redline | 8d0a88fb92cebd99e9104f62855693e0217df0a79bf91600281c986387ccef3a

General

Target

8d0a88fb92cebd99e9104f62855693e0217df0a79bf91600281c986387ccef3a.exe
Size

751KB
MD5

7f19560c3e3968a7fa94beaf1ddcb636
SHA1

65db45b284de8a5c5d77cf8673c732a98cb16361
SHA256

8d0a88fb92cebd99e9104f62855693e0217df0a79bf91600281c986387ccef3a
SHA512

bb0a1bc7d0b6e30c331c1f1a5597a45482d7d91e97158d576381ada74af4f526e482c0cb4c73fb1d20606f46d2f2e531385e5ec14803697cf19a4bd0aa3fdb53
SSDEEP

12288:lMrLy908zdk4hMXuDzpmrrXrO8+/UJHc6qoEiD8Zi7sEV10sFn5A9oDHDPq1QGAV:qy3hk2DzIbO8goHc6JEm8VEV1ddv+1QB

Score

10^/10

redline diza infostealer persistence

Malware Config

Extracted

Family

redline

Botnet

diza

C2

185.161.248.37:4138

Attributes

auth_value
0d09b419c8bc967f91c68be4a17e92ee

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 2 IoCs

resource	yara_rule
behavioral1/files/0x0008000000023273-12.dat	family_redline
behavioral1/memory/1192-15-0x0000000000100000-0x000000000012A000-memory.dmp	family_redline

Detects executables packed with ConfuserEx Mod 2 IoCs

resource	yara_rule
behavioral1/files/0x0008000000023273-12.dat	INDICATOR_EXE_Packed_ConfuserEx
behavioral1/memory/1192-15-0x0000000000100000-0x000000000012A000-memory.dmp	INDICATOR_EXE_Packed_ConfuserEx

Executes dropped EXE 2 IoCs

pid	Process
3388	x0262850.exe
1192	f3690067.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	8d0a88fb92cebd99e9104f62855693e0217df0a79bf91600281c986387ccef3a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	x0262850.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 3148 wrote to memory of 3388	3148	8d0a88fb92cebd99e9104f62855693e0217df0a79bf91600281c986387ccef3a.exe	91
PID 3148 wrote to memory of 3388	3148	8d0a88fb92cebd99e9104f62855693e0217df0a79bf91600281c986387ccef3a.exe	91
PID 3148 wrote to memory of 3388	3148	8d0a88fb92cebd99e9104f62855693e0217df0a79bf91600281c986387ccef3a.exe	91
PID 3388 wrote to memory of 1192	3388	x0262850.exe	92
PID 3388 wrote to memory of 1192	3388	x0262850.exe	92
PID 3388 wrote to memory of 1192	3388	x0262850.exe	92

C:\Users\Admin\AppData\Local\Temp\8d0a88fb92cebd99e9104f62855693e0217df0a79bf91600281c986387ccef3a.exe
"C:\Users\Admin\AppData\Local\Temp\8d0a88fb92cebd99e9104f62855693e0217df0a79bf91600281c986387ccef3a.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3148
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x0262850.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x0262850.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:3388
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\f3690067.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\f3690067.exe
    3⤵
    - Executes dropped EXE
    PID:1192

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3704 --field-trial-handle=2252,i,16022092570067181109,3235558581947505669,262144 --variations-seed-version /prefetch:8
1⤵
PID:1680

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x0262850.exe

Filesize
306KB

MD5
44c2e003d7eeae3fc7a9fa21cdded269

SHA1
cdc10a8b2f02590d0bbc7024c5b26a104727798c

SHA256
e29881e1e8ccf604ca3e001c21c9b033838cfd64b4ae5255475f42b778fe4850

SHA512
65863bd5b2babe5314d5d42c719adfdc1ff467dcbba64c917a07ecaf8c57132cbe5f87d893585e8898bcfd24d089621918c8bce60ec660566d4bdbf0f84d6909

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\f3690067.exe

Filesize
145KB

MD5
09454c5f1efc99b380457bf5999600c9

SHA1
593a23bc19fe5e3b239f5fc7567a6f8059ee5dcb

SHA256
bd08f6ef9c7213c2395e83602533b2025a75f327f00a6f76b32d698aa6360ccc

SHA512
835d1c488b408d9a2b7e2e315d94159d00372f9b104712e4de8ae3a211954bb25a5f251d77b53d6b9f23535ffb3d16d925ed99a1648b3ec18cfe55991a6e7d46

Download Submit
memory/1192-14-0x00000000745FE000-0x00000000745FF000-memory.dmp

Filesize
4KB

Download
memory/1192-15-0x0000000000100000-0x000000000012A000-memory.dmp

Filesize
168KB

Download
memory/1192-16-0x00000000745FE000-0x00000000745FF000-memory.dmp

Filesize
4KB

Download
memory/1192-17-0x0000000005050000-0x0000000005668000-memory.dmp

Filesize
6.1MB

Download
memory/1192-18-0x0000000004BD0000-0x0000000004CDA000-memory.dmp

Filesize
1.0MB

Download
memory/1192-19-0x0000000004B90000-0x0000000004BA2000-memory.dmp

Filesize
72KB

Download
memory/1192-20-0x0000000004F20000-0x0000000004F5C000-memory.dmp

Filesize
240KB

Download
memory/1192-21-0x0000000004F60000-0x0000000004FAC000-memory.dmp

Filesize
304KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads