redline | 3368176c9021efc27f157714ce44b328a5e08d02f92ab536fd2cade22e7540fa

General

Target

3368176c9021efc27f157714ce44b328a5e08d02f92ab536fd2cade22e7540fa.exe
Size

709KB
MD5

d289175365ed703066947652e50b9254
SHA1

1b9c154d5b52580d60df232c9006e0294e4c354f
SHA256

3368176c9021efc27f157714ce44b328a5e08d02f92ab536fd2cade22e7540fa
SHA512

0ecf06529b76b25e6f0e1807138ff0b8cd99e6821e44a9a7bd2d8f544c18313bf699597fafd64da2cf9fe06a276a3f8cec8211a04e4853e2cb1d124dcbc96798
SSDEEP

12288:WMrpy90fOHyXBqJibmBza9dc7uYHjj37A79T/0dvv3UiweOPQa+aXEW8SqolTU7Q:HyJHGsaTcfHf3kRsNciwrPQa+dW87YTN

Score

10^/10

redline infostealer persistence stealer

Malware Config

Signatures

Detects Redline Stealer samples 1 IoCs

This rule detects the presence of Redline Stealer samples based on their unique strings.

stealer

resource	yara_rule
behavioral2/memory/1076-148-0x00000000080B0000-0x00000000086C8000-memory.dmp	redline_stealer

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Executes dropped EXE 2 IoCs

pid	Process
2180	x5818055.exe
1076	g6509270.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	3368176c9021efc27f157714ce44b328a5e08d02f92ab536fd2cade22e7540fa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	3368176c9021efc27f157714ce44b328a5e08d02f92ab536fd2cade22e7540fa.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	x5818055.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	x5818055.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 3192 wrote to memory of 2180	3192	3368176c9021efc27f157714ce44b328a5e08d02f92ab536fd2cade22e7540fa.exe	82
PID 3192 wrote to memory of 2180	3192	3368176c9021efc27f157714ce44b328a5e08d02f92ab536fd2cade22e7540fa.exe	82
PID 3192 wrote to memory of 2180	3192	3368176c9021efc27f157714ce44b328a5e08d02f92ab536fd2cade22e7540fa.exe	82
PID 2180 wrote to memory of 1076	2180	x5818055.exe	83
PID 2180 wrote to memory of 1076	2180	x5818055.exe	83
PID 2180 wrote to memory of 1076	2180	x5818055.exe	83

C:\Users\Admin\AppData\Local\Temp\3368176c9021efc27f157714ce44b328a5e08d02f92ab536fd2cade22e7540fa.exe
"C:\Users\Admin\AppData\Local\Temp\3368176c9021efc27f157714ce44b328a5e08d02f92ab536fd2cade22e7540fa.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3192
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x5818055.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x5818055.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:2180
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g6509270.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g6509270.exe
    3⤵
    - Executes dropped EXE
    PID:1076

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x5818055.exe

Filesize
417KB

MD5
3ed21807239d107a9bd6f39268527c57

SHA1
8e511118dd6f1ceb50fc1af675456ebfe57fa232

SHA256
c1bb181a9fc23aebfda44e1b7d8e52f6b8e07b104d9e7e7b3860f33d8a014730

SHA512
ad49d11af1208ee3e0dca2a04593b76e8d5b4efa3abcbe9468337877f025a9f2cac00223cc8e2d3573db726cc3e6ec8124f8b480c94ef20f64044c6c12beba64

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x5818055.exe

Filesize
417KB

MD5
3ed21807239d107a9bd6f39268527c57

SHA1
8e511118dd6f1ceb50fc1af675456ebfe57fa232

SHA256
c1bb181a9fc23aebfda44e1b7d8e52f6b8e07b104d9e7e7b3860f33d8a014730

SHA512
ad49d11af1208ee3e0dca2a04593b76e8d5b4efa3abcbe9468337877f025a9f2cac00223cc8e2d3573db726cc3e6ec8124f8b480c94ef20f64044c6c12beba64

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g6509270.exe

Filesize
136KB

MD5
0270979bbf3484edd73278130c446f5d

SHA1
64384fe5ece88911be2e47abae471834b042f916

SHA256
cbe5626a663dba36bb09c157899bdd0635408ebf180e09c340a9ed8b1fc4e6d6

SHA512
ed37fe4ae19c8ea579470c4be0c855b7452a9c7306617826bd90758f85d24f311494da9a55f490355d56d263ff6a7b5577c7d49963de9851432a0cdcdde1c07e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g6509270.exe

Filesize
136KB

MD5
0270979bbf3484edd73278130c446f5d

SHA1
64384fe5ece88911be2e47abae471834b042f916

SHA256
cbe5626a663dba36bb09c157899bdd0635408ebf180e09c340a9ed8b1fc4e6d6

SHA512
ed37fe4ae19c8ea579470c4be0c855b7452a9c7306617826bd90758f85d24f311494da9a55f490355d56d263ff6a7b5577c7d49963de9851432a0cdcdde1c07e

Download Submit
memory/1076-147-0x0000000000E20000-0x0000000000E48000-memory.dmp

Filesize
160KB

Download
memory/1076-148-0x00000000080B0000-0x00000000086C8000-memory.dmp

Filesize
6.1MB

Download
memory/1076-149-0x0000000007B50000-0x0000000007B62000-memory.dmp

Filesize
72KB

Download
memory/1076-150-0x0000000007C80000-0x0000000007D8A000-memory.dmp

Filesize
1.0MB

Download
memory/1076-151-0x0000000007EB0000-0x0000000007EC0000-memory.dmp

Filesize
64KB

Download
memory/1076-152-0x0000000007BB0000-0x0000000007BEC000-memory.dmp

Filesize
240KB

Download
memory/1076-153-0x0000000007EB0000-0x0000000007EC0000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing