redline | b21367ffaa0009b30055944fc1052857ec46336d5bfe2efd3dab109667a56fef

General

Target

foto0195.bin.exe
Size

1.0MB
MD5

fcec5bd6e991dabef70f77e08e42bccd
SHA1

3ae3b13a9757d327ed4227102d5b0b54712f19d4
SHA256

b21367ffaa0009b30055944fc1052857ec46336d5bfe2efd3dab109667a56fef
SHA512

59a2d1cc2576e55beff18f52573b6ac7baae8839dbbf536d5126f88d873375ebb9bb287606021e9c3c14533b004bde6bc3e28511fa646ef65cafabe6fdd4573b
SSDEEP

24576:PyvzwYJvJY4834KiT25Y/fUlpyY4yWvHIPnpAOD6FA7dZJ7Rj:arwamDIn2i38WPIpDzR

Score

10^/10

redline diza infostealer persistence

Malware Config

Extracted

Family

redline

Botnet

diza

C2

185.161.248.37:4138

Attributes

auth_value
0d09b419c8bc967f91c68be4a17e92ee

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Executes dropped EXE 3 IoCs

pid	Process
3980	x1101592.exe
2412	x5310347.exe
3632	f6752633.exe

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	foto0195.bin.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	foto0195.bin.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	x1101592.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	x1101592.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	x5310347.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	x5310347.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 1148 wrote to memory of 3980	1148	foto0195.bin.exe	84
PID 1148 wrote to memory of 3980	1148	foto0195.bin.exe	84
PID 1148 wrote to memory of 3980	1148	foto0195.bin.exe	84
PID 3980 wrote to memory of 2412	3980	x1101592.exe	85
PID 3980 wrote to memory of 2412	3980	x1101592.exe	85
PID 3980 wrote to memory of 2412	3980	x1101592.exe	85
PID 2412 wrote to memory of 3632	2412	x5310347.exe	87
PID 2412 wrote to memory of 3632	2412	x5310347.exe	87
PID 2412 wrote to memory of 3632	2412	x5310347.exe	87

C:\Users\Admin\AppData\Local\Temp\foto0195.bin.exe
"C:\Users\Admin\AppData\Local\Temp\foto0195.bin.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1148
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x1101592.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x1101592.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:3980
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x5310347.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x5310347.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:2412
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\f6752633.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\f6752633.exe
      4⤵
      Executes dropped EXE
      PID:3632

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x1101592.exe

Filesize
750KB

MD5
a71d1485c6def63e3a12a56cef3df216

SHA1
6356ae641fe06783171f255072b3f06c3e53fe5a

SHA256
f71aeabbf5f3f4fa0a150bad2b24cd2db183e723cecd2296815fdc1582b31297

SHA512
b7f7ab9fada5915189862df412f319de2f1958606d40c24bb31060352d07f94c4300c849aa9e61efb3a0e30a458c17afad573a145a326ee56c02c5e19fb19393

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x1101592.exe

Filesize
750KB

MD5
a71d1485c6def63e3a12a56cef3df216

SHA1
6356ae641fe06783171f255072b3f06c3e53fe5a

SHA256
f71aeabbf5f3f4fa0a150bad2b24cd2db183e723cecd2296815fdc1582b31297

SHA512
b7f7ab9fada5915189862df412f319de2f1958606d40c24bb31060352d07f94c4300c849aa9e61efb3a0e30a458c17afad573a145a326ee56c02c5e19fb19393

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x5310347.exe

Filesize
306KB

MD5
59758d08e26d80f2b560b43915a196e7

SHA1
191e46484309a701c87f826cfeca3c5590f41c75

SHA256
2b21dfe635c66e24e5cbba2203c09083e228789c3bed18a1dde42d38b19ee924

SHA512
548c92ed1205a43648fa218af44b77811a149e4c82a48943a164e3464f035b2ef56a89aa1270311a7410aaf8c98e1b7383290a796a53dc3da450edd6f77f618d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x5310347.exe

Filesize
306KB

MD5
59758d08e26d80f2b560b43915a196e7

SHA1
191e46484309a701c87f826cfeca3c5590f41c75

SHA256
2b21dfe635c66e24e5cbba2203c09083e228789c3bed18a1dde42d38b19ee924

SHA512
548c92ed1205a43648fa218af44b77811a149e4c82a48943a164e3464f035b2ef56a89aa1270311a7410aaf8c98e1b7383290a796a53dc3da450edd6f77f618d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\f6752633.exe

Filesize
145KB

MD5
fc89ffae6d5ecc9374ef6b75d0d09edb

SHA1
8440ad5c070d5bb75d10308525777a70d42d18fc

SHA256
5d2c14e89b6b1b95fead94182a17aebfeaca900df36f4eb7cb87cd52829196da

SHA512
558f2e2b7ed661b8f486c980483d04148f09e1c692469d978e6efc98425f5cd32393351684f90cc3ba6611193a4ac58724e31310f358055e75dca30ced3d8752

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\f6752633.exe

Filesize
145KB

MD5
fc89ffae6d5ecc9374ef6b75d0d09edb

SHA1
8440ad5c070d5bb75d10308525777a70d42d18fc

SHA256
5d2c14e89b6b1b95fead94182a17aebfeaca900df36f4eb7cb87cd52829196da

SHA512
558f2e2b7ed661b8f486c980483d04148f09e1c692469d978e6efc98425f5cd32393351684f90cc3ba6611193a4ac58724e31310f358055e75dca30ced3d8752

Download Submit
memory/3632-154-0x00000000000B0000-0x00000000000DA000-memory.dmp

Filesize
168KB

Download
memory/3632-155-0x0000000004FD0000-0x00000000055E8000-memory.dmp

Filesize
6.1MB

Download
memory/3632-156-0x0000000004B50000-0x0000000004C5A000-memory.dmp

Filesize
1.0MB

Download
memory/3632-157-0x0000000004A80000-0x0000000004A92000-memory.dmp

Filesize
72KB

Download
memory/3632-158-0x0000000004C60000-0x0000000004C9C000-memory.dmp

Filesize
240KB

Download
memory/3632-159-0x0000000004B10000-0x0000000004B20000-memory.dmp

Filesize
64KB

Download
memory/3632-160-0x0000000004B10000-0x0000000004B20000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing