redline | 4c704574790a3f618497a05ca7e00d3e0acce9f02b921055e81714cf7aee4fbd

General

Target

4c704574790a3f618497a05ca7e00d3e0acce9f02b921055e81714cf7aee4fbd.exe
Size

554KB
MD5

806b93727802ab6e59d30eb60c0d6915
SHA1

ff5bc6534f66fa88c87dc53c9dd386cf2c6dd6cb
SHA256

4c704574790a3f618497a05ca7e00d3e0acce9f02b921055e81714cf7aee4fbd
SHA512

660e62294c1edd855c0e291e3f1839ceb5f9d9244583cae44207a0aeafd348bd8f43bad584612b1e2d0a2b02c42db5d9ae85e63176857319f0e81e68c8298679
SSDEEP

12288:eMrny90EIVI2PmM7t5XnM3OQm+WLnmGPBXq2iQYWKcaR:NyTIVI2eit5khOPIeaR

Score

10^/10

redline darm discovery infostealer persistence spyware stealer

Malware Config

Extracted

Family

redline

Botnet

darm

C2

217.196.96.56:4138

Attributes

auth_value
d88ac8ccc04ab9979b04b46313db1648

Signatures

Detects Redline Stealer samples 2 IoCs

This rule detects the presence of Redline Stealer samples based on their unique strings.

stealer

resource	yara_rule
behavioral2/memory/3776-148-0x000000000B290000-0x000000000B8A8000-memory.dmp	redline_stealer
behavioral2/memory/3776-157-0x000000000B160000-0x000000000B1C6000-memory.dmp	redline_stealer

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Executes dropped EXE 2 IoCs

pid	Process
4700	x0047531.exe
3776	g1362961.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	4c704574790a3f618497a05ca7e00d3e0acce9f02b921055e81714cf7aee4fbd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	x0047531.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	x0047531.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	4c704574790a3f618497a05ca7e00d3e0acce9f02b921055e81714cf7aee4fbd.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
3776	g1362961.exe
3776	g1362961.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	3776	g1362961.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 3456 wrote to memory of 4700	3456	4c704574790a3f618497a05ca7e00d3e0acce9f02b921055e81714cf7aee4fbd.exe	84
PID 3456 wrote to memory of 4700	3456	4c704574790a3f618497a05ca7e00d3e0acce9f02b921055e81714cf7aee4fbd.exe	84
PID 3456 wrote to memory of 4700	3456	4c704574790a3f618497a05ca7e00d3e0acce9f02b921055e81714cf7aee4fbd.exe	84
PID 4700 wrote to memory of 3776	4700	x0047531.exe	85
PID 4700 wrote to memory of 3776	4700	x0047531.exe	85
PID 4700 wrote to memory of 3776	4700	x0047531.exe	85

C:\Users\Admin\AppData\Local\Temp\4c704574790a3f618497a05ca7e00d3e0acce9f02b921055e81714cf7aee4fbd.exe
"C:\Users\Admin\AppData\Local\Temp\4c704574790a3f618497a05ca7e00d3e0acce9f02b921055e81714cf7aee4fbd.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3456
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x0047531.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x0047531.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:4700
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g1362961.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g1362961.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3776

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Credentials in Files

2

T1081

Discovery

Query Registry

1

T1012

Lateral Movement

Collection

Data from Local System

2

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x0047531.exe

Filesize
382KB

MD5
566fd352dab97049f5b38fc2dd4bfc2c

SHA1
65bf7e2116615ae7185369eb48d1e195a006fce2

SHA256
180160a4ef9108cb6d03ba8497f35ac3b0281ec5e5b58198366ce0dd7914faaa

SHA512
8dc46785d3b6c7045ac883d65d79fd919f20dc78ab68c9f9e8d6cfea31c7babdb920bb394372d52f9f9413487797e44e2d42d245ebcb99dfdb667bc2061b50af

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x0047531.exe

Filesize
382KB

MD5
566fd352dab97049f5b38fc2dd4bfc2c

SHA1
65bf7e2116615ae7185369eb48d1e195a006fce2

SHA256
180160a4ef9108cb6d03ba8497f35ac3b0281ec5e5b58198366ce0dd7914faaa

SHA512
8dc46785d3b6c7045ac883d65d79fd919f20dc78ab68c9f9e8d6cfea31c7babdb920bb394372d52f9f9413487797e44e2d42d245ebcb99dfdb667bc2061b50af

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g1362961.exe

Filesize
169KB

MD5
875fe879a6710f2d234c364ed16f91f6

SHA1
e046da6a3e0e5b1ee619aa529be24d131bf001cf

SHA256
fd6d75036030d9db26a2a97d25aa9799de99254bfece746fcfff515535ec2ac3

SHA512
e5b23d50b1c9504c1548c44e60d9c023aba4e13fbd4c1837936d1407cd3016cb0106131f41d447ca8e8ae81ea9ee05b8d28a598556d43659ba07d0cfc1fbb0fe

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g1362961.exe

Filesize
169KB

MD5
875fe879a6710f2d234c364ed16f91f6

SHA1
e046da6a3e0e5b1ee619aa529be24d131bf001cf

SHA256
fd6d75036030d9db26a2a97d25aa9799de99254bfece746fcfff515535ec2ac3

SHA512
e5b23d50b1c9504c1548c44e60d9c023aba4e13fbd4c1837936d1407cd3016cb0106131f41d447ca8e8ae81ea9ee05b8d28a598556d43659ba07d0cfc1fbb0fe

Download Submit
memory/3776-147-0x0000000000DD0000-0x0000000000E00000-memory.dmp

Filesize
192KB

Download
memory/3776-148-0x000000000B290000-0x000000000B8A8000-memory.dmp

Filesize
6.1MB

Download
memory/3776-149-0x000000000AEC0000-0x000000000AFCA000-memory.dmp

Filesize
1.0MB

Download
memory/3776-150-0x000000000ADD0000-0x000000000ADE2000-memory.dmp

Filesize
72KB

Download
memory/3776-151-0x00000000058E0000-0x00000000058F0000-memory.dmp

Filesize
64KB

Download
memory/3776-152-0x000000000AE30000-0x000000000AE6C000-memory.dmp

Filesize
240KB

Download
memory/3776-153-0x00000000058E0000-0x00000000058F0000-memory.dmp

Filesize
64KB

Download
memory/3776-154-0x0000000002E60000-0x0000000002ED6000-memory.dmp

Filesize
472KB

Download
memory/3776-155-0x0000000002CF0000-0x0000000002D82000-memory.dmp

Filesize
584KB

Download
memory/3776-156-0x000000000BE60000-0x000000000C404000-memory.dmp

Filesize
5.6MB

Download
memory/3776-157-0x000000000B160000-0x000000000B1C6000-memory.dmp

Filesize
408KB

Download
memory/3776-158-0x000000000B1D0000-0x000000000B220000-memory.dmp

Filesize
320KB

Download

Analysis

Sharing