redline | 03486810ae4e24c6532938d0c5a5a4ecc13a4f6bfaf0d8b4367b88922d67e6dd

General

Target

03486810ae4e24c6532938d0c5a5a4ecc13a4f6bfaf0d8b4367b88922d67e6dd.exe
Size

479KB
MD5

973bb318f1df1f635491077188ac5e4b
SHA1

3e59a536851d015cf186b5e756a8ee60d0aa9bfc
SHA256

03486810ae4e24c6532938d0c5a5a4ecc13a4f6bfaf0d8b4367b88922d67e6dd
SHA512

c57bf5fce21e3866f0bbec8d1e86755c277c989ecbeb80eb124ec86eed5b228c94835ccd6e1d188537e90375d83f120965e1c4487c7a8b68f3eb838f32fc4f35
SSDEEP

12288:bMrjty90OZ13IXn7rWGsdLfBMdd/uST1a7Cfx:0tyTU7rWGmLSdwSxR5

Score

10^/10

redline infostealer persistence stealer

Malware Config

Signatures

Detects Redline Stealer samples 1 IoCs

This rule detects the presence of Redline Stealer samples based on their unique strings.

stealer

resource	yara_rule
behavioral2/memory/3204-148-0x0000000007430000-0x0000000007A48000-memory.dmp	redline_stealer

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Executes dropped EXE 2 IoCs

pid	Process
1944	x8409730.exe
3204	g7320293.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	03486810ae4e24c6532938d0c5a5a4ecc13a4f6bfaf0d8b4367b88922d67e6dd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	03486810ae4e24c6532938d0c5a5a4ecc13a4f6bfaf0d8b4367b88922d67e6dd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	x8409730.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	x8409730.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 3336 wrote to memory of 1944	3336	03486810ae4e24c6532938d0c5a5a4ecc13a4f6bfaf0d8b4367b88922d67e6dd.exe	84
PID 3336 wrote to memory of 1944	3336	03486810ae4e24c6532938d0c5a5a4ecc13a4f6bfaf0d8b4367b88922d67e6dd.exe	84
PID 3336 wrote to memory of 1944	3336	03486810ae4e24c6532938d0c5a5a4ecc13a4f6bfaf0d8b4367b88922d67e6dd.exe	84
PID 1944 wrote to memory of 3204	1944	x8409730.exe	85
PID 1944 wrote to memory of 3204	1944	x8409730.exe	85
PID 1944 wrote to memory of 3204	1944	x8409730.exe	85

C:\Users\Admin\AppData\Local\Temp\03486810ae4e24c6532938d0c5a5a4ecc13a4f6bfaf0d8b4367b88922d67e6dd.exe
"C:\Users\Admin\AppData\Local\Temp\03486810ae4e24c6532938d0c5a5a4ecc13a4f6bfaf0d8b4367b88922d67e6dd.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3336
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x8409730.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x8409730.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:1944
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g7320293.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g7320293.exe
    3⤵
    - Executes dropped EXE
    PID:3204

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x8409730.exe

Filesize
307KB

MD5
a150e3b563bc4a94f4cfb60b454cfd75

SHA1
e7252f55fefdcf87eb9dddef0fd404946c59d198

SHA256
b021db168d7a53f27376e459029bcc70ec637a23632255e06fe5e4acc4abeffa

SHA512
bdecc46c4a72498f59d4191ac17d07b27f212db562f00d34189016149a07615a0ab1218df68c6d873bee33503cc995f2c71b36a2cb9cc1fc55a668c1eecbf071

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x8409730.exe

Filesize
307KB

MD5
a150e3b563bc4a94f4cfb60b454cfd75

SHA1
e7252f55fefdcf87eb9dddef0fd404946c59d198

SHA256
b021db168d7a53f27376e459029bcc70ec637a23632255e06fe5e4acc4abeffa

SHA512
bdecc46c4a72498f59d4191ac17d07b27f212db562f00d34189016149a07615a0ab1218df68c6d873bee33503cc995f2c71b36a2cb9cc1fc55a668c1eecbf071

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g7320293.exe

Filesize
137KB

MD5
23de4b48a1351aa2ae1efeaadd269604

SHA1
9523df2ef8b2c651d8f6f995734f970edc188746

SHA256
dd7f29e2c72025047bcfeac4cd65ae9840401f5eaa50bd2e91db464bbb7a61b0

SHA512
a88c985f01bacc933bfddf3441413898dbcaa745c576576daf70fa14bb8954f5e8b6712e3395d4a646dd04f7703788b0d8107e1ff20c35fd19f40be46e241cbd

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g7320293.exe

Filesize
137KB

MD5
23de4b48a1351aa2ae1efeaadd269604

SHA1
9523df2ef8b2c651d8f6f995734f970edc188746

SHA256
dd7f29e2c72025047bcfeac4cd65ae9840401f5eaa50bd2e91db464bbb7a61b0

SHA512
a88c985f01bacc933bfddf3441413898dbcaa745c576576daf70fa14bb8954f5e8b6712e3395d4a646dd04f7703788b0d8107e1ff20c35fd19f40be46e241cbd

Download Submit
memory/3204-147-0x0000000000060000-0x0000000000088000-memory.dmp

Filesize
160KB

Download
memory/3204-148-0x0000000007430000-0x0000000007A48000-memory.dmp

Filesize
6.1MB

Download
memory/3204-149-0x0000000006EB0000-0x0000000006EC2000-memory.dmp

Filesize
72KB

Download
memory/3204-150-0x0000000006FE0000-0x00000000070EA000-memory.dmp

Filesize
1.0MB

Download
memory/3204-151-0x0000000006F10000-0x0000000006F4C000-memory.dmp

Filesize
240KB

Download
memory/3204-152-0x00000000072A0000-0x00000000072B0000-memory.dmp

Filesize
64KB

Download
memory/3204-153-0x00000000072A0000-0x00000000072B0000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing