redline | 99d3db7df116c5c903adfa36b7737dd7a2a77ce5970621ace31e560def653901

General

Target

99d3db7df116c5c903adfa36b7737dd7a2a77ce5970621ace31e560def653901.exe
Size

754KB
MD5

6a64de7e5de482f3ef22aba0140c3c4f
SHA1

fc0a38cbb779baba6411d748275bbfc75e327309
SHA256

99d3db7df116c5c903adfa36b7737dd7a2a77ce5970621ace31e560def653901
SHA512

c5d82d8144f9849a8f78d769f869341b532bf670f164f52cb6dd6090cb73cb4ae849ae74e47b1fd061250f5d4d3a695fa6964811f4b5a46eafa86d89fb1bcc89
SSDEEP

12288:6Mr5y90lSglzgROOH8zT6xUZrqaWRGpA5I2mZtsyHz47BFilaHiv3dk8IM6zT1+o:TyRgWJH26xim7GpApKlHk9CXdk5H1+k5

Score

10^/10

redline diza discovery infostealer persistence

Malware Config

Extracted

Family

redline

Botnet

diza

C2

83.97.73.127:19045

Attributes

auth_value
0d09b419c8bc967f91c68be4a17e92ee

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 2 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\f3093659.exe	family_redline
behavioral1/memory/3260-21-0x0000000000B10000-0x0000000000B3E000-memory.dmp	family_redline

Redline family
redline
Executes dropped EXE 3 IoCs

Processes:

x1874771.exex3204309.exef3093659.exe

pid process

1856 x1874771.exe
3068 x3204309.exe
3260 f3093659.exe

pid	process
1856	x1874771.exe
3068	x3204309.exe
3260	f3093659.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

99d3db7df116c5c903adfa36b7737dd7a2a77ce5970621ace31e560def653901.exex1874771.exex3204309.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	99d3db7df116c5c903adfa36b7737dd7a2a77ce5970621ace31e560def653901.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	x1874771.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	x3204309.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

99d3db7df116c5c903adfa36b7737dd7a2a77ce5970621ace31e560def653901.exex1874771.exex3204309.exef3093659.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	99d3db7df116c5c903adfa36b7737dd7a2a77ce5970621ace31e560def653901.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	x1874771.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	x3204309.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f3093659.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

99d3db7df116c5c903adfa36b7737dd7a2a77ce5970621ace31e560def653901.exex1874771.exex3204309.exe

description	pid	process	target process
PID 928 wrote to memory of 1856	928	99d3db7df116c5c903adfa36b7737dd7a2a77ce5970621ace31e560def653901.exe	x1874771.exe
PID 928 wrote to memory of 1856	928	99d3db7df116c5c903adfa36b7737dd7a2a77ce5970621ace31e560def653901.exe	x1874771.exe
PID 928 wrote to memory of 1856	928	99d3db7df116c5c903adfa36b7737dd7a2a77ce5970621ace31e560def653901.exe	x1874771.exe
PID 1856 wrote to memory of 3068	1856	x1874771.exe	x3204309.exe
PID 1856 wrote to memory of 3068	1856	x1874771.exe	x3204309.exe
PID 1856 wrote to memory of 3068	1856	x1874771.exe	x3204309.exe
PID 3068 wrote to memory of 3260	3068	x3204309.exe	f3093659.exe
PID 3068 wrote to memory of 3260	3068	x3204309.exe	f3093659.exe
PID 3068 wrote to memory of 3260	3068	x3204309.exe	f3093659.exe

C:\Users\Admin\AppData\Local\Temp\99d3db7df116c5c903adfa36b7737dd7a2a77ce5970621ace31e560def653901.exe
"C:\Users\Admin\AppData\Local\Temp\99d3db7df116c5c903adfa36b7737dd7a2a77ce5970621ace31e560def653901.exe"
1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:928

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x1874771.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x1874771.exe
2⤵
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1856

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x3204309.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x3204309.exe
3⤵
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3068

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\f3093659.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\f3093659.exe
4⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3260

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x1874771.exe

Filesize
445KB

MD5
4e8c13c7c5df954babf78093148abf2b

SHA1
e32c570dc84b136595fe626cdb3ed2d3f38c8ffd

SHA256
fce3e5a4d58176a3a2f8ef6ec4940f623245f7b11d8094949d3da310212937c5

SHA512
49c73b609dfbc3f92157fabbaec768fa208417668bfe3a67f5f823f6db2454c825838f50ce6c5454c671fd112c7d5e0e3764ade52de57febab998e8e9f69da33

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x3204309.exe

Filesize
274KB

MD5
bdf505dee5e0649c990a51c40e671099

SHA1
8b1738b0a216d771b3de3b65c4d8d0895eecd15f

SHA256
012164d3de6ed4b61e2306cbc86385a89c95e13d5a07926322f1be3725453e20

SHA512
9f775d6534265981a6300f42e21fcdb1b08c2a4ca7fb00dbe82dee44194e180f33eb639307eebed7f3a46f351f23297c1fe46b6c3dca16e1cc57d88d756f1684

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\f3093659.exe

Filesize
168KB

MD5
2eb1ca67cd181f31cfd41f0028e335ca

SHA1
e9ef6c4822693a95728e54de05baf86bac49a344

SHA256
862c4dbc25625defc709a1a93cff55287f7af71380b06941d0d2de359e4f1996

SHA512
c88e66536cd44f9ef931bc1dd30146d4fa2a3a01510c44f7b7969922c4b15425314b192272c8252a2d397268c367f10be5bf6b405fcf646e3cf0e688769af1dc

Download Submit
memory/3260-21-0x0000000000B10000-0x0000000000B3E000-memory.dmp

Filesize
184KB

Download
memory/3260-22-0x0000000002E60000-0x0000000002E66000-memory.dmp

Filesize
24KB

Download
memory/3260-23-0x0000000005BE0000-0x00000000061F8000-memory.dmp

Filesize
6.1MB

Download
memory/3260-24-0x00000000056D0000-0x00000000057DA000-memory.dmp

Filesize
1.0MB

Download
memory/3260-25-0x00000000055E0000-0x00000000055F2000-memory.dmp

Filesize
72KB

Download
memory/3260-26-0x0000000005640000-0x000000000567C000-memory.dmp

Filesize
240KB

Download
memory/3260-27-0x0000000005680000-0x00000000056CC000-memory.dmp

Filesize
304KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads