redline | 0b8cd1fde48304d57568381fe03db7a143822159043a2facd2d31ec405b1326d

General

Target

0b8cd1fde48304d57568381fe03db7a143822159043a2facd2d31ec405b1326d.exe
Size

479KB
MD5

74fc1501b8b739a6a86dc77599ab2ebd
SHA1

fe123f17a1229326e2b096dd82fc773a8d120155
SHA256

0b8cd1fde48304d57568381fe03db7a143822159043a2facd2d31ec405b1326d
SHA512

bcee2d8c08dca2f5fdf92a10a8f4f09093a488df9294ebed4a56dd20e77b065e3c528148fd7bb64f429c1e38e51e06c79990ddaa771700490ede764fddc5eec3
SSDEEP

12288:5MrTy90hOFEENQZuTO3DwCdfm39YWl03S:eyIGuZuIDwh3pkS

Score

10^/10

redline infostealer persistence stealer

Malware Config

Signatures

Detects Redline Stealer samples 1 IoCs

This rule detects the presence of Redline Stealer samples based on their unique strings.

stealer

resource	yara_rule
behavioral2/memory/4840-148-0x0000000007E80000-0x0000000008498000-memory.dmp	redline_stealer

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Executes dropped EXE 2 IoCs

pid	Process
2076	x7568755.exe
4840	g0095314.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	0b8cd1fde48304d57568381fe03db7a143822159043a2facd2d31ec405b1326d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	0b8cd1fde48304d57568381fe03db7a143822159043a2facd2d31ec405b1326d.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	x7568755.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	x7568755.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 448 wrote to memory of 2076	448	0b8cd1fde48304d57568381fe03db7a143822159043a2facd2d31ec405b1326d.exe	83
PID 448 wrote to memory of 2076	448	0b8cd1fde48304d57568381fe03db7a143822159043a2facd2d31ec405b1326d.exe	83
PID 448 wrote to memory of 2076	448	0b8cd1fde48304d57568381fe03db7a143822159043a2facd2d31ec405b1326d.exe	83
PID 2076 wrote to memory of 4840	2076	x7568755.exe	84
PID 2076 wrote to memory of 4840	2076	x7568755.exe	84
PID 2076 wrote to memory of 4840	2076	x7568755.exe	84

C:\Users\Admin\AppData\Local\Temp\0b8cd1fde48304d57568381fe03db7a143822159043a2facd2d31ec405b1326d.exe
"C:\Users\Admin\AppData\Local\Temp\0b8cd1fde48304d57568381fe03db7a143822159043a2facd2d31ec405b1326d.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:448
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x7568755.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x7568755.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:2076
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g0095314.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g0095314.exe
    3⤵
    - Executes dropped EXE
    PID:4840

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x7568755.exe

Filesize
307KB

MD5
d85d9fc996e80ca32dc16e5c61d9b64e

SHA1
fb36721ce4f1448a615042dd6cf3500c1e1b5e96

SHA256
3314c1cf1b9c658958c2c7afe0411d25d3b23a2782eb00303a8d407de3e7fde3

SHA512
a847e07cbf5cda76bd33222d2b845ad466dbed6863278562521c14a278117220b365bd4e7c92ffa0d303f945aee1357f1429d30343a9cfb1e41085bddfe6ef65

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x7568755.exe

Filesize
307KB

MD5
d85d9fc996e80ca32dc16e5c61d9b64e

SHA1
fb36721ce4f1448a615042dd6cf3500c1e1b5e96

SHA256
3314c1cf1b9c658958c2c7afe0411d25d3b23a2782eb00303a8d407de3e7fde3

SHA512
a847e07cbf5cda76bd33222d2b845ad466dbed6863278562521c14a278117220b365bd4e7c92ffa0d303f945aee1357f1429d30343a9cfb1e41085bddfe6ef65

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g0095314.exe

Filesize
136KB

MD5
1a335f9aa910bcee72ecfb07046b1409

SHA1
98ed2675d3bb617431d3cc2fbd1431852fb818a4

SHA256
ad96a293d8102ba443508a4aca4ca26b44975260d26bba67db9cf0f9327f9eab

SHA512
0fccf320f6c4a094331f70a33b30775e1c5fb5ecc19d0e76ce6aa69a6069f2af6ca5c885a04fc31b7f2190e761b5c191e70a19ff84310e16384fc085aa58ce43

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g0095314.exe

Filesize
136KB

MD5
1a335f9aa910bcee72ecfb07046b1409

SHA1
98ed2675d3bb617431d3cc2fbd1431852fb818a4

SHA256
ad96a293d8102ba443508a4aca4ca26b44975260d26bba67db9cf0f9327f9eab

SHA512
0fccf320f6c4a094331f70a33b30775e1c5fb5ecc19d0e76ce6aa69a6069f2af6ca5c885a04fc31b7f2190e761b5c191e70a19ff84310e16384fc085aa58ce43

Download Submit
memory/4840-147-0x0000000000A80000-0x0000000000AA8000-memory.dmp

Filesize
160KB

Download
memory/4840-148-0x0000000007E80000-0x0000000008498000-memory.dmp

Filesize
6.1MB

Download
memory/4840-149-0x00000000078D0000-0x00000000078E2000-memory.dmp

Filesize
72KB

Download
memory/4840-150-0x0000000007A00000-0x0000000007B0A000-memory.dmp

Filesize
1.0MB

Download
memory/4840-151-0x0000000007930000-0x000000000796C000-memory.dmp

Filesize
240KB

Download
memory/4840-152-0x0000000007990000-0x00000000079A0000-memory.dmp

Filesize
64KB

Download
memory/4840-153-0x0000000007990000-0x00000000079A0000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing