redline | baa3f3ae7b9f0bd13de207a7050b183abeca4ce58657ad99f1915e06e1e6a286

General

Target

baa3f3ae7b9f0bd13de207a7050b183abeca4ce58657ad99f1915e06e1e6a286.exe
Size

578KB
MD5

c50799711ce8dc440be02ff22284d793
SHA1

6415a306b36cbb303a86f86c63f6167d6a04a815
SHA256

baa3f3ae7b9f0bd13de207a7050b183abeca4ce58657ad99f1915e06e1e6a286
SHA512

f40737a9f605b6cddc3dccdf310c4075efd5cfdcdb0d289a31498a17ecf323add8cfc2bd81d916dae00134d126b6b4aa130233737cd66a3266b172295c9d7b4e
SSDEEP

12288:HMrfy90YM7u1XIr1fw6wClvWlPOdHHAZQoOWFsD:Yyn8u1YiQdWloHHAzFo

Score

10^/10

redline diza discovery infostealer persistence

Malware Config

Extracted

Family

redline

Botnet

diza

C2

83.97.73.129:19068

Attributes

auth_value
0d09b419c8bc967f91c68be4a17e92ee

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 2 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\f0010483.exe	family_redline
behavioral1/memory/836-21-0x0000000000260000-0x0000000000290000-memory.dmp	family_redline

Redline family
redline
Executes dropped EXE 3 IoCs

Processes:

x1148924.exex3706188.exef0010483.exe

pid process

3936 x1148924.exe
4316 x3706188.exe
836 f0010483.exe

pid	process
3936	x1148924.exe
4316	x3706188.exe
836	f0010483.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

x1148924.exex3706188.exebaa3f3ae7b9f0bd13de207a7050b183abeca4ce58657ad99f1915e06e1e6a286.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	x1148924.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	x3706188.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	baa3f3ae7b9f0bd13de207a7050b183abeca4ce58657ad99f1915e06e1e6a286.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

baa3f3ae7b9f0bd13de207a7050b183abeca4ce58657ad99f1915e06e1e6a286.exex1148924.exex3706188.exef0010483.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	baa3f3ae7b9f0bd13de207a7050b183abeca4ce58657ad99f1915e06e1e6a286.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	x1148924.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	x3706188.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f0010483.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

baa3f3ae7b9f0bd13de207a7050b183abeca4ce58657ad99f1915e06e1e6a286.exex1148924.exex3706188.exe

description	pid	process	target process
PID 1480 wrote to memory of 3936	1480	baa3f3ae7b9f0bd13de207a7050b183abeca4ce58657ad99f1915e06e1e6a286.exe	x1148924.exe
PID 1480 wrote to memory of 3936	1480	baa3f3ae7b9f0bd13de207a7050b183abeca4ce58657ad99f1915e06e1e6a286.exe	x1148924.exe
PID 1480 wrote to memory of 3936	1480	baa3f3ae7b9f0bd13de207a7050b183abeca4ce58657ad99f1915e06e1e6a286.exe	x1148924.exe
PID 3936 wrote to memory of 4316	3936	x1148924.exe	x3706188.exe
PID 3936 wrote to memory of 4316	3936	x1148924.exe	x3706188.exe
PID 3936 wrote to memory of 4316	3936	x1148924.exe	x3706188.exe
PID 4316 wrote to memory of 836	4316	x3706188.exe	f0010483.exe
PID 4316 wrote to memory of 836	4316	x3706188.exe	f0010483.exe
PID 4316 wrote to memory of 836	4316	x3706188.exe	f0010483.exe

C:\Users\Admin\AppData\Local\Temp\baa3f3ae7b9f0bd13de207a7050b183abeca4ce58657ad99f1915e06e1e6a286.exe
"C:\Users\Admin\AppData\Local\Temp\baa3f3ae7b9f0bd13de207a7050b183abeca4ce58657ad99f1915e06e1e6a286.exe"
1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1480

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x1148924.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x1148924.exe
2⤵
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3936

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x3706188.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x3706188.exe
3⤵
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4316

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\f0010483.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\f0010483.exe
4⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:836

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x1148924.exe

Filesize
378KB

MD5
d4ab42a79a7944aaea9896e1925c040e

SHA1
af8fd83591cff39c8ccd1bf3a07b2280fd25fed9

SHA256
846f5ce91d72b2b5f81f752f5bfb1a6b788082432ab501da299ddfe9ef46613b

SHA512
538776624ff4476030c7422c9561fc47d5219fca5a689ff5d37ffd21d42e626035f32de313e0b0bc337b7c9699d0d7837f77904765d83c3ab42e51166809a707

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x3706188.exe

Filesize
206KB

MD5
9ee7e1c3b965641c60bcdf3700be8285

SHA1
42fdcef3ec2b63568e0dd14cde0315df737edd9b

SHA256
95b3a39efc91c197a7520fc6cd7581dae8f3464c239ac175e9e49997d861cf89

SHA512
57c0d3decfc42086c43c948576ef260fedf8303f0b639f711b301735a3db108070d1687d764c3e016285e9b44f868e9caff8fd174f332f746365f049ca308695

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\f0010483.exe

Filesize
172KB

MD5
32688bcab829e64fa0f0e16b7530a415

SHA1
06504bbf6fd9758685eb09c37cba0e5d169b75f8

SHA256
8a25e86045ee80596824efb3b1a35853e47b6de3fe1c3363d40075342d73ca85

SHA512
069b02b036a2becfd85d81f407f446ade23c75976842bdabc395caf456335a83d86428f43bfa4a83ed9afef27f2f37aae2a7cce042ed8c0f651bebf4f015485c

Download Submit
memory/836-21-0x0000000000260000-0x0000000000290000-memory.dmp

Filesize
192KB

Download
memory/836-22-0x00000000025F0000-0x00000000025F6000-memory.dmp

Filesize
24KB

Download
memory/836-23-0x000000000A5F0000-0x000000000AC08000-memory.dmp

Filesize
6.1MB

Download
memory/836-24-0x000000000A0E0000-0x000000000A1EA000-memory.dmp

Filesize
1.0MB

Download
memory/836-25-0x000000000A010000-0x000000000A022000-memory.dmp

Filesize
72KB

Download
memory/836-26-0x000000000A070000-0x000000000A0AC000-memory.dmp

Filesize
240KB

Download
memory/836-27-0x0000000000CC0000-0x0000000000D0C000-memory.dmp

Filesize
304KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads