redline | 0f4c5547a09a7131c7e1e855f1e5469779e8a2242d9a581eee717906fd4d69d8

General

Target

0f4c5547a09a7131c7e1e855f1e5469779e8a2242d9a581eee717906fd4d69d8.exe
Size

643KB
MD5

23693d58857ce79fbb62ad6e1590dabd
SHA1

d31d7b29330c0b864f908604eb73824d23642dc6
SHA256

0f4c5547a09a7131c7e1e855f1e5469779e8a2242d9a581eee717906fd4d69d8
SHA512

5d07c656f8de2fc0aaeaadfc01d3b38ef724fecf2dc9dd5427ab6a28d13f45dbd4adb0c30cd508f29ced700e3b3eda54540849ef2b63c6a288726e3914f98979
SSDEEP

12288:vMr3y90nmZ4qQIcn+o5JachYZ3R8keACR966IFyOVMLlzL1fS:UyhXc+o5scEh8X66uyO0L1q

Score

10^/10

redline darm infostealer persistence stealer

Malware Config

Extracted

Family

redline

Botnet

darm

C2

217.196.96.56:4138

Attributes

auth_value
d88ac8ccc04ab9979b04b46313db1648

Signatures

Detects Redline Stealer samples 1 IoCs

This rule detects the presence of Redline Stealer samples based on their unique strings.

stealer

resource	yara_rule
behavioral2/memory/3904-148-0x00000000054A0000-0x0000000005AB8000-memory.dmp	redline_stealer

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Executes dropped EXE 2 IoCs

pid	Process
4560	x2020685.exe
3904	g7895368.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	0f4c5547a09a7131c7e1e855f1e5469779e8a2242d9a581eee717906fd4d69d8.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	x2020685.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	x2020685.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	0f4c5547a09a7131c7e1e855f1e5469779e8a2242d9a581eee717906fd4d69d8.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 4124 wrote to memory of 4560	4124	0f4c5547a09a7131c7e1e855f1e5469779e8a2242d9a581eee717906fd4d69d8.exe	84
PID 4124 wrote to memory of 4560	4124	0f4c5547a09a7131c7e1e855f1e5469779e8a2242d9a581eee717906fd4d69d8.exe	84
PID 4124 wrote to memory of 4560	4124	0f4c5547a09a7131c7e1e855f1e5469779e8a2242d9a581eee717906fd4d69d8.exe	84
PID 4560 wrote to memory of 3904	4560	x2020685.exe	85
PID 4560 wrote to memory of 3904	4560	x2020685.exe	85
PID 4560 wrote to memory of 3904	4560	x2020685.exe	85

C:\Users\Admin\AppData\Local\Temp\0f4c5547a09a7131c7e1e855f1e5469779e8a2242d9a581eee717906fd4d69d8.exe
"C:\Users\Admin\AppData\Local\Temp\0f4c5547a09a7131c7e1e855f1e5469779e8a2242d9a581eee717906fd4d69d8.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4124
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x2020685.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x2020685.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:4560
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g7895368.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g7895368.exe
    3⤵
    - Executes dropped EXE
    PID:3904

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x2020685.exe

Filesize
383KB

MD5
93f8a85c9caedb6cd7d72893fc5f04a0

SHA1
9c45ab122990f593bd4dadc0a274282ff6ecb81f

SHA256
d5091f453faec384437b3c4e7fd345f16c46d3003c015b32c46d946b5a9e1f2b

SHA512
72f0e84be9cccac6a13da4b687fdde1f0f311d5706fda993dcd9eaa6aab08e3aab90f7dfa0904f1b156e1c2edf8bd60e6596aaf54d0f9e148de603a519b2d6b0

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x2020685.exe

Filesize
383KB

MD5
93f8a85c9caedb6cd7d72893fc5f04a0

SHA1
9c45ab122990f593bd4dadc0a274282ff6ecb81f

SHA256
d5091f453faec384437b3c4e7fd345f16c46d3003c015b32c46d946b5a9e1f2b

SHA512
72f0e84be9cccac6a13da4b687fdde1f0f311d5706fda993dcd9eaa6aab08e3aab90f7dfa0904f1b156e1c2edf8bd60e6596aaf54d0f9e148de603a519b2d6b0

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g7895368.exe

Filesize
168KB

MD5
8c29a78514c0c95f91df7c2780855604

SHA1
49ea7d31a3ebc76c89bcd9213ee3f8940311afc2

SHA256
1dafb53940d8c9ce35decc5ce7e92fc8abbed7af73bb04f22cfe3b2976d877b4

SHA512
64c0270ec1a229a29dc940e9e480ffc1040f3b3c9d30d1a623dc8d9d9931a0423e0861b9f4cd1ff84e9a472c1b5c54d1cd99b77b98e519827ddc7c91e7fe0e5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g7895368.exe

Filesize
168KB

MD5
8c29a78514c0c95f91df7c2780855604

SHA1
49ea7d31a3ebc76c89bcd9213ee3f8940311afc2

SHA256
1dafb53940d8c9ce35decc5ce7e92fc8abbed7af73bb04f22cfe3b2976d877b4

SHA512
64c0270ec1a229a29dc940e9e480ffc1040f3b3c9d30d1a623dc8d9d9931a0423e0861b9f4cd1ff84e9a472c1b5c54d1cd99b77b98e519827ddc7c91e7fe0e5b

Download Submit
memory/3904-147-0x0000000000410000-0x0000000000440000-memory.dmp

Filesize
192KB

Download
memory/3904-148-0x00000000054A0000-0x0000000005AB8000-memory.dmp

Filesize
6.1MB

Download
memory/3904-149-0x0000000004F90000-0x000000000509A000-memory.dmp

Filesize
1.0MB

Download
memory/3904-150-0x0000000004EA0000-0x0000000004EB2000-memory.dmp

Filesize
72KB

Download
memory/3904-151-0x0000000004F00000-0x0000000004F3C000-memory.dmp

Filesize
240KB

Download
memory/3904-152-0x0000000004E70000-0x0000000004E80000-memory.dmp

Filesize
64KB

Download
memory/3904-153-0x0000000004E70000-0x0000000004E80000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing