redline | 399ee73ca5fd42f4aeda9593c0d2ce8624c81c22117a37e3c7d13673e8bf0725

General

Target

399ee73ca5fd42f4aeda9593c0d2ce8624c81c22117a37e3c7d13673e8bf0725.exe
Size

376KB
MD5

ee94fc5cc7de14385f4a7ab654990020
SHA1

fbeb5f0263a1b68c9172e6f74b23d5c89c76af95
SHA256

399ee73ca5fd42f4aeda9593c0d2ce8624c81c22117a37e3c7d13673e8bf0725
SHA512

d2986c3e8fcefb81129131c35aae593ace9303fbd507f61aa832afdfa84f076094e3760da42853f492c49a0f5a04eb21023420acbbb6bdc5dc6100afaa62b38b
SSDEEP

6144:Kdy+bnr+Hp0yN90QEH3ilc5H+X5VKQLkj2OoqMBOTs716VYz+Lhed:rMr/y90J3iidQynoOTs7oaiNed

Score

10^/10

redline infostealer persistence stealer

Malware Config

Signatures

Detects Redline Stealer samples 1 IoCs

This rule detects the presence of Redline Stealer samples based on their unique strings.

stealer

resource	yara_rule
behavioral2/memory/2316-148-0x0000000007310000-0x0000000007928000-memory.dmp	redline_stealer

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Executes dropped EXE 2 IoCs

pid	Process
2324	x8194485.exe
2316	g8398904.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	399ee73ca5fd42f4aeda9593c0d2ce8624c81c22117a37e3c7d13673e8bf0725.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	399ee73ca5fd42f4aeda9593c0d2ce8624c81c22117a37e3c7d13673e8bf0725.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	x8194485.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	x8194485.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 4092 wrote to memory of 2324	4092	399ee73ca5fd42f4aeda9593c0d2ce8624c81c22117a37e3c7d13673e8bf0725.exe	81
PID 4092 wrote to memory of 2324	4092	399ee73ca5fd42f4aeda9593c0d2ce8624c81c22117a37e3c7d13673e8bf0725.exe	81
PID 4092 wrote to memory of 2324	4092	399ee73ca5fd42f4aeda9593c0d2ce8624c81c22117a37e3c7d13673e8bf0725.exe	81
PID 2324 wrote to memory of 2316	2324	x8194485.exe	82
PID 2324 wrote to memory of 2316	2324	x8194485.exe	82
PID 2324 wrote to memory of 2316	2324	x8194485.exe	82

C:\Users\Admin\AppData\Local\Temp\399ee73ca5fd42f4aeda9593c0d2ce8624c81c22117a37e3c7d13673e8bf0725.exe
"C:\Users\Admin\AppData\Local\Temp\399ee73ca5fd42f4aeda9593c0d2ce8624c81c22117a37e3c7d13673e8bf0725.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4092
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x8194485.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x8194485.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:2324
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g8398904.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g8398904.exe
    3⤵
    - Executes dropped EXE
    PID:2316

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x8194485.exe

Filesize
204KB

MD5
47f978dafeda927083137d749241a5cb

SHA1
6c97b19fcd82b00ab2fb376edf899936c1a50767

SHA256
4d72136d289f0f955553a0610fa8beeccd4e453ed9b9829c94b5de023cf70d46

SHA512
759db6d77e9b52f0c783d0d75adc993cdb6011dd5658f0465bea68125bd2d5bc4ed5ef916c55d7280c7287ff1bf5cccf396cbde5dbefc74701cf729728467c0b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x8194485.exe

Filesize
204KB

MD5
47f978dafeda927083137d749241a5cb

SHA1
6c97b19fcd82b00ab2fb376edf899936c1a50767

SHA256
4d72136d289f0f955553a0610fa8beeccd4e453ed9b9829c94b5de023cf70d46

SHA512
759db6d77e9b52f0c783d0d75adc993cdb6011dd5658f0465bea68125bd2d5bc4ed5ef916c55d7280c7287ff1bf5cccf396cbde5dbefc74701cf729728467c0b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g8398904.exe

Filesize
136KB

MD5
8f30f7f88229560306c5959c605316de

SHA1
36f26a905a9743f6dd1608e39b37d1116cafcc0a

SHA256
3a616b322cc7ca87e349b8ceabb92062ed0388308d1f9221e9cdb6f65c86b6f7

SHA512
267d0f3954c416dc994e3c3e6790f6997598b71fdb7172e87265b31b7593fb29e9eb4cc295a38b969d1f2aa131b5a67525e0f4bb51a61a3dd82b7c63b867f9a0

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g8398904.exe

Filesize
136KB

MD5
8f30f7f88229560306c5959c605316de

SHA1
36f26a905a9743f6dd1608e39b37d1116cafcc0a

SHA256
3a616b322cc7ca87e349b8ceabb92062ed0388308d1f9221e9cdb6f65c86b6f7

SHA512
267d0f3954c416dc994e3c3e6790f6997598b71fdb7172e87265b31b7593fb29e9eb4cc295a38b969d1f2aa131b5a67525e0f4bb51a61a3dd82b7c63b867f9a0

Download Submit
memory/2316-147-0x00000000000A0000-0x00000000000C8000-memory.dmp

Filesize
160KB

Download
memory/2316-148-0x0000000007310000-0x0000000007928000-memory.dmp

Filesize
6.1MB

Download
memory/2316-149-0x0000000006DB0000-0x0000000006DC2000-memory.dmp

Filesize
72KB

Download
memory/2316-150-0x0000000006EE0000-0x0000000006FEA000-memory.dmp

Filesize
1.0MB

Download
memory/2316-151-0x0000000006E10000-0x0000000006E4C000-memory.dmp

Filesize
240KB

Download
memory/2316-152-0x0000000006EB0000-0x0000000006EC0000-memory.dmp

Filesize
64KB

Download
memory/2316-153-0x0000000006EB0000-0x0000000006EC0000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing