redline | 1ba639e3295968e989c9e4020650817aff587daafbc6a25c928f33b5c49158d5

General

Target

1ba639e3295968e989c9e4020650817aff587daafbc6a25c928f33b5c49158d5.exe
Size

755KB
MD5

fd6a1e7174c13b89046024b9163f2c2f
SHA1

f39037e18181bfc3d2038d1fff17bce523f86743
SHA256

1ba639e3295968e989c9e4020650817aff587daafbc6a25c928f33b5c49158d5
SHA512

9e69a665fe99509ef260ce012af1669edcdfcf3a34d99e7bbd02ad49dbe0da0a992dbe53623b857f1a01e0040928bdf5ccb3f3110fe4169aca7dccd49c05c259
SSDEEP

12288:bMrty90xkEstsqaYIt4GNgJ//DFUuwe7InmgRWxMkz8OqSRGq0OVkPeJ8wQYTTRz:CyYkVs7YSWVLFnwekPWCvsv0OPJ/QYTx

Score

10^/10

redline diza discovery infostealer persistence

Malware Config

Extracted

Family

redline

Botnet

diza

C2

83.97.73.127:19045

Attributes

auth_value
0d09b419c8bc967f91c68be4a17e92ee

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 2 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\f8770764.exe	family_redline
behavioral1/memory/2024-21-0x0000000000B60000-0x0000000000B8E000-memory.dmp	family_redline

Redline family
redline
Executes dropped EXE 3 IoCs

Processes:

x2235111.exex9108986.exef8770764.exe

pid process

4196 x2235111.exe
3448 x9108986.exe
2024 f8770764.exe

pid	process
4196	x2235111.exe
3448	x9108986.exe
2024	f8770764.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

x2235111.exex9108986.exe1ba639e3295968e989c9e4020650817aff587daafbc6a25c928f33b5c49158d5.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	x2235111.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	x9108986.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	1ba639e3295968e989c9e4020650817aff587daafbc6a25c928f33b5c49158d5.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

f8770764.exe1ba639e3295968e989c9e4020650817aff587daafbc6a25c928f33b5c49158d5.exex2235111.exex9108986.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f8770764.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1ba639e3295968e989c9e4020650817aff587daafbc6a25c928f33b5c49158d5.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	x2235111.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	x9108986.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

1ba639e3295968e989c9e4020650817aff587daafbc6a25c928f33b5c49158d5.exex2235111.exex9108986.exe

description	pid	process	target process
PID 732 wrote to memory of 4196	732	1ba639e3295968e989c9e4020650817aff587daafbc6a25c928f33b5c49158d5.exe	x2235111.exe
PID 732 wrote to memory of 4196	732	1ba639e3295968e989c9e4020650817aff587daafbc6a25c928f33b5c49158d5.exe	x2235111.exe
PID 732 wrote to memory of 4196	732	1ba639e3295968e989c9e4020650817aff587daafbc6a25c928f33b5c49158d5.exe	x2235111.exe
PID 4196 wrote to memory of 3448	4196	x2235111.exe	x9108986.exe
PID 4196 wrote to memory of 3448	4196	x2235111.exe	x9108986.exe
PID 4196 wrote to memory of 3448	4196	x2235111.exe	x9108986.exe
PID 3448 wrote to memory of 2024	3448	x9108986.exe	f8770764.exe
PID 3448 wrote to memory of 2024	3448	x9108986.exe	f8770764.exe
PID 3448 wrote to memory of 2024	3448	x9108986.exe	f8770764.exe

C:\Users\Admin\AppData\Local\Temp\1ba639e3295968e989c9e4020650817aff587daafbc6a25c928f33b5c49158d5.exe
"C:\Users\Admin\AppData\Local\Temp\1ba639e3295968e989c9e4020650817aff587daafbc6a25c928f33b5c49158d5.exe"
1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:732

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x2235111.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x2235111.exe
2⤵
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4196

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x9108986.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x9108986.exe
3⤵
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3448

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\f8770764.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\f8770764.exe
4⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2024

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x2235111.exe

Filesize
445KB

MD5
0568d907860858e36c6ea32cc312b21a

SHA1
84c32806e6052df8b7163a74108fe0938957d867

SHA256
87b88d2ced2eabdc43aa1b82bfee1bdda2b8f2d7b9c10d6a9981a5c963ebbbac

SHA512
e840505d6a9dd29367f0eb8bd9b23ee2809b83531527674f3da2f31059ba2a38415e7bf80a245a0328957318eb8246eaac24280ab2eace4f210882651e78dc6e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x9108986.exe

Filesize
274KB

MD5
892d5e401407bd278ca17b025ea1b731

SHA1
b38e9c53dd3d1da2ceb74d007b333cbd4d2f3150

SHA256
21d430b7200dd9e2205d5b997cbee45a7d072dec7bde2e1b887b1fbd5fd9583d

SHA512
6099d9b7b537aed18a397958d15ac5f1315611386fa268faf75f74e275831940bc0819ae313bc23af375672b0c7e028705a9488796b5ccc99b01c37e72e01de8

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\f8770764.exe

Filesize
168KB

MD5
3b4dd112042c1457398db517a75e7b06

SHA1
f1fdd8ea9bb0255b01af7ea3dd14753a8e2ed4c8

SHA256
9703161960a0acf14ecc01106831866cb925dacd12024924e3d7075dee35b8f2

SHA512
6ffac00b7e6df60b03f16de92b3b9e505e285534f7e2c1e6ed6949a9cb95762500c8caa7fc73a41d7db4e292ded1373261efadb192f3c0bbb160941b047d0ecd

Download Submit
memory/2024-21-0x0000000000B60000-0x0000000000B8E000-memory.dmp

Filesize
184KB

Download
memory/2024-22-0x0000000001410000-0x0000000001416000-memory.dmp

Filesize
24KB

Download
memory/2024-23-0x000000000AF00000-0x000000000B518000-memory.dmp

Filesize
6.1MB

Download
memory/2024-24-0x000000000A9F0000-0x000000000AAFA000-memory.dmp

Filesize
1.0MB

Download
memory/2024-25-0x000000000A900000-0x000000000A912000-memory.dmp

Filesize
72KB

Download
memory/2024-26-0x000000000A960000-0x000000000A99C000-memory.dmp

Filesize
240KB

Download
memory/2024-27-0x0000000002D70000-0x0000000002DBC000-memory.dmp

Filesize
304KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads