redline | 06d48c2a74323de006c9ecc8ea3392e574cade6f2fd1ab1403959c0a2662ff75

General

Target

06d48c2a74323de006c9ecc8ea3392e574cade6f2fd1ab1403959c0a2662ff75.exe
Size

376KB
MD5

67369d806a77b5701196bbdf978d6683
SHA1

5df72527a581244410c744136d531a146ca3097e
SHA256

06d48c2a74323de006c9ecc8ea3392e574cade6f2fd1ab1403959c0a2662ff75
SHA512

5d37bf508725e53cc9a9598c4bed4bce229364bfc8db601ceb2e73c83b3751f89cb620f6f268515496d7e3abcbf4803e0b3c9755ff2a6ffe60ef6d34512fa8e9
SSDEEP

6144:KDy+bnr+Bp0yN90QEAXAprVp7EkkmRaVklpBagdSMV+CXeejkwK8AA:hMr5y90KYrVJEORaVcxSw+C4wUA

Score

10^/10

redline infostealer persistence stealer

Malware Config

Signatures

Detects Redline Stealer samples 1 IoCs

This rule detects the presence of Redline Stealer samples based on their unique strings.

stealer

resource	yara_rule
behavioral2/memory/1396-148-0x00000000076E0000-0x0000000007CF8000-memory.dmp	redline_stealer

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Executes dropped EXE 2 IoCs

pid	Process
4748	x6236474.exe
1396	g1446515.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	x6236474.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	x6236474.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	06d48c2a74323de006c9ecc8ea3392e574cade6f2fd1ab1403959c0a2662ff75.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	06d48c2a74323de006c9ecc8ea3392e574cade6f2fd1ab1403959c0a2662ff75.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 1316 wrote to memory of 4748	1316	06d48c2a74323de006c9ecc8ea3392e574cade6f2fd1ab1403959c0a2662ff75.exe	84
PID 1316 wrote to memory of 4748	1316	06d48c2a74323de006c9ecc8ea3392e574cade6f2fd1ab1403959c0a2662ff75.exe	84
PID 1316 wrote to memory of 4748	1316	06d48c2a74323de006c9ecc8ea3392e574cade6f2fd1ab1403959c0a2662ff75.exe	84
PID 4748 wrote to memory of 1396	4748	x6236474.exe	85
PID 4748 wrote to memory of 1396	4748	x6236474.exe	85
PID 4748 wrote to memory of 1396	4748	x6236474.exe	85

C:\Users\Admin\AppData\Local\Temp\06d48c2a74323de006c9ecc8ea3392e574cade6f2fd1ab1403959c0a2662ff75.exe
"C:\Users\Admin\AppData\Local\Temp\06d48c2a74323de006c9ecc8ea3392e574cade6f2fd1ab1403959c0a2662ff75.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1316
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x6236474.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x6236474.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:4748
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g1446515.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g1446515.exe
    3⤵
    - Executes dropped EXE
    PID:1396

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x6236474.exe

Filesize
204KB

MD5
bfe7d0df3563cf0349d8340aab2c5858

SHA1
5ac5968ac68d7a711ef5bda858c4a85f11ad7a7f

SHA256
88a2c03201eeb44350c4a3bd860e1b45e203a7e47be08d42dbc6b9fad90ad84e

SHA512
0651cb8ad193081ca34e513d66095447573249faf3d341fd5c60008b3ebd0648d842d9bbb15b258f26ac8e2b3f0d520f715367b15b65c3b49cf9eb26d58b4431

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x6236474.exe

Filesize
204KB

MD5
bfe7d0df3563cf0349d8340aab2c5858

SHA1
5ac5968ac68d7a711ef5bda858c4a85f11ad7a7f

SHA256
88a2c03201eeb44350c4a3bd860e1b45e203a7e47be08d42dbc6b9fad90ad84e

SHA512
0651cb8ad193081ca34e513d66095447573249faf3d341fd5c60008b3ebd0648d842d9bbb15b258f26ac8e2b3f0d520f715367b15b65c3b49cf9eb26d58b4431

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g1446515.exe

Filesize
136KB

MD5
25432ffd81bdd925172138e87f5e8284

SHA1
cac5f3f0630ac7b085cfccc7afe6824d5a96b10c

SHA256
f6bcd9afd2adaea0576ce5a226511073660814d3657bdeff58bb714a1a8b8505

SHA512
383e3116d6f5ebf25b6619cc772849c0cb467b4f00cd9fa012b1f8bef4da3c0f30dd0d2e50f824d89ddfab5aa9bbf9901a4f36665f5dea7371975a763bb87072

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g1446515.exe

Filesize
136KB

MD5
25432ffd81bdd925172138e87f5e8284

SHA1
cac5f3f0630ac7b085cfccc7afe6824d5a96b10c

SHA256
f6bcd9afd2adaea0576ce5a226511073660814d3657bdeff58bb714a1a8b8505

SHA512
383e3116d6f5ebf25b6619cc772849c0cb467b4f00cd9fa012b1f8bef4da3c0f30dd0d2e50f824d89ddfab5aa9bbf9901a4f36665f5dea7371975a763bb87072

Download Submit
memory/1396-147-0x0000000000430000-0x0000000000458000-memory.dmp

Filesize
160KB

Download
memory/1396-148-0x00000000076E0000-0x0000000007CF8000-memory.dmp

Filesize
6.1MB

Download
memory/1396-149-0x0000000007140000-0x0000000007152000-memory.dmp

Filesize
72KB

Download
memory/1396-150-0x0000000007270000-0x000000000737A000-memory.dmp

Filesize
1.0MB

Download
memory/1396-151-0x00000000071E0000-0x000000000721C000-memory.dmp

Filesize
240KB

Download
memory/1396-152-0x0000000007190000-0x00000000071A0000-memory.dmp

Filesize
64KB

Download
memory/1396-153-0x0000000007190000-0x00000000071A0000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing