redline | 25070e5f071bd838bd5c95d172baa2653cb28bec50ad39209529a4c58775eef5

General

Target

25070e5f071bd838bd5c95d172baa2653cb28bec50ad39209529a4c58775eef5.exe
Size

708KB
MD5

c001455b5f15fa986bce6720ab365936
SHA1

45fe7b025df83e5ef3be5c078fa8a69d5aee60cc
SHA256

25070e5f071bd838bd5c95d172baa2653cb28bec50ad39209529a4c58775eef5
SHA512

af6bfa9a08986a7bb32844f3d4e0e1fced70c4eb3b703e17e5d29426c60754516c89e58f035928c71ce1c10de02d705c1ed3d6b62ebf03ef8876485813f83414
SSDEEP

12288:fMrby90+NYzzM2dLbs4yAVSggEUSqhg00EJ+oZQAYK4HUtgeDIkaX7T1Mu:Uyi/M2B0AVx5USqhDFZ7YbcDI/X75Mu

Score

10^/10

redline infostealer persistence stealer

Malware Config

Signatures

Detects Redline Stealer samples 1 IoCs

This rule detects the presence of Redline Stealer samples based on their unique strings.

stealer

resource	yara_rule
behavioral2/memory/5100-148-0x00000000076A0000-0x0000000007CB8000-memory.dmp	redline_stealer

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Executes dropped EXE 2 IoCs

pid	Process
1452	x5132221.exe
5100	g9196368.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	x5132221.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	25070e5f071bd838bd5c95d172baa2653cb28bec50ad39209529a4c58775eef5.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	25070e5f071bd838bd5c95d172baa2653cb28bec50ad39209529a4c58775eef5.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	x5132221.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 4248 wrote to memory of 1452	4248	25070e5f071bd838bd5c95d172baa2653cb28bec50ad39209529a4c58775eef5.exe	82
PID 4248 wrote to memory of 1452	4248	25070e5f071bd838bd5c95d172baa2653cb28bec50ad39209529a4c58775eef5.exe	82
PID 4248 wrote to memory of 1452	4248	25070e5f071bd838bd5c95d172baa2653cb28bec50ad39209529a4c58775eef5.exe	82
PID 1452 wrote to memory of 5100	1452	x5132221.exe	83
PID 1452 wrote to memory of 5100	1452	x5132221.exe	83
PID 1452 wrote to memory of 5100	1452	x5132221.exe	83

C:\Users\Admin\AppData\Local\Temp\25070e5f071bd838bd5c95d172baa2653cb28bec50ad39209529a4c58775eef5.exe
"C:\Users\Admin\AppData\Local\Temp\25070e5f071bd838bd5c95d172baa2653cb28bec50ad39209529a4c58775eef5.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4248
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x5132221.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x5132221.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:1452
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g9196368.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g9196368.exe
    3⤵
    - Executes dropped EXE
    PID:5100

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x5132221.exe

Filesize
416KB

MD5
9f67a98e76dc11f36dd11fdbde51cc4f

SHA1
93d28afc85c9868c857429b8f023f7f757a68c08

SHA256
64e7151e1982fea3a78da17477c766c013502a8a685737dfc62b9bea71f9f220

SHA512
ef8aadd205ea000fe4f4f4e5617eed7b36f8f4df31e63d2143972a8d5f6f80c8b24ea565866d7bfddfab218812da4a7db3596a35fe61e744a1f63431fa624697

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x5132221.exe

Filesize
416KB

MD5
9f67a98e76dc11f36dd11fdbde51cc4f

SHA1
93d28afc85c9868c857429b8f023f7f757a68c08

SHA256
64e7151e1982fea3a78da17477c766c013502a8a685737dfc62b9bea71f9f220

SHA512
ef8aadd205ea000fe4f4f4e5617eed7b36f8f4df31e63d2143972a8d5f6f80c8b24ea565866d7bfddfab218812da4a7db3596a35fe61e744a1f63431fa624697

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g9196368.exe

Filesize
136KB

MD5
6206c64ec5a5af999f80fc24be7614fd

SHA1
225446f51a722fd24eaaf7dd8257d45e404657db

SHA256
5d7eceac2066ad4dc7d32a1b3a311d9b7e0a6f02df049adbe39fdf1d11b8ebde

SHA512
dc8d1898016c19e66949c6abb8b029fd5f9c025441aaf45b89d652580f954d3da5d0b6e3ad9c06c4319f8bc4c6659e21270016beb2328b666bd280b7a0f7893f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g9196368.exe

Filesize
136KB

MD5
6206c64ec5a5af999f80fc24be7614fd

SHA1
225446f51a722fd24eaaf7dd8257d45e404657db

SHA256
5d7eceac2066ad4dc7d32a1b3a311d9b7e0a6f02df049adbe39fdf1d11b8ebde

SHA512
dc8d1898016c19e66949c6abb8b029fd5f9c025441aaf45b89d652580f954d3da5d0b6e3ad9c06c4319f8bc4c6659e21270016beb2328b666bd280b7a0f7893f

Download Submit
memory/5100-147-0x0000000000410000-0x0000000000438000-memory.dmp

Filesize
160KB

Download
memory/5100-148-0x00000000076A0000-0x0000000007CB8000-memory.dmp

Filesize
6.1MB

Download
memory/5100-149-0x0000000007120000-0x0000000007132000-memory.dmp

Filesize
72KB

Download
memory/5100-150-0x0000000007250000-0x000000000735A000-memory.dmp

Filesize
1.0MB

Download
memory/5100-151-0x00000000071B0000-0x00000000071C0000-memory.dmp

Filesize
64KB

Download
memory/5100-152-0x00000000071C0000-0x00000000071FC000-memory.dmp

Filesize
240KB

Download
memory/5100-153-0x00000000071B0000-0x00000000071C0000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing