redline | 1233aee5e3d608f415dc0315fcd507e245c676eb927cb6f7c52e96c618a506ef

General

Target

1233aee5e3d608f415dc0315fcd507e245c676eb927cb6f7c52e96c618a506ef.exe
Size

376KB
MD5

6b5435940a9db7a53aa1b005ea2699b4
SHA1

57c0008081904d4eb4e19da176a503d2a055ba9e
SHA256

1233aee5e3d608f415dc0315fcd507e245c676eb927cb6f7c52e96c618a506ef
SHA512

cf711c74e254757860111043345745ec56304f4dc6b5e1aabe583de60a882a0871ed0d40cf91c8515ab8a2cc381c9535edd1eccce63f5baa094eda2518abc67c
SSDEEP

6144:KFy+bnr++p0yN90QEaIaRfitxqjblnT/qS1u3NJZkOSQteffAyQ:jMriy906RKPAlnTiSiNwbQEAyQ

Score

10^/10

redline infostealer persistence stealer

Malware Config

Signatures

Detects Redline Stealer samples 1 IoCs

This rule detects the presence of Redline Stealer samples based on their unique strings.

stealer

resource	yara_rule
behavioral2/memory/4988-148-0x0000000007C50000-0x0000000008268000-memory.dmp	redline_stealer

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Executes dropped EXE 2 IoCs

pid	Process
4456	x2500785.exe
4988	g4235049.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	1233aee5e3d608f415dc0315fcd507e245c676eb927cb6f7c52e96c618a506ef.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	1233aee5e3d608f415dc0315fcd507e245c676eb927cb6f7c52e96c618a506ef.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	x2500785.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	x2500785.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 2228 wrote to memory of 4456	2228	1233aee5e3d608f415dc0315fcd507e245c676eb927cb6f7c52e96c618a506ef.exe	82
PID 2228 wrote to memory of 4456	2228	1233aee5e3d608f415dc0315fcd507e245c676eb927cb6f7c52e96c618a506ef.exe	82
PID 2228 wrote to memory of 4456	2228	1233aee5e3d608f415dc0315fcd507e245c676eb927cb6f7c52e96c618a506ef.exe	82
PID 4456 wrote to memory of 4988	4456	x2500785.exe	83
PID 4456 wrote to memory of 4988	4456	x2500785.exe	83
PID 4456 wrote to memory of 4988	4456	x2500785.exe	83

C:\Users\Admin\AppData\Local\Temp\1233aee5e3d608f415dc0315fcd507e245c676eb927cb6f7c52e96c618a506ef.exe
"C:\Users\Admin\AppData\Local\Temp\1233aee5e3d608f415dc0315fcd507e245c676eb927cb6f7c52e96c618a506ef.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2228
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x2500785.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x2500785.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:4456
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g4235049.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g4235049.exe
    3⤵
    - Executes dropped EXE
    PID:4988

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x2500785.exe

Filesize
204KB

MD5
d4a6904ae8d719086317c061a24247b5

SHA1
bfc05ab68b1411d9cd4591d6c28d7410c8272b2e

SHA256
1db760e115af9d274b875588485cffa3acc3d7030d06a649871ed87ac4b6857d

SHA512
f9702983b3b3a2d65aa1361ade4f1ec6273779e655220b85aeb09e623274a9d597b50cc4fd921239d70057eca4587172280b6b8f6ec3917795885525b9d0ad17

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x2500785.exe

Filesize
204KB

MD5
d4a6904ae8d719086317c061a24247b5

SHA1
bfc05ab68b1411d9cd4591d6c28d7410c8272b2e

SHA256
1db760e115af9d274b875588485cffa3acc3d7030d06a649871ed87ac4b6857d

SHA512
f9702983b3b3a2d65aa1361ade4f1ec6273779e655220b85aeb09e623274a9d597b50cc4fd921239d70057eca4587172280b6b8f6ec3917795885525b9d0ad17

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g4235049.exe

Filesize
136KB

MD5
8f30f7f88229560306c5959c605316de

SHA1
36f26a905a9743f6dd1608e39b37d1116cafcc0a

SHA256
3a616b322cc7ca87e349b8ceabb92062ed0388308d1f9221e9cdb6f65c86b6f7

SHA512
267d0f3954c416dc994e3c3e6790f6997598b71fdb7172e87265b31b7593fb29e9eb4cc295a38b969d1f2aa131b5a67525e0f4bb51a61a3dd82b7c63b867f9a0

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g4235049.exe

Filesize
136KB

MD5
8f30f7f88229560306c5959c605316de

SHA1
36f26a905a9743f6dd1608e39b37d1116cafcc0a

SHA256
3a616b322cc7ca87e349b8ceabb92062ed0388308d1f9221e9cdb6f65c86b6f7

SHA512
267d0f3954c416dc994e3c3e6790f6997598b71fdb7172e87265b31b7593fb29e9eb4cc295a38b969d1f2aa131b5a67525e0f4bb51a61a3dd82b7c63b867f9a0

Download Submit
memory/4988-147-0x0000000000990000-0x00000000009B8000-memory.dmp

Filesize
160KB

Download
memory/4988-148-0x0000000007C50000-0x0000000008268000-memory.dmp

Filesize
6.1MB

Download
memory/4988-149-0x00000000076C0000-0x00000000076D2000-memory.dmp

Filesize
72KB

Download
memory/4988-150-0x00000000077F0000-0x00000000078FA000-memory.dmp

Filesize
1.0MB

Download
memory/4988-151-0x0000000007720000-0x000000000775C000-memory.dmp

Filesize
240KB

Download
memory/4988-152-0x00000000077C0000-0x00000000077D0000-memory.dmp

Filesize
64KB

Download
memory/4988-153-0x00000000077C0000-0x00000000077D0000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing