redline | 22150f5402af0bf9e5499fbabb29204f15ae325defcb622efab648e4e9075f4e

General

Target

22150f5402af0bf9e5499fbabb29204f15ae325defcb622efab648e4e9075f4e.exe
Size

480KB
MD5

0c563632acf95e508e5e3d1d8b794651
SHA1

c84f566c8411d6fd4060baee5d9c09538db118ff
SHA256

22150f5402af0bf9e5499fbabb29204f15ae325defcb622efab648e4e9075f4e
SHA512

f8f2d07ee70c2f1a97c9e938d9706f06b8b75c32dbe0c2a79db94685233a1945530722626b89f54cbbf178013935a2231f314bca80eb969223f45c5850177cb4
SSDEEP

12288:sMrCy90JnFbZR1dRFWLF2a0n9DTUEgesINhGm:myQvR1oYaC9T1NDx

Score

10^/10

redline infostealer persistence stealer

Malware Config

Signatures

Detects Redline Stealer samples 1 IoCs

This rule detects the presence of Redline Stealer samples based on their unique strings.

stealer

resource	yara_rule
behavioral2/memory/1212-148-0x0000000007AE0000-0x00000000080F8000-memory.dmp	redline_stealer

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Executes dropped EXE 2 IoCs

pid	Process
1032	x2217450.exe
1212	g1695658.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	22150f5402af0bf9e5499fbabb29204f15ae325defcb622efab648e4e9075f4e.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	x2217450.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	x2217450.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	22150f5402af0bf9e5499fbabb29204f15ae325defcb622efab648e4e9075f4e.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 1528 wrote to memory of 1032	1528	22150f5402af0bf9e5499fbabb29204f15ae325defcb622efab648e4e9075f4e.exe	82
PID 1528 wrote to memory of 1032	1528	22150f5402af0bf9e5499fbabb29204f15ae325defcb622efab648e4e9075f4e.exe	82
PID 1528 wrote to memory of 1032	1528	22150f5402af0bf9e5499fbabb29204f15ae325defcb622efab648e4e9075f4e.exe	82
PID 1032 wrote to memory of 1212	1032	x2217450.exe	83
PID 1032 wrote to memory of 1212	1032	x2217450.exe	83
PID 1032 wrote to memory of 1212	1032	x2217450.exe	83

C:\Users\Admin\AppData\Local\Temp\22150f5402af0bf9e5499fbabb29204f15ae325defcb622efab648e4e9075f4e.exe
"C:\Users\Admin\AppData\Local\Temp\22150f5402af0bf9e5499fbabb29204f15ae325defcb622efab648e4e9075f4e.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1528
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x2217450.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x2217450.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:1032
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g1695658.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g1695658.exe
    3⤵
    - Executes dropped EXE
    PID:1212

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x2217450.exe

Filesize
307KB

MD5
aa00641033643b6cb18d747ffa68945a

SHA1
30f81bf2bd3dd9355b058d804bf44af1e83f5312

SHA256
f037c87db582b53d683e6ad8be27f02e72fd280c35e78104de0e6d54af69e273

SHA512
051399368ac7e5d1b72ab57d9febd04ced342c7479febf8671e61e6e82f04814eb7a08853f3afab274133bfd2a5b1daa3a70ee5d32fba87d6876cdf65399cf8a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x2217450.exe

Filesize
307KB

MD5
aa00641033643b6cb18d747ffa68945a

SHA1
30f81bf2bd3dd9355b058d804bf44af1e83f5312

SHA256
f037c87db582b53d683e6ad8be27f02e72fd280c35e78104de0e6d54af69e273

SHA512
051399368ac7e5d1b72ab57d9febd04ced342c7479febf8671e61e6e82f04814eb7a08853f3afab274133bfd2a5b1daa3a70ee5d32fba87d6876cdf65399cf8a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g1695658.exe

Filesize
136KB

MD5
8f30f7f88229560306c5959c605316de

SHA1
36f26a905a9743f6dd1608e39b37d1116cafcc0a

SHA256
3a616b322cc7ca87e349b8ceabb92062ed0388308d1f9221e9cdb6f65c86b6f7

SHA512
267d0f3954c416dc994e3c3e6790f6997598b71fdb7172e87265b31b7593fb29e9eb4cc295a38b969d1f2aa131b5a67525e0f4bb51a61a3dd82b7c63b867f9a0

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g1695658.exe

Filesize
136KB

MD5
8f30f7f88229560306c5959c605316de

SHA1
36f26a905a9743f6dd1608e39b37d1116cafcc0a

SHA256
3a616b322cc7ca87e349b8ceabb92062ed0388308d1f9221e9cdb6f65c86b6f7

SHA512
267d0f3954c416dc994e3c3e6790f6997598b71fdb7172e87265b31b7593fb29e9eb4cc295a38b969d1f2aa131b5a67525e0f4bb51a61a3dd82b7c63b867f9a0

Download Submit
memory/1212-147-0x00000000006F0000-0x0000000000718000-memory.dmp

Filesize
160KB

Download
memory/1212-148-0x0000000007AE0000-0x00000000080F8000-memory.dmp

Filesize
6.1MB

Download
memory/1212-149-0x0000000007560000-0x0000000007572000-memory.dmp

Filesize
72KB

Download
memory/1212-150-0x0000000007690000-0x000000000779A000-memory.dmp

Filesize
1.0MB

Download
memory/1212-151-0x0000000005040000-0x000000000507C000-memory.dmp

Filesize
240KB

Download
memory/1212-152-0x0000000007940000-0x0000000007950000-memory.dmp

Filesize
64KB

Download
memory/1212-153-0x0000000007940000-0x0000000007950000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing