redline | 87f1d99d4e547ee5bd94b94ef3881ca8e5d73d67cc282100c2c379563c57cb79

General

Target

87f1d99d4e547ee5bd94b94ef3881ca8e5d73d67cc282100c2c379563c57cb79.exe
Size

753KB
MD5

d046988a63ccf6b3c4860b1710ae1cd3
SHA1

0c72a1967602398435178b094c948df2280ff9c5
SHA256

87f1d99d4e547ee5bd94b94ef3881ca8e5d73d67cc282100c2c379563c57cb79
SHA512

1bac09b5f92159f7d6350d38957d668e339a420df0524cf71b5d8ca016b2305ab288781dcf3f88506a3feeaac9f28385f2308db3362cc2ec9c71508025fb9ecc
SSDEEP

12288:qMr1y90v166/uOrGpjwlauj6PDri9cMJJq1NP1WfT+WWmbuv/hbamDv1D9iC/w:/yodruh86r29cMqB1AiWWmitlcsw

Score

10^/10

redline diza discovery infostealer persistence

Malware Config

Extracted

Family

redline

Botnet

diza

C2

83.97.73.127:19045

Attributes

auth_value
0d09b419c8bc967f91c68be4a17e92ee

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 2 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\f2942600.exe	family_redline
behavioral1/memory/4808-21-0x0000000000210000-0x000000000023E000-memory.dmp	family_redline

Redline family
redline
Executes dropped EXE 3 IoCs

Processes:

x2145095.exex9511238.exef2942600.exe

pid process

2780 x2145095.exe
4688 x9511238.exe
4808 f2942600.exe

pid	process
2780	x2145095.exe
4688	x9511238.exe
4808	f2942600.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

87f1d99d4e547ee5bd94b94ef3881ca8e5d73d67cc282100c2c379563c57cb79.exex2145095.exex9511238.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	87f1d99d4e547ee5bd94b94ef3881ca8e5d73d67cc282100c2c379563c57cb79.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	x2145095.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	x9511238.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

x2145095.exex9511238.exef2942600.exe87f1d99d4e547ee5bd94b94ef3881ca8e5d73d67cc282100c2c379563c57cb79.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	x2145095.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	x9511238.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f2942600.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	87f1d99d4e547ee5bd94b94ef3881ca8e5d73d67cc282100c2c379563c57cb79.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

87f1d99d4e547ee5bd94b94ef3881ca8e5d73d67cc282100c2c379563c57cb79.exex2145095.exex9511238.exe

description	pid	process	target process
PID 3516 wrote to memory of 2780	3516	87f1d99d4e547ee5bd94b94ef3881ca8e5d73d67cc282100c2c379563c57cb79.exe	x2145095.exe
PID 3516 wrote to memory of 2780	3516	87f1d99d4e547ee5bd94b94ef3881ca8e5d73d67cc282100c2c379563c57cb79.exe	x2145095.exe
PID 3516 wrote to memory of 2780	3516	87f1d99d4e547ee5bd94b94ef3881ca8e5d73d67cc282100c2c379563c57cb79.exe	x2145095.exe
PID 2780 wrote to memory of 4688	2780	x2145095.exe	x9511238.exe
PID 2780 wrote to memory of 4688	2780	x2145095.exe	x9511238.exe
PID 2780 wrote to memory of 4688	2780	x2145095.exe	x9511238.exe
PID 4688 wrote to memory of 4808	4688	x9511238.exe	f2942600.exe
PID 4688 wrote to memory of 4808	4688	x9511238.exe	f2942600.exe
PID 4688 wrote to memory of 4808	4688	x9511238.exe	f2942600.exe

C:\Users\Admin\AppData\Local\Temp\87f1d99d4e547ee5bd94b94ef3881ca8e5d73d67cc282100c2c379563c57cb79.exe
"C:\Users\Admin\AppData\Local\Temp\87f1d99d4e547ee5bd94b94ef3881ca8e5d73d67cc282100c2c379563c57cb79.exe"
1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3516

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x2145095.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x2145095.exe
2⤵
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2780

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x9511238.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x9511238.exe
3⤵
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4688

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\f2942600.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\f2942600.exe
4⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4808

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x2145095.exe

Filesize
446KB

MD5
9d4caeb7c41435b669cf0ea2f0e33dbf

SHA1
6e5f55c47fd624402cf64a44bc62a6a9a13b4e50

SHA256
17a9c92d5d02d9437db09166278074022a07082e8927ba7b95688ad644ea9f6e

SHA512
8f2425765bb1b85c30e5fd5908999fe5d693bf6505004e3dc61ce3fdf65e1aa86f0382519c5f1f8d2ae41bb0a04b67cb702e9e58dbd64748bb23b7cf8560d3dc

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x9511238.exe

Filesize
274KB

MD5
775ea6cadedb56f606915b42d30fd303

SHA1
07bc353d55ab5c499894b66195097fdbbaf50e5d

SHA256
595af61970fab97f59e9a047313718b84a527994a26a789ace2ab229d049b125

SHA512
911ea67c0ff3f2ece2d1346e8585f53ec1d8280190d064202bd97a2c0e4b261f6437bd729465d09ef1074165b0934d652f3c824e36e0fa3d8c63f985f6062e9b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\f2942600.exe

Filesize
168KB

MD5
5e986fca191c0777b1973f6bd97e66bb

SHA1
febcd3328d94032fa13d043107de08ac793fa35d

SHA256
d9cbd7adada173d20b477fbf51412bf72babb5188cdd274e61d92c8d37a5d04d

SHA512
7c335affe6c36e5be112f50470aca0d8db5bf79b29609b5e96b6f5efcfeb663f5a2e63aa148271919b4d1afe5400f0cbad6c8324fe6635a5bdd1480dd6276cd7

Download Submit
memory/4808-21-0x0000000000210000-0x000000000023E000-memory.dmp

Filesize
184KB

Download
memory/4808-22-0x0000000004B30000-0x0000000004B36000-memory.dmp

Filesize
24KB

Download
memory/4808-23-0x000000000A640000-0x000000000AC58000-memory.dmp

Filesize
6.1MB

Download
memory/4808-24-0x000000000A1C0000-0x000000000A2CA000-memory.dmp

Filesize
1.0MB

Download
memory/4808-25-0x000000000A0F0000-0x000000000A102000-memory.dmp

Filesize
72KB

Download
memory/4808-26-0x000000000A150000-0x000000000A18C000-memory.dmp

Filesize
240KB

Download
memory/4808-27-0x00000000044E0000-0x000000000452C000-memory.dmp

Filesize
304KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads