redline | 58ac6c6ded05eafb628b4af8b4d9716ee88341bf2bc08576cd21803542078e69

General

Target

58ac6c6ded05eafb628b4af8b4d9716ee88341bf2bc08576cd21803542078e69.exe
Size

709KB
MD5

f792746fb599ad7f9b92b39ecc20d481
SHA1

9897f47af782d2de3814ae078c43a7722164f55e
SHA256

58ac6c6ded05eafb628b4af8b4d9716ee88341bf2bc08576cd21803542078e69
SHA512

a6f7c7025e6e07538b1ded1fd09fb6f75227c24c0028c48bc97222581ed22fd4aaed8c70c8e39d4958262bfd7f675f1ca643578cd4ee1537793125ef5de5ae3e
SSDEEP

12288:dMr1y900lHB7alS3QXDFB1ztzmYGveFCQv85i1q01AWpsuJwRAy3N5qT+O5k/QM:Yy9RaQ4jm72FHvCL0ZpsuJwRt3N5O5kt

Score

10^/10

redline infostealer persistence stealer

Malware Config

Signatures

Detects Redline Stealer samples 1 IoCs

This rule detects the presence of Redline Stealer samples based on their unique strings.

stealer

resource	yara_rule
behavioral2/memory/2648-148-0x0000000007650000-0x0000000007C68000-memory.dmp	redline_stealer

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Executes dropped EXE 2 IoCs

pid	Process
5000	x2422182.exe
2648	g7925769.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	x2422182.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	58ac6c6ded05eafb628b4af8b4d9716ee88341bf2bc08576cd21803542078e69.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	58ac6c6ded05eafb628b4af8b4d9716ee88341bf2bc08576cd21803542078e69.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	x2422182.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 1916 wrote to memory of 5000	1916	58ac6c6ded05eafb628b4af8b4d9716ee88341bf2bc08576cd21803542078e69.exe	78
PID 1916 wrote to memory of 5000	1916	58ac6c6ded05eafb628b4af8b4d9716ee88341bf2bc08576cd21803542078e69.exe	78
PID 1916 wrote to memory of 5000	1916	58ac6c6ded05eafb628b4af8b4d9716ee88341bf2bc08576cd21803542078e69.exe	78
PID 5000 wrote to memory of 2648	5000	x2422182.exe	79
PID 5000 wrote to memory of 2648	5000	x2422182.exe	79
PID 5000 wrote to memory of 2648	5000	x2422182.exe	79

C:\Users\Admin\AppData\Local\Temp\58ac6c6ded05eafb628b4af8b4d9716ee88341bf2bc08576cd21803542078e69.exe
"C:\Users\Admin\AppData\Local\Temp\58ac6c6ded05eafb628b4af8b4d9716ee88341bf2bc08576cd21803542078e69.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1916
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x2422182.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x2422182.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:5000
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g7925769.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g7925769.exe
    3⤵
    - Executes dropped EXE
    PID:2648

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x2422182.exe

Filesize
417KB

MD5
290a93d238094d6c80bd22402ef554d4

SHA1
57d9a177dc9a8f1e25f40b5f19aec0390f7addec

SHA256
41dcbb94ee361995f7fd8b9db8a989d4e1a7f800685ec5b82dc9bb9c29aa7d59

SHA512
d07ec1bba7e9fa345b5b36a74779f95bbd4593c7e309cddf58abd080353d482f4757d5e46d9cdd2eb6345ba311b9c72559ee74de7baf1e189e4d27861278df61

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x2422182.exe

Filesize
417KB

MD5
290a93d238094d6c80bd22402ef554d4

SHA1
57d9a177dc9a8f1e25f40b5f19aec0390f7addec

SHA256
41dcbb94ee361995f7fd8b9db8a989d4e1a7f800685ec5b82dc9bb9c29aa7d59

SHA512
d07ec1bba7e9fa345b5b36a74779f95bbd4593c7e309cddf58abd080353d482f4757d5e46d9cdd2eb6345ba311b9c72559ee74de7baf1e189e4d27861278df61

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g7925769.exe

Filesize
136KB

MD5
5d679fced995714e37641721c969b46b

SHA1
9c25783055ed7fbf6b005fae256506e03e5ab6d8

SHA256
54a608a985d330159dc7fa8b692523a2714e889c3074ce071960b0c45775303c

SHA512
a5d1afa6625c8b423ac17dc0c22be00e65db86b722fa21823dc210f127279846cf77390d86064a7e7bcba91bd870569fb5ba97d29afd99eec9c59f62aa5dc45c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g7925769.exe

Filesize
136KB

MD5
5d679fced995714e37641721c969b46b

SHA1
9c25783055ed7fbf6b005fae256506e03e5ab6d8

SHA256
54a608a985d330159dc7fa8b692523a2714e889c3074ce071960b0c45775303c

SHA512
a5d1afa6625c8b423ac17dc0c22be00e65db86b722fa21823dc210f127279846cf77390d86064a7e7bcba91bd870569fb5ba97d29afd99eec9c59f62aa5dc45c

Download Submit
memory/2648-147-0x00000000003E0000-0x0000000000408000-memory.dmp

Filesize
160KB

Download
memory/2648-148-0x0000000007650000-0x0000000007C68000-memory.dmp

Filesize
6.1MB

Download
memory/2648-149-0x00000000070F0000-0x0000000007102000-memory.dmp

Filesize
72KB

Download
memory/2648-150-0x0000000007220000-0x000000000732A000-memory.dmp

Filesize
1.0MB

Download
memory/2648-151-0x0000000007490000-0x00000000074A0000-memory.dmp

Filesize
64KB

Download
memory/2648-152-0x0000000007150000-0x000000000718C000-memory.dmp

Filesize
240KB

Download
memory/2648-153-0x0000000007490000-0x00000000074A0000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing