redline | 9f9ee66f403c70c599702a3fa4503d01a43547edc9f98fbd792451752ade8aeb

General

Target

9f9ee66f403c70c599702a3fa4503d01a43547edc9f98fbd792451752ade8aeb.exe
Size

591KB
MD5

d2a9653e031a3b80c8dfb16b39a80454
SHA1

c32ef34bd1ae9ef3086facd7a384c7c3a977e4cb
SHA256

9f9ee66f403c70c599702a3fa4503d01a43547edc9f98fbd792451752ade8aeb
SHA512

acaa6751b6ee03c4f954bc88f03c7a2ea75566234725485131681a2b7eb1a080d8f44631df522001931dd71a3ed3a8f3228fe506f77eb14e35e2241ce49e04b1
SSDEEP

12288:uMrQy90DkLeFwa5qiiG2amCkRanJeMfEH/gSicECFED95mO:uyaa7Va3kRanJ1fEHvKeO

Score

10^/10

redline diza infostealer persistence

Malware Config

Extracted

Family

redline

Botnet

diza

C2

83.97.73.129:19068

Attributes

auth_value
0d09b419c8bc967f91c68be4a17e92ee

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 3 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\f6070923.exe	family_redline
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\f6070923.exe	family_redline
behavioral1/memory/4904-140-0x0000000000330000-0x0000000000360000-memory.dmp	family_redline

Executes dropped EXE 3 IoCs

Processes:

x2561167.exex3199991.exef6070923.exe

pid process

2668 x2561167.exe
4444 x3199991.exe
4904 f6070923.exe

pid	process
2668	x2561167.exe
4444	x3199991.exe
4904	f6070923.exe

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

9f9ee66f403c70c599702a3fa4503d01a43547edc9f98fbd792451752ade8aeb.exex2561167.exex3199991.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	9f9ee66f403c70c599702a3fa4503d01a43547edc9f98fbd792451752ade8aeb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	9f9ee66f403c70c599702a3fa4503d01a43547edc9f98fbd792451752ade8aeb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	x2561167.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	x2561167.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	x3199991.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	x3199991.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

9f9ee66f403c70c599702a3fa4503d01a43547edc9f98fbd792451752ade8aeb.exex2561167.exex3199991.exe

description	pid	process	target process
PID 4100 wrote to memory of 2668	4100	9f9ee66f403c70c599702a3fa4503d01a43547edc9f98fbd792451752ade8aeb.exe	x2561167.exe
PID 4100 wrote to memory of 2668	4100	9f9ee66f403c70c599702a3fa4503d01a43547edc9f98fbd792451752ade8aeb.exe	x2561167.exe
PID 4100 wrote to memory of 2668	4100	9f9ee66f403c70c599702a3fa4503d01a43547edc9f98fbd792451752ade8aeb.exe	x2561167.exe
PID 2668 wrote to memory of 4444	2668	x2561167.exe	x3199991.exe
PID 2668 wrote to memory of 4444	2668	x2561167.exe	x3199991.exe
PID 2668 wrote to memory of 4444	2668	x2561167.exe	x3199991.exe
PID 4444 wrote to memory of 4904	4444	x3199991.exe	f6070923.exe
PID 4444 wrote to memory of 4904	4444	x3199991.exe	f6070923.exe
PID 4444 wrote to memory of 4904	4444	x3199991.exe	f6070923.exe

C:\Users\Admin\AppData\Local\Temp\9f9ee66f403c70c599702a3fa4503d01a43547edc9f98fbd792451752ade8aeb.exe
"C:\Users\Admin\AppData\Local\Temp\9f9ee66f403c70c599702a3fa4503d01a43547edc9f98fbd792451752ade8aeb.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4100

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x2561167.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x2561167.exe
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2668

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x3199991.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x3199991.exe
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4444

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\f6070923.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\f6070923.exe
4⤵
- Executes dropped EXE
PID:4904

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x2561167.exe
Filesize
378KB

MD5
0d884d8ec1fbc56abd8a724c756848ec

SHA1
91b7064ffafe6395b83bb2119e6ea92f289f86e9

SHA256
06410dc756d96ea43d1919f77e70e796333c5710a1d426ed8626b6fc387dad6a

SHA512
6fa91bfc6fb44fe3c8d0671215aa1117240ea73ba43d5a7622984d9b22d0d58a8a6242d915dcb6ffa8b3bd86ce78730a679e500f2ba5cd3086ccddedf2b581bb

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x2561167.exe
Filesize
378KB

MD5
0d884d8ec1fbc56abd8a724c756848ec

SHA1
91b7064ffafe6395b83bb2119e6ea92f289f86e9

SHA256
06410dc756d96ea43d1919f77e70e796333c5710a1d426ed8626b6fc387dad6a

SHA512
6fa91bfc6fb44fe3c8d0671215aa1117240ea73ba43d5a7622984d9b22d0d58a8a6242d915dcb6ffa8b3bd86ce78730a679e500f2ba5cd3086ccddedf2b581bb

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x3199991.exe
Filesize
206KB

MD5
47c8b2546163bcebef7a16a700b3764e

SHA1
9771b0bb3a29d3ab1025e0d1864ede4c0252550c

SHA256
02c4f93745ebff16aa5e4d94f92b7bfae89bbd16f017beb896459438bd4e0013

SHA512
7422c28d1dc354572fd7eb23e1fe9d257a3da6efe2cab77654dc7417d386af54eb9c097a07ba9f0ce5be122396788ca88dcc90ab6a06e69787a7eaf2adedb1d1

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x3199991.exe
Filesize
206KB

MD5
47c8b2546163bcebef7a16a700b3764e

SHA1
9771b0bb3a29d3ab1025e0d1864ede4c0252550c

SHA256
02c4f93745ebff16aa5e4d94f92b7bfae89bbd16f017beb896459438bd4e0013

SHA512
7422c28d1dc354572fd7eb23e1fe9d257a3da6efe2cab77654dc7417d386af54eb9c097a07ba9f0ce5be122396788ca88dcc90ab6a06e69787a7eaf2adedb1d1

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\f6070923.exe
Filesize
173KB

MD5
8e36cbb0b529bb0d51272cf7f1638fbd

SHA1
f58e75a3d37addbdff8a26bc78a29482d7f3f59f

SHA256
61d923d98c373d4f1682565bb989542424df3dc01dfa25fc3c2a15a63fa203d3

SHA512
91b571e5786a55300747c6fe9479a34ede54a1d7df17b2107a2d6cddd44a4563872c21a2ee81e371cb2279123a75d6cb51642d6bc6f879d9bb2cbd2a070e0510

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\f6070923.exe
Filesize
173KB

MD5
8e36cbb0b529bb0d51272cf7f1638fbd

SHA1
f58e75a3d37addbdff8a26bc78a29482d7f3f59f

SHA256
61d923d98c373d4f1682565bb989542424df3dc01dfa25fc3c2a15a63fa203d3

SHA512
91b571e5786a55300747c6fe9479a34ede54a1d7df17b2107a2d6cddd44a4563872c21a2ee81e371cb2279123a75d6cb51642d6bc6f879d9bb2cbd2a070e0510

Download Submit
memory/4904-140-0x0000000000330000-0x0000000000360000-memory.dmp

Filesize
192KB

Download
memory/4904-141-0x0000000000A00000-0x0000000000A06000-memory.dmp

Filesize
24KB

Download
memory/4904-142-0x000000000A700000-0x000000000AD06000-memory.dmp

Filesize
6.0MB

Download
memory/4904-143-0x000000000A200000-0x000000000A30A000-memory.dmp

Filesize
1.0MB

Download
memory/4904-144-0x0000000004BD0000-0x0000000004BE2000-memory.dmp

Filesize
72KB

Download
memory/4904-145-0x0000000004C60000-0x0000000004C70000-memory.dmp

Filesize
64KB

Download
memory/4904-146-0x000000000A0F0000-0x000000000A12E000-memory.dmp

Filesize
248KB

Download
memory/4904-147-0x0000000004C00000-0x0000000004C4B000-memory.dmp

Filesize
300KB

Download
memory/4904-148-0x0000000004C60000-0x0000000004C70000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads