redline | 9fa7b13610b981c7cd872e514c3e930df25002eab3ee5c4e9c744d2995e9b785

General

Target

9fa7b13610b981c7cd872e514c3e930df25002eab3ee5c4e9c744d2995e9b785.exe
Size

1.1MB
MD5

78759a370d9984c95c657c515369afb6
SHA1

bd2239398fc00e030df52bd235e5cc2d220bd742
SHA256

9fa7b13610b981c7cd872e514c3e930df25002eab3ee5c4e9c744d2995e9b785
SHA512

c31446fc19b703bad33d35b825f82d5f3c9321fca6edffc36efc9aa81efbe306d4746c16c3927604db9b68f924b9f95a3682cbd3ada1af360a26063e92e19281
SSDEEP

24576:cy4ZlrwSR0Y397zpteD91pZAcEFtqWvduVlD3e1YgFB9Ud6zZmSM:L6lrwSR0Y39npID91pZOqWFuHD3+FB9n

Score

10^/10

redline infostealer persistence stealer

Malware Config

Signatures

Detects Redline Stealer samples 1 IoCs

This rule detects the presence of Redline Stealer samples based on their unique strings.

stealer

resource	yara_rule
behavioral2/memory/1840-155-0x00000000078F0000-0x0000000007F08000-memory.dmp	redline_stealer

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Executes dropped EXE 3 IoCs

pid	Process
2672	y4948776.exe
2908	y0119048.exe
1840	k9610519.exe

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	y4948776.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	y4948776.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	y0119048.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	y0119048.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	9fa7b13610b981c7cd872e514c3e930df25002eab3ee5c4e9c744d2995e9b785.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	9fa7b13610b981c7cd872e514c3e930df25002eab3ee5c4e9c744d2995e9b785.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 4776 wrote to memory of 2672	4776	9fa7b13610b981c7cd872e514c3e930df25002eab3ee5c4e9c744d2995e9b785.exe	77
PID 4776 wrote to memory of 2672	4776	9fa7b13610b981c7cd872e514c3e930df25002eab3ee5c4e9c744d2995e9b785.exe	77
PID 4776 wrote to memory of 2672	4776	9fa7b13610b981c7cd872e514c3e930df25002eab3ee5c4e9c744d2995e9b785.exe	77
PID 2672 wrote to memory of 2908	2672	y4948776.exe	78
PID 2672 wrote to memory of 2908	2672	y4948776.exe	78
PID 2672 wrote to memory of 2908	2672	y4948776.exe	78
PID 2908 wrote to memory of 1840	2908	y0119048.exe	79
PID 2908 wrote to memory of 1840	2908	y0119048.exe	79
PID 2908 wrote to memory of 1840	2908	y0119048.exe	79

C:\Users\Admin\AppData\Local\Temp\9fa7b13610b981c7cd872e514c3e930df25002eab3ee5c4e9c744d2995e9b785.exe
"C:\Users\Admin\AppData\Local\Temp\9fa7b13610b981c7cd872e514c3e930df25002eab3ee5c4e9c744d2995e9b785.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4776
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y4948776.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y4948776.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:2672
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y0119048.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y0119048.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:2908
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\k9610519.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\k9610519.exe
      4⤵
      Executes dropped EXE
      PID:1840

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y4948776.exe

Filesize
598KB

MD5
1cd8e6a9c08cd921458e124226ea121f

SHA1
406dea461ad0b7d5da11a0b681a1d898a6644f8a

SHA256
69d0f6857c2db347dd537bf87ae7e99553f1233d9d9635e301a214f79b24bffc

SHA512
59f1b3fd6de68e362d60e61dd9007b4321868209964c167a0bce836e103f9995ffc71b984919e5a2ed128d324d003ece1b174d89cf976132ba75650bf3b68805

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y4948776.exe

Filesize
598KB

MD5
1cd8e6a9c08cd921458e124226ea121f

SHA1
406dea461ad0b7d5da11a0b681a1d898a6644f8a

SHA256
69d0f6857c2db347dd537bf87ae7e99553f1233d9d9635e301a214f79b24bffc

SHA512
59f1b3fd6de68e362d60e61dd9007b4321868209964c167a0bce836e103f9995ffc71b984919e5a2ed128d324d003ece1b174d89cf976132ba75650bf3b68805

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y0119048.exe

Filesize
395KB

MD5
78cc7b8cf45e9a68fa86816fb2592267

SHA1
dd49c216f5f1aa3c17970d86310ebbceb02f3d23

SHA256
bcaebea9a78e984456e04f672c48f1997561c3f394ee033d03df1b13548962ca

SHA512
50595437e9ff94a80175d5fa2b5ef51dba70aca1f30a8230e46b162e545014ef87f75518e347c9512cf5fa965ece3687c0b0f63e25258a87c148aa9953ef7afb

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y0119048.exe

Filesize
395KB

MD5
78cc7b8cf45e9a68fa86816fb2592267

SHA1
dd49c216f5f1aa3c17970d86310ebbceb02f3d23

SHA256
bcaebea9a78e984456e04f672c48f1997561c3f394ee033d03df1b13548962ca

SHA512
50595437e9ff94a80175d5fa2b5ef51dba70aca1f30a8230e46b162e545014ef87f75518e347c9512cf5fa965ece3687c0b0f63e25258a87c148aa9953ef7afb

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\k9610519.exe

Filesize
137KB

MD5
43272bd97716dbae4385a467df1cb91c

SHA1
7b5af319b6ffcdf8dbf585b941e0c01ca1cda775

SHA256
81b7f168a6562dcd08248a9dc11f0f151811657e4684c6f912c174dd07cd3b66

SHA512
68957caf3b8546d8575e1fa29ce6ce9855c65e3887226141e1f29235f1aabe6cb83bbb1eae3ed93c728ad96074c1c3f9cb26532b3e892e96a7122da18fb9284a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\k9610519.exe

Filesize
137KB

MD5
43272bd97716dbae4385a467df1cb91c

SHA1
7b5af319b6ffcdf8dbf585b941e0c01ca1cda775

SHA256
81b7f168a6562dcd08248a9dc11f0f151811657e4684c6f912c174dd07cd3b66

SHA512
68957caf3b8546d8575e1fa29ce6ce9855c65e3887226141e1f29235f1aabe6cb83bbb1eae3ed93c728ad96074c1c3f9cb26532b3e892e96a7122da18fb9284a

Download Submit
memory/1840-154-0x0000000000680000-0x00000000006A8000-memory.dmp

Filesize
160KB

Download
memory/1840-155-0x00000000078F0000-0x0000000007F08000-memory.dmp

Filesize
6.1MB

Download
memory/1840-156-0x0000000007390000-0x00000000073A2000-memory.dmp

Filesize
72KB

Download
memory/1840-157-0x0000000007600000-0x000000000770A000-memory.dmp

Filesize
1.0MB

Download
memory/1840-158-0x0000000002510000-0x000000000254C000-memory.dmp

Filesize
240KB

Download
memory/1840-159-0x0000000000B20000-0x0000000000B30000-memory.dmp

Filesize
64KB

Download
memory/1840-160-0x0000000000B20000-0x0000000000B30000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing