redline | 42dd5d2085e3acab633e31f0a6353f8af2cc22d896a79940d415b4809b9b87b6

General

Target

42dd5d2085e3acab633e31f0a6353f8af2cc22d896a79940d415b4809b9b87b6.exe
Size

1.1MB
MD5

84ff71bb33d737094a9d28a8987e3659
SHA1

ae21eea2aed54c2ee9a8034e3b263d0657f4a3a8
SHA256

42dd5d2085e3acab633e31f0a6353f8af2cc22d896a79940d415b4809b9b87b6
SHA512

f110e6acb842901319552dd5fc79916c075124bda88763bf643de43cfddc030be4c0033269f78c53141c62f27ca035339789b45882e55325283d2aee9d323ee8
SSDEEP

24576:ky6Pw9tDwaKpyyFTSh6Apz5eYTFBXyPWf:zcw9qzy+TSh6G7FBXy

Score

10^/10

redline infostealer persistence stealer

Malware Config

Signatures

Detects Redline Stealer samples 1 IoCs

This rule detects the presence of Redline Stealer samples based on their unique strings.

stealer

resource	yara_rule
behavioral2/memory/800-155-0x0000000008290000-0x00000000088A8000-memory.dmp	redline_stealer

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Executes dropped EXE 3 IoCs

pid	Process
4220	y2489530.exe
2640	y5049967.exe
800	k2460310.exe

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	y2489530.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	y2489530.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	y5049967.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	y5049967.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	42dd5d2085e3acab633e31f0a6353f8af2cc22d896a79940d415b4809b9b87b6.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	42dd5d2085e3acab633e31f0a6353f8af2cc22d896a79940d415b4809b9b87b6.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 2512 wrote to memory of 4220	2512	42dd5d2085e3acab633e31f0a6353f8af2cc22d896a79940d415b4809b9b87b6.exe	83
PID 2512 wrote to memory of 4220	2512	42dd5d2085e3acab633e31f0a6353f8af2cc22d896a79940d415b4809b9b87b6.exe	83
PID 2512 wrote to memory of 4220	2512	42dd5d2085e3acab633e31f0a6353f8af2cc22d896a79940d415b4809b9b87b6.exe	83
PID 4220 wrote to memory of 2640	4220	y2489530.exe	84
PID 4220 wrote to memory of 2640	4220	y2489530.exe	84
PID 4220 wrote to memory of 2640	4220	y2489530.exe	84
PID 2640 wrote to memory of 800	2640	y5049967.exe	85
PID 2640 wrote to memory of 800	2640	y5049967.exe	85
PID 2640 wrote to memory of 800	2640	y5049967.exe	85

C:\Users\Admin\AppData\Local\Temp\42dd5d2085e3acab633e31f0a6353f8af2cc22d896a79940d415b4809b9b87b6.exe
"C:\Users\Admin\AppData\Local\Temp\42dd5d2085e3acab633e31f0a6353f8af2cc22d896a79940d415b4809b9b87b6.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2512
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y2489530.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y2489530.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:4220
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y5049967.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y5049967.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:2640
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\k2460310.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\k2460310.exe
      4⤵
      Executes dropped EXE
      PID:800

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y2489530.exe

Filesize
599KB

MD5
638ee350c3843dbd462e0a6054c96d9b

SHA1
35932139bf5c907986226e946e54333bb8598353

SHA256
c0bad89c9dc8a34af84235e2b5915ad2a2088a98a566d1d74d2fccd9d5b0a35f

SHA512
8829b0a3f422fc6c65fd38819ca3d39e3f1b14222fd954670bc6a0565f5160ee46a6e69d62f5f3ec807742ef9778cfd686a0b9fff548d9a96562fe20a716ac68

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y2489530.exe

Filesize
599KB

MD5
638ee350c3843dbd462e0a6054c96d9b

SHA1
35932139bf5c907986226e946e54333bb8598353

SHA256
c0bad89c9dc8a34af84235e2b5915ad2a2088a98a566d1d74d2fccd9d5b0a35f

SHA512
8829b0a3f422fc6c65fd38819ca3d39e3f1b14222fd954670bc6a0565f5160ee46a6e69d62f5f3ec807742ef9778cfd686a0b9fff548d9a96562fe20a716ac68

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y5049967.exe

Filesize
395KB

MD5
c6b111893551215495bd6da934612fbb

SHA1
5cb8ad0fab07b75961359268292ee9f58ff3e563

SHA256
2b5fc247c4b0d6dc01245d6ac51e765f234cb3f0af54eb4bb5d5011a81154986

SHA512
e41a867ecb3b84c6b2dcc8c072ed9be6e9954a18c2cc1aa92cd41692767325644565f7ee5b8ed8bfb307aae691a97f66099cda804c2b99091a7d04298ec4f012

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y5049967.exe

Filesize
395KB

MD5
c6b111893551215495bd6da934612fbb

SHA1
5cb8ad0fab07b75961359268292ee9f58ff3e563

SHA256
2b5fc247c4b0d6dc01245d6ac51e765f234cb3f0af54eb4bb5d5011a81154986

SHA512
e41a867ecb3b84c6b2dcc8c072ed9be6e9954a18c2cc1aa92cd41692767325644565f7ee5b8ed8bfb307aae691a97f66099cda804c2b99091a7d04298ec4f012

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\k2460310.exe

Filesize
136KB

MD5
709dee1d89ebc755e200d90726736e26

SHA1
f91ee62f5fefb53f086b2f243761130b902593aa

SHA256
909862eed1f1b927165a16dd48ef0df23a27890d0a5ae5f06f866c5867d1eaaa

SHA512
674a41587896dd034e15c2c9b1789ce635bf4f6fe8cbf3bd1646e2e210c8139d45a8e82e4e365a3d3b8f1d5c2b7e39c7b372213b29c6b98ba8938fc11600aea4

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\k2460310.exe

Filesize
136KB

MD5
709dee1d89ebc755e200d90726736e26

SHA1
f91ee62f5fefb53f086b2f243761130b902593aa

SHA256
909862eed1f1b927165a16dd48ef0df23a27890d0a5ae5f06f866c5867d1eaaa

SHA512
674a41587896dd034e15c2c9b1789ce635bf4f6fe8cbf3bd1646e2e210c8139d45a8e82e4e365a3d3b8f1d5c2b7e39c7b372213b29c6b98ba8938fc11600aea4

Download Submit
memory/800-154-0x0000000000FE0000-0x0000000001008000-memory.dmp

Filesize
160KB

Download
memory/800-155-0x0000000008290000-0x00000000088A8000-memory.dmp

Filesize
6.1MB

Download
memory/800-156-0x0000000007D10000-0x0000000007D22000-memory.dmp

Filesize
72KB

Download
memory/800-157-0x0000000007E40000-0x0000000007F4A000-memory.dmp

Filesize
1.0MB

Download
memory/800-158-0x0000000007CF0000-0x0000000007D00000-memory.dmp

Filesize
64KB

Download
memory/800-159-0x0000000007D70000-0x0000000007DAC000-memory.dmp

Filesize
240KB

Download
memory/800-160-0x0000000007CF0000-0x0000000007D00000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing