eac5360c467bc2667b211e532fec4cb453d328a670d499001659b166b2b13849e29162d399e0f27c989d74535beb2dd41611cb42bb13eb0611f

Download Submit
memory/2020-154-0x0000000000220000-0x0000000000250000-memory.dmp

Filesize
192KB

Download
memory/2020-155-0x000000000A620000-0x000000000AC38000-memory.dmp

Filesize
6.1MB

Download
memory/2020-156-0x000000000A1A0000-0x000000000A2AA000-memory.dmp

Filesize
1.0MB

Download
memory/2020-157-0x000000000A0E0000-0x000000000A0F2000-memory.dmp

Filesize
72KB

Download
memory/2020-158-0x000000000A140000-0x000000000A17C000-memory.dmp

Filesize
240KB

Download
memory/2020-159-0x0000000004B10000-0x0000000004B20000-memory.dmp

Filesize
64KB

Download
memory/2020-160-0x000000000A450000-0x000000000A4C6000-memory.dmp

Filesize
472KB

Download
memory/2020-161-0x000000000A570000-0x000000000A602000-memory.dmp

Filesize
584KB

Download
memory/2020-162-0x000000000B1F0000-0x000000000B794000-memory.dmp

Filesize
5.6MB

Download
memory/2020-163-0x000000000AC40000-0x000000000ACA6000-memory.dmp

Filesize
408KB

Download
memory/2020-164-0x0000000004B10000-0x0000000004B20000-memory.dmp

Filesize
64KB

Download
memory/2020-165-0x000000000B1A0000-0x000000000B1F0000-memory.dmp

Filesize
320KB

Download
memory/2020-166-0x000000000BA70000-0x000000000BC32000-memory.dmp

Filesize
1.8MB

Download
memory/2020-167-0x000000000C170000-0x000000000C69C000-memory.dmp

Filesize
5.2MB

Download

Analysis

Sharing