redline | 5b5060bfcb1f0633fc56ef13f1b224095aaf8d64284b09639ac34d54c9d09f74

General

Target

5b5060bfcb1f0633fc56ef13f1b224095aaf8d64284b09639ac34d54c9d09f74.exe
Size

585KB
MD5

0415bb6aee1df9f71ecffe14f537c363
SHA1

2d762d61dc1930e12a5e36628fda3a5c960a0e2c
SHA256

5b5060bfcb1f0633fc56ef13f1b224095aaf8d64284b09639ac34d54c9d09f74
SHA512

ddffa01b2414e0b694b45a357fc499685e306ca8e77a2c6c8e4693e17f5ffa406598cd263020cc60cce2b1be805af6547c38bf5a91eaf88066e11d1686a332c0
SSDEEP

12288:KMrWy90ILho/DJV9pYr0Jyp4/uCZz7PZpj1lAiz+g:wyLLh2mcuC/lA4

Score

10^/10

redline diza discovery infostealer persistence spyware stealer

Malware Config

Extracted

Family

redline

Botnet

diza

C2

83.97.73.126:19048

Attributes

auth_value
0d09b419c8bc967f91c68be4a17e92ee

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Executes dropped EXE 3 IoCs

pid	Process
2276	x0730499.exe
2520	x4005576.exe
2836	f6641470.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	5b5060bfcb1f0633fc56ef13f1b224095aaf8d64284b09639ac34d54c9d09f74.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	5b5060bfcb1f0633fc56ef13f1b224095aaf8d64284b09639ac34d54c9d09f74.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	x0730499.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	x0730499.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	x4005576.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	x4005576.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Suspicious behavior: EnumeratesProcesses 28 IoCs

pid	Process
2836	f6641470.exe
2836	f6641470.exe
2836	f6641470.exe
2836	f6641470.exe
2836	f6641470.exe
2836	f6641470.exe
2836	f6641470.exe
2836	f6641470.exe
2836	f6641470.exe
2836	f6641470.exe
2836	f6641470.exe
2836	f6641470.exe
2836	f6641470.exe
2836	f6641470.exe
2836	f6641470.exe
2836	f6641470.exe
2836	f6641470.exe
2836	f6641470.exe
2836	f6641470.exe
2836	f6641470.exe
2836	f6641470.exe
2836	f6641470.exe
2836	f6641470.exe
2836	f6641470.exe
2836	f6641470.exe
2836	f6641470.exe
2836	f6641470.exe
2836	f6641470.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2836	f6641470.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 2052 wrote to memory of 2276	2052	5b5060bfcb1f0633fc56ef13f1b224095aaf8d64284b09639ac34d54c9d09f74.exe	66
PID 2052 wrote to memory of 2276	2052	5b5060bfcb1f0633fc56ef13f1b224095aaf8d64284b09639ac34d54c9d09f74.exe	66
PID 2052 wrote to memory of 2276	2052	5b5060bfcb1f0633fc56ef13f1b224095aaf8d64284b09639ac34d54c9d09f74.exe	66
PID 2276 wrote to memory of 2520	2276	x0730499.exe	67
PID 2276 wrote to memory of 2520	2276	x0730499.exe	67
PID 2276 wrote to memory of 2520	2276	x0730499.exe	67
PID 2520 wrote to memory of 2836	2520	x4005576.exe	68
PID 2520 wrote to memory of 2836	2520	x4005576.exe	68
PID 2520 wrote to memory of 2836	2520	x4005576.exe	68

C:\Users\Admin\AppData\Local\Temp\5b5060bfcb1f0633fc56ef13f1b224095aaf8d64284b09639ac34d54c9d09f74.exe
"C:\Users\Admin\AppData\Local\Temp\5b5060bfcb1f0633fc56ef13f1b224095aaf8d64284b09639ac34d54c9d09f74.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2052
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x0730499.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x0730499.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:2276
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x4005576.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x4005576.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:2520
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\f6641470.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\f6641470.exe
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2836

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Credentials in Files

2

T1081

Discovery

Query Registry

1

T1012

Lateral Movement

Collection

Data from Local System

2

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x0730499.exe

Filesize
378KB

MD5
5ce9fb1247c2f6a023e97c02f4e2c3f1

SHA1
bafc30622167d4173ee544d9d7b24b6332684f52

SHA256
5c411c6ab804e423a71bf3a94d4014966b825fce712ce02643ac1c51f8a3e541

SHA512
d7d34bb33bd92dc1a641bc01c36550ea0b603bd6a1e7d84cd68a993498c8d94ff65850c9607d0465dda800787abfa254bd04a553ab0f448cf4e34112a4a832de

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x0730499.exe

Filesize
378KB

MD5
5ce9fb1247c2f6a023e97c02f4e2c3f1

SHA1
bafc30622167d4173ee544d9d7b24b6332684f52

SHA256
5c411c6ab804e423a71bf3a94d4014966b825fce712ce02643ac1c51f8a3e541

SHA512
d7d34bb33bd92dc1a641bc01c36550ea0b603bd6a1e7d84cd68a993498c8d94ff65850c9607d0465dda800787abfa254bd04a553ab0f448cf4e34112a4a832de

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x4005576.exe

Filesize
206KB

MD5
d7fc4f7a230a5899790fd1733b9ad109

SHA1
5283960fe969b0223a65753eee1f068940f5a868

SHA256
5458b5526d674572bc8e83a3d47f993022ee7d417146205b2f9a485bdcad27ee

SHA512
dd51bccf059d596d04d3ca02009b3371b77f98816851c796a0b19faac86bc1c77be1375f00b51a43e1d579e65a1419bf4fe672f8f8c241d2923dacb6b1074fb4

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x4005576.exe

Filesize
206KB

MD5
d7fc4f7a230a5899790fd1733b9ad109

SHA1
5283960fe969b0223a65753eee1f068940f5a868

SHA256
5458b5526d674572bc8e83a3d47f993022ee7d417146205b2f9a485bdcad27ee

SHA512
dd51bccf059d596d04d3ca02009b3371b77f98816851c796a0b19faac86bc1c77be1375f00b51a43e1d579e65a1419bf4fe672f8f8c241d2923dacb6b1074fb4

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\f6641470.exe

Filesize
172KB

MD5
e636fab1e7cbbe129250e6ce6e59eebe

SHA1
2f174f8e18b9d30b85bce25024173f45a7b5a21b

SHA256
b3aa263b5df5a52438c8cd4baac02fa1983d2c57e9a139f222a67f4f90b7901c

SHA512
cc97d9742f74dbe11d87d5b89545ef3c8b36bdf7825d8b018f95a02bde55b24d45f7530e6a136198b87afe860261b1094d706aab880c3f11f18eba2cb6c67ff1

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\f6641470.exe

Filesize
172KB

MD5
e636fab1e7cbbe129250e6ce6e59eebe

SHA1
2f174f8e18b9d30b85bce25024173f45a7b5a21b

SHA256
b3aa263b5df5a52438c8cd4baac02fa1983d2c57e9a139f222a67f4f90b7901c

SHA512
cc97d9742f74dbe11d87d5b89545ef3c8b36bdf7825d8b018f95a02bde55b24d45f7530e6a136198b87afe860261b1094d706aab880c3f11f18eba2cb6c67ff1

Download Submit
memory/2836-142-0x0000000000E30000-0x0000000000E60000-memory.dmp

Filesize
192KB

Download
memory/2836-143-0x0000000007A70000-0x0000000007A76000-memory.dmp

Filesize
24KB

Download
memory/2836-144-0x0000000005E00000-0x0000000006406000-memory.dmp

Filesize
6.0MB

Download
memory/2836-145-0x0000000005940000-0x0000000005A4A000-memory.dmp

Filesize
1.0MB

Download
memory/2836-146-0x0000000005870000-0x0000000005882000-memory.dmp

Filesize
72KB

Download
memory/2836-147-0x00000000058D0000-0x000000000590E000-memory.dmp

Filesize
248KB

Download
memory/2836-148-0x00000000055A0000-0x00000000055B0000-memory.dmp

Filesize
64KB

Download
memory/2836-149-0x0000000005A50000-0x0000000005A9B000-memory.dmp

Filesize
300KB

Download
memory/2836-150-0x0000000005BF0000-0x0000000005C66000-memory.dmp

Filesize
472KB

Download
memory/2836-151-0x0000000005D10000-0x0000000005DA2000-memory.dmp

Filesize
584KB

Download
memory/2836-152-0x0000000006D20000-0x000000000721E000-memory.dmp

Filesize
5.0MB

Download
memory/2836-153-0x0000000006410000-0x0000000006476000-memory.dmp

Filesize
408KB

Download
memory/2836-154-0x0000000006A20000-0x0000000006A70000-memory.dmp

Filesize
320KB

Download
memory/2836-155-0x00000000055A0000-0x00000000055B0000-memory.dmp

Filesize
64KB

Download
memory/2836-156-0x00000000073F0000-0x00000000075B2000-memory.dmp

Filesize
1.8MB

Download
memory/2836-157-0x0000000008FB0000-0x00000000094DC000-memory.dmp

Filesize
5.2MB

Download

Analysis

Sharing