redline | 2be841abb5bed075610bd834943cd416be724e9407aa024101cb83181535247d

General

Target

2be841abb5bed075610bd834943cd416be724e9407aa024101cb83181535247d.exe
Size

566KB
MD5

a9488b7cba13ca1cb06b9dd207d49abd
SHA1

7b37b225d46db8edd606eeec38e769bbf5ceefa3
SHA256

2be841abb5bed075610bd834943cd416be724e9407aa024101cb83181535247d
SHA512

c8c88b0929f129162d4fb84ae2453b8333594ca7b21fbe61623b08e70ccb02298ac962d471a7e3d8186bfa3dc676de1ae6449b1913d4af9dc92905d9f857b2b4
SSDEEP

12288:UMrRy90Y3zdweL2bmcEoaZJcPua9FZwmMYTsL6auz7895Z0ODm:lyv3JPBFQ1TZXTZau09o2m

Score

10^/10

redline darm infostealer persistence stealer

Malware Config

Extracted

Family

redline

Botnet

darm

C2

217.196.96.56:4138

Attributes

auth_value
d88ac8ccc04ab9979b04b46313db1648

Signatures

Detects Redline Stealer samples 1 IoCs

This rule detects the presence of Redline Stealer samples based on their unique strings.

stealer

resource	yara_rule
behavioral2/memory/1068-148-0x000000000A800000-0x000000000AE18000-memory.dmp	redline_stealer

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Executes dropped EXE 2 IoCs

pid	Process
3196	y8007042.exe
1068	k8748157.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	2be841abb5bed075610bd834943cd416be724e9407aa024101cb83181535247d.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	y8007042.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	y8007042.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	2be841abb5bed075610bd834943cd416be724e9407aa024101cb83181535247d.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 1376 wrote to memory of 3196	1376	2be841abb5bed075610bd834943cd416be724e9407aa024101cb83181535247d.exe	83
PID 1376 wrote to memory of 3196	1376	2be841abb5bed075610bd834943cd416be724e9407aa024101cb83181535247d.exe	83
PID 1376 wrote to memory of 3196	1376	2be841abb5bed075610bd834943cd416be724e9407aa024101cb83181535247d.exe	83
PID 3196 wrote to memory of 1068	3196	y8007042.exe	84
PID 3196 wrote to memory of 1068	3196	y8007042.exe	84
PID 3196 wrote to memory of 1068	3196	y8007042.exe	84

C:\Users\Admin\AppData\Local\Temp\2be841abb5bed075610bd834943cd416be724e9407aa024101cb83181535247d.exe
"C:\Users\Admin\AppData\Local\Temp\2be841abb5bed075610bd834943cd416be724e9407aa024101cb83181535247d.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1376
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y8007042.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y8007042.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:3196
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k8748157.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k8748157.exe
    3⤵
    - Executes dropped EXE
    PID:1068

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y8007042.exe

Filesize
307KB

MD5
c28144ccb51486d51d83270a789648b6

SHA1
5d68a07c0a4c4b064b14df343741d1f645e3e19b

SHA256
11c3480c3c6ad7132bce795d23d64307f3c99010728b40ff3b2bcd243b210157

SHA512
066702222ca420c0f003dcb376d1e6dfcce6629a06cccc52fcd282fe1338f43355b6149227b7153a950129142d289ffa92bbdd2fcec4a5ebea8bdddf8d59e695

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y8007042.exe

Filesize
307KB

MD5
c28144ccb51486d51d83270a789648b6

SHA1
5d68a07c0a4c4b064b14df343741d1f645e3e19b

SHA256
11c3480c3c6ad7132bce795d23d64307f3c99010728b40ff3b2bcd243b210157

SHA512
066702222ca420c0f003dcb376d1e6dfcce6629a06cccc52fcd282fe1338f43355b6149227b7153a950129142d289ffa92bbdd2fcec4a5ebea8bdddf8d59e695

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k8748157.exe

Filesize
169KB

MD5
651fc450d20d00e5ad6b3f8a89a3ef10

SHA1
fd255f2aea6284d8e87f42f90ba0e664aee1097f

SHA256
b5a6f06385d499879aa0902abacaf06e2754f152f2fe0d658ae0d8eefbca4853

SHA512
098f75fb23cf784f97962f10cf66e4f2bf91b3e21c1b515b4da6dd9af9109d4b69b282c2ca90e1dae10f057a5d5c095b42bddd6a94d36b3149c5b4d9b096b1ce

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k8748157.exe

Filesize
169KB

MD5
651fc450d20d00e5ad6b3f8a89a3ef10

SHA1
fd255f2aea6284d8e87f42f90ba0e664aee1097f

SHA256
b5a6f06385d499879aa0902abacaf06e2754f152f2fe0d658ae0d8eefbca4853

SHA512
098f75fb23cf784f97962f10cf66e4f2bf91b3e21c1b515b4da6dd9af9109d4b69b282c2ca90e1dae10f057a5d5c095b42bddd6a94d36b3149c5b4d9b096b1ce

Download Submit
memory/1068-147-0x0000000000350000-0x0000000000380000-memory.dmp

Filesize
192KB

Download
memory/1068-148-0x000000000A800000-0x000000000AE18000-memory.dmp

Filesize
6.1MB

Download
memory/1068-149-0x000000000A2F0000-0x000000000A3FA000-memory.dmp

Filesize
1.0MB

Download
memory/1068-150-0x000000000A200000-0x000000000A212000-memory.dmp

Filesize
72KB

Download
memory/1068-151-0x0000000004D50000-0x0000000004D60000-memory.dmp

Filesize
64KB

Download
memory/1068-152-0x000000000A260000-0x000000000A29C000-memory.dmp

Filesize
240KB

Download
memory/1068-153-0x0000000004D50000-0x0000000004D60000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing