redline | 8978f930a360237f150867056bdbc26bfaf5b574aa85dc321ae5d35350e415b6

General

Target

8978f930a360237f150867056bdbc26bfaf5b574aa85dc321ae5d35350e415b6.exe
Size

480KB
MD5

124daeae49d2eefb9461dbf582eaf004
SHA1

9dc0eaef943222f92df6ffb60c11d9d29aad0701
SHA256

8978f930a360237f150867056bdbc26bfaf5b574aa85dc321ae5d35350e415b6
SHA512

9b557f524418f87713a2318f48c62a10bf0c20640d364d70a1e71bb6bf3299066101aa04bd84078dacc00e5052b8bca8e9719fbd43e32f70a1621873510fc384
SSDEEP

12288:cMrVy90RQSrM3fMyriD3r4AgG+wmEzFO89Ngc3I:Byqfrn8W3sAfvzkaHY

Score

10^/10

redline daris infostealer persistence stealer

Malware Config

Extracted

Family

redline

Botnet

daris

C2

217.196.96.56:4138

Attributes

auth_value
3491f24ae0250969cd45ce4b3fe77549

Signatures

Detects Redline Stealer samples 1 IoCs

This rule detects the presence of Redline Stealer samples based on their unique strings.

stealer

resource	yara_rule
behavioral2/memory/3908-148-0x000000000AE50000-0x000000000B468000-memory.dmp	redline_stealer

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Executes dropped EXE 2 IoCs

pid	Process
5040	y2892290.exe
3908	k3769556.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	8978f930a360237f150867056bdbc26bfaf5b574aa85dc321ae5d35350e415b6.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	y2892290.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	y2892290.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	8978f930a360237f150867056bdbc26bfaf5b574aa85dc321ae5d35350e415b6.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 2616 wrote to memory of 5040	2616	8978f930a360237f150867056bdbc26bfaf5b574aa85dc321ae5d35350e415b6.exe	79
PID 2616 wrote to memory of 5040	2616	8978f930a360237f150867056bdbc26bfaf5b574aa85dc321ae5d35350e415b6.exe	79
PID 2616 wrote to memory of 5040	2616	8978f930a360237f150867056bdbc26bfaf5b574aa85dc321ae5d35350e415b6.exe	79
PID 5040 wrote to memory of 3908	5040	y2892290.exe	80
PID 5040 wrote to memory of 3908	5040	y2892290.exe	80
PID 5040 wrote to memory of 3908	5040	y2892290.exe	80

C:\Users\Admin\AppData\Local\Temp\8978f930a360237f150867056bdbc26bfaf5b574aa85dc321ae5d35350e415b6.exe
"C:\Users\Admin\AppData\Local\Temp\8978f930a360237f150867056bdbc26bfaf5b574aa85dc321ae5d35350e415b6.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2616
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y2892290.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y2892290.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:5040
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k3769556.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k3769556.exe
    3⤵
    - Executes dropped EXE
    PID:3908

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y2892290.exe

Filesize
308KB

MD5
d652b6a710ef319c84b7082db502cf3a

SHA1
2a29e2d311ed4a236baa55e3ec08dd4914f17160

SHA256
7821ba70b7a60d1d3df920ebd6006e75e4fb41c9ef27d202d886e6a816448a6d

SHA512
2e3921624167498982ef30f178857e4c81ca28e42a0d45c695858f90155fe2b45e861fab2f255bfb147c1174284ca1140097b4f0e7d2fb7ab0b24775112d59ad

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y2892290.exe

Filesize
308KB

MD5
d652b6a710ef319c84b7082db502cf3a

SHA1
2a29e2d311ed4a236baa55e3ec08dd4914f17160

SHA256
7821ba70b7a60d1d3df920ebd6006e75e4fb41c9ef27d202d886e6a816448a6d

SHA512
2e3921624167498982ef30f178857e4c81ca28e42a0d45c695858f90155fe2b45e861fab2f255bfb147c1174284ca1140097b4f0e7d2fb7ab0b24775112d59ad

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k3769556.exe

Filesize
168KB

MD5
3e53acc69fd26cd9f18e7bfb2bba414e

SHA1
3374b4584d1cfca1955ca6cc9e71a2fd8609f6dd

SHA256
1775ee91750df560b1bb17e4f90c9c8f967c3d9ce8c807121fa520f4a65b5586

SHA512
6d2d78dd96d77fad7bb85e88bc67417afd58acf52522902cf1d556267bb25ea7bd2f484575f4763f663920f0b18ff3bbad00f44e372d2864d40b5846122a8a4b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k3769556.exe

Filesize
168KB

MD5
3e53acc69fd26cd9f18e7bfb2bba414e

SHA1
3374b4584d1cfca1955ca6cc9e71a2fd8609f6dd

SHA256
1775ee91750df560b1bb17e4f90c9c8f967c3d9ce8c807121fa520f4a65b5586

SHA512
6d2d78dd96d77fad7bb85e88bc67417afd58acf52522902cf1d556267bb25ea7bd2f484575f4763f663920f0b18ff3bbad00f44e372d2864d40b5846122a8a4b

Download Submit
memory/3908-147-0x00000000009F0000-0x0000000000A1E000-memory.dmp

Filesize
184KB

Download
memory/3908-148-0x000000000AE50000-0x000000000B468000-memory.dmp

Filesize
6.1MB

Download
memory/3908-149-0x000000000A970000-0x000000000AA7A000-memory.dmp

Filesize
1.0MB

Download
memory/3908-150-0x000000000A8E0000-0x000000000A8F2000-memory.dmp

Filesize
72KB

Download
memory/3908-151-0x000000000AB80000-0x000000000ABBC000-memory.dmp

Filesize
240KB

Download
memory/3908-152-0x00000000053A0000-0x00000000053B0000-memory.dmp

Filesize
64KB

Download
memory/3908-153-0x00000000053A0000-0x00000000053B0000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing