redline | 8417123e4a038a3b16346babc5269a0a931f8577e6be41f88e75137af33c43e0

General

Target

8417123e4a038a3b16346babc5269a0a931f8577e6be41f88e75137af33c43e0.exe
Size

585KB
MD5

0383ffddee8dc923b2b96c80a4efd011
SHA1

2926ae6f85cbdeb1a7ec96d1e4ec5371dd95843b
SHA256

8417123e4a038a3b16346babc5269a0a931f8577e6be41f88e75137af33c43e0
SHA512

3c155c185947aba29630932080af01640d4d3bb4364bc706cd1692b8090b938595b35325bf9bf77a2f65fa610f64af3bf3916edb455a8414a11c1a25625ec3b6
SSDEEP

12288:JMryy90KPzMSkQLob3jSsa2SIBUhfUonUJM3TENWUEIrrl:jyJzkQLozSN2XqhfPVYNXl

Score

10^/10

redline diza discovery infostealer persistence spyware stealer

Malware Config

Extracted

Family

redline

Botnet

diza

C2

83.97.73.126:19048

Attributes

auth_value
0d09b419c8bc967f91c68be4a17e92ee

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Executes dropped EXE 3 IoCs

pid	Process
2020	x3181102.exe
3820	x3653828.exe
400	f1604289.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	x3653828.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	8417123e4a038a3b16346babc5269a0a931f8577e6be41f88e75137af33c43e0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	8417123e4a038a3b16346babc5269a0a931f8577e6be41f88e75137af33c43e0.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	x3181102.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	x3181102.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	x3653828.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
400	f1604289.exe
400	f1604289.exe
400	f1604289.exe
400	f1604289.exe
400	f1604289.exe
400	f1604289.exe
400	f1604289.exe
400	f1604289.exe
400	f1604289.exe
400	f1604289.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	400	f1604289.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 1764 wrote to memory of 2020	1764	8417123e4a038a3b16346babc5269a0a931f8577e6be41f88e75137af33c43e0.exe	84
PID 1764 wrote to memory of 2020	1764	8417123e4a038a3b16346babc5269a0a931f8577e6be41f88e75137af33c43e0.exe	84
PID 1764 wrote to memory of 2020	1764	8417123e4a038a3b16346babc5269a0a931f8577e6be41f88e75137af33c43e0.exe	84
PID 2020 wrote to memory of 3820	2020	x3181102.exe	85
PID 2020 wrote to memory of 3820	2020	x3181102.exe	85
PID 2020 wrote to memory of 3820	2020	x3181102.exe	85
PID 3820 wrote to memory of 400	3820	x3653828.exe	86
PID 3820 wrote to memory of 400	3820	x3653828.exe	86
PID 3820 wrote to memory of 400	3820	x3653828.exe	86

C:\Users\Admin\AppData\Local\Temp\8417123e4a038a3b16346babc5269a0a931f8577e6be41f88e75137af33c43e0.exe
"C:\Users\Admin\AppData\Local\Temp\8417123e4a038a3b16346babc5269a0a931f8577e6be41f88e75137af33c43e0.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1764
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x3181102.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x3181102.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:2020
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x3653828.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x3653828.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:3820
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\f1604289.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\f1604289.exe
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:400

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Credentials in Files

1

T1081

Discovery

Query Registry

1

T1012

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x3181102.exe

Filesize
377KB

MD5
ea61aead2b99b3aaf9285249e1cac4ac

SHA1
b482f32a361577458e278b69b7d2d826a08d4b5f

SHA256
c1309f958ccc00c4bf7e4b2638f06eb3c0c95cf51d1b519243493a1075e2f0cc

SHA512
ebe67176ac6a4f760faa7b64327f3b3c1bfbc441e319b9b49fb343d0d4183bc16cce154470d53b39365f746c507d8c4299f8b5e9302e4448d2cbe6096ec18aac

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x3181102.exe

Filesize
377KB

MD5
ea61aead2b99b3aaf9285249e1cac4ac

SHA1
b482f32a361577458e278b69b7d2d826a08d4b5f

SHA256
c1309f958ccc00c4bf7e4b2638f06eb3c0c95cf51d1b519243493a1075e2f0cc

SHA512
ebe67176ac6a4f760faa7b64327f3b3c1bfbc441e319b9b49fb343d0d4183bc16cce154470d53b39365f746c507d8c4299f8b5e9302e4448d2cbe6096ec18aac

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x3653828.exe

Filesize
206KB

MD5
95945ed5e0f9de6391c4fc6b8c8f9699

SHA1
915e5e2ddd0af4f1c1459b587681a6f15fa1084d

SHA256
2565bcaa973ddf5c3f86a55bcd4b5c88eeeaff902156fa731a7f5896f3eb4e60

SHA512
cdb0835e04904f243ad45a34737a927ccabde3fd9546cbd399940addde5fad101db6e3ee9ec479c43def0531666b825fc85c4d46d5650207187ac50093332461

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x3653828.exe

Filesize
206KB

MD5
95945ed5e0f9de6391c4fc6b8c8f9699

SHA1
915e5e2ddd0af4f1c1459b587681a6f15fa1084d

SHA256
2565bcaa973ddf5c3f86a55bcd4b5c88eeeaff902156fa731a7f5896f3eb4e60

SHA512
cdb0835e04904f243ad45a34737a927ccabde3fd9546cbd399940addde5fad101db6e3ee9ec479c43def0531666b825fc85c4d46d5650207187ac50093332461

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\f1604289.exe

Filesize
172KB

MD5
e008a87849a90c41ef068d47c3656764

SHA1
67d95c7b3c6827214c1ce46d58d6fca9d8afb979

SHA256
95702b84e1078055cb8cd720af41d797e9fb3dab9bc5a2d7b3f7f993a5d98736

SHA512
4ae9c920544e2e55e5190a02654c0c0e576f880010430cd90ad41903638df8abafe3b29e238a5785841140d59ce3f1d578b3e2344f9c027143a468af0dd77e78

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\f1604289.exe

Filesize
172KB

MD5
e008a87849a90c41ef068d47c3656764

SHA1
67d95c7b3c6827214c1ce46d58d6fca9d8afb979

SHA256
95702b84e1078055cb8cd720af41d797e9fb3dab9bc5a2d7b3f7f993a5d98736

SHA512
4ae9c920544e2e55e5190a02654c0c0e576f880010430cd90ad41903638df8abafe3b29e238a5785841140d59ce3f1d578b3e2344f9c027143a468af0dd77e78

Download Submit
memory/400-154-0x0000000000730000-0x0000000000760000-memory.dmp

Filesize
192KB

Download
memory/400-155-0x000000000AB50000-0x000000000B168000-memory.dmp

Filesize
6.1MB

Download
memory/400-156-0x000000000A6B0000-0x000000000A7BA000-memory.dmp

Filesize
1.0MB

Download
memory/400-157-0x000000000A5F0000-0x000000000A602000-memory.dmp

Filesize
72KB

Download
memory/400-158-0x0000000005060000-0x0000000005070000-memory.dmp

Filesize
64KB

Download
memory/400-159-0x000000000A650000-0x000000000A68C000-memory.dmp

Filesize
240KB

Download
memory/400-160-0x0000000005060000-0x0000000005070000-memory.dmp

Filesize
64KB

Download
memory/400-161-0x000000000A3F0000-0x000000000A466000-memory.dmp

Filesize
472KB

Download
memory/400-162-0x000000000A470000-0x000000000A502000-memory.dmp

Filesize
584KB

Download
memory/400-163-0x000000000B720000-0x000000000BCC4000-memory.dmp

Filesize
5.6MB

Download
memory/400-164-0x000000000B270000-0x000000000B2D6000-memory.dmp

Filesize
408KB

Download
memory/400-165-0x000000000B550000-0x000000000B5A0000-memory.dmp

Filesize
320KB

Download
memory/400-166-0x000000000BEA0000-0x000000000C062000-memory.dmp

Filesize
1.8MB

Download
memory/400-167-0x000000000C5A0000-0x000000000CACC000-memory.dmp

Filesize
5.2MB

Download

Analysis

Sharing