redline | 1c8355bc6de45bd2cbd791fb0b5100e2763ad1c9f03b9efce4b6f0ecee20ff18

General

Target

1c8355bc6de45bd2cbd791fb0b5100e2763ad1c9f03b9efce4b6f0ecee20ff18.exe
Size

707KB
MD5

5b452a762496a7568094816a77030fda
SHA1

d8bb2990967680a4014880eaf30f23c288dcb57d
SHA256

1c8355bc6de45bd2cbd791fb0b5100e2763ad1c9f03b9efce4b6f0ecee20ff18
SHA512

65c47eab5324b18bad19d0f2d17f2ba0116b444d0f9cb6ef31f64d9f3ff390ee67d544d2d288ba02c230fa228872e8fb7d04d54b5fe7c9531d8e699acb99c3da
SSDEEP

12288:lMrRy90ACRrWuYt9WNmeXAi++I3xndXIiiZgfU4xlwV6t5HdAT4BeURs07D3ub:0ybCRrKCNm0/mn6iMqaE5Hm4f+

Score

10^/10

redline infostealer persistence stealer

Malware Config

Signatures

Detects Redline Stealer samples 1 IoCs

This rule detects the presence of Redline Stealer samples based on their unique strings.

stealer

resource	yara_rule
behavioral2/memory/1428-148-0x0000000007E20000-0x0000000008438000-memory.dmp	redline_stealer

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Executes dropped EXE 2 IoCs

pid	Process
1084	x6152728.exe
1428	g8675640.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	1c8355bc6de45bd2cbd791fb0b5100e2763ad1c9f03b9efce4b6f0ecee20ff18.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	1c8355bc6de45bd2cbd791fb0b5100e2763ad1c9f03b9efce4b6f0ecee20ff18.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	x6152728.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	x6152728.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 3528 wrote to memory of 1084	3528	1c8355bc6de45bd2cbd791fb0b5100e2763ad1c9f03b9efce4b6f0ecee20ff18.exe	82
PID 3528 wrote to memory of 1084	3528	1c8355bc6de45bd2cbd791fb0b5100e2763ad1c9f03b9efce4b6f0ecee20ff18.exe	82
PID 3528 wrote to memory of 1084	3528	1c8355bc6de45bd2cbd791fb0b5100e2763ad1c9f03b9efce4b6f0ecee20ff18.exe	82
PID 1084 wrote to memory of 1428	1084	x6152728.exe	83
PID 1084 wrote to memory of 1428	1084	x6152728.exe	83
PID 1084 wrote to memory of 1428	1084	x6152728.exe	83

C:\Users\Admin\AppData\Local\Temp\1c8355bc6de45bd2cbd791fb0b5100e2763ad1c9f03b9efce4b6f0ecee20ff18.exe
"C:\Users\Admin\AppData\Local\Temp\1c8355bc6de45bd2cbd791fb0b5100e2763ad1c9f03b9efce4b6f0ecee20ff18.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3528
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x6152728.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x6152728.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:1084
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g8675640.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g8675640.exe
    3⤵
    - Executes dropped EXE
    PID:1428

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x6152728.exe

Filesize
416KB

MD5
ec48fa75c2c8e7d6b0e602e0077e7e8d

SHA1
77b8ea53584d71104b8877f8e74a05d860eaa105

SHA256
bec2c1cb8222ca8992c82c5e9e9951399d3f83622eca9263bff388c6d955a755

SHA512
16b78abe6c49a8970cde929bd5333cd1737ce1013e81df7060f2f010b9e829898a72fb60dd7d1542d7eea4aad071433758576220c57f39a0b088a19ef93994e7

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x6152728.exe

Filesize
416KB

MD5
ec48fa75c2c8e7d6b0e602e0077e7e8d

SHA1
77b8ea53584d71104b8877f8e74a05d860eaa105

SHA256
bec2c1cb8222ca8992c82c5e9e9951399d3f83622eca9263bff388c6d955a755

SHA512
16b78abe6c49a8970cde929bd5333cd1737ce1013e81df7060f2f010b9e829898a72fb60dd7d1542d7eea4aad071433758576220c57f39a0b088a19ef93994e7

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g8675640.exe

Filesize
136KB

MD5
f6d2724857ff93fdbe6887a1c56f5242

SHA1
d0ac744ec376dc00ebfafa8a08e2759ebaaf634a

SHA256
919fb943dac9320527e80c53efb3bc0b21199963977b0a1e3c47a0247b580ece

SHA512
07fe3b97bc799995f829be01b36417da5dacdd9f867ddf60ad5380435bf8edc850279e5eca5e26e7f706325052601ff039caaad2bdd0cbec57e5254c97ca6e68

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g8675640.exe

Filesize
136KB

MD5
f6d2724857ff93fdbe6887a1c56f5242

SHA1
d0ac744ec376dc00ebfafa8a08e2759ebaaf634a

SHA256
919fb943dac9320527e80c53efb3bc0b21199963977b0a1e3c47a0247b580ece

SHA512
07fe3b97bc799995f829be01b36417da5dacdd9f867ddf60ad5380435bf8edc850279e5eca5e26e7f706325052601ff039caaad2bdd0cbec57e5254c97ca6e68

Download Submit
memory/1428-147-0x0000000000BA0000-0x0000000000BC8000-memory.dmp

Filesize
160KB

Download
memory/1428-148-0x0000000007E20000-0x0000000008438000-memory.dmp

Filesize
6.1MB

Download
memory/1428-149-0x00000000078B0000-0x00000000078C2000-memory.dmp

Filesize
72KB

Download
memory/1428-150-0x00000000079E0000-0x0000000007AEA000-memory.dmp

Filesize
1.0MB

Download
memory/1428-151-0x0000000007910000-0x000000000794C000-memory.dmp

Filesize
240KB

Download
memory/1428-152-0x0000000007C40000-0x0000000007C50000-memory.dmp

Filesize
64KB

Download
memory/1428-153-0x0000000007C40000-0x0000000007C50000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing