redline | 81123a61222c36165f40d485258e9235228309de64aaf66d8fba26f82565dec8

General

Target

81123a61222c36165f40d485258e9235228309de64aaf66d8fba26f82565dec8.exe
Size

585KB
MD5

2c3ad349ff47fadb539ca43c1e222f5c
SHA1

e91b9f64b84ac120ce48a5e0b79540e5a62e82cf
SHA256

81123a61222c36165f40d485258e9235228309de64aaf66d8fba26f82565dec8
SHA512

a7bd33c2ffa92d29f7d4f2baa946df0618029da241fac43a47a96e547594b66152021047a747d7e6231ca55ff74de302a129a942bea04d2c3dc9e8ced01e3e97
SSDEEP

12288:hMrBy906dNKS7GeCmONe7v9kyBgV1VOYCuLNcSXXHMyxcOglqJ:wy8mOu4ROeLt/cl+

Score

10^/10

redline diza discovery infostealer persistence spyware stealer

Malware Config

Extracted

Family

redline

Botnet

diza

C2

83.97.73.126:19048

Attributes

auth_value
0d09b419c8bc967f91c68be4a17e92ee

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Executes dropped EXE 3 IoCs

pid	Process
2564	x0746146.exe
3088	x2847130.exe
4876	f9441094.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	x0746146.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	x0746146.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	x2847130.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	x2847130.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	81123a61222c36165f40d485258e9235228309de64aaf66d8fba26f82565dec8.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	81123a61222c36165f40d485258e9235228309de64aaf66d8fba26f82565dec8.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Suspicious behavior: EnumeratesProcesses 36 IoCs

pid	Process
4876	f9441094.exe
4876	f9441094.exe
4876	f9441094.exe
4876	f9441094.exe
4876	f9441094.exe
4876	f9441094.exe
4876	f9441094.exe
4876	f9441094.exe
4876	f9441094.exe
4876	f9441094.exe
4876	f9441094.exe
4876	f9441094.exe
4876	f9441094.exe
4876	f9441094.exe
4876	f9441094.exe
4876	f9441094.exe
4876	f9441094.exe
4876	f9441094.exe
4876	f9441094.exe
4876	f9441094.exe
4876	f9441094.exe
4876	f9441094.exe
4876	f9441094.exe
4876	f9441094.exe
4876	f9441094.exe
4876	f9441094.exe
4876	f9441094.exe
4876	f9441094.exe
4876	f9441094.exe
4876	f9441094.exe
4876	f9441094.exe
4876	f9441094.exe
4876	f9441094.exe
4876	f9441094.exe
4876	f9441094.exe
4876	f9441094.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4876	f9441094.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 2496 wrote to memory of 2564	2496	81123a61222c36165f40d485258e9235228309de64aaf66d8fba26f82565dec8.exe	66
PID 2496 wrote to memory of 2564	2496	81123a61222c36165f40d485258e9235228309de64aaf66d8fba26f82565dec8.exe	66
PID 2496 wrote to memory of 2564	2496	81123a61222c36165f40d485258e9235228309de64aaf66d8fba26f82565dec8.exe	66
PID 2564 wrote to memory of 3088	2564	x0746146.exe	67
PID 2564 wrote to memory of 3088	2564	x0746146.exe	67
PID 2564 wrote to memory of 3088	2564	x0746146.exe	67
PID 3088 wrote to memory of 4876	3088	x2847130.exe	68
PID 3088 wrote to memory of 4876	3088	x2847130.exe	68
PID 3088 wrote to memory of 4876	3088	x2847130.exe	68

C:\Users\Admin\AppData\Local\Temp\81123a61222c36165f40d485258e9235228309de64aaf66d8fba26f82565dec8.exe
"C:\Users\Admin\AppData\Local\Temp\81123a61222c36165f40d485258e9235228309de64aaf66d8fba26f82565dec8.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2496
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x0746146.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x0746146.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:2564
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x2847130.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x2847130.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:3088
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\f9441094.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\f9441094.exe
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4876

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Credentials in Files

1

T1081

Discovery

Query Registry

1

T1012

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x0746146.exe

Filesize
377KB

MD5
e066125c29f1c1fb6217b1eb37aceafe

SHA1
9c99ad38b5b442802b57c47924a6e0d60432b361

SHA256
33d67e33d537603431d8a9eb89fa1081d35210f83cf1cb793e89cbcfd4138e53

SHA512
bc9d6726fac187498de01b7285a354dfea1dd35c7f1f5465795c67bc0bd8f926f43c63c34ed4044bc5424cbdcafd328ffac6fbb0f74d47773c3c002459bb57c8

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x0746146.exe

Filesize
377KB

MD5
e066125c29f1c1fb6217b1eb37aceafe

SHA1
9c99ad38b5b442802b57c47924a6e0d60432b361

SHA256
33d67e33d537603431d8a9eb89fa1081d35210f83cf1cb793e89cbcfd4138e53

SHA512
bc9d6726fac187498de01b7285a354dfea1dd35c7f1f5465795c67bc0bd8f926f43c63c34ed4044bc5424cbdcafd328ffac6fbb0f74d47773c3c002459bb57c8

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x2847130.exe

Filesize
206KB

MD5
a7b4a1d4c9dde9bd1327934705c51c20

SHA1
b866f9e2ea37526ea479d61df60f2a601eec69fc

SHA256
347323341e762d573835a96dcb05f4a27457a4b66d90b970ba7a1621ac03cd3e

SHA512
7cee0ee57b2bfaceb8ab71bd05dc24c7204959d895aa4945105a33f4ecd6bfb76a389ca877936ff7a448a802a89791e3cb6accc719e2e7bd59eefd0816864c04

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x2847130.exe

Filesize
206KB

MD5
a7b4a1d4c9dde9bd1327934705c51c20

SHA1
b866f9e2ea37526ea479d61df60f2a601eec69fc

SHA256
347323341e762d573835a96dcb05f4a27457a4b66d90b970ba7a1621ac03cd3e

SHA512
7cee0ee57b2bfaceb8ab71bd05dc24c7204959d895aa4945105a33f4ecd6bfb76a389ca877936ff7a448a802a89791e3cb6accc719e2e7bd59eefd0816864c04

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\f9441094.exe

Filesize
172KB

MD5
6c9248319ad1298c679dc4a982879baa

SHA1
3edfdc5a60d7c727a73e1fef142ff948293e2c84

SHA256
6d7ba5e4605e807dd0a041d7416ebe04757057f192b1fb7886a5585a305fb038

SHA512
471d02c05bbf32556524773268b0215cff256c119325fb4f8267d583a36c0dc5c2ef6debbba3b406fff0dc64f8266c3361587a39342b24ec22027cbdc72b30db

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\f9441094.exe

Filesize
172KB

MD5
6c9248319ad1298c679dc4a982879baa

SHA1
3edfdc5a60d7c727a73e1fef142ff948293e2c84

SHA256
6d7ba5e4605e807dd0a041d7416ebe04757057f192b1fb7886a5585a305fb038

SHA512
471d02c05bbf32556524773268b0215cff256c119325fb4f8267d583a36c0dc5c2ef6debbba3b406fff0dc64f8266c3361587a39342b24ec22027cbdc72b30db

Download Submit
memory/4876-142-0x0000000000BC0000-0x0000000000BF0000-memory.dmp

Filesize
192KB

Download
memory/4876-143-0x0000000005370000-0x0000000005376000-memory.dmp

Filesize
24KB

Download
memory/4876-144-0x000000000AEA0000-0x000000000B4A6000-memory.dmp

Filesize
6.0MB

Download
memory/4876-145-0x000000000A9C0000-0x000000000AACA000-memory.dmp

Filesize
1.0MB

Download
memory/4876-146-0x000000000A8F0000-0x000000000A902000-memory.dmp

Filesize
72KB

Download
memory/4876-147-0x000000000A950000-0x000000000A98E000-memory.dmp

Filesize
248KB

Download
memory/4876-148-0x0000000005400000-0x0000000005410000-memory.dmp

Filesize
64KB

Download
memory/4876-149-0x000000000AAD0000-0x000000000AB1B000-memory.dmp

Filesize
300KB

Download
memory/4876-150-0x000000000AC70000-0x000000000ACE6000-memory.dmp

Filesize
472KB

Download
memory/4876-151-0x000000000AD90000-0x000000000AE22000-memory.dmp

Filesize
584KB

Download
memory/4876-152-0x000000000B9B0000-0x000000000BEAE000-memory.dmp

Filesize
5.0MB

Download
memory/4876-153-0x000000000AE30000-0x000000000AE96000-memory.dmp

Filesize
408KB

Download
memory/4876-154-0x000000000C180000-0x000000000C342000-memory.dmp

Filesize
1.8MB

Download
memory/4876-155-0x0000000005400000-0x0000000005410000-memory.dmp

Filesize
64KB

Download
memory/4876-156-0x000000000C880000-0x000000000CDAC000-memory.dmp

Filesize
5.2MB

Download
memory/4876-157-0x000000000C050000-0x000000000C0A0000-memory.dmp

Filesize
320KB

Download

Analysis

Sharing