redline | 682d8b62bc3f2cf6d1e31dd1ca29317ecb4251b2a45812a6c3f792639c3f613e

Analysis

max time kernel
140s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
10-11-2024 01:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

682d8b62bc3f2cf6d1e31dd1ca29317ecb4251b2a45812a6c3f792639c3f613e.exe
Size

770KB
MD5

76e42f5a56fb31264d7aca7a6902e88e
SHA1

ac865691b6c5a2b3f9e80e40c7d74ec8205a88a5
SHA256

682d8b62bc3f2cf6d1e31dd1ca29317ecb4251b2a45812a6c3f792639c3f613e
SHA512

73ec92573179ed5d1438655764c589a743536aacfe60dfce3f9578813c826dd2cae4531eac2bef614a8065b191f558dea585b0bbc13cd475d5c65167d32a379c
SSDEEP

12288:SMrXy90e9o7Cb7eA89MG3YMTNsbDzlQg+8hr9oqN4qv5JkFrODlvnhT5uayG:FyD9oem9M8TybHzGqyk5er0PhThyG

Score

10^/10

redline romik discovery infostealer persistence

Malware Config

Extracted

Family

redline

Botnet

romik

193.233.20.12:4132

Attributes

auth_value
8fb78d2889ba0ca42678b59b884e88ff

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 35 IoCs

resource	yara_rule
behavioral1/memory/2596-25-0x0000000004AC0000-0x0000000004B06000-memory.dmp	family_redline
behavioral1/memory/2596-27-0x0000000004B80000-0x0000000004BC4000-memory.dmp	family_redline
behavioral1/memory/2596-28-0x0000000004B80000-0x0000000004BBE000-memory.dmp	family_redline
behavioral1/memory/2596-49-0x0000000004B80000-0x0000000004BBE000-memory.dmp	family_redline
behavioral1/memory/2596-47-0x0000000004B80000-0x0000000004BBE000-memory.dmp	family_redline
behavioral1/memory/2596-45-0x0000000004B80000-0x0000000004BBE000-memory.dmp	family_redline
behavioral1/memory/2596-43-0x0000000004B80000-0x0000000004BBE000-memory.dmp	family_redline
behavioral1/memory/2596-41-0x0000000004B80000-0x0000000004BBE000-memory.dmp	family_redline
behavioral1/memory/2596-39-0x0000000004B80000-0x0000000004BBE000-memory.dmp	family_redline
behavioral1/memory/2596-37-0x0000000004B80000-0x0000000004BBE000-memory.dmp	family_redline
behavioral1/memory/2596-35-0x0000000004B80000-0x0000000004BBE000-memory.dmp	family_redline
behavioral1/memory/2596-33-0x0000000004B80000-0x0000000004BBE000-memory.dmp	family_redline
behavioral1/memory/2596-31-0x0000000004B80000-0x0000000004BBE000-memory.dmp	family_redline
behavioral1/memory/2596-29-0x0000000004B80000-0x0000000004BBE000-memory.dmp	family_redline
behavioral1/memory/2596-77-0x0000000004B80000-0x0000000004BBE000-memory.dmp	family_redline
behavioral1/memory/2596-91-0x0000000004B80000-0x0000000004BBE000-memory.dmp	family_redline
behavioral1/memory/2596-89-0x0000000004B80000-0x0000000004BBE000-memory.dmp	family_redline
behavioral1/memory/2596-87-0x0000000004B80000-0x0000000004BBE000-memory.dmp	family_redline
behavioral1/memory/2596-85-0x0000000004B80000-0x0000000004BBE000-memory.dmp	family_redline
behavioral1/memory/2596-83-0x0000000004B80000-0x0000000004BBE000-memory.dmp	family_redline
behavioral1/memory/2596-81-0x0000000004B80000-0x0000000004BBE000-memory.dmp	family_redline
behavioral1/memory/2596-79-0x0000000004B80000-0x0000000004BBE000-memory.dmp	family_redline
behavioral1/memory/2596-75-0x0000000004B80000-0x0000000004BBE000-memory.dmp	family_redline
behavioral1/memory/2596-73-0x0000000004B80000-0x0000000004BBE000-memory.dmp	family_redline
behavioral1/memory/2596-71-0x0000000004B80000-0x0000000004BBE000-memory.dmp	family_redline
behavioral1/memory/2596-70-0x0000000004B80000-0x0000000004BBE000-memory.dmp	family_redline
behavioral1/memory/2596-67-0x0000000004B80000-0x0000000004BBE000-memory.dmp	family_redline
behavioral1/memory/2596-66-0x0000000004B80000-0x0000000004BBE000-memory.dmp	family_redline
behavioral1/memory/2596-63-0x0000000004B80000-0x0000000004BBE000-memory.dmp	family_redline
behavioral1/memory/2596-62-0x0000000004B80000-0x0000000004BBE000-memory.dmp	family_redline
behavioral1/memory/2596-59-0x0000000004B80000-0x0000000004BBE000-memory.dmp	family_redline
behavioral1/memory/2596-57-0x0000000004B80000-0x0000000004BBE000-memory.dmp	family_redline
behavioral1/memory/2596-56-0x0000000004B80000-0x0000000004BBE000-memory.dmp	family_redline
behavioral1/memory/2596-53-0x0000000004B80000-0x0000000004BBE000-memory.dmp	family_redline
behavioral1/memory/2596-51-0x0000000004B80000-0x0000000004BBE000-memory.dmp	family_redline

Redline family
redline

Executes dropped EXE 3 IoCs

pid	Process
4628	vKH21.exe
2920	vBW04.exe
2596	dXi46.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	682d8b62bc3f2cf6d1e31dd1ca29317ecb4251b2a45812a6c3f792639c3f613e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	vKH21.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	vBW04.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	682d8b62bc3f2cf6d1e31dd1ca29317ecb4251b2a45812a6c3f792639c3f613e.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vKH21.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vBW04.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dXi46.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2596	dXi46.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 2340 wrote to memory of 4628	2340	682d8b62bc3f2cf6d1e31dd1ca29317ecb4251b2a45812a6c3f792639c3f613e.exe	83
PID 2340 wrote to memory of 4628	2340	682d8b62bc3f2cf6d1e31dd1ca29317ecb4251b2a45812a6c3f792639c3f613e.exe	83
PID 2340 wrote to memory of 4628	2340	682d8b62bc3f2cf6d1e31dd1ca29317ecb4251b2a45812a6c3f792639c3f613e.exe	83
PID 4628 wrote to memory of 2920	4628	vKH21.exe	85
PID 4628 wrote to memory of 2920	4628	vKH21.exe	85
PID 4628 wrote to memory of 2920	4628	vKH21.exe	85
PID 2920 wrote to memory of 2596	2920	vBW04.exe	87
PID 2920 wrote to memory of 2596	2920	vBW04.exe	87
PID 2920 wrote to memory of 2596	2920	vBW04.exe	87

C:\Users\Admin\AppData\Local\Temp\682d8b62bc3f2cf6d1e31dd1ca29317ecb4251b2a45812a6c3f792639c3f613e.exe
"C:\Users\Admin\AppData\Local\Temp\682d8b62bc3f2cf6d1e31dd1ca29317ecb4251b2a45812a6c3f792639c3f613e.exe"
1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2340
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vKH21.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vKH21.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4628
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\vBW04.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\vBW04.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2920
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\dXi46.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\dXi46.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:2596

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vKH21.exe

Filesize
666KB

MD5
bce0238d13256a3df0d8004de6b97ed0

SHA1
be06e35143a07f5574039a3efd10445496e2736e

SHA256
665c67e88bbb3c22531ec0f9cca680a1aa3401ad93d6529a78cd3aa21c80a974

SHA512
05bc067cfd52050e14b547ba4889a7c30bfb429ee70462d5766668e2ec820492ec3af9bba7fc3b8291b639706a39599f3d372c11fa036f13b93fcf46b5fc1a5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\vBW04.exe

Filesize
520KB

MD5
26e4311a11a6275a58a619720a052a9d

SHA1
c51e7fb7628b7fe4b6a03d9e22c79e2f45ab5c0f

SHA256
4c9fc2e031be89c3138efd0245331aff54877e2b2b7aeef9d45414a7b609b879

SHA512
b4309bbc8c8948b8d42418e03d7db5d5d910f9d36b0b7ce6fbfe9c691ca8b85a6df2745543db800b1d3399e8485f4b338d21c1ed12b1bee19e0531c6079b5f0b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\dXi46.exe

Filesize
306KB

MD5
44aee1861e5f2d4f001fcc570dfb4468

SHA1
a8341f8adabde95dc3465b23601052a7e1bd60e8

SHA256
c0acee57b9df5bd9f0cdc471c05d5797c8df24f11b6ac21959781f3fe234a287

SHA512
97a08b33f3ed6ceea8e12cd011bcda6c3316da2e0192e2d7db6464ae1843725e795f1559e05b48cbde32d008b4943c10f5c0957e5cd4dd10a4310ec10bb3fa1c

Download Submit
memory/2596-22-0x0000000000690000-0x0000000000790000-memory.dmp

Filesize
1024KB

Download
memory/2596-23-0x0000000000790000-0x00000000007DB000-memory.dmp

Filesize
300KB

Download
memory/2596-24-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/2596-25-0x0000000004AC0000-0x0000000004B06000-memory.dmp

Filesize
280KB

Download
memory/2596-26-0x0000000004CC0000-0x0000000005264000-memory.dmp

Filesize
5.6MB

Download
memory/2596-27-0x0000000004B80000-0x0000000004BC4000-memory.dmp

Filesize
272KB

Download
memory/2596-28-0x0000000004B80000-0x0000000004BBE000-memory.dmp

Filesize
248KB

Download
memory/2596-49-0x0000000004B80000-0x0000000004BBE000-memory.dmp

Filesize
248KB

Download
memory/2596-47-0x0000000004B80000-0x0000000004BBE000-memory.dmp

Filesize
248KB

Download
memory/2596-45-0x0000000004B80000-0x0000000004BBE000-memory.dmp

Filesize
248KB

Download
memory/2596-43-0x0000000004B80000-0x0000000004BBE000-memory.dmp

Filesize
248KB

Download
memory/2596-41-0x0000000004B80000-0x0000000004BBE000-memory.dmp

Filesize
248KB

Download
memory/2596-39-0x0000000004B80000-0x0000000004BBE000-memory.dmp

Filesize
248KB

Download
memory/2596-37-0x0000000004B80000-0x0000000004BBE000-memory.dmp

Filesize
248KB

Download
memory/2596-35-0x0000000004B80000-0x0000000004BBE000-memory.dmp

Filesize
248KB

Download
memory/2596-33-0x0000000004B80000-0x0000000004BBE000-memory.dmp

Filesize
248KB

Download
memory/2596-31-0x0000000004B80000-0x0000000004BBE000-memory.dmp

Filesize
248KB

Download
memory/2596-29-0x0000000004B80000-0x0000000004BBE000-memory.dmp

Filesize
248KB

Download
memory/2596-77-0x0000000004B80000-0x0000000004BBE000-memory.dmp

Filesize
248KB

Download
memory/2596-91-0x0000000004B80000-0x0000000004BBE000-memory.dmp

Filesize
248KB

Download
memory/2596-89-0x0000000004B80000-0x0000000004BBE000-memory.dmp

Filesize
248KB

Download
memory/2596-87-0x0000000004B80000-0x0000000004BBE000-memory.dmp

Filesize
248KB

Download
memory/2596-85-0x0000000004B80000-0x0000000004BBE000-memory.dmp

Filesize
248KB

Download
memory/2596-83-0x0000000004B80000-0x0000000004BBE000-memory.dmp

Filesize
248KB

Download
memory/2596-81-0x0000000004B80000-0x0000000004BBE000-memory.dmp

Filesize
248KB

Download
memory/2596-79-0x0000000004B80000-0x0000000004BBE000-memory.dmp

Filesize
248KB

Download
memory/2596-75-0x0000000004B80000-0x0000000004BBE000-memory.dmp

Filesize
248KB

Download
memory/2596-73-0x0000000004B80000-0x0000000004BBE000-memory.dmp

Filesize
248KB

Download
memory/2596-71-0x0000000004B80000-0x0000000004BBE000-memory.dmp

Filesize
248KB

Download
memory/2596-70-0x0000000004B80000-0x0000000004BBE000-memory.dmp

Filesize
248KB

Download
memory/2596-67-0x0000000004B80000-0x0000000004BBE000-memory.dmp

Filesize
248KB

Download
memory/2596-66-0x0000000004B80000-0x0000000004BBE000-memory.dmp

Filesize
248KB

Download
memory/2596-63-0x0000000004B80000-0x0000000004BBE000-memory.dmp

Filesize
248KB

Download
memory/2596-62-0x0000000004B80000-0x0000000004BBE000-memory.dmp

Filesize
248KB

Download
memory/2596-59-0x0000000004B80000-0x0000000004BBE000-memory.dmp

Filesize
248KB

Download
memory/2596-57-0x0000000004B80000-0x0000000004BBE000-memory.dmp

Filesize
248KB

Download
memory/2596-56-0x0000000004B80000-0x0000000004BBE000-memory.dmp

Filesize
248KB

Download
memory/2596-53-0x0000000004B80000-0x0000000004BBE000-memory.dmp

Filesize
248KB

Download
memory/2596-51-0x0000000004B80000-0x0000000004BBE000-memory.dmp

Filesize
248KB

Download
memory/2596-934-0x0000000005270000-0x0000000005888000-memory.dmp

Filesize
6.1MB

Download
memory/2596-935-0x0000000005890000-0x000000000599A000-memory.dmp

Filesize
1.0MB

Download
memory/2596-936-0x00000000059A0000-0x00000000059B2000-memory.dmp

Filesize
72KB

Download
memory/2596-937-0x00000000059C0000-0x00000000059FC000-memory.dmp

Filesize
240KB

Download
memory/2596-938-0x0000000005B00000-0x0000000005B4C000-memory.dmp

Filesize
304KB

Download
memory/2596-940-0x0000000000690000-0x0000000000790000-memory.dmp

Filesize
1024KB

Download
memory/2596-941-0x0000000000790000-0x00000000007DB000-memory.dmp

Filesize
300KB

Download
memory/2596-942-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads