redline | 1a87eb307b59442cc8357e10abe2bc51640c69af18c7c6c1d4271bdd519d4e80

General

Target

1a87eb307b59442cc8357e10abe2bc51640c69af18c7c6c1d4271bdd519d4e80.exe
Size

376KB
MD5

ae5976d5f9b72f7051595d62d92398dc
SHA1

43ab360add906bc779d5e91edbaab23475182282
SHA256

1a87eb307b59442cc8357e10abe2bc51640c69af18c7c6c1d4271bdd519d4e80
SHA512

3dc417c7918d3f181b3b68d672ad8386e2dd3bf07922cd89023c0fc5850c334060b967f33a6e81085a56b70719d11235385fdd3bde785fa0d2304791dfb4950b
SSDEEP

6144:KBy+bnr+rp0yN90QESM4WbXtTqmrGjc//WzHxrlDiOEl4w8MlwurTc:zMr3y90EMhcmrf/+z3D6lxle

Score

10^/10

redline infostealer persistence stealer

Malware Config

Signatures

Detects Redline Stealer samples 1 IoCs

This rule detects the presence of Redline Stealer samples based on their unique strings.

stealer

resource	yara_rule
behavioral2/memory/2136-148-0x00000000076A0000-0x0000000007CB8000-memory.dmp	redline_stealer

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Executes dropped EXE 2 IoCs

pid	Process
4428	x4308908.exe
2136	g9221180.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	1a87eb307b59442cc8357e10abe2bc51640c69af18c7c6c1d4271bdd519d4e80.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	1a87eb307b59442cc8357e10abe2bc51640c69af18c7c6c1d4271bdd519d4e80.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	x4308908.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	x4308908.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 2148 wrote to memory of 4428	2148	1a87eb307b59442cc8357e10abe2bc51640c69af18c7c6c1d4271bdd519d4e80.exe	84
PID 2148 wrote to memory of 4428	2148	1a87eb307b59442cc8357e10abe2bc51640c69af18c7c6c1d4271bdd519d4e80.exe	84
PID 2148 wrote to memory of 4428	2148	1a87eb307b59442cc8357e10abe2bc51640c69af18c7c6c1d4271bdd519d4e80.exe	84
PID 4428 wrote to memory of 2136	4428	x4308908.exe	85
PID 4428 wrote to memory of 2136	4428	x4308908.exe	85
PID 4428 wrote to memory of 2136	4428	x4308908.exe	85

C:\Users\Admin\AppData\Local\Temp\1a87eb307b59442cc8357e10abe2bc51640c69af18c7c6c1d4271bdd519d4e80.exe
"C:\Users\Admin\AppData\Local\Temp\1a87eb307b59442cc8357e10abe2bc51640c69af18c7c6c1d4271bdd519d4e80.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2148
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x4308908.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x4308908.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:4428
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g9221180.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g9221180.exe
    3⤵
    - Executes dropped EXE
    PID:2136

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x4308908.exe

Filesize
204KB

MD5
440b2d8c65e0500f5342e42ad93da66a

SHA1
4f9af29168fa8f12342629a91a2f2ad9110f5d04

SHA256
6ad177b9212114cbdf3931b5f895c979e6cd64d1dd4fde6e1f9dec4f36d8db1d

SHA512
f791932bca1db87a20a6062faa7b7e479343b9e9494da4deb01b5291f986f53b4fe65fd7e316bb062b44b321b7cfed90a406b769e4713b8a0bd7ad6ee86de524

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x4308908.exe

Filesize
204KB

MD5
440b2d8c65e0500f5342e42ad93da66a

SHA1
4f9af29168fa8f12342629a91a2f2ad9110f5d04

SHA256
6ad177b9212114cbdf3931b5f895c979e6cd64d1dd4fde6e1f9dec4f36d8db1d

SHA512
f791932bca1db87a20a6062faa7b7e479343b9e9494da4deb01b5291f986f53b4fe65fd7e316bb062b44b321b7cfed90a406b769e4713b8a0bd7ad6ee86de524

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g9221180.exe

Filesize
136KB

MD5
8f30f7f88229560306c5959c605316de

SHA1
36f26a905a9743f6dd1608e39b37d1116cafcc0a

SHA256
3a616b322cc7ca87e349b8ceabb92062ed0388308d1f9221e9cdb6f65c86b6f7

SHA512
267d0f3954c416dc994e3c3e6790f6997598b71fdb7172e87265b31b7593fb29e9eb4cc295a38b969d1f2aa131b5a67525e0f4bb51a61a3dd82b7c63b867f9a0

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g9221180.exe

Filesize
136KB

MD5
8f30f7f88229560306c5959c605316de

SHA1
36f26a905a9743f6dd1608e39b37d1116cafcc0a

SHA256
3a616b322cc7ca87e349b8ceabb92062ed0388308d1f9221e9cdb6f65c86b6f7

SHA512
267d0f3954c416dc994e3c3e6790f6997598b71fdb7172e87265b31b7593fb29e9eb4cc295a38b969d1f2aa131b5a67525e0f4bb51a61a3dd82b7c63b867f9a0

Download Submit
memory/2136-147-0x0000000000410000-0x0000000000438000-memory.dmp

Filesize
160KB

Download
memory/2136-148-0x00000000076A0000-0x0000000007CB8000-memory.dmp

Filesize
6.1MB

Download
memory/2136-149-0x0000000007120000-0x0000000007132000-memory.dmp

Filesize
72KB

Download
memory/2136-150-0x0000000007250000-0x000000000735A000-memory.dmp

Filesize
1.0MB

Download
memory/2136-151-0x00000000071C0000-0x00000000071FC000-memory.dmp

Filesize
240KB

Download
memory/2136-152-0x0000000007170000-0x0000000007180000-memory.dmp

Filesize
64KB

Download
memory/2136-153-0x0000000007170000-0x0000000007180000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing