redline | 25e69eeedced307d35b11916dcd4cefca08068d4f87fb71c8fb6ab242f8542c9

General

Target

25e69eeedced307d35b11916dcd4cefca08068d4f87fb71c8fb6ab242f8542c9.exe
Size

588KB
MD5

ed541c1efe2b4b56a7640dab5e08d279
SHA1

dff90d35232bb2d162f870c76cea2c7192889470
SHA256

25e69eeedced307d35b11916dcd4cefca08068d4f87fb71c8fb6ab242f8542c9
SHA512

9b044cb5231a0d968e2e19c0c5cebd28e1eeaabf80b3f9b5c543931a95c0a9c580f58f7ca2cff7cd52df1b60ca678bc5f3ef7ff0a7234ab977d22dfeed5a21f6
SSDEEP

12288:ZMrqy90Bj6d+YHnZ/6fHr4keBUv7VyFoR45XVxw:3yemk6/kH8dBUvAiClxw

Score

10^/10

redline daris infostealer persistence stealer

Malware Config

Extracted

Family

redline

Botnet

daris

C2

217.196.96.56:4138

Attributes

auth_value
3491f24ae0250969cd45ce4b3fe77549

Signatures

Detects Redline Stealer samples 1 IoCs

This rule detects the presence of Redline Stealer samples based on their unique strings.

stealer

resource	yara_rule
behavioral2/memory/1856-148-0x000000000B370000-0x000000000B988000-memory.dmp	redline_stealer

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Executes dropped EXE 2 IoCs

pid	Process
1428	x9175681.exe
1856	g8798750.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	25e69eeedced307d35b11916dcd4cefca08068d4f87fb71c8fb6ab242f8542c9.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	x9175681.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	x9175681.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	25e69eeedced307d35b11916dcd4cefca08068d4f87fb71c8fb6ab242f8542c9.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 648 wrote to memory of 1428	648	25e69eeedced307d35b11916dcd4cefca08068d4f87fb71c8fb6ab242f8542c9.exe	82
PID 648 wrote to memory of 1428	648	25e69eeedced307d35b11916dcd4cefca08068d4f87fb71c8fb6ab242f8542c9.exe	82
PID 648 wrote to memory of 1428	648	25e69eeedced307d35b11916dcd4cefca08068d4f87fb71c8fb6ab242f8542c9.exe	82
PID 1428 wrote to memory of 1856	1428	x9175681.exe	83
PID 1428 wrote to memory of 1856	1428	x9175681.exe	83
PID 1428 wrote to memory of 1856	1428	x9175681.exe	83

C:\Users\Admin\AppData\Local\Temp\25e69eeedced307d35b11916dcd4cefca08068d4f87fb71c8fb6ab242f8542c9.exe
"C:\Users\Admin\AppData\Local\Temp\25e69eeedced307d35b11916dcd4cefca08068d4f87fb71c8fb6ab242f8542c9.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:648
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x9175681.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x9175681.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:1428
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g8798750.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g8798750.exe
    3⤵
    - Executes dropped EXE
    PID:1856

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x9175681.exe

Filesize
416KB

MD5
36c308570aa115734efc23e27f6c2bb8

SHA1
406c299e2b2c970fbb85244e343ac9fe7a82f766

SHA256
0c26e9c419aaa5b9d79956b50861f4adf2d13e1b3d55d0aeb11456b4d07400c4

SHA512
4fb7c5c35516eb30b3330f3acb447e90090b23781c2a0224a1fbeace75b66f462fa65d7cd3d685c822d2548004ce7cb9799108e0de8c4f2951ff5912064493b7

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x9175681.exe

Filesize
416KB

MD5
36c308570aa115734efc23e27f6c2bb8

SHA1
406c299e2b2c970fbb85244e343ac9fe7a82f766

SHA256
0c26e9c419aaa5b9d79956b50861f4adf2d13e1b3d55d0aeb11456b4d07400c4

SHA512
4fb7c5c35516eb30b3330f3acb447e90090b23781c2a0224a1fbeace75b66f462fa65d7cd3d685c822d2548004ce7cb9799108e0de8c4f2951ff5912064493b7

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g8798750.exe

Filesize
168KB

MD5
f356295d38d4b6daf3401b4257c2d075

SHA1
20492b9807aefe5ba93053c6c2545c8b010f370f

SHA256
7f9d03faf6ad4e91d3c5ef135643bbada38cb58e15924ac21867d1f2ff594d7c

SHA512
fc073e585c57d480d1ae9ccf298d517a61fd1a2f1a739df21321af6ab221cc4807f94875fc061c13c3a38196224afddaf2a0e099b1c9313050d7d2636cdc2e3c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g8798750.exe

Filesize
168KB

MD5
f356295d38d4b6daf3401b4257c2d075

SHA1
20492b9807aefe5ba93053c6c2545c8b010f370f

SHA256
7f9d03faf6ad4e91d3c5ef135643bbada38cb58e15924ac21867d1f2ff594d7c

SHA512
fc073e585c57d480d1ae9ccf298d517a61fd1a2f1a739df21321af6ab221cc4807f94875fc061c13c3a38196224afddaf2a0e099b1c9313050d7d2636cdc2e3c

Download Submit
memory/1856-147-0x0000000000F80000-0x0000000000FAE000-memory.dmp

Filesize
184KB

Download
memory/1856-148-0x000000000B370000-0x000000000B988000-memory.dmp

Filesize
6.1MB

Download
memory/1856-149-0x000000000AE60000-0x000000000AF6A000-memory.dmp

Filesize
1.0MB

Download
memory/1856-150-0x0000000005860000-0x0000000005872000-memory.dmp

Filesize
72KB

Download
memory/1856-151-0x000000000AD50000-0x000000000AD8C000-memory.dmp

Filesize
240KB

Download
memory/1856-152-0x00000000058C0000-0x00000000058D0000-memory.dmp

Filesize
64KB

Download
memory/1856-153-0x00000000058C0000-0x00000000058D0000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing