redline | 56bda6d78374abade54633563c7aa37e193d7888802eefaa44792fd94029094c

General

Target

56bda6d78374abade54633563c7aa37e193d7888802eefaa44792fd94029094c.exe
Size

643KB
MD5

537626c1376fc48f62dce4c6f3b47924
SHA1

0db4310258602b3a1c788034e1b4235a44eaad92
SHA256

56bda6d78374abade54633563c7aa37e193d7888802eefaa44792fd94029094c
SHA512

450ca1c8da4bccf978e5456b9e9e1415974d2772eb5a6d088f818ca542cedd6801132726be0faf84f25202ae846a819b305a90c971b25eac0e784aaeefe922f8
SSDEEP

12288:JMrFy90ABlYOiXFoqnxa8sONhYxtR8D9aHscFHxbJnyUkLyLzP44S9XdYlhf:Ey8BFrnx7sj8ZaMcdh7kLyLzPvSPi

Score

10^/10

redline darm infostealer persistence stealer

Malware Config

Extracted

Family

redline

Botnet

darm

C2

217.196.96.56:4138

Attributes

auth_value
d88ac8ccc04ab9979b04b46313db1648

Signatures

Detects Redline Stealer samples 1 IoCs

This rule detects the presence of Redline Stealer samples based on their unique strings.

stealer

resource	yara_rule
behavioral2/memory/3860-148-0x000000000AA50000-0x000000000B068000-memory.dmp	redline_stealer

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Executes dropped EXE 2 IoCs

pid	Process
3360	x2397502.exe
3860	g2748512.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	56bda6d78374abade54633563c7aa37e193d7888802eefaa44792fd94029094c.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	x2397502.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	x2397502.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	56bda6d78374abade54633563c7aa37e193d7888802eefaa44792fd94029094c.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 1044 wrote to memory of 3360	1044	56bda6d78374abade54633563c7aa37e193d7888802eefaa44792fd94029094c.exe	85
PID 1044 wrote to memory of 3360	1044	56bda6d78374abade54633563c7aa37e193d7888802eefaa44792fd94029094c.exe	85
PID 1044 wrote to memory of 3360	1044	56bda6d78374abade54633563c7aa37e193d7888802eefaa44792fd94029094c.exe	85
PID 3360 wrote to memory of 3860	3360	x2397502.exe	86
PID 3360 wrote to memory of 3860	3360	x2397502.exe	86
PID 3360 wrote to memory of 3860	3360	x2397502.exe	86

C:\Users\Admin\AppData\Local\Temp\56bda6d78374abade54633563c7aa37e193d7888802eefaa44792fd94029094c.exe
"C:\Users\Admin\AppData\Local\Temp\56bda6d78374abade54633563c7aa37e193d7888802eefaa44792fd94029094c.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1044
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x2397502.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x2397502.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:3360
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g2748512.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g2748512.exe
    3⤵
    - Executes dropped EXE
    PID:3860

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x2397502.exe

Filesize
383KB

MD5
0090e627f4bcd11d7f395c28a337c421

SHA1
471f8518118320d89e4a2069bde3d3c4eaee9d4c

SHA256
5740774b15b56a8acc2c517c32419928b438dc414bbe541264dab0aaf2703efd

SHA512
8ea20a86e5e68c1b93ad4b5622a882d83a7a2392296291f88b99262873dbb047a8555e646c6bdd1604939bf54265093a780ad37ff5e59273242a0f277e3a38e3

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x2397502.exe

Filesize
383KB

MD5
0090e627f4bcd11d7f395c28a337c421

SHA1
471f8518118320d89e4a2069bde3d3c4eaee9d4c

SHA256
5740774b15b56a8acc2c517c32419928b438dc414bbe541264dab0aaf2703efd

SHA512
8ea20a86e5e68c1b93ad4b5622a882d83a7a2392296291f88b99262873dbb047a8555e646c6bdd1604939bf54265093a780ad37ff5e59273242a0f277e3a38e3

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g2748512.exe

Filesize
168KB

MD5
416d9ed85163fb53dfc7f9f98ede4201

SHA1
cbc2080f1fc82aed2b3d3e2fdec49085aa4aeef9

SHA256
5bcd0023054804203a0e5d55bf02e8b42046a58734e5d033fff6267d3aa5144a

SHA512
f3df3c33ff6405b963dfc0409bd0e0a46dcc7bb366b7e13bd843589759473bc41e71d65767f59cb475a6d3026faa98392bf9a7ab1283a5097b2a250a285e2349

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g2748512.exe

Filesize
168KB

MD5
416d9ed85163fb53dfc7f9f98ede4201

SHA1
cbc2080f1fc82aed2b3d3e2fdec49085aa4aeef9

SHA256
5bcd0023054804203a0e5d55bf02e8b42046a58734e5d033fff6267d3aa5144a

SHA512
f3df3c33ff6405b963dfc0409bd0e0a46dcc7bb366b7e13bd843589759473bc41e71d65767f59cb475a6d3026faa98392bf9a7ab1283a5097b2a250a285e2349

Download Submit
memory/3860-147-0x0000000000750000-0x0000000000780000-memory.dmp

Filesize
192KB

Download
memory/3860-148-0x000000000AA50000-0x000000000B068000-memory.dmp

Filesize
6.1MB

Download
memory/3860-149-0x000000000A590000-0x000000000A69A000-memory.dmp

Filesize
1.0MB

Download
memory/3860-151-0x0000000004FA0000-0x0000000004FB0000-memory.dmp

Filesize
64KB

Download
memory/3860-150-0x000000000A4C0000-0x000000000A4D2000-memory.dmp

Filesize
72KB

Download
memory/3860-152-0x000000000A520000-0x000000000A55C000-memory.dmp

Filesize
240KB

Download
memory/3860-153-0x0000000004FA0000-0x0000000004FB0000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing