redline | 0371f1d62010e9353db4e55b4cbb4e93829c4535c9e36961aed39a9336bd7002

General

Target

e54b85af68b54873630516e9607bc07d3be2ae54696bf90396d9521ae7d06749.exe
Size

585KB
MD5

195225de9ad53f7c6bf764eb6714c9aa
SHA1

7ba40d913e60c3d4c8729d4a622135250364c712
SHA256

e54b85af68b54873630516e9607bc07d3be2ae54696bf90396d9521ae7d06749
SHA512

912757b26395741aaf377aa74b2f1a349fea07d94ee0de3639ff00b7ffe0eba91643d30cd45054e2dae323be9f715416845b5d5f12d2a6039623ed980ab56032
SSDEEP

12288:7MrQy90O2OdSyxIjJygOWZkyjWJj+f4dHmKV3SpvnP9MrninV:zy72OdSyxIjJyghZejDHmK9kn1UninV

Score

10^/10

redline diza infostealer persistence

Malware Config

Extracted

Family

redline

Botnet

diza

C2

83.97.73.126:19048

Attributes

auth_value
0d09b419c8bc967f91c68be4a17e92ee

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Executes dropped EXE 3 IoCs

pid	Process
4108	x0131243.exe
3724	x2062612.exe
2496	f3151940.exe

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	e54b85af68b54873630516e9607bc07d3be2ae54696bf90396d9521ae7d06749.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	x0131243.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	x0131243.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	x2062612.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	x2062612.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	e54b85af68b54873630516e9607bc07d3be2ae54696bf90396d9521ae7d06749.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 4284 wrote to memory of 4108	4284	e54b85af68b54873630516e9607bc07d3be2ae54696bf90396d9521ae7d06749.exe	82
PID 4284 wrote to memory of 4108	4284	e54b85af68b54873630516e9607bc07d3be2ae54696bf90396d9521ae7d06749.exe	82
PID 4284 wrote to memory of 4108	4284	e54b85af68b54873630516e9607bc07d3be2ae54696bf90396d9521ae7d06749.exe	82
PID 4108 wrote to memory of 3724	4108	x0131243.exe	83
PID 4108 wrote to memory of 3724	4108	x0131243.exe	83
PID 4108 wrote to memory of 3724	4108	x0131243.exe	83
PID 3724 wrote to memory of 2496	3724	x2062612.exe	84
PID 3724 wrote to memory of 2496	3724	x2062612.exe	84
PID 3724 wrote to memory of 2496	3724	x2062612.exe	84

C:\Users\Admin\AppData\Local\Temp\e54b85af68b54873630516e9607bc07d3be2ae54696bf90396d9521ae7d06749.exe
"C:\Users\Admin\AppData\Local\Temp\e54b85af68b54873630516e9607bc07d3be2ae54696bf90396d9521ae7d06749.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4284
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x0131243.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x0131243.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:4108
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x2062612.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x2062612.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:3724
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\f3151940.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\f3151940.exe
      4⤵
      Executes dropped EXE
      PID:2496

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x0131243.exe

Filesize
378KB

MD5
d1fd913eb1748260a263aa9cc62df994

SHA1
76aea94ec0d27f1d956e91a100099583c87ed4da

SHA256
d0b38855d6ddc3dcba46d60462b54ec9dd29603f4f5767b72f3cea5f1fd37252

SHA512
c8f1cdbb37f1aeae976e5c95d8207180e03b84b217e91e69ecaabce4c5f0affe8905d0416cc9dbd70da37dbed0960aa7a018f96c456038cf3421ac6b5c1f02df

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x0131243.exe

Filesize
378KB

MD5
d1fd913eb1748260a263aa9cc62df994

SHA1
76aea94ec0d27f1d956e91a100099583c87ed4da

SHA256
d0b38855d6ddc3dcba46d60462b54ec9dd29603f4f5767b72f3cea5f1fd37252

SHA512
c8f1cdbb37f1aeae976e5c95d8207180e03b84b217e91e69ecaabce4c5f0affe8905d0416cc9dbd70da37dbed0960aa7a018f96c456038cf3421ac6b5c1f02df

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x2062612.exe

Filesize
206KB

MD5
96c03ff762bca5f35eae196421b611d4

SHA1
1cf47c928e837b2d1db1a5e690cb67e42c3488c1

SHA256
a74ed8a9e72b8ed405221a0e8887c9b657d83c5e550ecedd8c1f5634fe224267

SHA512
68616ab84fe944babec1fb5ad9669e7f658f617fa2f65ef7317d5b1e5a6b43fdc50e712c38d06d9239f4fe405d7897a63ec561b2cbaa2d49201e5e38aa18f9b4

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x2062612.exe

Filesize
206KB

MD5
96c03ff762bca5f35eae196421b611d4

SHA1
1cf47c928e837b2d1db1a5e690cb67e42c3488c1

SHA256
a74ed8a9e72b8ed405221a0e8887c9b657d83c5e550ecedd8c1f5634fe224267

SHA512
68616ab84fe944babec1fb5ad9669e7f658f617fa2f65ef7317d5b1e5a6b43fdc50e712c38d06d9239f4fe405d7897a63ec561b2cbaa2d49201e5e38aa18f9b4

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\f3151940.exe

Filesize
172KB

MD5
ec6eb55fafdfd471e701f47c62bc2960

SHA1
eb5488783224cb5b81f00f7d4f35cbe6ae709b51

SHA256
cd6d49aa058026d0ee4900d9d0b2839ad61b347c9873356a704aadb469d066c8

SHA512
54e2003af72ec25bf72d30cdf1d773de9f606ea4368bf2fef2d001a2d54c3932da818c00db2b0bb223a4d657386e3914ea5fdcad7ee4687b1955c0a991714362

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\f3151940.exe

Filesize
172KB

MD5
ec6eb55fafdfd471e701f47c62bc2960

SHA1
eb5488783224cb5b81f00f7d4f35cbe6ae709b51

SHA256
cd6d49aa058026d0ee4900d9d0b2839ad61b347c9873356a704aadb469d066c8

SHA512
54e2003af72ec25bf72d30cdf1d773de9f606ea4368bf2fef2d001a2d54c3932da818c00db2b0bb223a4d657386e3914ea5fdcad7ee4687b1955c0a991714362

Download Submit
memory/2496-154-0x0000000000150000-0x0000000000180000-memory.dmp

Filesize
192KB

Download
memory/2496-155-0x000000000A470000-0x000000000AA88000-memory.dmp

Filesize
6.1MB

Download
memory/2496-156-0x0000000009F90000-0x000000000A09A000-memory.dmp

Filesize
1.0MB

Download
memory/2496-157-0x0000000009ED0000-0x0000000009EE2000-memory.dmp

Filesize
72KB

Download
memory/2496-158-0x0000000009F30000-0x0000000009F6C000-memory.dmp

Filesize
240KB

Download
memory/2496-159-0x00000000049C0000-0x00000000049D0000-memory.dmp

Filesize
64KB

Download
memory/2496-160-0x00000000049C0000-0x00000000049D0000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing