redline | 2c90cae133dd907c23b102bda785d4f4a3d7ee3613ccc0630930386dc23c4fed

General

Target

2c90cae133dd907c23b102bda785d4f4a3d7ee3613ccc0630930386dc23c4fed.exe
Size

566KB
MD5

a5b6eddb60e381c69421ee60b28b68f2
SHA1

996a54f8833c380082d0af5667dfedc256e66248
SHA256

2c90cae133dd907c23b102bda785d4f4a3d7ee3613ccc0630930386dc23c4fed
SHA512

fbdc26ea54b91dbf419e5330e2dc97b376ac11dd219f80910ab3284a77dab8d497a7b41cbc1e083918834eb5b72b4e82303e02df595bd0aa59755b882194f6e9
SSDEEP

12288:uMrty90Tkg9FqMeMk0cxSRfgToTHRm6oLtQ9MchnG:rye1ob0QSKTUF6RchG

Score

10^/10

redline darm infostealer persistence stealer

Malware Config

Extracted

Family

redline

Botnet

darm

C2

217.196.96.56:4138

Attributes

auth_value
d88ac8ccc04ab9979b04b46313db1648

Signatures

Detects Redline Stealer samples 1 IoCs

This rule detects the presence of Redline Stealer samples based on their unique strings.

stealer

resource	yara_rule
behavioral2/memory/1116-148-0x000000000AF10000-0x000000000B528000-memory.dmp	redline_stealer

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Executes dropped EXE 2 IoCs

pid	Process
3468	y5620419.exe
1116	k0416647.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	2c90cae133dd907c23b102bda785d4f4a3d7ee3613ccc0630930386dc23c4fed.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	2c90cae133dd907c23b102bda785d4f4a3d7ee3613ccc0630930386dc23c4fed.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	y5620419.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	y5620419.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 4092 wrote to memory of 3468	4092	2c90cae133dd907c23b102bda785d4f4a3d7ee3613ccc0630930386dc23c4fed.exe	83
PID 4092 wrote to memory of 3468	4092	2c90cae133dd907c23b102bda785d4f4a3d7ee3613ccc0630930386dc23c4fed.exe	83
PID 4092 wrote to memory of 3468	4092	2c90cae133dd907c23b102bda785d4f4a3d7ee3613ccc0630930386dc23c4fed.exe	83
PID 3468 wrote to memory of 1116	3468	y5620419.exe	84
PID 3468 wrote to memory of 1116	3468	y5620419.exe	84
PID 3468 wrote to memory of 1116	3468	y5620419.exe	84

C:\Users\Admin\AppData\Local\Temp\2c90cae133dd907c23b102bda785d4f4a3d7ee3613ccc0630930386dc23c4fed.exe
"C:\Users\Admin\AppData\Local\Temp\2c90cae133dd907c23b102bda785d4f4a3d7ee3613ccc0630930386dc23c4fed.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4092
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y5620419.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y5620419.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:3468
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k0416647.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k0416647.exe
    3⤵
    - Executes dropped EXE
    PID:1116

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y5620419.exe

Filesize
307KB

MD5
0611e33493dd493a696042fa98ee2264

SHA1
424e1c5611609b0f4a21791824dbc57c56c4cf36

SHA256
35bf5bf55b720ce17865617c61d4a6f93714f8d5c0cede6112a65aadd4d9a99c

SHA512
1c55b22a6cec4784d44d702e0d81a6ef1d2fea99be3d4605499c4bdf0de6cc765229e5807c80e50b547d44977ce375280fcfff3a955021762a7dc47349f971a3

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y5620419.exe

Filesize
307KB

MD5
0611e33493dd493a696042fa98ee2264

SHA1
424e1c5611609b0f4a21791824dbc57c56c4cf36

SHA256
35bf5bf55b720ce17865617c61d4a6f93714f8d5c0cede6112a65aadd4d9a99c

SHA512
1c55b22a6cec4784d44d702e0d81a6ef1d2fea99be3d4605499c4bdf0de6cc765229e5807c80e50b547d44977ce375280fcfff3a955021762a7dc47349f971a3

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k0416647.exe

Filesize
168KB

MD5
812e59d43de4456c4c99d1f829a36888

SHA1
268810deb1d4b32a751c64a15653588355309486

SHA256
d6879b2db708483bbbdb9aedb3fa8d4ec0f586dadd33610a10b4e2449a5b777d

SHA512
819482a28efb00c94ccb5b7e92a7a32602f25213886319759bafed60ab56734885c2396bfd823302790996caf284c487198a6942b2e9de34c452c8ea200f9188

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k0416647.exe

Filesize
168KB

MD5
812e59d43de4456c4c99d1f829a36888

SHA1
268810deb1d4b32a751c64a15653588355309486

SHA256
d6879b2db708483bbbdb9aedb3fa8d4ec0f586dadd33610a10b4e2449a5b777d

SHA512
819482a28efb00c94ccb5b7e92a7a32602f25213886319759bafed60ab56734885c2396bfd823302790996caf284c487198a6942b2e9de34c452c8ea200f9188

Download Submit
memory/1116-147-0x0000000000BE0000-0x0000000000C10000-memory.dmp

Filesize
192KB

Download
memory/1116-148-0x000000000AF10000-0x000000000B528000-memory.dmp

Filesize
6.1MB

Download
memory/1116-149-0x000000000AA20000-0x000000000AB2A000-memory.dmp

Filesize
1.0MB

Download
memory/1116-150-0x000000000A950000-0x000000000A962000-memory.dmp

Filesize
72KB

Download
memory/1116-151-0x0000000005560000-0x0000000005570000-memory.dmp

Filesize
64KB

Download
memory/1116-152-0x000000000A9B0000-0x000000000A9EC000-memory.dmp

Filesize
240KB

Download
memory/1116-153-0x0000000005560000-0x0000000005570000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing