redline | 65e927b43ad5e5c9e01570c197da93530191b622d90abad16e486d69157942b9

General

Target

65e927b43ad5e5c9e01570c197da93530191b622d90abad16e486d69157942b9.exe
Size

599KB
MD5

9fcf210a9e62502d2332c6cf658b50d5
SHA1

91ed85654df42d0f41c02cc344bac9f11c858f34
SHA256

65e927b43ad5e5c9e01570c197da93530191b622d90abad16e486d69157942b9
SHA512

ebbb43549280464616956cfa60d1755deeaf0918c46f1023f7c8c0105b1362b267b9190cb49eabadf9f04618d14d8a21cdb2810ffedbadfb33ecdf916146774c
SSDEEP

12288:sMrSy90mYT6rZjgyo7HoX1Id3CWyEh62U2+6cWCLxCs88Zpg2FaUOZ/t:OymTmJyHgasPv2RwK2bO7

Score

10^/10

redline infostealer persistence stealer

Malware Config

Signatures

Detects Redline Stealer samples 1 IoCs

This rule detects the presence of Redline Stealer samples based on their unique strings.

stealer

resource	yara_rule
behavioral2/memory/3476-148-0x0000000008280000-0x0000000008898000-memory.dmp	redline_stealer

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Executes dropped EXE 2 IoCs

pid	Process
3028	y4520007.exe
3476	k9594817.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	65e927b43ad5e5c9e01570c197da93530191b622d90abad16e486d69157942b9.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	65e927b43ad5e5c9e01570c197da93530191b622d90abad16e486d69157942b9.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	y4520007.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	y4520007.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 4488 wrote to memory of 3028	4488	65e927b43ad5e5c9e01570c197da93530191b622d90abad16e486d69157942b9.exe	81
PID 4488 wrote to memory of 3028	4488	65e927b43ad5e5c9e01570c197da93530191b622d90abad16e486d69157942b9.exe	81
PID 4488 wrote to memory of 3028	4488	65e927b43ad5e5c9e01570c197da93530191b622d90abad16e486d69157942b9.exe	81
PID 3028 wrote to memory of 3476	3028	y4520007.exe	82
PID 3028 wrote to memory of 3476	3028	y4520007.exe	82
PID 3028 wrote to memory of 3476	3028	y4520007.exe	82

C:\Users\Admin\AppData\Local\Temp\65e927b43ad5e5c9e01570c197da93530191b622d90abad16e486d69157942b9.exe
"C:\Users\Admin\AppData\Local\Temp\65e927b43ad5e5c9e01570c197da93530191b622d90abad16e486d69157942b9.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4488
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y4520007.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y4520007.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:3028
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k9594817.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k9594817.exe
    3⤵
    - Executes dropped EXE
    PID:3476

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y4520007.exe

Filesize
307KB

MD5
e4d1ae8baed68e4158c2a0e0271241ae

SHA1
ab5d03a6d558323053b181e2934d841e594f9080

SHA256
b291cd810edaf2c15fc09d39fbbc0867cfc6b24f8a708ea13d26872b7ea1ebbb

SHA512
7e2400cc5d9f59840ea5b0f05c2559ec03f7f8d4809fc69a1cfa12b1d4dab46e88fdc3f857e36ffced6a6e87a1eeb905df008d52aea8b1c70b5e32a57365803a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y4520007.exe

Filesize
307KB

MD5
e4d1ae8baed68e4158c2a0e0271241ae

SHA1
ab5d03a6d558323053b181e2934d841e594f9080

SHA256
b291cd810edaf2c15fc09d39fbbc0867cfc6b24f8a708ea13d26872b7ea1ebbb

SHA512
7e2400cc5d9f59840ea5b0f05c2559ec03f7f8d4809fc69a1cfa12b1d4dab46e88fdc3f857e36ffced6a6e87a1eeb905df008d52aea8b1c70b5e32a57365803a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k9594817.exe

Filesize
137KB

MD5
3c86b66f6b7eb077a276399f63928dfb

SHA1
df370706189600c6e338fc5801dfa3e9dbe24ed4

SHA256
40d329b81431fe6b10aa348762c0cd94d500426f422f96a2e9999823e62ce367

SHA512
5d53ef8c1c08e45ddbad80571598faebbd17cadc6b86145ee03f734db482181ea913b953a8655abc4f39b75fd9c132a1e4d07cc7a3b2ba94e898f4195bc5d805

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k9594817.exe

Filesize
137KB

MD5
3c86b66f6b7eb077a276399f63928dfb

SHA1
df370706189600c6e338fc5801dfa3e9dbe24ed4

SHA256
40d329b81431fe6b10aa348762c0cd94d500426f422f96a2e9999823e62ce367

SHA512
5d53ef8c1c08e45ddbad80571598faebbd17cadc6b86145ee03f734db482181ea913b953a8655abc4f39b75fd9c132a1e4d07cc7a3b2ba94e898f4195bc5d805

Download Submit
memory/3476-147-0x0000000000EC0000-0x0000000000EE8000-memory.dmp

Filesize
160KB

Download
memory/3476-148-0x0000000008280000-0x0000000008898000-memory.dmp

Filesize
6.1MB

Download
memory/3476-149-0x0000000007D10000-0x0000000007D22000-memory.dmp

Filesize
72KB

Download
memory/3476-150-0x0000000007E40000-0x0000000007F4A000-memory.dmp

Filesize
1.0MB

Download
memory/3476-151-0x0000000007D70000-0x0000000007DAC000-memory.dmp

Filesize
240KB

Download
memory/3476-152-0x0000000007E00000-0x0000000007E10000-memory.dmp

Filesize
64KB

Download
memory/3476-153-0x0000000007E00000-0x0000000007E10000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing