redline | b39e87b6113fd5c3561cac2303a1ef9848986595c7bd944f888e93860ed239d8

General

Target

b39e87b6113fd5c3561cac2303a1ef9848986595c7bd944f888e93860ed239d8.exe
Size

585KB
MD5

207f0ab5dfa655be03a64cc9f60a481e
SHA1

4425f4a223b79deb99db48687ac8dfe61469d473
SHA256

b39e87b6113fd5c3561cac2303a1ef9848986595c7bd944f888e93860ed239d8
SHA512

8f1cef00cb5b38697f4458239e56854a3ea35fd32c563013827fc6775b76488f9e2addbc8e01f4b55bde30ea7bff6d62eaf6548054dbd718c30d5e054c067926
SSDEEP

12288:bMr6y9089YlQLdIxIjL4t4GykSY4Q1QzU+1ytVbTQIaGQuB8KEbQmR:hyklKYtt/j1QzPOVbTQBpKEbQC

Score

10^/10

redline diza discovery infostealer persistence spyware stealer

Malware Config

Extracted

Family

redline

Botnet

diza

C2

83.97.73.126:19048

Attributes

auth_value
0d09b419c8bc967f91c68be4a17e92ee

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Executes dropped EXE 3 IoCs

pid	Process
64	x9222541.exe
4320	x5051857.exe
4384	f2933640.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	x5051857.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	b39e87b6113fd5c3561cac2303a1ef9848986595c7bd944f888e93860ed239d8.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	b39e87b6113fd5c3561cac2303a1ef9848986595c7bd944f888e93860ed239d8.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	x9222541.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	x9222541.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	x5051857.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Suspicious behavior: EnumeratesProcesses 30 IoCs

pid	Process
4384	f2933640.exe
4384	f2933640.exe
4384	f2933640.exe
4384	f2933640.exe
4384	f2933640.exe
4384	f2933640.exe
4384	f2933640.exe
4384	f2933640.exe
4384	f2933640.exe
4384	f2933640.exe
4384	f2933640.exe
4384	f2933640.exe
4384	f2933640.exe
4384	f2933640.exe
4384	f2933640.exe
4384	f2933640.exe
4384	f2933640.exe
4384	f2933640.exe
4384	f2933640.exe
4384	f2933640.exe
4384	f2933640.exe
4384	f2933640.exe
4384	f2933640.exe
4384	f2933640.exe
4384	f2933640.exe
4384	f2933640.exe
4384	f2933640.exe
4384	f2933640.exe
4384	f2933640.exe
4384	f2933640.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4384	f2933640.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 3680 wrote to memory of 64	3680	b39e87b6113fd5c3561cac2303a1ef9848986595c7bd944f888e93860ed239d8.exe	66
PID 3680 wrote to memory of 64	3680	b39e87b6113fd5c3561cac2303a1ef9848986595c7bd944f888e93860ed239d8.exe	66
PID 3680 wrote to memory of 64	3680	b39e87b6113fd5c3561cac2303a1ef9848986595c7bd944f888e93860ed239d8.exe	66
PID 64 wrote to memory of 4320	64	x9222541.exe	67
PID 64 wrote to memory of 4320	64	x9222541.exe	67
PID 64 wrote to memory of 4320	64	x9222541.exe	67
PID 4320 wrote to memory of 4384	4320	x5051857.exe	68
PID 4320 wrote to memory of 4384	4320	x5051857.exe	68
PID 4320 wrote to memory of 4384	4320	x5051857.exe	68

C:\Users\Admin\AppData\Local\Temp\b39e87b6113fd5c3561cac2303a1ef9848986595c7bd944f888e93860ed239d8.exe
"C:\Users\Admin\AppData\Local\Temp\b39e87b6113fd5c3561cac2303a1ef9848986595c7bd944f888e93860ed239d8.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3680
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x9222541.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x9222541.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:64
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x5051857.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x5051857.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:4320
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\f2933640.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\f2933640.exe
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4384

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Credentials in Files

1

T1081

Discovery

Query Registry

1

T1012

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x9222541.exe

Filesize
377KB

MD5
9b6911cd324492c24c09abc507a54bf8

SHA1
8ddd493edaef985f591d635171ab37d66cab8182

SHA256
77c4d48af26328f69223b50bf7647ac82d5a2eee61b46e529c86aa0872ce42b6

SHA512
78e02b40ad30c7befd743e418c838a1d59a299d4bd01ce40aef27d3258033fe0655da3cbf81b56ba87b2c5ae11dd38de5f993bd8b3f5eeba5f1587cc8fe15693

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x9222541.exe

Filesize
377KB

MD5
9b6911cd324492c24c09abc507a54bf8

SHA1
8ddd493edaef985f591d635171ab37d66cab8182

SHA256
77c4d48af26328f69223b50bf7647ac82d5a2eee61b46e529c86aa0872ce42b6

SHA512
78e02b40ad30c7befd743e418c838a1d59a299d4bd01ce40aef27d3258033fe0655da3cbf81b56ba87b2c5ae11dd38de5f993bd8b3f5eeba5f1587cc8fe15693

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x5051857.exe

Filesize
206KB

MD5
49844732267f498bb417500f2dcfbb89

SHA1
2f2aa5f3eb02d582739852c299071f8ad8400cf2

SHA256
ad76168b4290c677f67f3ad5079b2beae83534f2b333e832be0a914be17aae37

SHA512
e4222e22d1afd1cc27b8e90d51db63f135158e3cecd8eec3535433217e8e2015c110f1d0369e22c1320b609eabea07ae21d4efddebd373be7928ce403979f1de

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x5051857.exe

Filesize
206KB

MD5
49844732267f498bb417500f2dcfbb89

SHA1
2f2aa5f3eb02d582739852c299071f8ad8400cf2

SHA256
ad76168b4290c677f67f3ad5079b2beae83534f2b333e832be0a914be17aae37

SHA512
e4222e22d1afd1cc27b8e90d51db63f135158e3cecd8eec3535433217e8e2015c110f1d0369e22c1320b609eabea07ae21d4efddebd373be7928ce403979f1de

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\f2933640.exe

Filesize
172KB

MD5
2606d78f69c1a88cce88e40ad999eed5

SHA1
956cfa20f35a58e0faba94bc826cd55fccb144de

SHA256
e141ed4bd5b31ff349c04aea5196a1397678e3e061eb8daa7c3cf2d4cfbca529

SHA512
41a80c2000cadaef35d95f3534f5033a7762c8800769ada3bc94ecb04b46aa3431079085e9d4462c9a0d11e0d5b048b15b19ab7ce8286053999d994987d54019

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\f2933640.exe

Filesize
172KB

MD5
2606d78f69c1a88cce88e40ad999eed5

SHA1
956cfa20f35a58e0faba94bc826cd55fccb144de

SHA256
e141ed4bd5b31ff349c04aea5196a1397678e3e061eb8daa7c3cf2d4cfbca529

SHA512
41a80c2000cadaef35d95f3534f5033a7762c8800769ada3bc94ecb04b46aa3431079085e9d4462c9a0d11e0d5b048b15b19ab7ce8286053999d994987d54019

Download Submit
memory/4384-138-0x0000000000F70000-0x0000000000FA0000-memory.dmp

Filesize
192KB

Download
memory/4384-139-0x00000000030E0000-0x00000000030E6000-memory.dmp

Filesize
24KB

Download
memory/4384-140-0x0000000005E80000-0x0000000006486000-memory.dmp

Filesize
6.0MB

Download
memory/4384-141-0x0000000005980000-0x0000000005A8A000-memory.dmp

Filesize
1.0MB

Download
memory/4384-142-0x0000000005890000-0x00000000058A2000-memory.dmp

Filesize
72KB

Download
memory/4384-143-0x00000000058F0000-0x000000000592E000-memory.dmp

Filesize
248KB

Download
memory/4384-144-0x0000000003100000-0x0000000003110000-memory.dmp

Filesize
64KB

Download
memory/4384-145-0x0000000005930000-0x000000000597B000-memory.dmp

Filesize
300KB

Download
memory/4384-146-0x0000000005C00000-0x0000000005C76000-memory.dmp

Filesize
472KB

Download
memory/4384-147-0x0000000005D20000-0x0000000005DB2000-memory.dmp

Filesize
584KB

Download
memory/4384-148-0x0000000006EA0000-0x000000000739E000-memory.dmp

Filesize
5.0MB

Download
memory/4384-149-0x0000000005DC0000-0x0000000005E26000-memory.dmp

Filesize
408KB

Download
memory/4384-150-0x0000000006C70000-0x0000000006E32000-memory.dmp

Filesize
1.8MB

Download
memory/4384-151-0x0000000008BF0000-0x000000000911C000-memory.dmp

Filesize
5.2MB

Download
memory/4384-152-0x00000000073A0000-0x00000000073F0000-memory.dmp

Filesize
320KB

Download
memory/4384-153-0x0000000003100000-0x0000000003110000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing