redline | 3393e925480732e15e616ae5df5755ebae98ed2b9b2ea58cdfab8b20132e4395

General

Target

3393e925480732e15e616ae5df5755ebae98ed2b9b2ea58cdfab8b20132e4395.exe
Size

376KB
MD5

8b82dcd4258e70fe99cfc9017c97b67c
SHA1

9b120a9cd65a9660cbea61782d0c9c7d180a3655
SHA256

3393e925480732e15e616ae5df5755ebae98ed2b9b2ea58cdfab8b20132e4395
SHA512

ef3e5c3006399e2a6c4bf3fb11afd3b04c1a5dbbb9e509b8854177230165aa81921fc9f3103dbd06b4c402aad40c86258daf8b8e97d6c908c909ef6be2ec6973
SSDEEP

6144:K1y+bnr+fp0yN90QE7X7zbfzy+zH0tWKiamOdP/N967qtAbB+S1Ma6Vc+:7Mrry90h7fu+gEKiAk7qtAbYqMDVc+

Score

10^/10

redline infostealer persistence stealer

Malware Config

Signatures

Detects Redline Stealer samples 1 IoCs

This rule detects the presence of Redline Stealer samples based on their unique strings.

stealer

resource	yara_rule
behavioral2/memory/1168-148-0x0000000007A80000-0x0000000008098000-memory.dmp	redline_stealer

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Executes dropped EXE 2 IoCs

pid	Process
4744	x5275479.exe
1168	g0493495.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	3393e925480732e15e616ae5df5755ebae98ed2b9b2ea58cdfab8b20132e4395.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	x5275479.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	x5275479.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	3393e925480732e15e616ae5df5755ebae98ed2b9b2ea58cdfab8b20132e4395.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 4868 wrote to memory of 4744	4868	3393e925480732e15e616ae5df5755ebae98ed2b9b2ea58cdfab8b20132e4395.exe	80
PID 4868 wrote to memory of 4744	4868	3393e925480732e15e616ae5df5755ebae98ed2b9b2ea58cdfab8b20132e4395.exe	80
PID 4868 wrote to memory of 4744	4868	3393e925480732e15e616ae5df5755ebae98ed2b9b2ea58cdfab8b20132e4395.exe	80
PID 4744 wrote to memory of 1168	4744	x5275479.exe	81
PID 4744 wrote to memory of 1168	4744	x5275479.exe	81
PID 4744 wrote to memory of 1168	4744	x5275479.exe	81

C:\Users\Admin\AppData\Local\Temp\3393e925480732e15e616ae5df5755ebae98ed2b9b2ea58cdfab8b20132e4395.exe
"C:\Users\Admin\AppData\Local\Temp\3393e925480732e15e616ae5df5755ebae98ed2b9b2ea58cdfab8b20132e4395.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4868
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x5275479.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x5275479.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:4744
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g0493495.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g0493495.exe
    3⤵
    - Executes dropped EXE
    PID:1168

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x5275479.exe

Filesize
204KB

MD5
b5a5b117d5aff7e8ae12f14d4d27d3fc

SHA1
db02da7fe049e213be127b2672e11524a76705a7

SHA256
fe1ad78b85461b459043c393f7fe635c187c112fed3ac790dad4ea0f13f7ae12

SHA512
1fb1e61f76aeb82b1719d872512a20a7975daa9e261ecd8215e30a500935b01e0613744edee898b0e32c707cdfa1bc4be312d7a505bb6c0d15db6c22b500b7dc

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x5275479.exe

Filesize
204KB

MD5
b5a5b117d5aff7e8ae12f14d4d27d3fc

SHA1
db02da7fe049e213be127b2672e11524a76705a7

SHA256
fe1ad78b85461b459043c393f7fe635c187c112fed3ac790dad4ea0f13f7ae12

SHA512
1fb1e61f76aeb82b1719d872512a20a7975daa9e261ecd8215e30a500935b01e0613744edee898b0e32c707cdfa1bc4be312d7a505bb6c0d15db6c22b500b7dc

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g0493495.exe

Filesize
136KB

MD5
8f30f7f88229560306c5959c605316de

SHA1
36f26a905a9743f6dd1608e39b37d1116cafcc0a

SHA256
3a616b322cc7ca87e349b8ceabb92062ed0388308d1f9221e9cdb6f65c86b6f7

SHA512
267d0f3954c416dc994e3c3e6790f6997598b71fdb7172e87265b31b7593fb29e9eb4cc295a38b969d1f2aa131b5a67525e0f4bb51a61a3dd82b7c63b867f9a0

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g0493495.exe

Filesize
136KB

MD5
8f30f7f88229560306c5959c605316de

SHA1
36f26a905a9743f6dd1608e39b37d1116cafcc0a

SHA256
3a616b322cc7ca87e349b8ceabb92062ed0388308d1f9221e9cdb6f65c86b6f7

SHA512
267d0f3954c416dc994e3c3e6790f6997598b71fdb7172e87265b31b7593fb29e9eb4cc295a38b969d1f2aa131b5a67525e0f4bb51a61a3dd82b7c63b867f9a0

Download Submit
memory/1168-147-0x00000000006B0000-0x00000000006D8000-memory.dmp

Filesize
160KB

Download
memory/1168-148-0x0000000007A80000-0x0000000008098000-memory.dmp

Filesize
6.1MB

Download
memory/1168-149-0x0000000007500000-0x0000000007512000-memory.dmp

Filesize
72KB

Download
memory/1168-150-0x0000000007630000-0x000000000773A000-memory.dmp

Filesize
1.0MB

Download
memory/1168-151-0x0000000007590000-0x00000000075A0000-memory.dmp

Filesize
64KB

Download
memory/1168-152-0x00000000075A0000-0x00000000075DC000-memory.dmp

Filesize
240KB

Download
memory/1168-153-0x0000000007590000-0x00000000075A0000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing