redline | ad899ebc75e725ff8553a27b5c79c99c86867483ddf66a7f76a25d4f1edfd1b4

General

Target

ad899ebc75e725ff8553a27b5c79c99c86867483ddf66a7f76a25d4f1edfd1b4.exe
Size

602KB
MD5

1f47c4d24a14f869aefef7057cbdb578
SHA1

5a13c99f8b60e30f0326eb7f4e4780a86b933cb5
SHA256

ad899ebc75e725ff8553a27b5c79c99c86867483ddf66a7f76a25d4f1edfd1b4
SHA512

ede8fec8ef2ac0bb066089af440c661508357bce72da0159d2edbd1c1266aa6eded8935f6ac2e8f471a1ea3b66a5cebddb481b3b6c55d192ffada9d1b1ae359a
SSDEEP

12288:GMr9y90xrOlXM1BmEsYUmdWLNDJ73O67ldawn3j07:DyaOXWOySNDJDXaQ3j07

Score

10^/10

redline diza discovery infostealer persistence

Malware Config

Extracted

Family

redline

Botnet

diza

C2

83.97.73.129:19068

Attributes

auth_value
0d09b419c8bc967f91c68be4a17e92ee

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 2 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\f2521514.exe	family_redline
behavioral1/memory/1724-21-0x00000000004C0000-0x00000000004F0000-memory.dmp	family_redline

Redline family
redline
Executes dropped EXE 3 IoCs

Processes:

x1683568.exex6682647.exef2521514.exe

pid process

212 x1683568.exe
2332 x6682647.exe
1724 f2521514.exe

pid	process
212	x1683568.exe
2332	x6682647.exe
1724	f2521514.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

ad899ebc75e725ff8553a27b5c79c99c86867483ddf66a7f76a25d4f1edfd1b4.exex1683568.exex6682647.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	ad899ebc75e725ff8553a27b5c79c99c86867483ddf66a7f76a25d4f1edfd1b4.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	x1683568.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	x6682647.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

ad899ebc75e725ff8553a27b5c79c99c86867483ddf66a7f76a25d4f1edfd1b4.exex1683568.exex6682647.exef2521514.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ad899ebc75e725ff8553a27b5c79c99c86867483ddf66a7f76a25d4f1edfd1b4.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	x1683568.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	x6682647.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f2521514.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

ad899ebc75e725ff8553a27b5c79c99c86867483ddf66a7f76a25d4f1edfd1b4.exex1683568.exex6682647.exe

description	pid	process	target process
PID 1552 wrote to memory of 212	1552	ad899ebc75e725ff8553a27b5c79c99c86867483ddf66a7f76a25d4f1edfd1b4.exe	x1683568.exe
PID 1552 wrote to memory of 212	1552	ad899ebc75e725ff8553a27b5c79c99c86867483ddf66a7f76a25d4f1edfd1b4.exe	x1683568.exe
PID 1552 wrote to memory of 212	1552	ad899ebc75e725ff8553a27b5c79c99c86867483ddf66a7f76a25d4f1edfd1b4.exe	x1683568.exe
PID 212 wrote to memory of 2332	212	x1683568.exe	x6682647.exe
PID 212 wrote to memory of 2332	212	x1683568.exe	x6682647.exe
PID 212 wrote to memory of 2332	212	x1683568.exe	x6682647.exe
PID 2332 wrote to memory of 1724	2332	x6682647.exe	f2521514.exe
PID 2332 wrote to memory of 1724	2332	x6682647.exe	f2521514.exe
PID 2332 wrote to memory of 1724	2332	x6682647.exe	f2521514.exe

C:\Users\Admin\AppData\Local\Temp\ad899ebc75e725ff8553a27b5c79c99c86867483ddf66a7f76a25d4f1edfd1b4.exe
"C:\Users\Admin\AppData\Local\Temp\ad899ebc75e725ff8553a27b5c79c99c86867483ddf66a7f76a25d4f1edfd1b4.exe"
1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1552

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x1683568.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x1683568.exe
2⤵
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:212

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x6682647.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x6682647.exe
3⤵
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2332

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\f2521514.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\f2521514.exe
4⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1724

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x1683568.exe

Filesize
378KB

MD5
b2925699f2df306d6588c0ae27102f49

SHA1
49b4c6868b32b23ee746429ddaa77d6a7cad838a

SHA256
4b02f358e361d5bf807098194f3899010ea243a1a1fb559a038bce254eec3408

SHA512
718df52987e158fa9c14877b2971164612d83f8b30f9452f615f3260908f8c44147f84987dc51845808646be87a7692132a130377a7a218f3b2c64408cf0fd83

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x6682647.exe

Filesize
206KB

MD5
8b077218b0d66010fa095809829e6964

SHA1
4407b5879967d6f603808a349b80d7a4186708f6

SHA256
39c90acfe3d628f42b17d7412b414b1a237d6cc5cf7e82dc1a6f23df260ed6f5

SHA512
d8b14b9f514ce7c6b7ccfac848da7d109cf6643821922309db068283bc4fcebb6622d28d946c498688eae37b66cc289d615098202dfd236afc67abd73e7ada48

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\f2521514.exe

Filesize
173KB

MD5
f8cf67c874988a06ab70f6c763ab2837

SHA1
7eba6eef185112ac86219934cb33f41a90f5c643

SHA256
f79d4b4183cf3e1671c94af0962423a3f150c9e14e575b98798e60f6e5c568d4

SHA512
438c68e10d4e93d76e39374a68e537169fdb20e3e7ae44099a04419acc2e84facbadace399982f086780004c19f4bbdcf2351b8fd128eafdeedff55fd1944602

Download Submit
memory/1724-21-0x00000000004C0000-0x00000000004F0000-memory.dmp

Filesize
192KB

Download
memory/1724-22-0x00000000029C0000-0x00000000029C6000-memory.dmp

Filesize
24KB

Download
memory/1724-23-0x0000000005610000-0x0000000005C28000-memory.dmp

Filesize
6.1MB

Download
memory/1724-24-0x0000000005100000-0x000000000520A000-memory.dmp

Filesize
1.0MB

Download
memory/1724-25-0x0000000002A20000-0x0000000002A32000-memory.dmp

Filesize
72KB

Download
memory/1724-26-0x0000000004FF0000-0x000000000502C000-memory.dmp

Filesize
240KB

Download
memory/1724-27-0x0000000005030000-0x000000000507C000-memory.dmp

Filesize
304KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads