redline | 795b7ab1ad5e4cf80c1adbe3d88acfacfbd6e27ac41dcc28ea6baf7b7d72d951

General

Target

795b7ab1ad5e4cf80c1adbe3d88acfacfbd6e27ac41dcc28ea6baf7b7d72d951.exe
Size

643KB
MD5

fc4291ed81f8ad2adcb89d82f19255d7
SHA1

9f550d184efa8617cd66d54bc169a84df0a86136
SHA256

795b7ab1ad5e4cf80c1adbe3d88acfacfbd6e27ac41dcc28ea6baf7b7d72d951
SHA512

244118be211ca9f48104b917f2909366a67eb209be157ac5577aa0c4344df5e5bca669d43f99a6e9adb642cda1cfcea255b0418c33e1158274f415bedd5a9e34
SSDEEP

12288:uMryy90vagMPPaVhY1ZR8eBdDJoRhuypxhNjvOW324Mq+:MyMMPUcP8uBJoRcypxzjH3LMq+

Score

10^/10

redline darm infostealer persistence stealer

Malware Config

Extracted

Family

redline

Botnet

darm

C2

217.196.96.56:4138

Attributes

auth_value
d88ac8ccc04ab9979b04b46313db1648

Signatures

Detects Redline Stealer samples 1 IoCs

This rule detects the presence of Redline Stealer samples based on their unique strings.

stealer

resource	yara_rule
behavioral2/memory/4404-148-0x000000000B120000-0x000000000B738000-memory.dmp	redline_stealer

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Executes dropped EXE 2 IoCs

pid	Process
1804	x0347165.exe
4404	g3999647.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	795b7ab1ad5e4cf80c1adbe3d88acfacfbd6e27ac41dcc28ea6baf7b7d72d951.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	795b7ab1ad5e4cf80c1adbe3d88acfacfbd6e27ac41dcc28ea6baf7b7d72d951.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	x0347165.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	x0347165.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 1504 wrote to memory of 1804	1504	795b7ab1ad5e4cf80c1adbe3d88acfacfbd6e27ac41dcc28ea6baf7b7d72d951.exe	79
PID 1504 wrote to memory of 1804	1504	795b7ab1ad5e4cf80c1adbe3d88acfacfbd6e27ac41dcc28ea6baf7b7d72d951.exe	79
PID 1504 wrote to memory of 1804	1504	795b7ab1ad5e4cf80c1adbe3d88acfacfbd6e27ac41dcc28ea6baf7b7d72d951.exe	79
PID 1804 wrote to memory of 4404	1804	x0347165.exe	80
PID 1804 wrote to memory of 4404	1804	x0347165.exe	80
PID 1804 wrote to memory of 4404	1804	x0347165.exe	80

C:\Users\Admin\AppData\Local\Temp\795b7ab1ad5e4cf80c1adbe3d88acfacfbd6e27ac41dcc28ea6baf7b7d72d951.exe
"C:\Users\Admin\AppData\Local\Temp\795b7ab1ad5e4cf80c1adbe3d88acfacfbd6e27ac41dcc28ea6baf7b7d72d951.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1504
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x0347165.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x0347165.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:1804
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g3999647.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g3999647.exe
    3⤵
    - Executes dropped EXE
    PID:4404

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x0347165.exe

Filesize
383KB

MD5
77080185d810000474144b16bc3f4ca4

SHA1
ede2127b5f0cf7ed67a306aa229c44a12ac1c347

SHA256
5e298ee95ed65f3d627e63a297b547a3c60dfd0462d55c51bef7e91692bdc369

SHA512
c594479a6bf87fd5bd3ac27524c69fc83cfd28be0d6d1105d883a40e24a97bca310efa5007e06a87c9dd2751ffe7ede502130bf09fc19b4efbeb662e40bb79b0

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x0347165.exe

Filesize
383KB

MD5
77080185d810000474144b16bc3f4ca4

SHA1
ede2127b5f0cf7ed67a306aa229c44a12ac1c347

SHA256
5e298ee95ed65f3d627e63a297b547a3c60dfd0462d55c51bef7e91692bdc369

SHA512
c594479a6bf87fd5bd3ac27524c69fc83cfd28be0d6d1105d883a40e24a97bca310efa5007e06a87c9dd2751ffe7ede502130bf09fc19b4efbeb662e40bb79b0

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g3999647.exe

Filesize
168KB

MD5
dd0217722683a4c54052d8a60c9eddcb

SHA1
d1a67391226bf0969ef886bbece999bfd93eecbb

SHA256
ebb3207f63a265a56553196191d98178eeb2025192018edaa605b02b1bc3fc69

SHA512
ecc94d9e17307a2f59efa781c4cc6abee3df695c11804c40c43bcd6ff227be95f45dbc6620fd4641daaaf568e4c63d7c98acd1a989eea9241f84cbe7a79e0447

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g3999647.exe

Filesize
168KB

MD5
dd0217722683a4c54052d8a60c9eddcb

SHA1
d1a67391226bf0969ef886bbece999bfd93eecbb

SHA256
ebb3207f63a265a56553196191d98178eeb2025192018edaa605b02b1bc3fc69

SHA512
ecc94d9e17307a2f59efa781c4cc6abee3df695c11804c40c43bcd6ff227be95f45dbc6620fd4641daaaf568e4c63d7c98acd1a989eea9241f84cbe7a79e0447

Download Submit
memory/4404-147-0x0000000000B20000-0x0000000000B50000-memory.dmp

Filesize
192KB

Download
memory/4404-148-0x000000000B120000-0x000000000B738000-memory.dmp

Filesize
6.1MB

Download
memory/4404-149-0x000000000AC10000-0x000000000AD1A000-memory.dmp

Filesize
1.0MB

Download
memory/4404-150-0x000000000AB20000-0x000000000AB32000-memory.dmp

Filesize
72KB

Download
memory/4404-151-0x0000000005430000-0x0000000005440000-memory.dmp

Filesize
64KB

Download
memory/4404-152-0x000000000AB80000-0x000000000ABBC000-memory.dmp

Filesize
240KB

Download
memory/4404-153-0x0000000005430000-0x0000000005440000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing