redline | 5ab1b3850e3fec00145fc6df6de8695d93274053bf2fd53e3a4b9f41ef4a10e8

General

Target

5ab1b3850e3fec00145fc6df6de8695d93274053bf2fd53e3a4b9f41ef4a10e8.exe
Size

708KB
MD5

cb72775bb64ed0c498e18b4e56f7f597
SHA1

010e9ec9e60da615373f2367e3e0dc663761803f
SHA256

5ab1b3850e3fec00145fc6df6de8695d93274053bf2fd53e3a4b9f41ef4a10e8
SHA512

721eb6120262989e35458bc0d60ffea79952243e72a529c6fa9ddc703bd74fbd22f6a73ad467cc53d59020e976f4044455666786343c07a4bc35d9bb5964b952
SSDEEP

12288:MMrEy901XhZ0dGhK7ZPpvK3EhedF4xUVM3DEqN7GjsQE4UQ7rMpASvnVwz:4yK0dG07nMgedeyM3rkDoAm6

Score

10^/10

redline infostealer persistence stealer

Malware Config

Signatures

Detects Redline Stealer samples 1 IoCs

This rule detects the presence of Redline Stealer samples based on their unique strings.

stealer

resource	yara_rule
behavioral2/memory/1608-148-0x0000000007EF0000-0x0000000008508000-memory.dmp	redline_stealer

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Executes dropped EXE 2 IoCs

pid	Process
4456	x5689210.exe
1608	g3227849.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	5ab1b3850e3fec00145fc6df6de8695d93274053bf2fd53e3a4b9f41ef4a10e8.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	5ab1b3850e3fec00145fc6df6de8695d93274053bf2fd53e3a4b9f41ef4a10e8.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	x5689210.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	x5689210.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 3532 wrote to memory of 4456	3532	5ab1b3850e3fec00145fc6df6de8695d93274053bf2fd53e3a4b9f41ef4a10e8.exe	82
PID 3532 wrote to memory of 4456	3532	5ab1b3850e3fec00145fc6df6de8695d93274053bf2fd53e3a4b9f41ef4a10e8.exe	82
PID 3532 wrote to memory of 4456	3532	5ab1b3850e3fec00145fc6df6de8695d93274053bf2fd53e3a4b9f41ef4a10e8.exe	82
PID 4456 wrote to memory of 1608	4456	x5689210.exe	83
PID 4456 wrote to memory of 1608	4456	x5689210.exe	83
PID 4456 wrote to memory of 1608	4456	x5689210.exe	83

C:\Users\Admin\AppData\Local\Temp\5ab1b3850e3fec00145fc6df6de8695d93274053bf2fd53e3a4b9f41ef4a10e8.exe
"C:\Users\Admin\AppData\Local\Temp\5ab1b3850e3fec00145fc6df6de8695d93274053bf2fd53e3a4b9f41ef4a10e8.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3532
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x5689210.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x5689210.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:4456
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g3227849.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g3227849.exe
    3⤵
    - Executes dropped EXE
    PID:1608

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x5689210.exe

Filesize
416KB

MD5
734e765b4e967ecb94ed401740d1f34f

SHA1
4bdc70d273e3c6ba35bcd361dfce69d885b036ae

SHA256
0bf851ec1436869f3b145fd16b2e3f9fc3b2e75232df05dc8ec94d284e56b4e0

SHA512
a87027c58e743a7df0e62f4568245b137cf60cf0e4a8731522298ae9287e877ac3bf0c42da0c25d67e9e78d072c7e808eb5653f039fd7e1f0d26412650f9d536

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x5689210.exe

Filesize
416KB

MD5
734e765b4e967ecb94ed401740d1f34f

SHA1
4bdc70d273e3c6ba35bcd361dfce69d885b036ae

SHA256
0bf851ec1436869f3b145fd16b2e3f9fc3b2e75232df05dc8ec94d284e56b4e0

SHA512
a87027c58e743a7df0e62f4568245b137cf60cf0e4a8731522298ae9287e877ac3bf0c42da0c25d67e9e78d072c7e808eb5653f039fd7e1f0d26412650f9d536

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g3227849.exe

Filesize
136KB

MD5
23e36b8342c31b6be931821a7553cb20

SHA1
a1036f2cb221da4063a3ee94c38de6ca1ed7d713

SHA256
3fe1df7898f6fdf607f75083d9b130cf5299c29e30b53be3cc2f5035cc27bb93

SHA512
3b78d1ee3de1351a190da7675fe9a8277bb7927309e393dc479389f56ba20948417644992fd69c6d172fef92ca477412550799613b3303962133ed361b35b4ed

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g3227849.exe

Filesize
136KB

MD5
23e36b8342c31b6be931821a7553cb20

SHA1
a1036f2cb221da4063a3ee94c38de6ca1ed7d713

SHA256
3fe1df7898f6fdf607f75083d9b130cf5299c29e30b53be3cc2f5035cc27bb93

SHA512
3b78d1ee3de1351a190da7675fe9a8277bb7927309e393dc479389f56ba20948417644992fd69c6d172fef92ca477412550799613b3303962133ed361b35b4ed

Download Submit
memory/1608-147-0x0000000000B10000-0x0000000000B38000-memory.dmp

Filesize
160KB

Download
memory/1608-148-0x0000000007EF0000-0x0000000008508000-memory.dmp

Filesize
6.1MB

Download
memory/1608-149-0x0000000007980000-0x0000000007992000-memory.dmp

Filesize
72KB

Download
memory/1608-150-0x0000000007AB0000-0x0000000007BBA000-memory.dmp

Filesize
1.0MB

Download
memory/1608-151-0x00000000079E0000-0x0000000007A1C000-memory.dmp

Filesize
240KB

Download
memory/1608-152-0x0000000007A20000-0x0000000007A30000-memory.dmp

Filesize
64KB

Download
memory/1608-153-0x0000000007A20000-0x0000000007A30000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing