redline | 619a3e0c516ce23d55d86a98ffa32db633f10b8dc0c9dcdf4f52c51df8f30688

General

Target

619a3e0c516ce23d55d86a98ffa32db633f10b8dc0c9dcdf4f52c51df8f30688.exe
Size

585KB
MD5

81331424ac5c075ae793bbfcbf756614
SHA1

14226a12419b5741e70780d19efc00225c9692da
SHA256

619a3e0c516ce23d55d86a98ffa32db633f10b8dc0c9dcdf4f52c51df8f30688
SHA512

f71e62d97abd944781b6e9feecc5fe08a2382f83f8d788986b52b7d489e33959e94344ba6d412fd16bce357198cffe0c9beb99baa74d9bffe9c8518411097b81
SSDEEP

12288:2Mryy90TS1XIVbmEWGklIz82F4rDYiYOODW5nYrMBsvOdt7jf9Nj0u:4yqS1YcEAIt4rJHpnYJvI7jf9Ku

Score

10^/10

redline diza discovery infostealer persistence spyware stealer

Malware Config

Extracted

Family

redline

Botnet

diza

C2

83.97.73.126:19048

Attributes

auth_value
0d09b419c8bc967f91c68be4a17e92ee

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Executes dropped EXE 3 IoCs

pid	Process
4572	x7770070.exe
4780	x2592319.exe
2640	f4611847.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	x2592319.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	619a3e0c516ce23d55d86a98ffa32db633f10b8dc0c9dcdf4f52c51df8f30688.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	619a3e0c516ce23d55d86a98ffa32db633f10b8dc0c9dcdf4f52c51df8f30688.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	x7770070.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	x7770070.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	x2592319.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Suspicious behavior: EnumeratesProcesses 12 IoCs

pid	Process
2640	f4611847.exe
2640	f4611847.exe
2640	f4611847.exe
2640	f4611847.exe
2640	f4611847.exe
2640	f4611847.exe
2640	f4611847.exe
2640	f4611847.exe
2640	f4611847.exe
2640	f4611847.exe
2640	f4611847.exe
2640	f4611847.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2640	f4611847.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 4320 wrote to memory of 4572	4320	619a3e0c516ce23d55d86a98ffa32db633f10b8dc0c9dcdf4f52c51df8f30688.exe	84
PID 4320 wrote to memory of 4572	4320	619a3e0c516ce23d55d86a98ffa32db633f10b8dc0c9dcdf4f52c51df8f30688.exe	84
PID 4320 wrote to memory of 4572	4320	619a3e0c516ce23d55d86a98ffa32db633f10b8dc0c9dcdf4f52c51df8f30688.exe	84
PID 4572 wrote to memory of 4780	4572	x7770070.exe	85
PID 4572 wrote to memory of 4780	4572	x7770070.exe	85
PID 4572 wrote to memory of 4780	4572	x7770070.exe	85
PID 4780 wrote to memory of 2640	4780	x2592319.exe	86
PID 4780 wrote to memory of 2640	4780	x2592319.exe	86
PID 4780 wrote to memory of 2640	4780	x2592319.exe	86

C:\Users\Admin\AppData\Local\Temp\619a3e0c516ce23d55d86a98ffa32db633f10b8dc0c9dcdf4f52c51df8f30688.exe
"C:\Users\Admin\AppData\Local\Temp\619a3e0c516ce23d55d86a98ffa32db633f10b8dc0c9dcdf4f52c51df8f30688.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4320
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x7770070.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x7770070.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:4572
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x2592319.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x2592319.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:4780
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\f4611847.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\f4611847.exe
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2640

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Credentials in Files

1

T1081

Discovery

Query Registry

1

T1012

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x7770070.exe

Filesize
378KB

MD5
ff8637c597777d524ac4d8f45b1326fa

SHA1
970a0d925587238f08f5cddc85bbcd71a5c41237

SHA256
fff30bd0cbbb76847ad9ce494f2805a15a6ab6d2de91b248aec207d9b9704c2c

SHA512
1c229b9dfd54f9efc7d256960be4cea8989414c75577df6954e3c55ec3381fc4cdbab0cca23c1aa58529280b1a23b5a3c8a133cdc00d096af8ddb54b8c91a241

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x7770070.exe

Filesize
378KB

MD5
ff8637c597777d524ac4d8f45b1326fa

SHA1
970a0d925587238f08f5cddc85bbcd71a5c41237

SHA256
fff30bd0cbbb76847ad9ce494f2805a15a6ab6d2de91b248aec207d9b9704c2c

SHA512
1c229b9dfd54f9efc7d256960be4cea8989414c75577df6954e3c55ec3381fc4cdbab0cca23c1aa58529280b1a23b5a3c8a133cdc00d096af8ddb54b8c91a241

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x2592319.exe

Filesize
206KB

MD5
4d2d86632f5c31f3a346d2ed9e8313f8

SHA1
ad79bd7b10e2870c9ac2b5286f927ff8ee489c34

SHA256
7e012b3327afd9d21f1444c3eefa83cfb3f1d7442efc1081505ea65fcd3ff4ad

SHA512
872e0bc8b1d4529aba7ea83b72be47741e349a3e3444c891498236ee9070c80f479441b816f65c7a2162e541b3c98c426599a4e71716da15c0846d1ace7efdca

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x2592319.exe

Filesize
206KB

MD5
4d2d86632f5c31f3a346d2ed9e8313f8

SHA1
ad79bd7b10e2870c9ac2b5286f927ff8ee489c34

SHA256
7e012b3327afd9d21f1444c3eefa83cfb3f1d7442efc1081505ea65fcd3ff4ad

SHA512
872e0bc8b1d4529aba7ea83b72be47741e349a3e3444c891498236ee9070c80f479441b816f65c7a2162e541b3c98c426599a4e71716da15c0846d1ace7efdca

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\f4611847.exe

Filesize
173KB

MD5
eca448e55d88590ecdc3f2debe62de7b

SHA1
4200f84dde84aa6f7a78668138b34d0945a36148

SHA256
b7e86273574b1abd9322206bb34dca3bbd3dadc9591aca57456b4a5a797afc62

SHA512
0226f13d6958f4644130c61aa2a4eca51b4a859cbd7ccd97e4954f3287ee82bd3deb744fac67d924a4a6f8f6fc301138fa6f846469a82c11de3ec649af433dba

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\f4611847.exe

Filesize
173KB

MD5
eca448e55d88590ecdc3f2debe62de7b

SHA1
4200f84dde84aa6f7a78668138b34d0945a36148

SHA256
b7e86273574b1abd9322206bb34dca3bbd3dadc9591aca57456b4a5a797afc62

SHA512
0226f13d6958f4644130c61aa2a4eca51b4a859cbd7ccd97e4954f3287ee82bd3deb744fac67d924a4a6f8f6fc301138fa6f846469a82c11de3ec649af433dba

Download Submit
memory/2640-154-0x0000000000920000-0x0000000000950000-memory.dmp

Filesize
192KB

Download
memory/2640-155-0x000000000ACA0000-0x000000000B2B8000-memory.dmp

Filesize
6.1MB

Download
memory/2640-156-0x000000000A790000-0x000000000A89A000-memory.dmp

Filesize
1.0MB

Download
memory/2640-157-0x000000000A6A0000-0x000000000A6B2000-memory.dmp

Filesize
72KB

Download
memory/2640-158-0x000000000A700000-0x000000000A73C000-memory.dmp

Filesize
240KB

Download
memory/2640-159-0x00000000052F0000-0x0000000005300000-memory.dmp

Filesize
64KB

Download
memory/2640-160-0x00000000052F0000-0x0000000005300000-memory.dmp

Filesize
64KB

Download
memory/2640-161-0x00000000029F0000-0x0000000002A66000-memory.dmp

Filesize
472KB

Download
memory/2640-162-0x000000000B2C0000-0x000000000B352000-memory.dmp

Filesize
584KB

Download
memory/2640-163-0x000000000B910000-0x000000000BEB4000-memory.dmp

Filesize
5.6MB

Download
memory/2640-164-0x000000000B4A0000-0x000000000B506000-memory.dmp

Filesize
408KB

Download
memory/2640-165-0x000000000B660000-0x000000000B6B0000-memory.dmp

Filesize
320KB

Download
memory/2640-166-0x000000000C090000-0x000000000C252000-memory.dmp

Filesize
1.8MB

Download
memory/2640-167-0x000000000C790000-0x000000000CCBC000-memory.dmp

Filesize
5.2MB

Download

Analysis

Sharing