redline | 5c6f0628f176ed4b48066604aabf404cebb2750943d3e56dd5548a9a5dcb493a

General

Target

5c6f0628f176ed4b48066604aabf404cebb2750943d3e56dd5548a9a5dcb493a.exe
Size

479KB
MD5

f4cbc0adc6dac9c02101434fe9208dcd
SHA1

651338431eaa421a164ec448e56e694165667355
SHA256

5c6f0628f176ed4b48066604aabf404cebb2750943d3e56dd5548a9a5dcb493a
SHA512

6d6eafbe69e19b995f75eb0f3a412c6adaca8350ca4d8d67075a74cc48a67303be6cb77086c34b2d3da44fdced797784ecd6b9397d9eefca0c27412232e41dc3
SSDEEP

12288:OMrSy90aro2G7B+8FRa0n9DkUvgusoysnwFOhci:Iy16F+8FRaC9kkJ9wFg1

Score

10^/10

redline infostealer persistence stealer

Malware Config

Signatures

Detects Redline Stealer samples 1 IoCs

This rule detects the presence of Redline Stealer samples based on their unique strings.

stealer

resource	yara_rule
behavioral2/memory/1484-148-0x00000000077D0000-0x0000000007DE8000-memory.dmp	redline_stealer

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Executes dropped EXE 2 IoCs

pid	Process
2196	x6267625.exe
1484	g7244565.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	5c6f0628f176ed4b48066604aabf404cebb2750943d3e56dd5548a9a5dcb493a.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	x6267625.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	x6267625.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	5c6f0628f176ed4b48066604aabf404cebb2750943d3e56dd5548a9a5dcb493a.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 3420 wrote to memory of 2196	3420	5c6f0628f176ed4b48066604aabf404cebb2750943d3e56dd5548a9a5dcb493a.exe	83
PID 3420 wrote to memory of 2196	3420	5c6f0628f176ed4b48066604aabf404cebb2750943d3e56dd5548a9a5dcb493a.exe	83
PID 3420 wrote to memory of 2196	3420	5c6f0628f176ed4b48066604aabf404cebb2750943d3e56dd5548a9a5dcb493a.exe	83
PID 2196 wrote to memory of 1484	2196	x6267625.exe	84
PID 2196 wrote to memory of 1484	2196	x6267625.exe	84
PID 2196 wrote to memory of 1484	2196	x6267625.exe	84

C:\Users\Admin\AppData\Local\Temp\5c6f0628f176ed4b48066604aabf404cebb2750943d3e56dd5548a9a5dcb493a.exe
"C:\Users\Admin\AppData\Local\Temp\5c6f0628f176ed4b48066604aabf404cebb2750943d3e56dd5548a9a5dcb493a.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3420
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x6267625.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x6267625.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:2196
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g7244565.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g7244565.exe
    3⤵
    - Executes dropped EXE
    PID:1484

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x6267625.exe

Filesize
307KB

MD5
e3a3cf86a4fe6e60a3f2a7a3eb42c0a6

SHA1
ea1003e2d452f17165ffc57f7beff28a090d9672

SHA256
47214080d942ad45da462eb66a04f4371191e7248b512fdd9a3e416db243e16c

SHA512
64e7b9c1b8662038163b33b356fed9fdde806db7de4c865c67db89fe89560458c8e27d25c5065a5fb55209f166143916222730bf4bb9d057bc638c634bbe158e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x6267625.exe

Filesize
307KB

MD5
e3a3cf86a4fe6e60a3f2a7a3eb42c0a6

SHA1
ea1003e2d452f17165ffc57f7beff28a090d9672

SHA256
47214080d942ad45da462eb66a04f4371191e7248b512fdd9a3e416db243e16c

SHA512
64e7b9c1b8662038163b33b356fed9fdde806db7de4c865c67db89fe89560458c8e27d25c5065a5fb55209f166143916222730bf4bb9d057bc638c634bbe158e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g7244565.exe

Filesize
136KB

MD5
8f30f7f88229560306c5959c605316de

SHA1
36f26a905a9743f6dd1608e39b37d1116cafcc0a

SHA256
3a616b322cc7ca87e349b8ceabb92062ed0388308d1f9221e9cdb6f65c86b6f7

SHA512
267d0f3954c416dc994e3c3e6790f6997598b71fdb7172e87265b31b7593fb29e9eb4cc295a38b969d1f2aa131b5a67525e0f4bb51a61a3dd82b7c63b867f9a0

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g7244565.exe

Filesize
136KB

MD5
8f30f7f88229560306c5959c605316de

SHA1
36f26a905a9743f6dd1608e39b37d1116cafcc0a

SHA256
3a616b322cc7ca87e349b8ceabb92062ed0388308d1f9221e9cdb6f65c86b6f7

SHA512
267d0f3954c416dc994e3c3e6790f6997598b71fdb7172e87265b31b7593fb29e9eb4cc295a38b969d1f2aa131b5a67525e0f4bb51a61a3dd82b7c63b867f9a0

Download Submit
memory/1484-147-0x00000000004F0000-0x0000000000518000-memory.dmp

Filesize
160KB

Download
memory/1484-148-0x00000000077D0000-0x0000000007DE8000-memory.dmp

Filesize
6.1MB

Download
memory/1484-149-0x0000000007200000-0x0000000007212000-memory.dmp

Filesize
72KB

Download
memory/1484-150-0x0000000007330000-0x000000000743A000-memory.dmp

Filesize
1.0MB

Download
memory/1484-151-0x0000000007280000-0x00000000072BC000-memory.dmp

Filesize
240KB

Download
memory/1484-152-0x0000000007270000-0x0000000007280000-memory.dmp

Filesize
64KB

Download
memory/1484-153-0x0000000007270000-0x0000000007280000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing