redline | 359b94ffcdbf0c25281017d4c13855b6f64814b43f9aaa00930c429328ca246f

General

Target

359b94ffcdbf0c25281017d4c13855b6f64814b43f9aaa00930c429328ca246f.exe
Size

708KB
MD5

fe17086a75844f486a61653bfb3b8541
SHA1

3c03377a559be9bdbc1bf1ee3469b43dffcbf42c
SHA256

359b94ffcdbf0c25281017d4c13855b6f64814b43f9aaa00930c429328ca246f
SHA512

06c4eb22a52df90bc23ca826fcce5cc700a58db1fe551a2295ce7324316f841f82bb9fe33fa36bd63557a464764bb3638388c69a088238277f98449ee4515623
SSDEEP

12288:VMrRy90Cy8d7H/yKtXgJSj5jj4zhsQvSUEf/ELZ7HDo:0ymuzqKKJSFj4zh0UIElDDo

Score

10^/10

redline daris infostealer persistence stealer

Malware Config

Extracted

Family

redline

Botnet

daris

C2

217.196.96.56:4138

Attributes

auth_value
3491f24ae0250969cd45ce4b3fe77549

Signatures

Detects Redline Stealer samples 1 IoCs

This rule detects the presence of Redline Stealer samples based on their unique strings.

stealer

resource	yara_rule
behavioral2/memory/856-148-0x000000000AD90000-0x000000000B3A8000-memory.dmp	redline_stealer

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Executes dropped EXE 2 IoCs

pid	Process
1692	x1227727.exe
856	g6073181.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	359b94ffcdbf0c25281017d4c13855b6f64814b43f9aaa00930c429328ca246f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	359b94ffcdbf0c25281017d4c13855b6f64814b43f9aaa00930c429328ca246f.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	x1227727.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	x1227727.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 2804 wrote to memory of 1692	2804	359b94ffcdbf0c25281017d4c13855b6f64814b43f9aaa00930c429328ca246f.exe	84
PID 2804 wrote to memory of 1692	2804	359b94ffcdbf0c25281017d4c13855b6f64814b43f9aaa00930c429328ca246f.exe	84
PID 2804 wrote to memory of 1692	2804	359b94ffcdbf0c25281017d4c13855b6f64814b43f9aaa00930c429328ca246f.exe	84
PID 1692 wrote to memory of 856	1692	x1227727.exe	85
PID 1692 wrote to memory of 856	1692	x1227727.exe	85
PID 1692 wrote to memory of 856	1692	x1227727.exe	85

C:\Users\Admin\AppData\Local\Temp\359b94ffcdbf0c25281017d4c13855b6f64814b43f9aaa00930c429328ca246f.exe
"C:\Users\Admin\AppData\Local\Temp\359b94ffcdbf0c25281017d4c13855b6f64814b43f9aaa00930c429328ca246f.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2804
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x1227727.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x1227727.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:1692
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g6073181.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g6073181.exe
    3⤵
    - Executes dropped EXE
    PID:856

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x1227727.exe

Filesize
416KB

MD5
28595a6752bdc0f7650a0486159591ad

SHA1
038346de0bdda94c6cdc966aac9d4fd5b20160dd

SHA256
2ed8bf3e22b87f7ac9e032bbf1d619df7ab92e5e9cf6b67ec938d0357711def1

SHA512
a8ebca7003b5cc11d62a9e8d455078f49caeb620f59e8f2ebabec73c391bb74803e71a4bce4c03bbbe3912913bf8581731a7c32c31944ca46e033ad89d75f3a1

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x1227727.exe

Filesize
416KB

MD5
28595a6752bdc0f7650a0486159591ad

SHA1
038346de0bdda94c6cdc966aac9d4fd5b20160dd

SHA256
2ed8bf3e22b87f7ac9e032bbf1d619df7ab92e5e9cf6b67ec938d0357711def1

SHA512
a8ebca7003b5cc11d62a9e8d455078f49caeb620f59e8f2ebabec73c391bb74803e71a4bce4c03bbbe3912913bf8581731a7c32c31944ca46e033ad89d75f3a1

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g6073181.exe

Filesize
168KB

MD5
3d3b79d0b0ea8a1eb1c6cd3042d89693

SHA1
bae1b7089094b257b6c364087f178e557d442e6a

SHA256
158a6c7224ee661f04d3f0a9335a81211106c99c56d9a9e3b3ed4f170fe6f401

SHA512
bc2122c7a7d0a618f52c7958e4c275ff31cd9add4ba3dc1c4ffe4785cad23f9352c51b989a0b226a8cad8d67d3122376d84518e8de1c437556772e2d85445b37

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g6073181.exe

Filesize
168KB

MD5
3d3b79d0b0ea8a1eb1c6cd3042d89693

SHA1
bae1b7089094b257b6c364087f178e557d442e6a

SHA256
158a6c7224ee661f04d3f0a9335a81211106c99c56d9a9e3b3ed4f170fe6f401

SHA512
bc2122c7a7d0a618f52c7958e4c275ff31cd9add4ba3dc1c4ffe4785cad23f9352c51b989a0b226a8cad8d67d3122376d84518e8de1c437556772e2d85445b37

Download Submit
memory/856-147-0x00000000008F0000-0x000000000091E000-memory.dmp

Filesize
184KB

Download
memory/856-148-0x000000000AD90000-0x000000000B3A8000-memory.dmp

Filesize
6.1MB

Download
memory/856-149-0x000000000A880000-0x000000000A98A000-memory.dmp

Filesize
1.0MB

Download
memory/856-150-0x000000000A7A0000-0x000000000A7B2000-memory.dmp

Filesize
72KB

Download
memory/856-151-0x000000000A800000-0x000000000A83C000-memory.dmp

Filesize
240KB

Download
memory/856-152-0x00000000051E0000-0x00000000051F0000-memory.dmp

Filesize
64KB

Download
memory/856-153-0x00000000051E0000-0x00000000051F0000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing