redline | 45c2ed896f4323dff0b5959f51e2c4df36f6e3329d95943858375e01cfd97b81

General

Target

45c2ed896f4323dff0b5959f51e2c4df36f6e3329d95943858375e01cfd97b81.exe
Size

479KB
MD5

fd7d427b3041dc3758fcde4d6c7dba33
SHA1

e966159f3ddeaadc7bf7e46e3c38d0027ff0987c
SHA256

45c2ed896f4323dff0b5959f51e2c4df36f6e3329d95943858375e01cfd97b81
SHA512

4a1063a72ef2affb14d500f5c60e55a469076e87fec5a1c2ba9bc60add4127c4d8f487fbefdadb41dfcd6ca96c58c20ebd728b55ed793a8605030290415dc768
SSDEEP

12288:UMrly907WLPkqHmYfNm1ST9MwOujOeEFDtubyzT:Jy6OPkGfAb2EFpjzT

Score

10^/10

redline infostealer persistence stealer

Malware Config

Signatures

Detects Redline Stealer samples 1 IoCs

This rule detects the presence of Redline Stealer samples based on their unique strings.

stealer

resource	yara_rule
behavioral2/memory/4028-148-0x0000000008160000-0x0000000008778000-memory.dmp	redline_stealer

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Executes dropped EXE 2 IoCs

pid	Process
4124	x7569641.exe
4028	g5366696.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	x7569641.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	x7569641.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	45c2ed896f4323dff0b5959f51e2c4df36f6e3329d95943858375e01cfd97b81.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	45c2ed896f4323dff0b5959f51e2c4df36f6e3329d95943858375e01cfd97b81.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 4576 wrote to memory of 4124	4576	45c2ed896f4323dff0b5959f51e2c4df36f6e3329d95943858375e01cfd97b81.exe	80
PID 4576 wrote to memory of 4124	4576	45c2ed896f4323dff0b5959f51e2c4df36f6e3329d95943858375e01cfd97b81.exe	80
PID 4576 wrote to memory of 4124	4576	45c2ed896f4323dff0b5959f51e2c4df36f6e3329d95943858375e01cfd97b81.exe	80
PID 4124 wrote to memory of 4028	4124	x7569641.exe	81
PID 4124 wrote to memory of 4028	4124	x7569641.exe	81
PID 4124 wrote to memory of 4028	4124	x7569641.exe	81

C:\Users\Admin\AppData\Local\Temp\45c2ed896f4323dff0b5959f51e2c4df36f6e3329d95943858375e01cfd97b81.exe
"C:\Users\Admin\AppData\Local\Temp\45c2ed896f4323dff0b5959f51e2c4df36f6e3329d95943858375e01cfd97b81.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4576
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x7569641.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x7569641.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:4124
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g5366696.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g5366696.exe
    3⤵
    - Executes dropped EXE
    PID:4028

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x7569641.exe

Filesize
307KB

MD5
26174960f90b36a73cbbf5a90d068beb

SHA1
e6d5b33c34d75091bcb6a9f87b05ccd6b98f15ae

SHA256
23bbb60a110f373dc6cb48022fd4ea852b7a0f63ea76267956f5d7f797289253

SHA512
7b8823189e382c28b56aeab3a90d21de55091fc66ce6956a37414e60c2846e65b0d73eeda4143cb007f83b2bdd0bd13acbaba9dd3d2c41c0fc4096777a3b5919

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x7569641.exe

Filesize
307KB

MD5
26174960f90b36a73cbbf5a90d068beb

SHA1
e6d5b33c34d75091bcb6a9f87b05ccd6b98f15ae

SHA256
23bbb60a110f373dc6cb48022fd4ea852b7a0f63ea76267956f5d7f797289253

SHA512
7b8823189e382c28b56aeab3a90d21de55091fc66ce6956a37414e60c2846e65b0d73eeda4143cb007f83b2bdd0bd13acbaba9dd3d2c41c0fc4096777a3b5919

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g5366696.exe

Filesize
136KB

MD5
a9e07edf511b7f0a590242db0beb45ab

SHA1
44c8df05c09989a6cd64ad4c1953c0489de4c73f

SHA256
20e7df9333d48b9aade5b1d213cc7226f44267a9c9528fda0cc27aea2e32fdbe

SHA512
8d314898abdb98364a17da544c28d24d3a0a626a588d7b69da118e592e289f9ad85ef4d92202a77d080b0b1c1617495655fb5a0a9ed6c2015c8812dd2aac8cf0

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g5366696.exe

Filesize
136KB

MD5
a9e07edf511b7f0a590242db0beb45ab

SHA1
44c8df05c09989a6cd64ad4c1953c0489de4c73f

SHA256
20e7df9333d48b9aade5b1d213cc7226f44267a9c9528fda0cc27aea2e32fdbe

SHA512
8d314898abdb98364a17da544c28d24d3a0a626a588d7b69da118e592e289f9ad85ef4d92202a77d080b0b1c1617495655fb5a0a9ed6c2015c8812dd2aac8cf0

Download Submit
memory/4028-147-0x0000000000E90000-0x0000000000EB8000-memory.dmp

Filesize
160KB

Download
memory/4028-148-0x0000000008160000-0x0000000008778000-memory.dmp

Filesize
6.1MB

Download
memory/4028-149-0x0000000005780000-0x0000000005792000-memory.dmp

Filesize
72KB

Download
memory/4028-150-0x0000000007E50000-0x0000000007F5A000-memory.dmp

Filesize
1.0MB

Download
memory/4028-151-0x0000000007D80000-0x0000000007DBC000-memory.dmp

Filesize
240KB

Download
memory/4028-152-0x0000000007DE0000-0x0000000007DF0000-memory.dmp

Filesize
64KB

Download
memory/4028-153-0x0000000007DE0000-0x0000000007DF0000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing