redline | 52fe387f2a61b46e337a863669d80d34d343f4f46f2b41167cee09a3759604a9

General

Target

52fe387f2a61b46e337a863669d80d34d343f4f46f2b41167cee09a3759604a9.exe
Size

587KB
MD5

08fe701adcd51f0fc850c5a8ad0bdeea
SHA1

beded60d590d4f4b737127dda2e9d6c034f82fed
SHA256

52fe387f2a61b46e337a863669d80d34d343f4f46f2b41167cee09a3759604a9
SHA512

72e6666c3e361aa1eac920b5ff27cab033f303433b71890bd8f635be8beb86a58a76c17220025ec541b83f16487a76491a44bc87bcbd532e372f9ebecfe9b89b
SSDEEP

12288:5MrXy90BGCYgSJGQY1BApUBTBy/xWoXrWbPVisPqqpPL4ZuQe6d2c:myDg65aBFBTBy/xWXDdpPLxQ/dT

Score

10^/10

redline daris infostealer persistence stealer

Malware Config

Extracted

Family

redline

Botnet

daris

C2

217.196.96.56:4138

Attributes

auth_value
3491f24ae0250969cd45ce4b3fe77549

Signatures

Detects Redline Stealer samples 1 IoCs

This rule detects the presence of Redline Stealer samples based on their unique strings.

stealer

resource	yara_rule
behavioral2/memory/4400-149-0x000000000A420000-0x000000000AA38000-memory.dmp	redline_stealer

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Executes dropped EXE 2 IoCs

pid	Process
916	x3755299.exe
4400	g1978789.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	52fe387f2a61b46e337a863669d80d34d343f4f46f2b41167cee09a3759604a9.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	52fe387f2a61b46e337a863669d80d34d343f4f46f2b41167cee09a3759604a9.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	x3755299.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	x3755299.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 2680 wrote to memory of 916	2680	52fe387f2a61b46e337a863669d80d34d343f4f46f2b41167cee09a3759604a9.exe	81
PID 2680 wrote to memory of 916	2680	52fe387f2a61b46e337a863669d80d34d343f4f46f2b41167cee09a3759604a9.exe	81
PID 2680 wrote to memory of 916	2680	52fe387f2a61b46e337a863669d80d34d343f4f46f2b41167cee09a3759604a9.exe	81
PID 916 wrote to memory of 4400	916	x3755299.exe	82
PID 916 wrote to memory of 4400	916	x3755299.exe	82
PID 916 wrote to memory of 4400	916	x3755299.exe	82

C:\Users\Admin\AppData\Local\Temp\52fe387f2a61b46e337a863669d80d34d343f4f46f2b41167cee09a3759604a9.exe
"C:\Users\Admin\AppData\Local\Temp\52fe387f2a61b46e337a863669d80d34d343f4f46f2b41167cee09a3759604a9.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2680
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x3755299.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x3755299.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:916
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g1978789.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g1978789.exe
    3⤵
    - Executes dropped EXE
    PID:4400

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x3755299.exe

Filesize
416KB

MD5
a3880680f21ce2d3552dba6f7868385c

SHA1
70ebb8ee630c0abe71acc1183288dfcc80c962ea

SHA256
0bd9737d5d185bf0c211c90cf2c93160ecf5de91d8ee32097c21519b8a52e296

SHA512
680fb46504532611ea0fd31729822b7ae906f5e65005e887ff70019de63bec1345b1dc99bc5a3a698a0c9e989758551839328170c877dc7af40d85c732dabe0c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x3755299.exe

Filesize
416KB

MD5
a3880680f21ce2d3552dba6f7868385c

SHA1
70ebb8ee630c0abe71acc1183288dfcc80c962ea

SHA256
0bd9737d5d185bf0c211c90cf2c93160ecf5de91d8ee32097c21519b8a52e296

SHA512
680fb46504532611ea0fd31729822b7ae906f5e65005e887ff70019de63bec1345b1dc99bc5a3a698a0c9e989758551839328170c877dc7af40d85c732dabe0c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g1978789.exe

Filesize
168KB

MD5
2d4a90923aef12b646f39f621dfc2ed0

SHA1
b5e7efce80b1d023f386ec4bb5db13e80168338f

SHA256
c7c380167153e25ae7b1ecb88c87b89898d51e7a9db5dc6e2d9a46399c600a48

SHA512
a9f779731397f5f3ac704999eb32e8989789e577d62a06ab125cb4d2a4e3444496be4ee9dcc3c6a71ebd6618fa04473d55d2c2250a98760ab35138b5beba2a7a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g1978789.exe

Filesize
168KB

MD5
2d4a90923aef12b646f39f621dfc2ed0

SHA1
b5e7efce80b1d023f386ec4bb5db13e80168338f

SHA256
c7c380167153e25ae7b1ecb88c87b89898d51e7a9db5dc6e2d9a46399c600a48

SHA512
a9f779731397f5f3ac704999eb32e8989789e577d62a06ab125cb4d2a4e3444496be4ee9dcc3c6a71ebd6618fa04473d55d2c2250a98760ab35138b5beba2a7a

Download Submit
memory/4400-148-0x0000000000080000-0x00000000000AE000-memory.dmp

Filesize
184KB

Download
memory/4400-149-0x000000000A420000-0x000000000AA38000-memory.dmp

Filesize
6.1MB

Download
memory/4400-150-0x0000000009F10000-0x000000000A01A000-memory.dmp

Filesize
1.0MB

Download
memory/4400-151-0x0000000009E00000-0x0000000009E12000-memory.dmp

Filesize
72KB

Download
memory/4400-152-0x0000000009E20000-0x0000000009E5C000-memory.dmp

Filesize
240KB

Download
memory/4400-153-0x0000000004A70000-0x0000000004A80000-memory.dmp

Filesize
64KB

Download
memory/4400-154-0x0000000004A70000-0x0000000004A80000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing