redline | 2e2f7a5b58169c1ad43eefe702d631583eff8ef4f3692ca190c867e115de1157

General

Target

2e2f7a5b58169c1ad43eefe702d631583eff8ef4f3692ca190c867e115de1157.exe
Size

599KB
MD5

579ba1c8fe2dafba83ffe2aba5f6a07d
SHA1

35ef464b64c6e0c2bc97d619fd9a1e54dde2c33e
SHA256

2e2f7a5b58169c1ad43eefe702d631583eff8ef4f3692ca190c867e115de1157
SHA512

5ac8a105b59d188a6b33402782595a47df3f1a17385abaa9f3e5bd8c2f64751663609980625184a7e333522dbe1a0c9ba551c0262709882aa634699097c5086d
SSDEEP

12288:xMrey906Emu9BKLLbroX1IDDToyXIi6a9YEGeSduYyz:fydoBaga9XJx+/eSduYa

Score

10^/10

redline infostealer persistence stealer

Malware Config

Signatures

Detects Redline Stealer samples 1 IoCs

This rule detects the presence of Redline Stealer samples based on their unique strings.

stealer

resource	yara_rule
behavioral2/memory/3364-151-0x00000000074A0000-0x0000000007AB8000-memory.dmp	redline_stealer

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Executes dropped EXE 2 IoCs

pid	Process
4456	y0052950.exe
3364	k8932178.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	2e2f7a5b58169c1ad43eefe702d631583eff8ef4f3692ca190c867e115de1157.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	2e2f7a5b58169c1ad43eefe702d631583eff8ef4f3692ca190c867e115de1157.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	y0052950.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	y0052950.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 4736 wrote to memory of 4456	4736	2e2f7a5b58169c1ad43eefe702d631583eff8ef4f3692ca190c867e115de1157.exe	82
PID 4736 wrote to memory of 4456	4736	2e2f7a5b58169c1ad43eefe702d631583eff8ef4f3692ca190c867e115de1157.exe	82
PID 4736 wrote to memory of 4456	4736	2e2f7a5b58169c1ad43eefe702d631583eff8ef4f3692ca190c867e115de1157.exe	82
PID 4456 wrote to memory of 3364	4456	y0052950.exe	83
PID 4456 wrote to memory of 3364	4456	y0052950.exe	83
PID 4456 wrote to memory of 3364	4456	y0052950.exe	83

C:\Users\Admin\AppData\Local\Temp\2e2f7a5b58169c1ad43eefe702d631583eff8ef4f3692ca190c867e115de1157.exe
"C:\Users\Admin\AppData\Local\Temp\2e2f7a5b58169c1ad43eefe702d631583eff8ef4f3692ca190c867e115de1157.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4736
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y0052950.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y0052950.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:4456
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k8932178.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k8932178.exe
    3⤵
    - Executes dropped EXE
    PID:3364

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y0052950.exe

Filesize
307KB

MD5
10f05a531c697fd3fc57c14fbcdca498

SHA1
30ef526e424157a6bead127b5c3eda60ce7683d0

SHA256
6f0525e710b1ae50ecbbe11e07efc75586ba6c3599faca401b6b43d8ebbedac9

SHA512
d03dece36bc0021ed76ba6c53c199006f634ad0b84c695b56e55856f1e0912f7391c7f8e2c2b205a1585ff69075b42f8ebd8723a3a57497523ed534cdd3a2d49

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y0052950.exe

Filesize
307KB

MD5
10f05a531c697fd3fc57c14fbcdca498

SHA1
30ef526e424157a6bead127b5c3eda60ce7683d0

SHA256
6f0525e710b1ae50ecbbe11e07efc75586ba6c3599faca401b6b43d8ebbedac9

SHA512
d03dece36bc0021ed76ba6c53c199006f634ad0b84c695b56e55856f1e0912f7391c7f8e2c2b205a1585ff69075b42f8ebd8723a3a57497523ed534cdd3a2d49

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k8932178.exe

Filesize
136KB

MD5
1dd5f288f46e1dc1964b5b595c31d6b3

SHA1
5fa9eda2c2eed89dd7edb694cf298cdde03f5984

SHA256
3aa79ff6bc819242ae7eadbcfcce9c276c4b8cfb7c64d579b21dac86ec51d62d

SHA512
4f939bf8f82120b584da7ee4dc8d515d4f5c7748d5daf542a6e62c1274b517aeca0e80e14039209501c08e26bd37f2a26fedaf10a4502ef3321d020023ad28df

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k8932178.exe

Filesize
136KB

MD5
1dd5f288f46e1dc1964b5b595c31d6b3

SHA1
5fa9eda2c2eed89dd7edb694cf298cdde03f5984

SHA256
3aa79ff6bc819242ae7eadbcfcce9c276c4b8cfb7c64d579b21dac86ec51d62d

SHA512
4f939bf8f82120b584da7ee4dc8d515d4f5c7748d5daf542a6e62c1274b517aeca0e80e14039209501c08e26bd37f2a26fedaf10a4502ef3321d020023ad28df

Download Submit
memory/3364-150-0x0000000000230000-0x0000000000258000-memory.dmp

Filesize
160KB

Download
memory/3364-151-0x00000000074A0000-0x0000000007AB8000-memory.dmp

Filesize
6.1MB

Download
memory/3364-152-0x0000000006F40000-0x0000000006F52000-memory.dmp

Filesize
72KB

Download
memory/3364-153-0x0000000007070000-0x000000000717A000-memory.dmp

Filesize
1.0MB

Download
memory/3364-154-0x0000000006FE0000-0x000000000701C000-memory.dmp

Filesize
240KB

Download
memory/3364-155-0x0000000006F90000-0x0000000006FA0000-memory.dmp

Filesize
64KB

Download
memory/3364-156-0x0000000006F90000-0x0000000006FA0000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing