redline | 05824f82e70a1564cfc105478c64f1c40fcb939f4f2d65bf2aef4b3a8fcb03f3

General

Target

05824f82e70a1564cfc105478c64f1c40fcb939f4f2d65bf2aef4b3a8fcb03f3.exe
Size

754KB
MD5

feb73eaeeb487dadcf64f10c9cc21b68
SHA1

a9fd73c8b79377ba6caf6c0b0224e954e6e54a66
SHA256

05824f82e70a1564cfc105478c64f1c40fcb939f4f2d65bf2aef4b3a8fcb03f3
SHA512

d11345f97c26a0f3c899ddff2505cd0d09f7e06ddda415cb5e330ae54fabfce8cebc998851d2538d7bcc11d0c71dd888a07c047ef922f5adbb9b0365052882cf
SSDEEP

12288:dMrty90ZkDtl4goFGCDL3NyOY6PVkJcFzJQGtut:UyLlwVDLNHbPPhJkt

Score

10^/10

redline diza discovery infostealer persistence

Malware Config

Extracted

Family

redline

Botnet

diza

C2

83.97.73.127:19045

Attributes

auth_value
0d09b419c8bc967f91c68be4a17e92ee

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 2 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\f6202099.exe	family_redline
behavioral1/memory/3240-21-0x0000000000360000-0x000000000038E000-memory.dmp	family_redline

Redline family
redline
Executes dropped EXE 3 IoCs

Processes:

x2666385.exex5890911.exef6202099.exe

pid process

4468 x2666385.exe
4640 x5890911.exe
3240 f6202099.exe

pid	process
4468	x2666385.exe
4640	x5890911.exe
3240	f6202099.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

05824f82e70a1564cfc105478c64f1c40fcb939f4f2d65bf2aef4b3a8fcb03f3.exex2666385.exex5890911.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	05824f82e70a1564cfc105478c64f1c40fcb939f4f2d65bf2aef4b3a8fcb03f3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	x2666385.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	x5890911.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

05824f82e70a1564cfc105478c64f1c40fcb939f4f2d65bf2aef4b3a8fcb03f3.exex2666385.exex5890911.exef6202099.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	05824f82e70a1564cfc105478c64f1c40fcb939f4f2d65bf2aef4b3a8fcb03f3.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	x2666385.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	x5890911.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f6202099.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

05824f82e70a1564cfc105478c64f1c40fcb939f4f2d65bf2aef4b3a8fcb03f3.exex2666385.exex5890911.exe

description	pid	process	target process
PID 1460 wrote to memory of 4468	1460	05824f82e70a1564cfc105478c64f1c40fcb939f4f2d65bf2aef4b3a8fcb03f3.exe	x2666385.exe
PID 1460 wrote to memory of 4468	1460	05824f82e70a1564cfc105478c64f1c40fcb939f4f2d65bf2aef4b3a8fcb03f3.exe	x2666385.exe
PID 1460 wrote to memory of 4468	1460	05824f82e70a1564cfc105478c64f1c40fcb939f4f2d65bf2aef4b3a8fcb03f3.exe	x2666385.exe
PID 4468 wrote to memory of 4640	4468	x2666385.exe	x5890911.exe
PID 4468 wrote to memory of 4640	4468	x2666385.exe	x5890911.exe
PID 4468 wrote to memory of 4640	4468	x2666385.exe	x5890911.exe
PID 4640 wrote to memory of 3240	4640	x5890911.exe	f6202099.exe
PID 4640 wrote to memory of 3240	4640	x5890911.exe	f6202099.exe
PID 4640 wrote to memory of 3240	4640	x5890911.exe	f6202099.exe

C:\Users\Admin\AppData\Local\Temp\05824f82e70a1564cfc105478c64f1c40fcb939f4f2d65bf2aef4b3a8fcb03f3.exe
"C:\Users\Admin\AppData\Local\Temp\05824f82e70a1564cfc105478c64f1c40fcb939f4f2d65bf2aef4b3a8fcb03f3.exe"
1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1460

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x2666385.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x2666385.exe
2⤵
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4468

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x5890911.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x5890911.exe
3⤵
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4640

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\f6202099.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\f6202099.exe
4⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3240

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x2666385.exe

Filesize
446KB

MD5
f7c86cd57ade4f8e4ef665f1935e6ca9

SHA1
f6859e4d22f27cfe8700a95614e7ebe4b7dd9034

SHA256
ee197de5c84328de13ba27c9119ab2afe34440d96729728e33eaab4252ec5998

SHA512
cf15e6d67eea5e8a6b3523df36c30b3d5e9f260b28d25b1baa41618cd6d68ceaab2ce66c4146a43b7eefe2d1b3013543fc813849bc2179648dc7fe9271757bc6

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x5890911.exe

Filesize
274KB

MD5
1ee004cfde213107497acd69e6838907

SHA1
2a42a06b936717664bd9d0639523c3d7a4ff975e

SHA256
587e0758afbc687fe1a0ea0aa66d09a3dd46e63d9bb059f00f5c946ee37370a5

SHA512
820eb86449902bc39b7f0be06873702f6ad366b82de47692d830af06bc740a2bca50079625885d197b6639a081400b957f63626b2599f6fa410f6379d6659393

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\f6202099.exe

Filesize
168KB

MD5
45b09e29a98f50cfc461fc804dacf40c

SHA1
9e6a148297cbd1c810d61e977ed41361e6acb629

SHA256
cb25e1aa22646ed241beb16ae9d10c8148db2a24d3d92351df9d033e285a0642

SHA512
eb4975232944f679bbe744f85805e3fe71f070ed4ed9bfd9421b4f21eb2ad773a8abad61836abfa9cc58cf67aa134a77d324a9bae5f3cdc130630e1ce746971f

Download Submit
memory/3240-21-0x0000000000360000-0x000000000038E000-memory.dmp

Filesize
184KB

Download
memory/3240-22-0x0000000002750000-0x0000000002756000-memory.dmp

Filesize
24KB

Download
memory/3240-23-0x00000000053F0000-0x0000000005A08000-memory.dmp

Filesize
6.1MB

Download
memory/3240-24-0x0000000004EF0000-0x0000000004FFA000-memory.dmp

Filesize
1.0MB

Download
memory/3240-25-0x0000000004E20000-0x0000000004E32000-memory.dmp

Filesize
72KB

Download
memory/3240-26-0x0000000004E80000-0x0000000004EBC000-memory.dmp

Filesize
240KB

Download
memory/3240-27-0x0000000005000000-0x000000000504C000-memory.dmp

Filesize
304KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads