redline | af46abdee9656773c0b451c99c580c13abb88197dd19e4a7332fa822efa5b029

Analysis

max time kernel
141s
max time network
142s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
10-11-2024 22:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

af46abdee9656773c0b451c99c580c13abb88197dd19e4a7332fa822efa5b029.exe
Size

766KB
MD5

22bc3c6821e99e9cdc6bc634494e1ab9
SHA1

b20de3020ba722e96e44dae5cbf5e7e6efef2bd4
SHA256

af46abdee9656773c0b451c99c580c13abb88197dd19e4a7332fa822efa5b029
SHA512

0788ae33469c45bb7c8a303ec49cbba682d1d96b4999b73f2c227bac81de6e959ee8dd2362b8401d82dbffb2779b6077d090c7d544bd24ca1fe6037597c28d1b
SSDEEP

12288:VMrty90GCUi+nkulCzpaU5rr9EBPYyf8sdtixRXBo3hllM3laQcL5ftSneeb54iF:oyhZlcpaU5rZkYyrdWxmdWkQcFftSnXX

Score

10^/10

redline romik discovery infostealer persistence

Malware Config

Extracted

Family

redline

Botnet

romik

193.233.20.12:4132

Attributes

auth_value
8fb78d2889ba0ca42678b59b884e88ff

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 35 IoCs

resource	yara_rule
behavioral1/memory/3516-22-0x0000000002780000-0x00000000027C6000-memory.dmp	family_redline
behavioral1/memory/3516-24-0x0000000002820000-0x0000000002864000-memory.dmp	family_redline
behavioral1/memory/3516-30-0x0000000002820000-0x000000000285E000-memory.dmp	family_redline
behavioral1/memory/3516-40-0x0000000002820000-0x000000000285E000-memory.dmp	family_redline
behavioral1/memory/3516-88-0x0000000002820000-0x000000000285E000-memory.dmp	family_redline
behavioral1/memory/3516-86-0x0000000002820000-0x000000000285E000-memory.dmp	family_redline
behavioral1/memory/3516-84-0x0000000002820000-0x000000000285E000-memory.dmp	family_redline
behavioral1/memory/3516-82-0x0000000002820000-0x000000000285E000-memory.dmp	family_redline
behavioral1/memory/3516-80-0x0000000002820000-0x000000000285E000-memory.dmp	family_redline
behavioral1/memory/3516-76-0x0000000002820000-0x000000000285E000-memory.dmp	family_redline
behavioral1/memory/3516-74-0x0000000002820000-0x000000000285E000-memory.dmp	family_redline
behavioral1/memory/3516-72-0x0000000002820000-0x000000000285E000-memory.dmp	family_redline
behavioral1/memory/3516-71-0x0000000002820000-0x000000000285E000-memory.dmp	family_redline
behavioral1/memory/3516-68-0x0000000002820000-0x000000000285E000-memory.dmp	family_redline
behavioral1/memory/3516-66-0x0000000002820000-0x000000000285E000-memory.dmp	family_redline
behavioral1/memory/3516-65-0x0000000002820000-0x000000000285E000-memory.dmp	family_redline
behavioral1/memory/3516-62-0x0000000002820000-0x000000000285E000-memory.dmp	family_redline
behavioral1/memory/3516-61-0x0000000002820000-0x000000000285E000-memory.dmp	family_redline
behavioral1/memory/3516-58-0x0000000002820000-0x000000000285E000-memory.dmp	family_redline
behavioral1/memory/3516-56-0x0000000002820000-0x000000000285E000-memory.dmp	family_redline
behavioral1/memory/3516-55-0x0000000002820000-0x000000000285E000-memory.dmp	family_redline
behavioral1/memory/3516-52-0x0000000002820000-0x000000000285E000-memory.dmp	family_redline
behavioral1/memory/3516-50-0x0000000002820000-0x000000000285E000-memory.dmp	family_redline
behavioral1/memory/3516-48-0x0000000002820000-0x000000000285E000-memory.dmp	family_redline
behavioral1/memory/3516-46-0x0000000002820000-0x000000000285E000-memory.dmp	family_redline
behavioral1/memory/3516-44-0x0000000002820000-0x000000000285E000-memory.dmp	family_redline
behavioral1/memory/3516-38-0x0000000002820000-0x000000000285E000-memory.dmp	family_redline
behavioral1/memory/3516-36-0x0000000002820000-0x000000000285E000-memory.dmp	family_redline
behavioral1/memory/3516-34-0x0000000002820000-0x000000000285E000-memory.dmp	family_redline
behavioral1/memory/3516-32-0x0000000002820000-0x000000000285E000-memory.dmp	family_redline
behavioral1/memory/3516-78-0x0000000002820000-0x000000000285E000-memory.dmp	family_redline
behavioral1/memory/3516-42-0x0000000002820000-0x000000000285E000-memory.dmp	family_redline
behavioral1/memory/3516-28-0x0000000002820000-0x000000000285E000-memory.dmp	family_redline
behavioral1/memory/3516-26-0x0000000002820000-0x000000000285E000-memory.dmp	family_redline
behavioral1/memory/3516-25-0x0000000002820000-0x000000000285E000-memory.dmp	family_redline

Redline family
redline

Executes dropped EXE 3 IoCs

pid	Process
4316	vXY44.exe
1748	vRj36.exe
3516	daA50.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	af46abdee9656773c0b451c99c580c13abb88197dd19e4a7332fa822efa5b029.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	vXY44.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	vRj36.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	af46abdee9656773c0b451c99c580c13abb88197dd19e4a7332fa822efa5b029.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vXY44.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vRj36.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	daA50.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	3516	daA50.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 1712 wrote to memory of 4316	1712	af46abdee9656773c0b451c99c580c13abb88197dd19e4a7332fa822efa5b029.exe	85
PID 1712 wrote to memory of 4316	1712	af46abdee9656773c0b451c99c580c13abb88197dd19e4a7332fa822efa5b029.exe	85
PID 1712 wrote to memory of 4316	1712	af46abdee9656773c0b451c99c580c13abb88197dd19e4a7332fa822efa5b029.exe	85
PID 4316 wrote to memory of 1748	4316	vXY44.exe	86
PID 4316 wrote to memory of 1748	4316	vXY44.exe	86
PID 4316 wrote to memory of 1748	4316	vXY44.exe	86
PID 1748 wrote to memory of 3516	1748	vRj36.exe	87
PID 1748 wrote to memory of 3516	1748	vRj36.exe	87
PID 1748 wrote to memory of 3516	1748	vRj36.exe	87

C:\Users\Admin\AppData\Local\Temp\af46abdee9656773c0b451c99c580c13abb88197dd19e4a7332fa822efa5b029.exe
"C:\Users\Admin\AppData\Local\Temp\af46abdee9656773c0b451c99c580c13abb88197dd19e4a7332fa822efa5b029.exe"
1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1712
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vXY44.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vXY44.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4316
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\vRj36.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\vRj36.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1748
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\daA50.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\daA50.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:3516

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vXY44.exe

Filesize
662KB

MD5
de7cb7e83000288ccb920f46ff18877b

SHA1
22c4121a6b1236ab9000ab0be522225a7c4aef9a

SHA256
ec95c11fbddc9107bd5d15680ae795288524c32f2a3dba2aaf8671bb3a8ff192

SHA512
6698ae376c1a1b7a60d7f8e074e0135564d776d6e8512ac991ad74f63b493694bdff04a68689a76b0db0b5c97115fc1efda848fc1870fbbab9fa0a1c71ab152f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\vRj36.exe

Filesize
517KB

MD5
a899af48c24b651c35e80f1a09123fb1

SHA1
23a9bab3206ea07e6d35ce31ad48950f36c52082

SHA256
9cecf0143a2257c75a2b12241894fb75d8be75ab29e5d9b1ec3e170230724b95

SHA512
c35ab2454635ab948e9d0df84756aa5373dcb14997f479a98ca9574cd3614d866860f8779259e7d94c9a44130556e5b6f2acc4d3a4d90903c6a494d03433cee5

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\daA50.exe

Filesize
295KB

MD5
d8dc91e4e92e8180ed954ad107ef273a

SHA1
71a90521a00c976b51a3bb871ae084ff7b82fd85

SHA256
1bf985d2fad051952b94362e61093806795a0b79ec6641e75cf9e194d770abd3

SHA512
772a25964a00375ea5ed6132b8d335e63d182f7744b8662aa99a4bd29f43a80e80f908bc17cd2f7351f5685b4de5844cea1b78f674b1fb0551e2ffd83b29020f

Download Submit
memory/3516-22-0x0000000002780000-0x00000000027C6000-memory.dmp

Filesize
280KB

Download
memory/3516-23-0x0000000004E30000-0x00000000053D4000-memory.dmp

Filesize
5.6MB

Download
memory/3516-24-0x0000000002820000-0x0000000002864000-memory.dmp

Filesize
272KB

Download
memory/3516-30-0x0000000002820000-0x000000000285E000-memory.dmp

Filesize
248KB

Download
memory/3516-40-0x0000000002820000-0x000000000285E000-memory.dmp

Filesize
248KB

Download
memory/3516-88-0x0000000002820000-0x000000000285E000-memory.dmp

Filesize
248KB

Download
memory/3516-86-0x0000000002820000-0x000000000285E000-memory.dmp

Filesize
248KB

Download
memory/3516-84-0x0000000002820000-0x000000000285E000-memory.dmp

Filesize
248KB

Download
memory/3516-82-0x0000000002820000-0x000000000285E000-memory.dmp

Filesize
248KB

Download
memory/3516-80-0x0000000002820000-0x000000000285E000-memory.dmp

Filesize
248KB

Download
memory/3516-76-0x0000000002820000-0x000000000285E000-memory.dmp

Filesize
248KB

Download
memory/3516-74-0x0000000002820000-0x000000000285E000-memory.dmp

Filesize
248KB

Download
memory/3516-72-0x0000000002820000-0x000000000285E000-memory.dmp

Filesize
248KB

Download
memory/3516-71-0x0000000002820000-0x000000000285E000-memory.dmp

Filesize
248KB

Download
memory/3516-68-0x0000000002820000-0x000000000285E000-memory.dmp

Filesize
248KB

Download
memory/3516-66-0x0000000002820000-0x000000000285E000-memory.dmp

Filesize
248KB

Download
memory/3516-65-0x0000000002820000-0x000000000285E000-memory.dmp

Filesize
248KB

Download
memory/3516-62-0x0000000002820000-0x000000000285E000-memory.dmp

Filesize
248KB

Download
memory/3516-61-0x0000000002820000-0x000000000285E000-memory.dmp

Filesize
248KB

Download
memory/3516-58-0x0000000002820000-0x000000000285E000-memory.dmp

Filesize
248KB

Download
memory/3516-56-0x0000000002820000-0x000000000285E000-memory.dmp

Filesize
248KB

Download
memory/3516-55-0x0000000002820000-0x000000000285E000-memory.dmp

Filesize
248KB

Download
memory/3516-52-0x0000000002820000-0x000000000285E000-memory.dmp

Filesize
248KB

Download
memory/3516-50-0x0000000002820000-0x000000000285E000-memory.dmp

Filesize
248KB

Download
memory/3516-48-0x0000000002820000-0x000000000285E000-memory.dmp

Filesize
248KB

Download
memory/3516-46-0x0000000002820000-0x000000000285E000-memory.dmp

Filesize
248KB

Download
memory/3516-44-0x0000000002820000-0x000000000285E000-memory.dmp

Filesize
248KB

Download
memory/3516-38-0x0000000002820000-0x000000000285E000-memory.dmp

Filesize
248KB

Download
memory/3516-36-0x0000000002820000-0x000000000285E000-memory.dmp

Filesize
248KB

Download
memory/3516-34-0x0000000002820000-0x000000000285E000-memory.dmp

Filesize
248KB

Download
memory/3516-32-0x0000000002820000-0x000000000285E000-memory.dmp

Filesize
248KB

Download
memory/3516-78-0x0000000002820000-0x000000000285E000-memory.dmp

Filesize
248KB

Download
memory/3516-42-0x0000000002820000-0x000000000285E000-memory.dmp

Filesize
248KB

Download
memory/3516-28-0x0000000002820000-0x000000000285E000-memory.dmp

Filesize
248KB

Download
memory/3516-26-0x0000000002820000-0x000000000285E000-memory.dmp

Filesize
248KB

Download
memory/3516-25-0x0000000002820000-0x000000000285E000-memory.dmp

Filesize
248KB

Download
memory/3516-931-0x00000000053E0000-0x00000000059F8000-memory.dmp

Filesize
6.1MB

Download
memory/3516-932-0x0000000005A80000-0x0000000005B8A000-memory.dmp

Filesize
1.0MB

Download
memory/3516-933-0x0000000005BC0000-0x0000000005BD2000-memory.dmp

Filesize
72KB

Download
memory/3516-934-0x0000000005BE0000-0x0000000005C1C000-memory.dmp

Filesize
240KB

Download
memory/3516-935-0x0000000005D30000-0x0000000005D7C000-memory.dmp

Filesize
304KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads