redline | 35c202bfe7f86976531ab2e87f23c7d1a66648af312db25d1fff4c97df26a06f

General

Target

35c202bfe7f86976531ab2e87f23c7d1a66648af312db25d1fff4c97df26a06f.exe
Size

599KB
MD5

80aeb93aa49ddc9b56bba4617dadfc7a
SHA1

f2d03b1af84b222ced11c4d30583b56daccb03da
SHA256

35c202bfe7f86976531ab2e87f23c7d1a66648af312db25d1fff4c97df26a06f
SHA512

135db8784e39c33977006442776b7a906abba19f4755d18c7a990ca2cb52ce73393183babdf6c0d1e42fffc3f4cb63e59d92e1c025f8c39f5ebe99c99246c4b2
SSDEEP

12288:RMrJy900pubB1HoX1IbSlGsgoT83Y69IBxF08sTXqSAvT:IyqBlgaGlwppGBxF08sTaSq

Score

10^/10

redline infostealer persistence stealer

Malware Config

Signatures

Detects Redline Stealer samples 1 IoCs

This rule detects the presence of Redline Stealer samples based on their unique strings.

stealer

resource	yara_rule
behavioral2/memory/3748-148-0x0000000007440000-0x0000000007A58000-memory.dmp	redline_stealer

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Executes dropped EXE 2 IoCs

pid	Process
2920	y1913773.exe
3748	k6553588.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	35c202bfe7f86976531ab2e87f23c7d1a66648af312db25d1fff4c97df26a06f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	35c202bfe7f86976531ab2e87f23c7d1a66648af312db25d1fff4c97df26a06f.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	y1913773.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	y1913773.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 2544 wrote to memory of 2920	2544	35c202bfe7f86976531ab2e87f23c7d1a66648af312db25d1fff4c97df26a06f.exe	84
PID 2544 wrote to memory of 2920	2544	35c202bfe7f86976531ab2e87f23c7d1a66648af312db25d1fff4c97df26a06f.exe	84
PID 2544 wrote to memory of 2920	2544	35c202bfe7f86976531ab2e87f23c7d1a66648af312db25d1fff4c97df26a06f.exe	84
PID 2920 wrote to memory of 3748	2920	y1913773.exe	85
PID 2920 wrote to memory of 3748	2920	y1913773.exe	85
PID 2920 wrote to memory of 3748	2920	y1913773.exe	85

C:\Users\Admin\AppData\Local\Temp\35c202bfe7f86976531ab2e87f23c7d1a66648af312db25d1fff4c97df26a06f.exe
"C:\Users\Admin\AppData\Local\Temp\35c202bfe7f86976531ab2e87f23c7d1a66648af312db25d1fff4c97df26a06f.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2544
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y1913773.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y1913773.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:2920
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k6553588.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k6553588.exe
    3⤵
    - Executes dropped EXE
    PID:3748

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y1913773.exe

Filesize
307KB

MD5
f1c7037362df4933056786d6b48fa356

SHA1
51a27f73fff1f768908f8d9c35e1ba0747429bcf

SHA256
ce0b70c77ddcc6ec5e886aead610b4d5208ff531ed3f221f8098fffd770cf1d5

SHA512
deaef8cc087fe76bbb5fb8c38dc5c7635382255d14b5f598e261f17b5bdee272232b52fc6618e033bdfb901eaf1649c7f8088c6a38de09ab5c53df263353fd68

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y1913773.exe

Filesize
307KB

MD5
f1c7037362df4933056786d6b48fa356

SHA1
51a27f73fff1f768908f8d9c35e1ba0747429bcf

SHA256
ce0b70c77ddcc6ec5e886aead610b4d5208ff531ed3f221f8098fffd770cf1d5

SHA512
deaef8cc087fe76bbb5fb8c38dc5c7635382255d14b5f598e261f17b5bdee272232b52fc6618e033bdfb901eaf1649c7f8088c6a38de09ab5c53df263353fd68

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k6553588.exe

Filesize
136KB

MD5
7d7bf850d6751741f0ad5c68dbf2a479

SHA1
866af70b6bfa408ef0753f189e5804ca8ac51200

SHA256
f36dbf5d68a63a203685cc2ac6946d85cb80f92b9d93d6cebd30bf42afd5bff5

SHA512
cbad66cfc28955f92f5488b519e24b42b076958e1ba79e4e3201e6e7f35fdb9465fce14f4c9feaf558da51234634d3aa35be46c1512ffca603258ff877d81222

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k6553588.exe

Filesize
136KB

MD5
7d7bf850d6751741f0ad5c68dbf2a479

SHA1
866af70b6bfa408ef0753f189e5804ca8ac51200

SHA256
f36dbf5d68a63a203685cc2ac6946d85cb80f92b9d93d6cebd30bf42afd5bff5

SHA512
cbad66cfc28955f92f5488b519e24b42b076958e1ba79e4e3201e6e7f35fdb9465fce14f4c9feaf558da51234634d3aa35be46c1512ffca603258ff877d81222

Download Submit
memory/3748-147-0x0000000000170000-0x0000000000198000-memory.dmp

Filesize
160KB

Download
memory/3748-148-0x0000000007440000-0x0000000007A58000-memory.dmp

Filesize
6.1MB

Download
memory/3748-149-0x0000000006EA0000-0x0000000006EB2000-memory.dmp

Filesize
72KB

Download
memory/3748-150-0x0000000006FD0000-0x00000000070DA000-memory.dmp

Filesize
1.0MB

Download
memory/3748-151-0x0000000006F80000-0x0000000006F90000-memory.dmp

Filesize
64KB

Download
memory/3748-152-0x0000000006F00000-0x0000000006F3C000-memory.dmp

Filesize
240KB

Download
memory/3748-153-0x0000000006F80000-0x0000000006F90000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing