redline | 2246bae0cc647efcee94e084344f5b969b7e920d3b90787263023032d42ebaa9

General

Target

2246bae0cc647efcee94e084344f5b969b7e920d3b90787263023032d42ebaa9.exe
Size

1.2MB
MD5

803632952dd0cb64851af3ffcd92d4df
SHA1

634d6f2ad92fd43f6ec626ef5f20dc30d6eae1b3
SHA256

2246bae0cc647efcee94e084344f5b969b7e920d3b90787263023032d42ebaa9
SHA512

4976369e4a482ebbb2bf0ca90697f79df71a2f0b94eeb9e47dd4a823a694a16f6894a21e33bc53a7ecd62e1054528fc18f5fec189311e11cff8c6c5a92d82603
SSDEEP

24576:pyqD4zs/8P4pChsEBB/7oOspZddYa9B5Rm3FjN9iQHzIr:cqDYs/8Pygb/7ypZn9B5RQNrHk

Score

10^/10

redline infostealer persistence stealer

Malware Config

Signatures

Detects Redline Stealer samples 1 IoCs

This rule detects the presence of Redline Stealer samples based on their unique strings.

stealer

resource	yara_rule
behavioral2/memory/1396-155-0x00000000083A0000-0x00000000089B8000-memory.dmp	redline_stealer

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Executes dropped EXE 3 IoCs

pid	Process
4208	x7245046.exe
3896	x9189549.exe
1396	g8193171.exe

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	x7245046.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	x7245046.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	x9189549.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	x9189549.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	2246bae0cc647efcee94e084344f5b969b7e920d3b90787263023032d42ebaa9.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	2246bae0cc647efcee94e084344f5b969b7e920d3b90787263023032d42ebaa9.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 2692 wrote to memory of 4208	2692	2246bae0cc647efcee94e084344f5b969b7e920d3b90787263023032d42ebaa9.exe	81
PID 2692 wrote to memory of 4208	2692	2246bae0cc647efcee94e084344f5b969b7e920d3b90787263023032d42ebaa9.exe	81
PID 2692 wrote to memory of 4208	2692	2246bae0cc647efcee94e084344f5b969b7e920d3b90787263023032d42ebaa9.exe	81
PID 4208 wrote to memory of 3896	4208	x7245046.exe	82
PID 4208 wrote to memory of 3896	4208	x7245046.exe	82
PID 4208 wrote to memory of 3896	4208	x7245046.exe	82
PID 3896 wrote to memory of 1396	3896	x9189549.exe	83
PID 3896 wrote to memory of 1396	3896	x9189549.exe	83
PID 3896 wrote to memory of 1396	3896	x9189549.exe	83

C:\Users\Admin\AppData\Local\Temp\2246bae0cc647efcee94e084344f5b969b7e920d3b90787263023032d42ebaa9.exe
"C:\Users\Admin\AppData\Local\Temp\2246bae0cc647efcee94e084344f5b969b7e920d3b90787263023032d42ebaa9.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2692
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x7245046.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x7245046.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:4208
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x9189549.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x9189549.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:3896
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\g8193171.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\g8193171.exe
      4⤵
      Executes dropped EXE
      PID:1396

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x7245046.exe

Filesize
914KB

MD5
d29fb5d8dbc08b1e63a6ef5ccf018b5b

SHA1
f53c29a28fb8738f2ec81e87ec28e3c1e22e56cf

SHA256
fd15108238897b1ecc3c0aa53dc0377288f3b38d4a18db006f2b190d84ea8438

SHA512
284b1233a40e0072ed398c1f9fb116d3e994aa5ad47c44afcb5646e03e7354d5a9596910521b182a2f09bcbe90e559f9d00f3757b4454244579596e24c5e45eb

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x7245046.exe

Filesize
914KB

MD5
d29fb5d8dbc08b1e63a6ef5ccf018b5b

SHA1
f53c29a28fb8738f2ec81e87ec28e3c1e22e56cf

SHA256
fd15108238897b1ecc3c0aa53dc0377288f3b38d4a18db006f2b190d84ea8438

SHA512
284b1233a40e0072ed398c1f9fb116d3e994aa5ad47c44afcb5646e03e7354d5a9596910521b182a2f09bcbe90e559f9d00f3757b4454244579596e24c5e45eb

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x9189549.exe

Filesize
416KB

MD5
b3ef01c2e281fa6bfe2d85c48448f629

SHA1
e5e87554229eb4b1148bc2ad50697640531d8a25

SHA256
76985092eca6335a32c2a7029233885259d59a672f117d5b4920dae25786e54f

SHA512
b4c1214ff2674e266df869c02d5540ab1014c2ac03d82c4812ba8b002f39feea35ed35f857423e8f4be65a0e68842430c94b1f1e2973ccc50730cfe9495c2540

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x9189549.exe

Filesize
416KB

MD5
b3ef01c2e281fa6bfe2d85c48448f629

SHA1
e5e87554229eb4b1148bc2ad50697640531d8a25

SHA256
76985092eca6335a32c2a7029233885259d59a672f117d5b4920dae25786e54f

SHA512
b4c1214ff2674e266df869c02d5540ab1014c2ac03d82c4812ba8b002f39feea35ed35f857423e8f4be65a0e68842430c94b1f1e2973ccc50730cfe9495c2540

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\g8193171.exe

Filesize
136KB

MD5
ac79af1d38d97d9cb165b104ec1e5cbe

SHA1
c4b57a4b77f7d0551ea758a8284b1327ec05a39b

SHA256
7027de7c8c67a0a1d88fd0241eaa1d2d5bafea7e2c9c968093ce750e564e5894

SHA512
cba01f902ea79acef1f9a8c26be54ea6f0cd2eaf1f558104160df18c3504bf99f37eb3606d7f2397646e18b2a7f592a0a015a5c06d64c93de644dfbf632b844f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\g8193171.exe

Filesize
136KB

MD5
ac79af1d38d97d9cb165b104ec1e5cbe

SHA1
c4b57a4b77f7d0551ea758a8284b1327ec05a39b

SHA256
7027de7c8c67a0a1d88fd0241eaa1d2d5bafea7e2c9c968093ce750e564e5894

SHA512
cba01f902ea79acef1f9a8c26be54ea6f0cd2eaf1f558104160df18c3504bf99f37eb3606d7f2397646e18b2a7f592a0a015a5c06d64c93de644dfbf632b844f

Download Submit
memory/1396-154-0x0000000000FF0000-0x0000000001018000-memory.dmp

Filesize
160KB

Download
memory/1396-155-0x00000000083A0000-0x00000000089B8000-memory.dmp

Filesize
6.1MB

Download
memory/1396-156-0x0000000007E40000-0x0000000007E52000-memory.dmp

Filesize
72KB

Download
memory/1396-157-0x0000000007F70000-0x000000000807A000-memory.dmp

Filesize
1.0MB

Download
memory/1396-158-0x0000000007EA0000-0x0000000007EDC000-memory.dmp

Filesize
240KB

Download
memory/1396-159-0x00000000081F0000-0x0000000008200000-memory.dmp

Filesize
64KB

Download
memory/1396-160-0x00000000081F0000-0x0000000008200000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing