redline | f8c960f79319e773cb5491c14ca4bdad349334ab5c9c61da66225641e1af4dda

Analysis

max time kernel
144s
max time network
148s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
06-06-2023 15:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

04093699.exe
Size

585KB
MD5

cdeedcc74a65bbf2d908bad6d34e00f2
SHA1

2d36561512046a42fb0d65d208905a0390c8fe6d
SHA256

f8c960f79319e773cb5491c14ca4bdad349334ab5c9c61da66225641e1af4dda
SHA512

84937ee5cdd28f3e65e181bb0222323f37bb77f9a525ddb982473c379e0017446f2609f4bda054c0f3a846dd6e55ac9e2e5d8c20be596b232cbab7953cad94b4
SSDEEP

12288:EMrhy90PbcMTrqJUoh54wGIRLMvf1nVSTMG:lyEbpO7h54yAfdG

Score

10^/10

redline diza infostealer persistence

Malware Config

Extracted

Family

redline

Botnet

diza

83.97.73.126:19048

Attributes

auth_value
0d09b419c8bc967f91c68be4a17e92ee

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Executes dropped EXE 3 IoCs

pid	Process
1588	x4222462.exe
568	x9425436.exe
728	f3222357.exe

Loads dropped DLL 6 IoCs

pid	Process
1644	04093699.exe
1588	x4222462.exe
1588	x4222462.exe
568	x9425436.exe
568	x9425436.exe
728	f3222357.exe

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	x4222462.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	x4222462.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	x9425436.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	x9425436.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	04093699.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	04093699.exe

Suspicious use of WriteProcessMemory 21 IoCs

description	pid	Process	procid_target
PID 1644 wrote to memory of 1588	1644	04093699.exe	28
PID 1644 wrote to memory of 1588	1644	04093699.exe	28
PID 1644 wrote to memory of 1588	1644	04093699.exe	28
PID 1644 wrote to memory of 1588	1644	04093699.exe	28
PID 1644 wrote to memory of 1588	1644	04093699.exe	28
PID 1644 wrote to memory of 1588	1644	04093699.exe	28
PID 1644 wrote to memory of 1588	1644	04093699.exe	28
PID 1588 wrote to memory of 568	1588	x4222462.exe	29
PID 1588 wrote to memory of 568	1588	x4222462.exe	29
PID 1588 wrote to memory of 568	1588	x4222462.exe	29
PID 1588 wrote to memory of 568	1588	x4222462.exe	29
PID 1588 wrote to memory of 568	1588	x4222462.exe	29
PID 1588 wrote to memory of 568	1588	x4222462.exe	29
PID 1588 wrote to memory of 568	1588	x4222462.exe	29
PID 568 wrote to memory of 728	568	x9425436.exe	30
PID 568 wrote to memory of 728	568	x9425436.exe	30
PID 568 wrote to memory of 728	568	x9425436.exe	30
PID 568 wrote to memory of 728	568	x9425436.exe	30
PID 568 wrote to memory of 728	568	x9425436.exe	30
PID 568 wrote to memory of 728	568	x9425436.exe	30
PID 568 wrote to memory of 728	568	x9425436.exe	30

C:\Users\Admin\AppData\Local\Temp\04093699.exe
"C:\Users\Admin\AppData\Local\Temp\04093699.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1644
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x4222462.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x4222462.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:1588
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x9425436.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x9425436.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:568
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\f3222357.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\f3222357.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:728

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x4222462.exe

Filesize
377KB

MD5
c89158854c5a9750cff4d975aed9e720

SHA1
fe1d72b3c7289088764ad8c5233a38152b4d19e4

SHA256
7055accc4867c6c7237bfbe0fa3007ce05f0b50f41e1b8881062be87efbca265

SHA512
ac2a180ef03c270af9ca94bfda4ef81f88e3c4ed9ba381081dd8e3f6c26cd584c3b8272847502e009bc90a511835758b05c6a1612d2af276ae0cc9a736eadf8b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x4222462.exe

Filesize
377KB

MD5
c89158854c5a9750cff4d975aed9e720

SHA1
fe1d72b3c7289088764ad8c5233a38152b4d19e4

SHA256
7055accc4867c6c7237bfbe0fa3007ce05f0b50f41e1b8881062be87efbca265

SHA512
ac2a180ef03c270af9ca94bfda4ef81f88e3c4ed9ba381081dd8e3f6c26cd584c3b8272847502e009bc90a511835758b05c6a1612d2af276ae0cc9a736eadf8b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x9425436.exe

Filesize
206KB

MD5
974da7592be53a6ded51b5776920a569

SHA1
474022b69ad053d848c856dcbd3b5d3711d7ee80

SHA256
1f4bacb5fb3de10d909976a52e61e50fdf357e1589cf4f7ffc90c19d45785f48

SHA512
0788bf48e959eeb8f2de80929ed8214cf698c5db9758dea5959b134296f904c1010728f55be757fae35525af905bb4bab4117bc8223e02979c10a7e365f4fcd9

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x9425436.exe

Filesize
206KB

MD5
974da7592be53a6ded51b5776920a569

SHA1
474022b69ad053d848c856dcbd3b5d3711d7ee80

SHA256
1f4bacb5fb3de10d909976a52e61e50fdf357e1589cf4f7ffc90c19d45785f48

SHA512
0788bf48e959eeb8f2de80929ed8214cf698c5db9758dea5959b134296f904c1010728f55be757fae35525af905bb4bab4117bc8223e02979c10a7e365f4fcd9

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\f3222357.exe

Filesize
172KB

MD5
1a2fdc0246f10e4821a8494990fe3296

SHA1
d8d701643a03c3e266cff10d1fd0f3f72613b473

SHA256
63378a143d9344b086a5d9225733188fc3f60556e7ca2194177bf6f52e093f00

SHA512
bbf4f75c0c768859fdb46ac8f6cfdf099f4041325ccec3c4446e976db97581134a57a9ccd0d13e5a23f16030ba65887a7160d10a421b92fc3863e57f15807ab7

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\f3222357.exe

Filesize
172KB

MD5
1a2fdc0246f10e4821a8494990fe3296

SHA1
d8d701643a03c3e266cff10d1fd0f3f72613b473

SHA256
63378a143d9344b086a5d9225733188fc3f60556e7ca2194177bf6f52e093f00

SHA512
bbf4f75c0c768859fdb46ac8f6cfdf099f4041325ccec3c4446e976db97581134a57a9ccd0d13e5a23f16030ba65887a7160d10a421b92fc3863e57f15807ab7

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\x4222462.exe

Filesize
377KB

MD5
c89158854c5a9750cff4d975aed9e720

SHA1
fe1d72b3c7289088764ad8c5233a38152b4d19e4

SHA256
7055accc4867c6c7237bfbe0fa3007ce05f0b50f41e1b8881062be87efbca265

SHA512
ac2a180ef03c270af9ca94bfda4ef81f88e3c4ed9ba381081dd8e3f6c26cd584c3b8272847502e009bc90a511835758b05c6a1612d2af276ae0cc9a736eadf8b

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\x4222462.exe

Filesize
377KB

MD5
c89158854c5a9750cff4d975aed9e720

SHA1
fe1d72b3c7289088764ad8c5233a38152b4d19e4

SHA256
7055accc4867c6c7237bfbe0fa3007ce05f0b50f41e1b8881062be87efbca265

SHA512
ac2a180ef03c270af9ca94bfda4ef81f88e3c4ed9ba381081dd8e3f6c26cd584c3b8272847502e009bc90a511835758b05c6a1612d2af276ae0cc9a736eadf8b

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\x9425436.exe

Filesize
206KB

MD5
974da7592be53a6ded51b5776920a569

SHA1
474022b69ad053d848c856dcbd3b5d3711d7ee80

SHA256
1f4bacb5fb3de10d909976a52e61e50fdf357e1589cf4f7ffc90c19d45785f48

SHA512
0788bf48e959eeb8f2de80929ed8214cf698c5db9758dea5959b134296f904c1010728f55be757fae35525af905bb4bab4117bc8223e02979c10a7e365f4fcd9

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\x9425436.exe

Filesize
206KB

MD5
974da7592be53a6ded51b5776920a569

SHA1
474022b69ad053d848c856dcbd3b5d3711d7ee80

SHA256
1f4bacb5fb3de10d909976a52e61e50fdf357e1589cf4f7ffc90c19d45785f48

SHA512
0788bf48e959eeb8f2de80929ed8214cf698c5db9758dea5959b134296f904c1010728f55be757fae35525af905bb4bab4117bc8223e02979c10a7e365f4fcd9

Download Submit
\Users\Admin\AppData\Local\Temp\IXP002.TMP\f3222357.exe

Filesize
172KB

MD5
1a2fdc0246f10e4821a8494990fe3296

SHA1
d8d701643a03c3e266cff10d1fd0f3f72613b473

SHA256
63378a143d9344b086a5d9225733188fc3f60556e7ca2194177bf6f52e093f00

SHA512
bbf4f75c0c768859fdb46ac8f6cfdf099f4041325ccec3c4446e976db97581134a57a9ccd0d13e5a23f16030ba65887a7160d10a421b92fc3863e57f15807ab7

Download Submit
\Users\Admin\AppData\Local\Temp\IXP002.TMP\f3222357.exe

Filesize
172KB

MD5
1a2fdc0246f10e4821a8494990fe3296

SHA1
d8d701643a03c3e266cff10d1fd0f3f72613b473

SHA256
63378a143d9344b086a5d9225733188fc3f60556e7ca2194177bf6f52e093f00

SHA512
bbf4f75c0c768859fdb46ac8f6cfdf099f4041325ccec3c4446e976db97581134a57a9ccd0d13e5a23f16030ba65887a7160d10a421b92fc3863e57f15807ab7

Download Submit
memory/728-84-0x0000000000D80000-0x0000000000DB0000-memory.dmp

Filesize
192KB

Download
memory/728-85-0x0000000000320000-0x0000000000326000-memory.dmp

Filesize
24KB

Download
memory/728-86-0x0000000004BD0000-0x0000000004C10000-memory.dmp

Filesize
256KB

Download
memory/728-87-0x0000000004BD0000-0x0000000004C10000-memory.dmp

Filesize
256KB

Download