redline | 8b66eb481dedac7ba0bff38cedef39f13dbf7928f41c4b56167472137c458a5b

General

Target

8b66eb481dedac7ba0bff38cedef39f13dbf7928f41c4b56167472137c458a5b.exe
Size

592KB
MD5

137f782e5984d6915659cbe099882784
SHA1

90b96c04cb1e2f17e8edb4849fa5310893fe2fb9
SHA256

8b66eb481dedac7ba0bff38cedef39f13dbf7928f41c4b56167472137c458a5b
SHA512

21c3142fc1d994c04ad0cc40f5c51ba5f5d709514fd61f4e7cd69c0395d2913a87836c4beedcca5a0044b38dcd00ed09c11cb81fe293578d8e422c41e4a4aead
SSDEEP

12288:1MrOy90WFf5OGnUWr9ZuMVi/Nj4lKv+ARmhSoS1lH:7ynhOGlPHU14omCmgoS1x

Score

10^/10

redline diza infostealer persistence

Malware Config

Extracted

Family

redline

Botnet

diza

C2

83.97.73.129:19068

Attributes

auth_value
0d09b419c8bc967f91c68be4a17e92ee

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 3 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\f9690024.exe	family_redline
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\f9690024.exe	family_redline
behavioral1/memory/3304-154-0x0000000000010000-0x0000000000040000-memory.dmp	family_redline

Executes dropped EXE 3 IoCs

Processes:

x0004135.exex5652536.exef9690024.exe

pid process

1164 x0004135.exe
1596 x5652536.exe
3304 f9690024.exe

pid	process
1164	x0004135.exe
1596	x5652536.exe
3304	f9690024.exe

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

8b66eb481dedac7ba0bff38cedef39f13dbf7928f41c4b56167472137c458a5b.exex0004135.exex5652536.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	8b66eb481dedac7ba0bff38cedef39f13dbf7928f41c4b56167472137c458a5b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	8b66eb481dedac7ba0bff38cedef39f13dbf7928f41c4b56167472137c458a5b.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	x0004135.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	x0004135.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	x5652536.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	x5652536.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

8b66eb481dedac7ba0bff38cedef39f13dbf7928f41c4b56167472137c458a5b.exex0004135.exex5652536.exe

description	pid	process	target process
PID 2372 wrote to memory of 1164	2372	8b66eb481dedac7ba0bff38cedef39f13dbf7928f41c4b56167472137c458a5b.exe	x0004135.exe
PID 2372 wrote to memory of 1164	2372	8b66eb481dedac7ba0bff38cedef39f13dbf7928f41c4b56167472137c458a5b.exe	x0004135.exe
PID 2372 wrote to memory of 1164	2372	8b66eb481dedac7ba0bff38cedef39f13dbf7928f41c4b56167472137c458a5b.exe	x0004135.exe
PID 1164 wrote to memory of 1596	1164	x0004135.exe	x5652536.exe
PID 1164 wrote to memory of 1596	1164	x0004135.exe	x5652536.exe
PID 1164 wrote to memory of 1596	1164	x0004135.exe	x5652536.exe
PID 1596 wrote to memory of 3304	1596	x5652536.exe	f9690024.exe
PID 1596 wrote to memory of 3304	1596	x5652536.exe	f9690024.exe
PID 1596 wrote to memory of 3304	1596	x5652536.exe	f9690024.exe

C:\Users\Admin\AppData\Local\Temp\8b66eb481dedac7ba0bff38cedef39f13dbf7928f41c4b56167472137c458a5b.exe
"C:\Users\Admin\AppData\Local\Temp\8b66eb481dedac7ba0bff38cedef39f13dbf7928f41c4b56167472137c458a5b.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2372

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x0004135.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x0004135.exe
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1164

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x5652536.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x5652536.exe
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1596

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\f9690024.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\f9690024.exe
4⤵
- Executes dropped EXE
PID:3304

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x0004135.exe
Filesize
378KB

MD5
fc887ce277a96a596e1dbf69c4a0920e

SHA1
3a8f74c7274611e21285b117db99f869be59d746

SHA256
48beaf5a1581377145e073b32e8bb26584d9efc52604310c961bc5996c57f405

SHA512
14a9daa0cae2f4da8a388c71ba08addc9dc5f66b288e93c907080913c977682c5d1523a3280cf3a583bfe544c259af612e30d1cc41b7ff12bf28b92a1a4b16ea

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x0004135.exe
Filesize
378KB

MD5
fc887ce277a96a596e1dbf69c4a0920e

SHA1
3a8f74c7274611e21285b117db99f869be59d746

SHA256
48beaf5a1581377145e073b32e8bb26584d9efc52604310c961bc5996c57f405

SHA512
14a9daa0cae2f4da8a388c71ba08addc9dc5f66b288e93c907080913c977682c5d1523a3280cf3a583bfe544c259af612e30d1cc41b7ff12bf28b92a1a4b16ea

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x5652536.exe
Filesize
206KB

MD5
1d430049527a7e8a51041f149dfc3df8

SHA1
f1168bcc986fef214347cfa0dc34dbdfdee1f4b7

SHA256
de169f3f236ce8953ff4140374acb788683b74773b745f400ae906ae7afed6fe

SHA512
8a419f2b246b01e2db28e79abf75a4a821bfbc84726b9bf35e2d4b589421e73fd24c9f252f55a48192aa38756ce0b7fb3c12b2ff690b8694cc60189bcbcc2367

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x5652536.exe
Filesize
206KB

MD5
1d430049527a7e8a51041f149dfc3df8

SHA1
f1168bcc986fef214347cfa0dc34dbdfdee1f4b7

SHA256
de169f3f236ce8953ff4140374acb788683b74773b745f400ae906ae7afed6fe

SHA512
8a419f2b246b01e2db28e79abf75a4a821bfbc84726b9bf35e2d4b589421e73fd24c9f252f55a48192aa38756ce0b7fb3c12b2ff690b8694cc60189bcbcc2367

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\f9690024.exe
Filesize
173KB

MD5
dfed622bd9dba3c4f4fbb098510f60f3

SHA1
7caf77d31b7293a3bc49703e8086c308cd3b6dc2

SHA256
d58b7b8088d861480dcb57e1cbe7d3bbb7d05354bca148c1d494be8f8136e7be

SHA512
c62d9ff18eedfc9589a9791cd05ebf41eb5ff5c9829b1dc4b0c43243acacbc1faea19ad50246b4fa35087151e5d3a03cf6008d214cc7935cb208d3db3c110d38

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\f9690024.exe
Filesize
173KB

MD5
dfed622bd9dba3c4f4fbb098510f60f3

SHA1
7caf77d31b7293a3bc49703e8086c308cd3b6dc2

SHA256
d58b7b8088d861480dcb57e1cbe7d3bbb7d05354bca148c1d494be8f8136e7be

SHA512
c62d9ff18eedfc9589a9791cd05ebf41eb5ff5c9829b1dc4b0c43243acacbc1faea19ad50246b4fa35087151e5d3a03cf6008d214cc7935cb208d3db3c110d38

Download Submit
memory/3304-154-0x0000000000010000-0x0000000000040000-memory.dmp

Filesize
192KB

Download
memory/3304-155-0x0000000004FD0000-0x00000000055E8000-memory.dmp

Filesize
6.1MB

Download
memory/3304-156-0x0000000004AC0000-0x0000000004BCA000-memory.dmp

Filesize
1.0MB

Download
memory/3304-157-0x0000000004430000-0x0000000004442000-memory.dmp

Filesize
72KB

Download
memory/3304-158-0x0000000002210000-0x0000000002220000-memory.dmp

Filesize
64KB

Download
memory/3304-159-0x00000000049F0000-0x0000000004A2C000-memory.dmp

Filesize
240KB

Download
memory/3304-160-0x0000000002210000-0x0000000002220000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads