redline | 59c6d42fd136febd0caa33659e78bbb3257c5f8c7e049859d22f42f721b4a167

General

Target

59c6d42fd136febd0caa33659e78bbb3257c5f8c7e049859d22f42f721b4a167.exe
Size

479KB
MD5

2fde26f710df3a0a68c74d918ca996fc
SHA1

3d332867439b0a86880e13373de20f77081eb224
SHA256

59c6d42fd136febd0caa33659e78bbb3257c5f8c7e049859d22f42f721b4a167
SHA512

b6e9100341c1f046efb0552770b9cbf5ec7cc59982ff664d6c3b75f362ac4bb2adb1f04c55764a48ce1870c5c857a74a382e182a1e5f4aa57f27af1d932a99a0
SSDEEP

6144:KNy+bnr+Wp0yN90QErbSyfn6jkzdtoOBZ/44zkiY7nJ4gwQQ4fY9:jMrOy90RbSS643j74+ZBQQ4f2

Score

10^/10

redline infostealer persistence stealer

Malware Config

Signatures

Detects Redline Stealer samples 1 IoCs

This rule detects the presence of Redline Stealer samples based on their unique strings.

stealer

resource	yara_rule
behavioral2/memory/1912-148-0x00000000080B0000-0x00000000086C8000-memory.dmp	redline_stealer

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Executes dropped EXE 2 IoCs

pid	Process
376	x7722859.exe
1912	g1308045.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	59c6d42fd136febd0caa33659e78bbb3257c5f8c7e049859d22f42f721b4a167.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	x7722859.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	x7722859.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	59c6d42fd136febd0caa33659e78bbb3257c5f8c7e049859d22f42f721b4a167.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 2592 wrote to memory of 376	2592	59c6d42fd136febd0caa33659e78bbb3257c5f8c7e049859d22f42f721b4a167.exe	84
PID 2592 wrote to memory of 376	2592	59c6d42fd136febd0caa33659e78bbb3257c5f8c7e049859d22f42f721b4a167.exe	84
PID 2592 wrote to memory of 376	2592	59c6d42fd136febd0caa33659e78bbb3257c5f8c7e049859d22f42f721b4a167.exe	84
PID 376 wrote to memory of 1912	376	x7722859.exe	85
PID 376 wrote to memory of 1912	376	x7722859.exe	85
PID 376 wrote to memory of 1912	376	x7722859.exe	85

C:\Users\Admin\AppData\Local\Temp\59c6d42fd136febd0caa33659e78bbb3257c5f8c7e049859d22f42f721b4a167.exe
"C:\Users\Admin\AppData\Local\Temp\59c6d42fd136febd0caa33659e78bbb3257c5f8c7e049859d22f42f721b4a167.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2592
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x7722859.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x7722859.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:376
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g1308045.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g1308045.exe
    3⤵
    - Executes dropped EXE
    PID:1912

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x7722859.exe

Filesize
307KB

MD5
bf9acb565b46eaf01edc0bce481ab87a

SHA1
616f27d00c8ae91f8364e2b91f20c15d6fc4951d

SHA256
e2c8aa995e974848e4e19878727a90b703f50175b02580d1f0754d70a7d1c0b7

SHA512
ff01a361b71fcd6d2e0df601af22f1d4703c3503e9f458dce034498a005f1ab2a994f13205aa92bf8dc2fa07a8d3490fb20b7517284d7e0b03561a4be20795a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x7722859.exe

Filesize
307KB

MD5
bf9acb565b46eaf01edc0bce481ab87a

SHA1
616f27d00c8ae91f8364e2b91f20c15d6fc4951d

SHA256
e2c8aa995e974848e4e19878727a90b703f50175b02580d1f0754d70a7d1c0b7

SHA512
ff01a361b71fcd6d2e0df601af22f1d4703c3503e9f458dce034498a005f1ab2a994f13205aa92bf8dc2fa07a8d3490fb20b7517284d7e0b03561a4be20795a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g1308045.exe

Filesize
136KB

MD5
7f087a710fb62fc07e2c7af00d69e2e4

SHA1
e06e4803f57cd8b3b8598c867ef5c71138d6c538

SHA256
476d92ad2069448bc6d8ca16e6c60ee1fa668fafc5c0224a924e13b0fa6c4c9b

SHA512
b1a43c64374284fdfdbb63c72b8afe86256eb0f2571ef56916aadde03f3018b6ca214bc5d6fe461951ed4690d7d2eae20c90457030944900166fa97431856dac

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g1308045.exe

Filesize
136KB

MD5
7f087a710fb62fc07e2c7af00d69e2e4

SHA1
e06e4803f57cd8b3b8598c867ef5c71138d6c538

SHA256
476d92ad2069448bc6d8ca16e6c60ee1fa668fafc5c0224a924e13b0fa6c4c9b

SHA512
b1a43c64374284fdfdbb63c72b8afe86256eb0f2571ef56916aadde03f3018b6ca214bc5d6fe461951ed4690d7d2eae20c90457030944900166fa97431856dac

Download Submit
memory/1912-147-0x0000000000E10000-0x0000000000E38000-memory.dmp

Filesize
160KB

Download
memory/1912-148-0x00000000080B0000-0x00000000086C8000-memory.dmp

Filesize
6.1MB

Download
memory/1912-149-0x0000000007B20000-0x0000000007B32000-memory.dmp

Filesize
72KB

Download
memory/1912-150-0x0000000007C50000-0x0000000007D5A000-memory.dmp

Filesize
1.0MB

Download
memory/1912-151-0x0000000007BB0000-0x0000000007BEC000-memory.dmp

Filesize
240KB

Download
memory/1912-152-0x0000000007BA0000-0x0000000007BB0000-memory.dmp

Filesize
64KB

Download
memory/1912-153-0x0000000007BA0000-0x0000000007BB0000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing