redline | 5a970aa98f9cb64b6e9ebe664c8e967a275161d1910fabb8a50f908dad03f006

General

Target

5a970aa98f9cb64b6e9ebe664c8e967a275161d1910fabb8a50f908dad03f006.exe
Size

599KB
MD5

a1c0cdbe4fed5b65ca504ab0d26ea228
SHA1

c9fdf408b943872d47b6057255ec0982d435c365
SHA256

5a970aa98f9cb64b6e9ebe664c8e967a275161d1910fabb8a50f908dad03f006
SHA512

80a4a1677dd04fe986730a374d78692e1421010cae0c6d04abbacbfb85e319de67bfeed250468c1a2594433b391aa766940b886b4f69e2a2d456c1b23f42beb8
SSDEEP

12288:/Mray9003w4cGqnh+1Q8rLZ9yrHOHSiJkxo8xckVKuy1X6cF+WEEREWf0+I:5ytxcV4GkDHS+kxljVKvNPEaV0

Score

10^/10

redline infostealer persistence stealer

Malware Config

Signatures

Detects Redline Stealer samples 1 IoCs

This rule detects the presence of Redline Stealer samples based on their unique strings.

stealer

resource	yara_rule
behavioral2/memory/1420-148-0x0000000007AC0000-0x00000000080D8000-memory.dmp	redline_stealer

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Executes dropped EXE 2 IoCs

pid	Process
4696	y7794051.exe
1420	k3061196.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	5a970aa98f9cb64b6e9ebe664c8e967a275161d1910fabb8a50f908dad03f006.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	5a970aa98f9cb64b6e9ebe664c8e967a275161d1910fabb8a50f908dad03f006.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	y7794051.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	y7794051.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 3300 wrote to memory of 4696	3300	5a970aa98f9cb64b6e9ebe664c8e967a275161d1910fabb8a50f908dad03f006.exe	82
PID 3300 wrote to memory of 4696	3300	5a970aa98f9cb64b6e9ebe664c8e967a275161d1910fabb8a50f908dad03f006.exe	82
PID 3300 wrote to memory of 4696	3300	5a970aa98f9cb64b6e9ebe664c8e967a275161d1910fabb8a50f908dad03f006.exe	82
PID 4696 wrote to memory of 1420	4696	y7794051.exe	83
PID 4696 wrote to memory of 1420	4696	y7794051.exe	83
PID 4696 wrote to memory of 1420	4696	y7794051.exe	83

C:\Users\Admin\AppData\Local\Temp\5a970aa98f9cb64b6e9ebe664c8e967a275161d1910fabb8a50f908dad03f006.exe
"C:\Users\Admin\AppData\Local\Temp\5a970aa98f9cb64b6e9ebe664c8e967a275161d1910fabb8a50f908dad03f006.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3300
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y7794051.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y7794051.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:4696
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k3061196.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k3061196.exe
    3⤵
    - Executes dropped EXE
    PID:1420

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y7794051.exe

Filesize
308KB

MD5
35de577ac6ae0146a256f849a801830f

SHA1
b5ffa3f7157b0de3cac96aaec74da009559d1e61

SHA256
9172aa928df40bae7066005db4b40de1e6ca960715f493d54204fe1e8bbaa9bd

SHA512
39597b34c553b92cfa07d5009fef8446c8a8184e08862c2f364d576ffed3323a053ef864aff8c981dd161332de89aa5bfc55e59d7ffe03dd60218efbb85b4fd8

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y7794051.exe

Filesize
308KB

MD5
35de577ac6ae0146a256f849a801830f

SHA1
b5ffa3f7157b0de3cac96aaec74da009559d1e61

SHA256
9172aa928df40bae7066005db4b40de1e6ca960715f493d54204fe1e8bbaa9bd

SHA512
39597b34c553b92cfa07d5009fef8446c8a8184e08862c2f364d576ffed3323a053ef864aff8c981dd161332de89aa5bfc55e59d7ffe03dd60218efbb85b4fd8

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k3061196.exe

Filesize
136KB

MD5
d63e378013a0b95081cb5b3cb7b450f4

SHA1
e607b2f549cdd205b8f699a446e6607f2b08b82d

SHA256
977e125dfb9abf472216b0da77980025c102644b806ef6252f70f38d9e5567c1

SHA512
6eb30e00f571c6a22dcb50f3e4f9eaecff42a7aceca9dcd9be401bac7d8e23575c9511a1d87ec330615f97e66ac0e7845c3853a0f1e8d5fbd6caa600f482d1c6

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k3061196.exe

Filesize
136KB

MD5
d63e378013a0b95081cb5b3cb7b450f4

SHA1
e607b2f549cdd205b8f699a446e6607f2b08b82d

SHA256
977e125dfb9abf472216b0da77980025c102644b806ef6252f70f38d9e5567c1

SHA512
6eb30e00f571c6a22dcb50f3e4f9eaecff42a7aceca9dcd9be401bac7d8e23575c9511a1d87ec330615f97e66ac0e7845c3853a0f1e8d5fbd6caa600f482d1c6

Download Submit
memory/1420-147-0x0000000000830000-0x0000000000858000-memory.dmp

Filesize
160KB

Download
memory/1420-148-0x0000000007AC0000-0x00000000080D8000-memory.dmp

Filesize
6.1MB

Download
memory/1420-149-0x0000000007540000-0x0000000007552000-memory.dmp

Filesize
72KB

Download
memory/1420-150-0x0000000007670000-0x000000000777A000-memory.dmp

Filesize
1.0MB

Download
memory/1420-151-0x00000000075A0000-0x00000000075DC000-memory.dmp

Filesize
240KB

Download
memory/1420-152-0x0000000007970000-0x0000000007980000-memory.dmp

Filesize
64KB

Download
memory/1420-153-0x0000000007970000-0x0000000007980000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing