redline | 3b07b9c752b1da9234cadd0f6bbcf9a03a03e518605632e3d2991f9f4f6cee5c

General

Target

3b07b9c752b1da9234cadd0f6bbcf9a03a03e518605632e3d2991f9f4f6cee5c.exe
Size

566KB
MD5

5bea3d01474e5e8cd7222f54972dbbd7
SHA1

f1e4941abae4017a5bbc8c969eaf83f3b7910feb
SHA256

3b07b9c752b1da9234cadd0f6bbcf9a03a03e518605632e3d2991f9f4f6cee5c
SHA512

a5ee2c78b121ec114b3b2ebd81f10416ab9f1ac862ddbf54798f0814a804ae23d85cd33131ff6778738552d67b1db69fd15ce1f019d66db27ec9be7aa173a9f6
SSDEEP

12288:uMrdy90a53UFQM1HUg1eEu8+Z8bUkLAjpMfHm:jyhEFRJUP8+bAqcHm

Score

10^/10

redline darm infostealer persistence stealer

Malware Config

Extracted

Family

redline

Botnet

darm

C2

217.196.96.56:4138

Attributes

auth_value
d88ac8ccc04ab9979b04b46313db1648

Signatures

Detects Redline Stealer samples 1 IoCs

This rule detects the presence of Redline Stealer samples based on their unique strings.

stealer

resource	yara_rule
behavioral2/memory/2944-148-0x000000000A5B0000-0x000000000ABC8000-memory.dmp	redline_stealer

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Executes dropped EXE 2 IoCs

pid	Process
1716	y6550192.exe
2944	k3726718.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	3b07b9c752b1da9234cadd0f6bbcf9a03a03e518605632e3d2991f9f4f6cee5c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	3b07b9c752b1da9234cadd0f6bbcf9a03a03e518605632e3d2991f9f4f6cee5c.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	y6550192.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	y6550192.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 412 wrote to memory of 1716	412	3b07b9c752b1da9234cadd0f6bbcf9a03a03e518605632e3d2991f9f4f6cee5c.exe	82
PID 412 wrote to memory of 1716	412	3b07b9c752b1da9234cadd0f6bbcf9a03a03e518605632e3d2991f9f4f6cee5c.exe	82
PID 412 wrote to memory of 1716	412	3b07b9c752b1da9234cadd0f6bbcf9a03a03e518605632e3d2991f9f4f6cee5c.exe	82
PID 1716 wrote to memory of 2944	1716	y6550192.exe	83
PID 1716 wrote to memory of 2944	1716	y6550192.exe	83
PID 1716 wrote to memory of 2944	1716	y6550192.exe	83

C:\Users\Admin\AppData\Local\Temp\3b07b9c752b1da9234cadd0f6bbcf9a03a03e518605632e3d2991f9f4f6cee5c.exe
"C:\Users\Admin\AppData\Local\Temp\3b07b9c752b1da9234cadd0f6bbcf9a03a03e518605632e3d2991f9f4f6cee5c.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:412
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y6550192.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y6550192.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:1716
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k3726718.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k3726718.exe
    3⤵
    - Executes dropped EXE
    PID:2944

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y6550192.exe

Filesize
308KB

MD5
e5f6290d6806a9ccaf91d7290a99e605

SHA1
4ad107020f44bb04a347cfcad42a1d016b764ccc

SHA256
36af389aea4ef725895527072c8f096050193d87f28f013ed7478d033283b6a1

SHA512
efa30e828c70ec442fb5b25a0096541d91fcf80eafc041276aa35349f475d9897dd77963657ef3a76597681ecf77ca0a0bf1725355a2310bb2b4353abab0896b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y6550192.exe

Filesize
308KB

MD5
e5f6290d6806a9ccaf91d7290a99e605

SHA1
4ad107020f44bb04a347cfcad42a1d016b764ccc

SHA256
36af389aea4ef725895527072c8f096050193d87f28f013ed7478d033283b6a1

SHA512
efa30e828c70ec442fb5b25a0096541d91fcf80eafc041276aa35349f475d9897dd77963657ef3a76597681ecf77ca0a0bf1725355a2310bb2b4353abab0896b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k3726718.exe

Filesize
169KB

MD5
020f0bd03aef9d8550489bf3cc8f2594

SHA1
f58b3f0ec292b287c8a58bcfd21bc3d152c36c19

SHA256
16b6342c9604e9437cdf4406e0ce0f104b2c728ec316ffc3cca263709c990a0c

SHA512
ea2d5c122daf90877d4cef88d541d0adafebf6aa338409fce682913105ef3a22a7d3c0fe74cf5d12fd7867363c6468a3fdb68985ab8fd3cc302403d1d70b1c71

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k3726718.exe

Filesize
169KB

MD5
020f0bd03aef9d8550489bf3cc8f2594

SHA1
f58b3f0ec292b287c8a58bcfd21bc3d152c36c19

SHA256
16b6342c9604e9437cdf4406e0ce0f104b2c728ec316ffc3cca263709c990a0c

SHA512
ea2d5c122daf90877d4cef88d541d0adafebf6aa338409fce682913105ef3a22a7d3c0fe74cf5d12fd7867363c6468a3fdb68985ab8fd3cc302403d1d70b1c71

Download Submit
memory/2944-147-0x0000000000220000-0x0000000000250000-memory.dmp

Filesize
192KB

Download
memory/2944-148-0x000000000A5B0000-0x000000000ABC8000-memory.dmp

Filesize
6.1MB

Download
memory/2944-149-0x000000000A0A0000-0x000000000A1AA000-memory.dmp

Filesize
1.0MB

Download
memory/2944-150-0x0000000009F90000-0x0000000009FA2000-memory.dmp

Filesize
72KB

Download
memory/2944-151-0x0000000004B00000-0x0000000004B10000-memory.dmp

Filesize
64KB

Download
memory/2944-152-0x0000000009FF0000-0x000000000A02C000-memory.dmp

Filesize
240KB

Download
memory/2944-153-0x0000000004B00000-0x0000000004B10000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing