redline | 18c718e9a0037146b44d968bfab4c7c0ab195396e0a8c9f4394f6b82d0f8ab72

General

Target

18c718e9a0037146b44d968bfab4c7c0ab195396e0a8c9f4394f6b82d0f8ab72.exe
Size

480KB
MD5

4d91be6f3eddafadb1db23c080a37e27
SHA1

66503ff75a31b7c642342bb8801ba7d94202de9a
SHA256

18c718e9a0037146b44d968bfab4c7c0ab195396e0a8c9f4394f6b82d0f8ab72
SHA512

f78dadb950b7c2424b9a75216e87ac7dccb341203a63a90c44afe6a433b7f0e2eca2c372158196754fb96fe43b5586de84d75b6bf73908f012654eb7056404ff
SSDEEP

12288:/Mrjy90iOT7wS/gn499YZXDKrJyw+T/U53SBe9n:Uy4d/gn49zf+453Dn

Score

10^/10

redline daris infostealer persistence stealer

Malware Config

Extracted

Family

redline

Botnet

daris

C2

217.196.96.56:4138

Attributes

auth_value
3491f24ae0250969cd45ce4b3fe77549

Signatures

Detects Redline Stealer samples 1 IoCs

This rule detects the presence of Redline Stealer samples based on their unique strings.

stealer

resource	yara_rule
behavioral2/memory/2712-148-0x0000000005D80000-0x0000000006398000-memory.dmp	redline_stealer

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Executes dropped EXE 2 IoCs

pid	Process
2076	y0469988.exe
2712	k3623346.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	18c718e9a0037146b44d968bfab4c7c0ab195396e0a8c9f4394f6b82d0f8ab72.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	18c718e9a0037146b44d968bfab4c7c0ab195396e0a8c9f4394f6b82d0f8ab72.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	y0469988.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	y0469988.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 448 wrote to memory of 2076	448	18c718e9a0037146b44d968bfab4c7c0ab195396e0a8c9f4394f6b82d0f8ab72.exe	85
PID 448 wrote to memory of 2076	448	18c718e9a0037146b44d968bfab4c7c0ab195396e0a8c9f4394f6b82d0f8ab72.exe	85
PID 448 wrote to memory of 2076	448	18c718e9a0037146b44d968bfab4c7c0ab195396e0a8c9f4394f6b82d0f8ab72.exe	85
PID 2076 wrote to memory of 2712	2076	y0469988.exe	86
PID 2076 wrote to memory of 2712	2076	y0469988.exe	86
PID 2076 wrote to memory of 2712	2076	y0469988.exe	86

C:\Users\Admin\AppData\Local\Temp\18c718e9a0037146b44d968bfab4c7c0ab195396e0a8c9f4394f6b82d0f8ab72.exe
"C:\Users\Admin\AppData\Local\Temp\18c718e9a0037146b44d968bfab4c7c0ab195396e0a8c9f4394f6b82d0f8ab72.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:448
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y0469988.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y0469988.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:2076
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k3623346.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k3623346.exe
    3⤵
    - Executes dropped EXE
    PID:2712

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y0469988.exe

Filesize
308KB

MD5
315c260d34d0ab8035ce78e94b4759ce

SHA1
9acf11e4193ddf7f33a0abaeb1f13559be9edc15

SHA256
60b0c6b8999a7134e3ae06e2239ccfcf189a93e7a7c8bc7dfb5e79f59dff1686

SHA512
807cb2522821dacc7e5539047e55f24f7ad346b4458ae75c7b3228a95dcf9aaec266b4f6a22692f6d6572157d0cf4ba19660403ef72cfc166d54df42064019e9

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y0469988.exe

Filesize
308KB

MD5
315c260d34d0ab8035ce78e94b4759ce

SHA1
9acf11e4193ddf7f33a0abaeb1f13559be9edc15

SHA256
60b0c6b8999a7134e3ae06e2239ccfcf189a93e7a7c8bc7dfb5e79f59dff1686

SHA512
807cb2522821dacc7e5539047e55f24f7ad346b4458ae75c7b3228a95dcf9aaec266b4f6a22692f6d6572157d0cf4ba19660403ef72cfc166d54df42064019e9

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k3623346.exe

Filesize
168KB

MD5
d452015d400894e78add7879356a931a

SHA1
baada8b9c86c8d780865b9e2e89ee21cb6b23dca

SHA256
d323ff8cc40530853d8a9b06caf6ac44d0d1cac155dcf2112d27c4b951998552

SHA512
f79556d22061e1362683b7a9cb0a447f144c998f477d363a7695ab9f13709b9a0a32ff88a3607507631231f0723a57bc842a8eecb6dfcd91d48c2c724c3ac130

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k3623346.exe

Filesize
168KB

MD5
d452015d400894e78add7879356a931a

SHA1
baada8b9c86c8d780865b9e2e89ee21cb6b23dca

SHA256
d323ff8cc40530853d8a9b06caf6ac44d0d1cac155dcf2112d27c4b951998552

SHA512
f79556d22061e1362683b7a9cb0a447f144c998f477d363a7695ab9f13709b9a0a32ff88a3607507631231f0723a57bc842a8eecb6dfcd91d48c2c724c3ac130

Download Submit
memory/2712-147-0x0000000000CD0000-0x0000000000CFE000-memory.dmp

Filesize
184KB

Download
memory/2712-148-0x0000000005D80000-0x0000000006398000-memory.dmp

Filesize
6.1MB

Download
memory/2712-149-0x0000000005870000-0x000000000597A000-memory.dmp

Filesize
1.0MB

Download
memory/2712-150-0x0000000005760000-0x0000000005772000-memory.dmp

Filesize
72KB

Download
memory/2712-152-0x00000000057C0000-0x00000000057FC000-memory.dmp

Filesize
240KB

Download
memory/2712-151-0x0000000005750000-0x0000000005760000-memory.dmp

Filesize
64KB

Download
memory/2712-153-0x0000000005750000-0x0000000005760000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing