redline | 562b213f814916f2d0c71d1de710cb186edcf92628ca149054db37c213864650

General

Target

562b213f814916f2d0c71d1de710cb186edcf92628ca149054db37c213864650.exe
Size

753KB
MD5

f56ec16840381a04c84ee869939821dc
SHA1

807fe5d5f710b06db4eae3f088d47468b5225557
SHA256

562b213f814916f2d0c71d1de710cb186edcf92628ca149054db37c213864650
SHA512

57cdda7e01e2ef3e2608fc9465b10a5e78224c8fab136ac88a2e1a54865f6b691e56c997d4216f385ce7e60bc4b4873f657609fb8832c19e8ecad6dc3df325ac
SSDEEP

12288:qMrMy90uVRSBallONcek5Q7JhqduA/MLMqakheOTrj3WipJ3sqCB5qpyMy:OyzlOHQorRA6ay9vOTBgy

Score

10^/10

redline diza discovery infostealer persistence

Malware Config

Extracted

Family

redline

Botnet

diza

C2

83.97.73.127:19045

Attributes

auth_value
0d09b419c8bc967f91c68be4a17e92ee

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 2 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\f5263724.exe	family_redline
behavioral1/memory/4356-21-0x0000000000130000-0x000000000015E000-memory.dmp	family_redline

Redline family
redline
Executes dropped EXE 3 IoCs

Processes:

x9264871.exex8732063.exef5263724.exe

pid process

4804 x9264871.exe
1148 x8732063.exe
4356 f5263724.exe

pid	process
4804	x9264871.exe
1148	x8732063.exe
4356	f5263724.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

562b213f814916f2d0c71d1de710cb186edcf92628ca149054db37c213864650.exex9264871.exex8732063.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	562b213f814916f2d0c71d1de710cb186edcf92628ca149054db37c213864650.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	x9264871.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	x8732063.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

562b213f814916f2d0c71d1de710cb186edcf92628ca149054db37c213864650.exex9264871.exex8732063.exef5263724.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	562b213f814916f2d0c71d1de710cb186edcf92628ca149054db37c213864650.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	x9264871.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	x8732063.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f5263724.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

562b213f814916f2d0c71d1de710cb186edcf92628ca149054db37c213864650.exex9264871.exex8732063.exe

description	pid	process	target process
PID 2668 wrote to memory of 4804	2668	562b213f814916f2d0c71d1de710cb186edcf92628ca149054db37c213864650.exe	x9264871.exe
PID 2668 wrote to memory of 4804	2668	562b213f814916f2d0c71d1de710cb186edcf92628ca149054db37c213864650.exe	x9264871.exe
PID 2668 wrote to memory of 4804	2668	562b213f814916f2d0c71d1de710cb186edcf92628ca149054db37c213864650.exe	x9264871.exe
PID 4804 wrote to memory of 1148	4804	x9264871.exe	x8732063.exe
PID 4804 wrote to memory of 1148	4804	x9264871.exe	x8732063.exe
PID 4804 wrote to memory of 1148	4804	x9264871.exe	x8732063.exe
PID 1148 wrote to memory of 4356	1148	x8732063.exe	f5263724.exe
PID 1148 wrote to memory of 4356	1148	x8732063.exe	f5263724.exe
PID 1148 wrote to memory of 4356	1148	x8732063.exe	f5263724.exe

C:\Users\Admin\AppData\Local\Temp\562b213f814916f2d0c71d1de710cb186edcf92628ca149054db37c213864650.exe
"C:\Users\Admin\AppData\Local\Temp\562b213f814916f2d0c71d1de710cb186edcf92628ca149054db37c213864650.exe"
1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2668

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x9264871.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x9264871.exe
2⤵
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4804

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x8732063.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x8732063.exe
3⤵
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1148

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\f5263724.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\f5263724.exe
4⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4356

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x9264871.exe

Filesize
446KB

MD5
64ed5a26f8a89d044b446116035a77e4

SHA1
b0ac0805b35d43215872b345d485a991df89e19e

SHA256
329c047201ee092ec2bdbad25ff89320bc703e5409c19f88b56405fb8dafc999

SHA512
02aad1aa6ab3d18863dba628748fb77ab3d8066404ac13d2b851260b0ee1f5d28d9482ec3593d3167f477b4ce9039e510d0b8510a61a69d6765899648578f788

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x8732063.exe

Filesize
274KB

MD5
f8af47b179e89edcc51ee9174b85b81d

SHA1
f43c462edf08313cbc3c5cae58d0b043dbd50496

SHA256
29d344e9f8e5ea7b49b55d115b72c16171fc6405c2590b1f4366853917f25f38

SHA512
dce5cde73f3a75e0388e45bc136bb7f82876a2b20470fd74fbc82b17c232ac0d23655bcd7ba29b31091252512df1264da7725c2835d502bd12b964bd6da7ba3b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\f5263724.exe

Filesize
168KB

MD5
c6462e97b1d017a1956df5349a4e9c64

SHA1
834cc1625d2810dc762928dbf0ace5c937f6ded8

SHA256
a802bee6a57a0819ffdf0ec303a8ef24031cffee466fa3c5069411246fa39e8e

SHA512
ee98453b9e3b727ff97cf0e796ca790caaa363468b57b2c485fbfd91f2a50ad1e436e7e8575d5c8bdb55b1b09f925b0291a308cbf31b9ae8df39255f56d92b2e

Download Submit
memory/4356-21-0x0000000000130000-0x000000000015E000-memory.dmp

Filesize
184KB

Download
memory/4356-22-0x0000000002420000-0x0000000002426000-memory.dmp

Filesize
24KB

Download
memory/4356-23-0x00000000050E0000-0x00000000056F8000-memory.dmp

Filesize
6.1MB

Download
memory/4356-24-0x0000000004BD0000-0x0000000004CDA000-memory.dmp

Filesize
1.0MB

Download
memory/4356-25-0x0000000004AC0000-0x0000000004AD2000-memory.dmp

Filesize
72KB

Download
memory/4356-26-0x0000000004AE0000-0x0000000004B1C000-memory.dmp

Filesize
240KB

Download
memory/4356-27-0x0000000004B60000-0x0000000004BAC000-memory.dmp

Filesize
304KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads