redline | 4f6a0ddfcb845de6b8486b0134b48e65ccfbc10ef394862baa6c4147e41f3bbe

General

Target

4f6a0ddfcb845de6b8486b0134b48e65ccfbc10ef394862baa6c4147e41f3bbe.exe
Size

479KB
MD5

a7197f87435b55aed36005c1d7a44054
SHA1

35673ff66b6ea4c9057a9e56d838511d29d2845e
SHA256

4f6a0ddfcb845de6b8486b0134b48e65ccfbc10ef394862baa6c4147e41f3bbe
SHA512

28a22752459740b48ead8ccb06160a525d1b4700edfb945c34ad0efd1202f495b76ede88e8139cc769decd425bf4cace41a3da7516c1a432c8a2181b0849abe0
SSDEEP

12288:nMrxy90FOgdm8vDKJgGZKVBPmGn88bwZpf30kpd:qyrWCVZUhS8c/30gd

Score

10^/10

redline infostealer persistence stealer

Malware Config

Signatures

Detects Redline Stealer samples 2 IoCs

This rule detects the presence of Redline Stealer samples based on their unique strings.

stealer

resource	yara_rule
behavioral2/memory/4280-148-0x0000000008280000-0x0000000008898000-memory.dmp	redline_stealer
behavioral2/memory/4280-151-0x0000000007D20000-0x0000000007D30000-memory.dmp	redline_stealer

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Executes dropped EXE 2 IoCs

pid	Process
1404	x5782298.exe
4280	g2913555.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	x5782298.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	4f6a0ddfcb845de6b8486b0134b48e65ccfbc10ef394862baa6c4147e41f3bbe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	4f6a0ddfcb845de6b8486b0134b48e65ccfbc10ef394862baa6c4147e41f3bbe.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	x5782298.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 3280 wrote to memory of 1404	3280	4f6a0ddfcb845de6b8486b0134b48e65ccfbc10ef394862baa6c4147e41f3bbe.exe	80
PID 3280 wrote to memory of 1404	3280	4f6a0ddfcb845de6b8486b0134b48e65ccfbc10ef394862baa6c4147e41f3bbe.exe	80
PID 3280 wrote to memory of 1404	3280	4f6a0ddfcb845de6b8486b0134b48e65ccfbc10ef394862baa6c4147e41f3bbe.exe	80
PID 1404 wrote to memory of 4280	1404	x5782298.exe	81
PID 1404 wrote to memory of 4280	1404	x5782298.exe	81
PID 1404 wrote to memory of 4280	1404	x5782298.exe	81

C:\Users\Admin\AppData\Local\Temp\4f6a0ddfcb845de6b8486b0134b48e65ccfbc10ef394862baa6c4147e41f3bbe.exe
"C:\Users\Admin\AppData\Local\Temp\4f6a0ddfcb845de6b8486b0134b48e65ccfbc10ef394862baa6c4147e41f3bbe.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3280
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x5782298.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x5782298.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:1404
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g2913555.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g2913555.exe
    3⤵
    - Executes dropped EXE
    PID:4280

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x5782298.exe

Filesize
308KB

MD5
c11417d0f2ae2e687434d7a8299428a0

SHA1
5e79129836d34a887322964f23d82f01f221d02e

SHA256
780ce1a07fc44af73bb29df7e5fefdb032a038811f93b3f0139a487242273af3

SHA512
c198bf6dfb7d890f1575fd60ed7e702f6bb452f8a06d87332a931a9dafb7893bdde2cc6d593aa605ba00cad72b80ace55e78c7a6ab99edd89e7a7baad47e17e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x5782298.exe

Filesize
308KB

MD5
c11417d0f2ae2e687434d7a8299428a0

SHA1
5e79129836d34a887322964f23d82f01f221d02e

SHA256
780ce1a07fc44af73bb29df7e5fefdb032a038811f93b3f0139a487242273af3

SHA512
c198bf6dfb7d890f1575fd60ed7e702f6bb452f8a06d87332a931a9dafb7893bdde2cc6d593aa605ba00cad72b80ace55e78c7a6ab99edd89e7a7baad47e17e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g2913555.exe

Filesize
136KB

MD5
4b2e594eefb2a3e883b2db4fae05f3b6

SHA1
2dd0cc22701588ff040fdba5ae91ac0044cf1e44

SHA256
975ec8b091898fff325c1d7ed26a13198985750592ec50e96d76d4d0ef12ce82

SHA512
c20665dbb80f63d0a62a8a29766d3492574234ee7c363beaae81bea3c46388b65435f8f98ce6cc5d723234369da05f2300b2ccc09fbded294f0cd4177778070b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g2913555.exe

Filesize
136KB

MD5
4b2e594eefb2a3e883b2db4fae05f3b6

SHA1
2dd0cc22701588ff040fdba5ae91ac0044cf1e44

SHA256
975ec8b091898fff325c1d7ed26a13198985750592ec50e96d76d4d0ef12ce82

SHA512
c20665dbb80f63d0a62a8a29766d3492574234ee7c363beaae81bea3c46388b65435f8f98ce6cc5d723234369da05f2300b2ccc09fbded294f0cd4177778070b

Download Submit
memory/4280-147-0x0000000000FB0000-0x0000000000FD8000-memory.dmp

Filesize
160KB

Download
memory/4280-148-0x0000000008280000-0x0000000008898000-memory.dmp

Filesize
6.1MB

Download
memory/4280-149-0x0000000007CE0000-0x0000000007CF2000-memory.dmp

Filesize
72KB

Download
memory/4280-150-0x0000000007E10000-0x0000000007F1A000-memory.dmp

Filesize
1.0MB

Download
memory/4280-151-0x0000000007D20000-0x0000000007D30000-memory.dmp

Filesize
64KB

Download
memory/4280-152-0x0000000007D70000-0x0000000007DAC000-memory.dmp

Filesize
240KB

Download
memory/4280-153-0x0000000007D20000-0x0000000007D30000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing