redline | 82db0d1edc910ecfffaf7893a6dac122a9b38e277730e5a7b8af5864a78ac998

Analysis

max time kernel
125s
max time network
146s
platform
windows10-1703_x64
resource
win10-20220812-en
resource tags

arch:x64arch:x86image:win10-20220812-enlocale:en-usos:windows10-1703-x64system
submitted
14/02/2023, 03:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

82db0d1edc910ecfffaf7893a6dac122a9b38e277730e5a7b8af5864a78ac998.exe
Size

769KB
MD5

a100bb6fb70396f78ca0a9bab420280f
SHA1

5522a22dd58ee17590d9af1df8fda9bee1c4a23c
SHA256

82db0d1edc910ecfffaf7893a6dac122a9b38e277730e5a7b8af5864a78ac998
SHA512

549ec2adabf76dacf061b63a8a4cb72d8f7dc49840469492d5bbbeea00ee08464068e39e19cf9f32181691108a69355408e14fac534bf26774ec5ef35f1e7496
SSDEEP

24576:oyI0ron5PszbfobhkjgF74VRr+ot8OlT:vz85sbfobWjg168a

Score

10^/10

redline romik infostealer persistence

Malware Config

Extracted

Family

redline

Botnet

romik

193.233.20.12:4132

Attributes

auth_value
8fb78d2889ba0ca42678b59b884e88ff

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 2 IoCs

resource	yara_rule
behavioral1/memory/4552-324-0x00000000024F0000-0x0000000002536000-memory.dmp	family_redline
behavioral1/memory/4552-330-0x0000000005020000-0x0000000005064000-memory.dmp	family_redline

Executes dropped EXE 3 IoCs

pid	Process
4544	viw69.exe
1544	vWK41.exe
4552	dIk16.exe

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	82db0d1edc910ecfffaf7893a6dac122a9b38e277730e5a7b8af5864a78ac998.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	viw69.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	viw69.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	vWK41.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	vWK41.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	82db0d1edc910ecfffaf7893a6dac122a9b38e277730e5a7b8af5864a78ac998.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4552	dIk16.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 2660 wrote to memory of 4544	2660	82db0d1edc910ecfffaf7893a6dac122a9b38e277730e5a7b8af5864a78ac998.exe	66
PID 2660 wrote to memory of 4544	2660	82db0d1edc910ecfffaf7893a6dac122a9b38e277730e5a7b8af5864a78ac998.exe	66
PID 2660 wrote to memory of 4544	2660	82db0d1edc910ecfffaf7893a6dac122a9b38e277730e5a7b8af5864a78ac998.exe	66
PID 4544 wrote to memory of 1544	4544	viw69.exe	67
PID 4544 wrote to memory of 1544	4544	viw69.exe	67
PID 4544 wrote to memory of 1544	4544	viw69.exe	67
PID 1544 wrote to memory of 4552	1544	vWK41.exe	68
PID 1544 wrote to memory of 4552	1544	vWK41.exe	68
PID 1544 wrote to memory of 4552	1544	vWK41.exe	68

C:\Users\Admin\AppData\Local\Temp\82db0d1edc910ecfffaf7893a6dac122a9b38e277730e5a7b8af5864a78ac998.exe
"C:\Users\Admin\AppData\Local\Temp\82db0d1edc910ecfffaf7893a6dac122a9b38e277730e5a7b8af5864a78ac998.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2660
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\viw69.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\viw69.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:4544
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\vWK41.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\vWK41.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:1544
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\dIk16.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\dIk16.exe
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      PID:4552

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\viw69.exe

Filesize
665KB

MD5
65cfe024ff4d21259cc110ad45b73344

SHA1
61d7791b3c10a20eecfdac2faf86558781e57491

SHA256
e3005fca17aa276c404eefa40abffee7440b2bc64eb3df8054f3da0303184ee3

SHA512
4ba50d1a597bc7d43ce5ab50d916f5121e2377c3e5af7b4aa22be2fa7dfe9d1fde2d6e3737b7b5b66a9d5fcfbaf45fe7b73ed87d918926900396d88a26d1fc3c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\viw69.exe

Filesize
665KB

MD5
65cfe024ff4d21259cc110ad45b73344

SHA1
61d7791b3c10a20eecfdac2faf86558781e57491

SHA256
e3005fca17aa276c404eefa40abffee7440b2bc64eb3df8054f3da0303184ee3

SHA512
4ba50d1a597bc7d43ce5ab50d916f5121e2377c3e5af7b4aa22be2fa7dfe9d1fde2d6e3737b7b5b66a9d5fcfbaf45fe7b73ed87d918926900396d88a26d1fc3c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\vWK41.exe

Filesize
520KB

MD5
6ed4ed260fe9efa440765709e1abca80

SHA1
cfc3696291b1aabf2531fe93e1347b17162f9bbc

SHA256
b9fc973a40df70ec74ca372c20971cdd9a040e669a1a83b6a4c433a792e53238

SHA512
3d285257d22f78b4a9f38a2093b2991787bd498493db04129b41253d5906184565b5c2a9f9a1253be336a6e98197dbc981d2b82ba6302da3242d4c5b7ee614e1

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\vWK41.exe

Filesize
520KB

MD5
6ed4ed260fe9efa440765709e1abca80

SHA1
cfc3696291b1aabf2531fe93e1347b17162f9bbc

SHA256
b9fc973a40df70ec74ca372c20971cdd9a040e669a1a83b6a4c433a792e53238

SHA512
3d285257d22f78b4a9f38a2093b2991787bd498493db04129b41253d5906184565b5c2a9f9a1253be336a6e98197dbc981d2b82ba6302da3242d4c5b7ee614e1

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\dIk16.exe

Filesize
305KB

MD5
0c9076ec4095c5084780c931b13e72e7

SHA1
55b6e8bdc66a2eea0a733e94d6f30de4f46f8e42

SHA256
59d5940bf01d2f15faae8ff641d5fced786e74ef03cb453d74a4d062e764db63

SHA512
8cc2a68768ee3928c8fbec137a157f5cd48bc3ed0a07cebc6d425491ae7db62af20dac5d249e6a4754d09860c3aacf05f4d0067efdcf492fde0add557b32d99f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\dIk16.exe

Filesize
305KB

MD5
0c9076ec4095c5084780c931b13e72e7

SHA1
55b6e8bdc66a2eea0a733e94d6f30de4f46f8e42

SHA256
59d5940bf01d2f15faae8ff641d5fced786e74ef03cb453d74a4d062e764db63

SHA512
8cc2a68768ee3928c8fbec137a157f5cd48bc3ed0a07cebc6d425491ae7db62af20dac5d249e6a4754d09860c3aacf05f4d0067efdcf492fde0add557b32d99f

Download Submit
memory/2660-157-0x0000000077730000-0x00000000778BE000-memory.dmp

Filesize
1.6MB

Download
memory/2660-128-0x0000000077730000-0x00000000778BE000-memory.dmp

Filesize
1.6MB

Download
memory/2660-124-0x0000000077730000-0x00000000778BE000-memory.dmp

Filesize
1.6MB

Download
memory/2660-125-0x0000000077730000-0x00000000778BE000-memory.dmp

Filesize
1.6MB

Download
memory/2660-126-0x0000000077730000-0x00000000778BE000-memory.dmp

Filesize
1.6MB

Download
memory/2660-127-0x0000000077730000-0x00000000778BE000-memory.dmp

Filesize
1.6MB

Download
memory/2660-162-0x0000000077730000-0x00000000778BE000-memory.dmp

Filesize
1.6MB

Download
memory/2660-129-0x0000000077730000-0x00000000778BE000-memory.dmp

Filesize
1.6MB

Download
memory/2660-130-0x0000000077730000-0x00000000778BE000-memory.dmp

Filesize
1.6MB

Download
memory/2660-131-0x0000000077730000-0x00000000778BE000-memory.dmp

Filesize
1.6MB

Download
memory/2660-132-0x0000000077730000-0x00000000778BE000-memory.dmp

Filesize
1.6MB

Download
memory/2660-133-0x0000000077730000-0x00000000778BE000-memory.dmp

Filesize
1.6MB

Download
memory/2660-134-0x0000000077730000-0x00000000778BE000-memory.dmp

Filesize
1.6MB

Download
memory/2660-136-0x0000000077730000-0x00000000778BE000-memory.dmp

Filesize
1.6MB

Download
memory/2660-160-0x0000000077730000-0x00000000778BE000-memory.dmp

Filesize
1.6MB

Download
memory/2660-137-0x0000000077730000-0x00000000778BE000-memory.dmp

Filesize
1.6MB

Download
memory/2660-138-0x0000000077730000-0x00000000778BE000-memory.dmp

Filesize
1.6MB

Download
memory/2660-140-0x0000000077730000-0x00000000778BE000-memory.dmp

Filesize
1.6MB

Download
memory/2660-141-0x0000000077730000-0x00000000778BE000-memory.dmp

Filesize
1.6MB

Download
memory/2660-142-0x0000000077730000-0x00000000778BE000-memory.dmp

Filesize
1.6MB

Download
memory/2660-139-0x0000000077730000-0x00000000778BE000-memory.dmp

Filesize
1.6MB

Download
memory/2660-143-0x0000000077730000-0x00000000778BE000-memory.dmp

Filesize
1.6MB

Download
memory/2660-144-0x0000000077730000-0x00000000778BE000-memory.dmp

Filesize
1.6MB

Download
memory/2660-145-0x0000000077730000-0x00000000778BE000-memory.dmp

Filesize
1.6MB

Download
memory/2660-146-0x0000000077730000-0x00000000778BE000-memory.dmp

Filesize
1.6MB

Download
memory/2660-147-0x0000000077730000-0x00000000778BE000-memory.dmp

Filesize
1.6MB

Download
memory/2660-149-0x0000000077730000-0x00000000778BE000-memory.dmp

Filesize
1.6MB

Download
memory/2660-150-0x0000000077730000-0x00000000778BE000-memory.dmp

Filesize
1.6MB

Download
memory/2660-148-0x0000000077730000-0x00000000778BE000-memory.dmp

Filesize
1.6MB

Download
memory/2660-151-0x0000000077730000-0x00000000778BE000-memory.dmp

Filesize
1.6MB

Download
memory/2660-152-0x0000000077730000-0x00000000778BE000-memory.dmp

Filesize
1.6MB

Download
memory/2660-154-0x0000000077730000-0x00000000778BE000-memory.dmp

Filesize
1.6MB

Download
memory/2660-155-0x0000000077730000-0x00000000778BE000-memory.dmp

Filesize
1.6MB

Download
memory/2660-153-0x0000000077730000-0x00000000778BE000-memory.dmp

Filesize
1.6MB

Download
memory/2660-156-0x0000000077730000-0x00000000778BE000-memory.dmp

Filesize
1.6MB

Download
memory/2660-122-0x0000000077730000-0x00000000778BE000-memory.dmp

Filesize
1.6MB

Download
memory/2660-158-0x0000000077730000-0x00000000778BE000-memory.dmp

Filesize
1.6MB

Download
memory/2660-159-0x0000000077730000-0x00000000778BE000-memory.dmp

Filesize
1.6MB

Download
memory/2660-135-0x0000000077730000-0x00000000778BE000-memory.dmp

Filesize
1.6MB

Download
memory/2660-120-0x0000000077730000-0x00000000778BE000-memory.dmp

Filesize
1.6MB

Download
memory/2660-123-0x0000000077730000-0x00000000778BE000-memory.dmp

Filesize
1.6MB

Download
memory/2660-164-0x0000000077730000-0x00000000778BE000-memory.dmp

Filesize
1.6MB

Download
memory/2660-165-0x0000000077730000-0x00000000778BE000-memory.dmp

Filesize
1.6MB

Download
memory/2660-163-0x0000000077730000-0x00000000778BE000-memory.dmp

Filesize
1.6MB

Download
memory/2660-161-0x0000000077730000-0x00000000778BE000-memory.dmp

Filesize
1.6MB

Download
memory/2660-121-0x0000000077730000-0x00000000778BE000-memory.dmp

Filesize
1.6MB

Download
memory/4544-176-0x0000000077730000-0x00000000778BE000-memory.dmp

Filesize
1.6MB

Download
memory/4544-179-0x0000000077730000-0x00000000778BE000-memory.dmp

Filesize
1.6MB

Download
memory/4544-171-0x0000000077730000-0x00000000778BE000-memory.dmp

Filesize
1.6MB

Download
memory/4544-172-0x0000000077730000-0x00000000778BE000-memory.dmp

Filesize
1.6MB

Download
memory/4544-175-0x0000000077730000-0x00000000778BE000-memory.dmp

Filesize
1.6MB

Download
memory/4544-173-0x0000000077730000-0x00000000778BE000-memory.dmp

Filesize
1.6MB

Download
memory/4544-178-0x0000000077730000-0x00000000778BE000-memory.dmp

Filesize
1.6MB

Download
memory/4544-177-0x0000000077730000-0x00000000778BE000-memory.dmp

Filesize
1.6MB

Download
memory/4544-186-0x0000000077730000-0x00000000778BE000-memory.dmp

Filesize
1.6MB

Download
memory/4544-182-0x0000000077730000-0x00000000778BE000-memory.dmp

Filesize
1.6MB

Download
memory/4544-185-0x0000000077730000-0x00000000778BE000-memory.dmp

Filesize
1.6MB

Download
memory/4544-184-0x0000000077730000-0x00000000778BE000-memory.dmp

Filesize
1.6MB

Download
memory/4544-183-0x0000000077730000-0x00000000778BE000-memory.dmp

Filesize
1.6MB

Download
memory/4544-180-0x0000000077730000-0x00000000778BE000-memory.dmp

Filesize
1.6MB

Download
memory/4544-169-0x0000000077730000-0x00000000778BE000-memory.dmp

Filesize
1.6MB

Download
memory/4544-168-0x0000000077730000-0x00000000778BE000-memory.dmp

Filesize
1.6MB

Download
memory/4544-181-0x0000000077730000-0x00000000778BE000-memory.dmp

Filesize
1.6MB

Download
memory/4544-170-0x0000000077730000-0x00000000778BE000-memory.dmp

Filesize
1.6MB

Download
memory/4552-348-0x0000000005B40000-0x0000000005B8B000-memory.dmp

Filesize
300KB

Download
memory/4552-319-0x0000000000690000-0x00000000007DA000-memory.dmp

Filesize
1.3MB

Download
memory/4552-321-0x0000000000690000-0x00000000007DA000-memory.dmp

Filesize
1.3MB

Download
memory/4552-322-0x0000000000400000-0x000000000057E000-memory.dmp

Filesize
1.5MB

Download
memory/4552-324-0x00000000024F0000-0x0000000002536000-memory.dmp

Filesize
280KB

Download
memory/4552-341-0x00000000051D0000-0x00000000057D6000-memory.dmp

Filesize
6.0MB

Download
memory/4552-328-0x0000000004AE0000-0x0000000004FDE000-memory.dmp

Filesize
5.0MB

Download
memory/4552-342-0x0000000005860000-0x000000000596A000-memory.dmp

Filesize
1.0MB

Download
memory/4552-344-0x00000000059A0000-0x00000000059B2000-memory.dmp

Filesize
72KB

Download
memory/4552-346-0x0000000005A00000-0x0000000005A3E000-memory.dmp

Filesize
248KB

Download
memory/4552-330-0x0000000005020000-0x0000000005064000-memory.dmp

Filesize
272KB

Download
memory/4552-352-0x0000000000690000-0x00000000007DA000-memory.dmp

Filesize
1.3MB

Download