redline | 06c5d28afa1db33d1ffeeb1c3ac882dcbb497fa6a263bbb1adb1227fdc172f34

General

Target

06c5d28afa1db33d1ffeeb1c3ac882dcbb497fa6a263bbb1adb1227fdc172f34.exe
Size

707KB
MD5

eea516911c040a3232afdb61533cb10b
SHA1

3928c44a1c8b7064494d469c1c95e77c48d23ef9
SHA256

06c5d28afa1db33d1ffeeb1c3ac882dcbb497fa6a263bbb1adb1227fdc172f34
SHA512

71174674a611c708e89b333e75d5bdaacb215f5da6592b4705c8403f5a885c636fa0a6a616e33dbf26ba2e3d70c0ef9dcc91d7452ac46c4e718a7fe79e011faa
SSDEEP

12288:aMrXy90RYpaGc1N2ZN1y/Rl7rn7TUZdvOprelaTaXEDHZ5u74dYqFSmW:1yRaGR1yJhAZd2pClaTd95u0dY7mW

Score

10^/10

redline infostealer persistence stealer

Malware Config

Signatures

Detects Redline Stealer samples 1 IoCs

This rule detects the presence of Redline Stealer samples based on their unique strings.

stealer

resource	yara_rule
behavioral2/memory/1480-148-0x0000000007AB0000-0x00000000080C8000-memory.dmp	redline_stealer

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Executes dropped EXE 2 IoCs

pid	Process
3584	x1887348.exe
1480	g9521718.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	x1887348.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	x1887348.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	06c5d28afa1db33d1ffeeb1c3ac882dcbb497fa6a263bbb1adb1227fdc172f34.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	06c5d28afa1db33d1ffeeb1c3ac882dcbb497fa6a263bbb1adb1227fdc172f34.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 4204 wrote to memory of 3584	4204	06c5d28afa1db33d1ffeeb1c3ac882dcbb497fa6a263bbb1adb1227fdc172f34.exe	81
PID 4204 wrote to memory of 3584	4204	06c5d28afa1db33d1ffeeb1c3ac882dcbb497fa6a263bbb1adb1227fdc172f34.exe	81
PID 4204 wrote to memory of 3584	4204	06c5d28afa1db33d1ffeeb1c3ac882dcbb497fa6a263bbb1adb1227fdc172f34.exe	81
PID 3584 wrote to memory of 1480	3584	x1887348.exe	82
PID 3584 wrote to memory of 1480	3584	x1887348.exe	82
PID 3584 wrote to memory of 1480	3584	x1887348.exe	82

C:\Users\Admin\AppData\Local\Temp\06c5d28afa1db33d1ffeeb1c3ac882dcbb497fa6a263bbb1adb1227fdc172f34.exe
"C:\Users\Admin\AppData\Local\Temp\06c5d28afa1db33d1ffeeb1c3ac882dcbb497fa6a263bbb1adb1227fdc172f34.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4204
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x1887348.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x1887348.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:3584
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g9521718.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g9521718.exe
    3⤵
    - Executes dropped EXE
    PID:1480

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x1887348.exe

Filesize
416KB

MD5
6b8a93afc45cfb74a5ebc198c6a18dfc

SHA1
b0b3bee996d245a1fd06f76c3ec4eda26112d7b5

SHA256
61a51f8f8810671f0320950da1d390c61a33daa7b46c2d96e1f7ed46b183bf63

SHA512
0dbcc7c29feae1c89940d9c1fe7643d88419e6397097ced487fa95c7fa8642ef8af3bb0456926c344492dcf2da6e3be57d46fbd14a13ddcaaba08e589b228eb6

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x1887348.exe

Filesize
416KB

MD5
6b8a93afc45cfb74a5ebc198c6a18dfc

SHA1
b0b3bee996d245a1fd06f76c3ec4eda26112d7b5

SHA256
61a51f8f8810671f0320950da1d390c61a33daa7b46c2d96e1f7ed46b183bf63

SHA512
0dbcc7c29feae1c89940d9c1fe7643d88419e6397097ced487fa95c7fa8642ef8af3bb0456926c344492dcf2da6e3be57d46fbd14a13ddcaaba08e589b228eb6

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g9521718.exe

Filesize
136KB

MD5
2c9b41bdcb7e5d28c07ece1fff15e78d

SHA1
0ed91ea5abfd1becc6d4acdd4838e33e62ba773b

SHA256
b2f56b55e92fe822ae24fae171b6766cdf004c388a8f407560725daea21c9ed5

SHA512
2dff106fc7ce25b92905e71bc2ed7387cc7cb2cc53514683dbfd2032f28206c86bb79ed767456fbd913bf3cdaa5b8387f0900f882478c89eb1358250c935bf94

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g9521718.exe

Filesize
136KB

MD5
2c9b41bdcb7e5d28c07ece1fff15e78d

SHA1
0ed91ea5abfd1becc6d4acdd4838e33e62ba773b

SHA256
b2f56b55e92fe822ae24fae171b6766cdf004c388a8f407560725daea21c9ed5

SHA512
2dff106fc7ce25b92905e71bc2ed7387cc7cb2cc53514683dbfd2032f28206c86bb79ed767456fbd913bf3cdaa5b8387f0900f882478c89eb1358250c935bf94

Download Submit
memory/1480-147-0x0000000000820000-0x0000000000848000-memory.dmp

Filesize
160KB

Download
memory/1480-148-0x0000000007AB0000-0x00000000080C8000-memory.dmp

Filesize
6.1MB

Download
memory/1480-149-0x0000000007530000-0x0000000007542000-memory.dmp

Filesize
72KB

Download
memory/1480-150-0x0000000007660000-0x000000000776A000-memory.dmp

Filesize
1.0MB

Download
memory/1480-151-0x0000000007590000-0x00000000075CC000-memory.dmp

Filesize
240KB

Download
memory/1480-152-0x0000000007920000-0x0000000007930000-memory.dmp

Filesize
64KB

Download
memory/1480-153-0x0000000007920000-0x0000000007930000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing