redline | 3104452519098577043aa6b07ce22cd41447a3807c96f2037090185ae62bf194

General

Target

3104452519098577043aa6b07ce22cd41447a3807c96f2037090185ae62bf194.exe
Size

600KB
MD5

7f879c5078f21fe470e3aae4f7a242c8
SHA1

d6be024f66129ce6eb455874776d2a4b87c5ad3c
SHA256

3104452519098577043aa6b07ce22cd41447a3807c96f2037090185ae62bf194
SHA512

cdd89a235aa898187f10c1b8f1cf357623d5d1930f8d777d318cfa9e8cbc2ab26afb6663e47d7685b10863546a1a0e85aea2920fdd9892ce383d9c79178a1a36
SSDEEP

12288:rMruy90ZAhzXWg0ywSav9BGEZqj1u90Helkn/pFh/JRS21JVUVZo:ZyD0yGVEEZqhe0HeOn/p3/TD1J2no

Score

10^/10

redline infostealer persistence stealer

Malware Config

Signatures

Detects Redline Stealer samples 1 IoCs

This rule detects the presence of Redline Stealer samples based on their unique strings.

stealer

resource	yara_rule
behavioral2/memory/2104-148-0x0000000007C50000-0x0000000008268000-memory.dmp	redline_stealer

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Executes dropped EXE 2 IoCs

pid	Process
4960	y6502237.exe
2104	k1062174.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	3104452519098577043aa6b07ce22cd41447a3807c96f2037090185ae62bf194.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	3104452519098577043aa6b07ce22cd41447a3807c96f2037090185ae62bf194.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	y6502237.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	y6502237.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 996 wrote to memory of 4960	996	3104452519098577043aa6b07ce22cd41447a3807c96f2037090185ae62bf194.exe	83
PID 996 wrote to memory of 4960	996	3104452519098577043aa6b07ce22cd41447a3807c96f2037090185ae62bf194.exe	83
PID 996 wrote to memory of 4960	996	3104452519098577043aa6b07ce22cd41447a3807c96f2037090185ae62bf194.exe	83
PID 4960 wrote to memory of 2104	4960	y6502237.exe	84
PID 4960 wrote to memory of 2104	4960	y6502237.exe	84
PID 4960 wrote to memory of 2104	4960	y6502237.exe	84

C:\Users\Admin\AppData\Local\Temp\3104452519098577043aa6b07ce22cd41447a3807c96f2037090185ae62bf194.exe
"C:\Users\Admin\AppData\Local\Temp\3104452519098577043aa6b07ce22cd41447a3807c96f2037090185ae62bf194.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:996
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y6502237.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y6502237.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:4960
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k1062174.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k1062174.exe
    3⤵
    - Executes dropped EXE
    PID:2104

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y6502237.exe

Filesize
307KB

MD5
4739e13004ceb6ed5976a1e12d2c7b48

SHA1
8e20e6e29d8f1b5d6dde4f04fa225b7a08ff506c

SHA256
63ddbc3615fbd9f5c65d98aec255ecc0f636258db9e11e07a8b5485d7ef95a59

SHA512
29094d961269003932211586d705aac5c86f665c6e734a562da7873a98b2343d7938fcda8ecb6ff0690f453c58c464c283a0946364f188b1fcf356607fecb9d3

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y6502237.exe

Filesize
307KB

MD5
4739e13004ceb6ed5976a1e12d2c7b48

SHA1
8e20e6e29d8f1b5d6dde4f04fa225b7a08ff506c

SHA256
63ddbc3615fbd9f5c65d98aec255ecc0f636258db9e11e07a8b5485d7ef95a59

SHA512
29094d961269003932211586d705aac5c86f665c6e734a562da7873a98b2343d7938fcda8ecb6ff0690f453c58c464c283a0946364f188b1fcf356607fecb9d3

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k1062174.exe

Filesize
136KB

MD5
c2d4dd7877b80ec0e2cd76dfe12c7fe7

SHA1
78bd3110d1a3be940a4df9b71748242e3b46b310

SHA256
870df0572b5ed6417e9a7b8e39781812e1e6eebe6dc4463b85cc8679edf0cdf2

SHA512
7934a46507497bc59109c0a3c55e4a40acb82b7818448fe4b7248781ed32aecdb3795d52298ffa196ae287b2bc24f5ac653cb37338deb640b32b7e636e662693

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k1062174.exe

Filesize
136KB

MD5
c2d4dd7877b80ec0e2cd76dfe12c7fe7

SHA1
78bd3110d1a3be940a4df9b71748242e3b46b310

SHA256
870df0572b5ed6417e9a7b8e39781812e1e6eebe6dc4463b85cc8679edf0cdf2

SHA512
7934a46507497bc59109c0a3c55e4a40acb82b7818448fe4b7248781ed32aecdb3795d52298ffa196ae287b2bc24f5ac653cb37338deb640b32b7e636e662693

Download Submit
memory/2104-147-0x0000000000840000-0x0000000000868000-memory.dmp

Filesize
160KB

Download
memory/2104-148-0x0000000007C50000-0x0000000008268000-memory.dmp

Filesize
6.1MB

Download
memory/2104-149-0x00000000076B0000-0x00000000076C2000-memory.dmp

Filesize
72KB

Download
memory/2104-150-0x00000000077E0000-0x00000000078EA000-memory.dmp

Filesize
1.0MB

Download
memory/2104-151-0x0000000007710000-0x000000000774C000-memory.dmp

Filesize
240KB

Download
memory/2104-152-0x0000000007A40000-0x0000000007A50000-memory.dmp

Filesize
64KB

Download
memory/2104-153-0x0000000007A40000-0x0000000007A50000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing