redline | 531a4fa092db05115532b13d0a71412a1227fbd0cc5338ae1eed38de096b6320

General

Target

531a4fa092db05115532b13d0a71412a1227fbd0cc5338ae1eed38de096b6320.exe
Size

480KB
MD5

7cd19f520a91f59277b37d4baa0aaf74
SHA1

87b29a832f3e55a9786dc130d642fda4bca2e615
SHA256

531a4fa092db05115532b13d0a71412a1227fbd0cc5338ae1eed38de096b6320
SHA512

59155067485e9d75cf9de28cf2c4d80ad0952ff9d48d7413b9fc6d5ff3ca18440a54fc91138964e701f1f83d255e987b8492a30298ee71ae024ba74f80f8efd7
SSDEEP

12288:IMr6y90lN+reTk6ta0AdoaDVk/JwXk4hfhFbC3GJii9DY/:CyI+X0aLepwXk4dvbAi9Y/

Score

10^/10

redline daris infostealer persistence stealer

Malware Config

Extracted

Family

redline

Botnet

daris

C2

217.196.96.56:4138

Attributes

auth_value
3491f24ae0250969cd45ce4b3fe77549

Signatures

Detects Redline Stealer samples 1 IoCs

This rule detects the presence of Redline Stealer samples based on their unique strings.

stealer

resource	yara_rule
behavioral2/memory/3816-148-0x000000000AD20000-0x000000000B338000-memory.dmp	redline_stealer

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Executes dropped EXE 2 IoCs

pid	Process
2120	y7656646.exe
3816	k8275268.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	531a4fa092db05115532b13d0a71412a1227fbd0cc5338ae1eed38de096b6320.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	531a4fa092db05115532b13d0a71412a1227fbd0cc5338ae1eed38de096b6320.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	y7656646.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	y7656646.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 1896 wrote to memory of 2120	1896	531a4fa092db05115532b13d0a71412a1227fbd0cc5338ae1eed38de096b6320.exe	84
PID 1896 wrote to memory of 2120	1896	531a4fa092db05115532b13d0a71412a1227fbd0cc5338ae1eed38de096b6320.exe	84
PID 1896 wrote to memory of 2120	1896	531a4fa092db05115532b13d0a71412a1227fbd0cc5338ae1eed38de096b6320.exe	84
PID 2120 wrote to memory of 3816	2120	y7656646.exe	85
PID 2120 wrote to memory of 3816	2120	y7656646.exe	85
PID 2120 wrote to memory of 3816	2120	y7656646.exe	85

C:\Users\Admin\AppData\Local\Temp\531a4fa092db05115532b13d0a71412a1227fbd0cc5338ae1eed38de096b6320.exe
"C:\Users\Admin\AppData\Local\Temp\531a4fa092db05115532b13d0a71412a1227fbd0cc5338ae1eed38de096b6320.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1896
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y7656646.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y7656646.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:2120
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k8275268.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k8275268.exe
    3⤵
    - Executes dropped EXE
    PID:3816

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y7656646.exe

Filesize
308KB

MD5
015193090cde6362827ead4339d253dc

SHA1
e905bf59284c13e395b9bbb3829916707d85fd3f

SHA256
779cd02c465983b240575ad0b08243eae9bb7ddf4d4dec8b0355dddeb4f458b2

SHA512
f6951005bb72295913adf32930f66538afb58130bfe1dfb7b0e2851eff680eb6cb4c7424b4ce86724e6e72067de27011491f3089500ee73373bf0c0602628315

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y7656646.exe

Filesize
308KB

MD5
015193090cde6362827ead4339d253dc

SHA1
e905bf59284c13e395b9bbb3829916707d85fd3f

SHA256
779cd02c465983b240575ad0b08243eae9bb7ddf4d4dec8b0355dddeb4f458b2

SHA512
f6951005bb72295913adf32930f66538afb58130bfe1dfb7b0e2851eff680eb6cb4c7424b4ce86724e6e72067de27011491f3089500ee73373bf0c0602628315

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k8275268.exe

Filesize
168KB

MD5
310ea8cbc0ac85e9e66432778d53b372

SHA1
679382b6eadc0f1b01a2c0d09e551ed7355db355

SHA256
ec590a7dbe8983edc673d2027196e0a99230a5bdb1e783de5ef73db95a2ee0aa

SHA512
82c712bc074ff724f9d333ab45646649630502150e359f469635d144c59b1d333eb0f1cd4a78c10b2f2d15aaaa9956757c9b4d901e669f855c8887d70d8783af

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k8275268.exe

Filesize
168KB

MD5
310ea8cbc0ac85e9e66432778d53b372

SHA1
679382b6eadc0f1b01a2c0d09e551ed7355db355

SHA256
ec590a7dbe8983edc673d2027196e0a99230a5bdb1e783de5ef73db95a2ee0aa

SHA512
82c712bc074ff724f9d333ab45646649630502150e359f469635d144c59b1d333eb0f1cd4a78c10b2f2d15aaaa9956757c9b4d901e669f855c8887d70d8783af

Download Submit
memory/3816-147-0x00000000008C0000-0x00000000008EE000-memory.dmp

Filesize
184KB

Download
memory/3816-148-0x000000000AD20000-0x000000000B338000-memory.dmp

Filesize
6.1MB

Download
memory/3816-149-0x000000000A840000-0x000000000A94A000-memory.dmp

Filesize
1.0MB

Download
memory/3816-150-0x000000000A770000-0x000000000A782000-memory.dmp

Filesize
72KB

Download
memory/3816-151-0x000000000A7D0000-0x000000000A80C000-memory.dmp

Filesize
240KB

Download
memory/3816-152-0x0000000005370000-0x0000000005380000-memory.dmp

Filesize
64KB

Download
memory/3816-153-0x0000000005370000-0x0000000005380000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing