redline | 4684f3e1b8f09396c15c5404fbf5a6920612c0bac27f1efcfc1fc677443fb09c

General

Target

4684f3e1b8f09396c15c5404fbf5a6920612c0bac27f1efcfc1fc677443fb09c.exe
Size

480KB
MD5

68f1e9940eca94eae5afc7262020ac89
SHA1

5bb896f17d17608e9849606e191ade4b254538f4
SHA256

4684f3e1b8f09396c15c5404fbf5a6920612c0bac27f1efcfc1fc677443fb09c
SHA512

27db8e0b5074df81034431c2379730085b5cade901449b8c06a176f7381f1ae1df8f86b9b75f1abc348ea6d5c7d33619feecb819573e5521adca78c41930d71a
SSDEEP

6144:KHy+bnr+/up0yN90QEKLhxkL4Q5xCW6Rd7HDByt7mne+kMt4+wDri20ET2gDmAbT:tMrIvy90cYJ5xuRdbcOthwy2wgX3

Score

10^/10

redline daris infostealer persistence stealer

Malware Config

Extracted

Family

redline

Botnet

daris

C2

217.196.96.56:4138

Attributes

auth_value
3491f24ae0250969cd45ce4b3fe77549

Signatures

Detects Redline Stealer samples 1 IoCs

This rule detects the presence of Redline Stealer samples based on their unique strings.

stealer

resource	yara_rule
behavioral2/memory/3008-148-0x000000000A5E0000-0x000000000ABF8000-memory.dmp	redline_stealer

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Executes dropped EXE 2 IoCs

pid	Process
1832	y9371405.exe
3008	k2589588.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	y9371405.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	y9371405.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	4684f3e1b8f09396c15c5404fbf5a6920612c0bac27f1efcfc1fc677443fb09c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	4684f3e1b8f09396c15c5404fbf5a6920612c0bac27f1efcfc1fc677443fb09c.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 4152 wrote to memory of 1832	4152	4684f3e1b8f09396c15c5404fbf5a6920612c0bac27f1efcfc1fc677443fb09c.exe	82
PID 4152 wrote to memory of 1832	4152	4684f3e1b8f09396c15c5404fbf5a6920612c0bac27f1efcfc1fc677443fb09c.exe	82
PID 4152 wrote to memory of 1832	4152	4684f3e1b8f09396c15c5404fbf5a6920612c0bac27f1efcfc1fc677443fb09c.exe	82
PID 1832 wrote to memory of 3008	1832	y9371405.exe	83
PID 1832 wrote to memory of 3008	1832	y9371405.exe	83
PID 1832 wrote to memory of 3008	1832	y9371405.exe	83

C:\Users\Admin\AppData\Local\Temp\4684f3e1b8f09396c15c5404fbf5a6920612c0bac27f1efcfc1fc677443fb09c.exe
"C:\Users\Admin\AppData\Local\Temp\4684f3e1b8f09396c15c5404fbf5a6920612c0bac27f1efcfc1fc677443fb09c.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4152
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y9371405.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y9371405.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:1832
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k2589588.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k2589588.exe
    3⤵
    - Executes dropped EXE
    PID:3008

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y9371405.exe

Filesize
308KB

MD5
63f63bcef9868c18d599e9fbd7461c62

SHA1
5b5c99dfb002fc3147b5d5ffa0937ebb060deb58

SHA256
927c96e806c7d149fce4d5136843cab463fba2440c489ca6837bc5a1907d568d

SHA512
dff89bcd1c12a3036482ccc65a455390f44cd8078ce654d6ad8a94d2899d9e1410d4612f50afccdda2950373fdf5beee6202c2600a4203738a0b4042c262a7d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y9371405.exe

Filesize
308KB

MD5
63f63bcef9868c18d599e9fbd7461c62

SHA1
5b5c99dfb002fc3147b5d5ffa0937ebb060deb58

SHA256
927c96e806c7d149fce4d5136843cab463fba2440c489ca6837bc5a1907d568d

SHA512
dff89bcd1c12a3036482ccc65a455390f44cd8078ce654d6ad8a94d2899d9e1410d4612f50afccdda2950373fdf5beee6202c2600a4203738a0b4042c262a7d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k2589588.exe

Filesize
168KB

MD5
5d4af04a4859feafaaffd273b293bb8a

SHA1
7c1ad03de8609e93757557c5cd332ee21500c181

SHA256
60712b463c640bb3c7ecdeb7f1f27b0d6c60b192213905549e7b71f8546a0180

SHA512
06b1df0a6f415d3cf67255c498591cc3d4c98ee0129eb78049f4b06ecee8830c147bd249cbc16d10f6555e2a84547a5df5e79d950ad8eaa7bff7d36750fd7ec7

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k2589588.exe

Filesize
168KB

MD5
5d4af04a4859feafaaffd273b293bb8a

SHA1
7c1ad03de8609e93757557c5cd332ee21500c181

SHA256
60712b463c640bb3c7ecdeb7f1f27b0d6c60b192213905549e7b71f8546a0180

SHA512
06b1df0a6f415d3cf67255c498591cc3d4c98ee0129eb78049f4b06ecee8830c147bd249cbc16d10f6555e2a84547a5df5e79d950ad8eaa7bff7d36750fd7ec7

Download Submit
memory/3008-147-0x0000000000260000-0x000000000028E000-memory.dmp

Filesize
184KB

Download
memory/3008-148-0x000000000A5E0000-0x000000000ABF8000-memory.dmp

Filesize
6.1MB

Download
memory/3008-149-0x000000000A0D0000-0x000000000A1DA000-memory.dmp

Filesize
1.0MB

Download
memory/3008-150-0x0000000009FE0000-0x0000000009FF2000-memory.dmp

Filesize
72KB

Download
memory/3008-151-0x000000000A040000-0x000000000A07C000-memory.dmp

Filesize
240KB

Download
memory/3008-152-0x0000000002540000-0x0000000002550000-memory.dmp

Filesize
64KB

Download
memory/3008-153-0x0000000002540000-0x0000000002550000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing