redline | 5780810e969d1744281c29d6261873cd53590732ea821c3cd0ee3d7b4e91659a

General

Target

0dd0400b4e1b03d8dddfa68961843b2312ccf6bc7ffa8162567b56d3762e8d0a.exe
Size

580KB
MD5

2f04ac814a59dafca189e603d18d196d
SHA1

29148efe87f9303a07a05b45afeec232139243b0
SHA256

0dd0400b4e1b03d8dddfa68961843b2312ccf6bc7ffa8162567b56d3762e8d0a
SHA512

aafc6953a4d136c4e0c0de728e6481bc733cd07bdbc4f14c8839f38caf53c7e6f1db8bc7d21397cf61dca0fe73c724ebf6b803da8ee567a319935aed9d6bb77a
SSDEEP

12288:fMrNy90f5MI+IauHzi0A2Ok3k4uzkAxKtP9GzFzeIEG:GyqCVYS2Q4uzPxKWzFeIb

Score

10^/10

redline diza discovery infostealer persistence

Malware Config

Extracted

Family

redline

Botnet

diza

C2

83.97.73.126:19046

Attributes

auth_value
0d09b419c8bc967f91c68be4a17e92ee

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 2 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\f1006954.exe	family_redline
behavioral1/memory/3192-21-0x0000000000750000-0x0000000000780000-memory.dmp	family_redline

Redline family
redline
Executes dropped EXE 3 IoCs

Processes:

x0476388.exex2634231.exef1006954.exe

pid process

4028 x0476388.exe
3144 x2634231.exe
3192 f1006954.exe

pid	process
4028	x0476388.exe
3144	x2634231.exe
3192	f1006954.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

0dd0400b4e1b03d8dddfa68961843b2312ccf6bc7ffa8162567b56d3762e8d0a.exex0476388.exex2634231.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	0dd0400b4e1b03d8dddfa68961843b2312ccf6bc7ffa8162567b56d3762e8d0a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	x0476388.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	x2634231.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

0dd0400b4e1b03d8dddfa68961843b2312ccf6bc7ffa8162567b56d3762e8d0a.exex0476388.exex2634231.exef1006954.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0dd0400b4e1b03d8dddfa68961843b2312ccf6bc7ffa8162567b56d3762e8d0a.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	x0476388.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	x2634231.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f1006954.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

0dd0400b4e1b03d8dddfa68961843b2312ccf6bc7ffa8162567b56d3762e8d0a.exex0476388.exex2634231.exe

description	pid	process	target process
PID 4340 wrote to memory of 4028	4340	0dd0400b4e1b03d8dddfa68961843b2312ccf6bc7ffa8162567b56d3762e8d0a.exe	x0476388.exe
PID 4340 wrote to memory of 4028	4340	0dd0400b4e1b03d8dddfa68961843b2312ccf6bc7ffa8162567b56d3762e8d0a.exe	x0476388.exe
PID 4340 wrote to memory of 4028	4340	0dd0400b4e1b03d8dddfa68961843b2312ccf6bc7ffa8162567b56d3762e8d0a.exe	x0476388.exe
PID 4028 wrote to memory of 3144	4028	x0476388.exe	x2634231.exe
PID 4028 wrote to memory of 3144	4028	x0476388.exe	x2634231.exe
PID 4028 wrote to memory of 3144	4028	x0476388.exe	x2634231.exe
PID 3144 wrote to memory of 3192	3144	x2634231.exe	f1006954.exe
PID 3144 wrote to memory of 3192	3144	x2634231.exe	f1006954.exe
PID 3144 wrote to memory of 3192	3144	x2634231.exe	f1006954.exe

C:\Users\Admin\AppData\Local\Temp\0dd0400b4e1b03d8dddfa68961843b2312ccf6bc7ffa8162567b56d3762e8d0a.exe
"C:\Users\Admin\AppData\Local\Temp\0dd0400b4e1b03d8dddfa68961843b2312ccf6bc7ffa8162567b56d3762e8d0a.exe"
1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4340

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x0476388.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x0476388.exe
2⤵
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4028

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x2634231.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x2634231.exe
3⤵
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3144

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\f1006954.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\f1006954.exe
4⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3192

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x0476388.exe

Filesize
377KB

MD5
6346502ea9b0242fb32b62da5a0e856f

SHA1
c1211b9b1fc8d9f7197a7d1727a741370eb83c0d

SHA256
d1d5c5e389152c9d208f98abd0edca1f452d2b364bb4435218a02abcef77f113

SHA512
4dbac0562509b115ae33a2b49e39f9f76f6a2328c541d4fc90f54195a191327eb55c5a39f46811f28bac68e2be7921b67409b52ca0ee9818bfe7399a26c989a8

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x2634231.exe

Filesize
206KB

MD5
8cedee880088fe68f3c4c585069bc3ba

SHA1
780d2090d7379a9eeb6d0d99babd572c1fc5f6bf

SHA256
aa56cf399b17f61588283ab834fc2d2be5bfaee6a64eea2b027d4a5e2522bc89

SHA512
4f27ee5a22ba8a5c4bf45c78823f002dc724b3c58ad9485e0b090b162fee779fc501593f02e4ae431dfbc089fa5ddc0825d475412df1326812bafcb61366761b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\f1006954.exe

Filesize
172KB

MD5
48000a3f8eda69e5d8e2dbec2658dfce

SHA1
0b30d4e0a4279c813fdb973c9eb8d363d2f9bae0

SHA256
29e3016d2036cfffbd86161c5dc777c06b11fca77c32bcddb14b8cbc21c11915

SHA512
69be2602fa2ec2f123bebcee5f8bf983e5f7646424e4dccc76808ff1ac04b99ecbb4087baf26c58420b37c088563fdf96fbd57c1fc96f42227a50bc3318f3bb1

Download Submit
memory/3192-21-0x0000000000750000-0x0000000000780000-memory.dmp

Filesize
192KB

Download
memory/3192-22-0x0000000002A80000-0x0000000002A86000-memory.dmp

Filesize
24KB

Download
memory/3192-23-0x00000000057A0000-0x0000000005DB8000-memory.dmp

Filesize
6.1MB

Download
memory/3192-24-0x0000000005290000-0x000000000539A000-memory.dmp

Filesize
1.0MB

Download
memory/3192-25-0x0000000004FD0000-0x0000000004FE2000-memory.dmp

Filesize
72KB

Download
memory/3192-26-0x0000000005030000-0x000000000506C000-memory.dmp

Filesize
240KB

Download
memory/3192-27-0x0000000005180000-0x00000000051CC000-memory.dmp

Filesize
304KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads