redline | cbd457aa6a6aad2b2bb5aac4fa3a49d50ce0045fa923f6c4ad4723c7145acae3

Analysis

max time kernel
140s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
10-11-2024 02:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

cbd457aa6a6aad2b2bb5aac4fa3a49d50ce0045fa923f6c4ad4723c7145acae3.exe
Size

782KB
MD5

21c005d055984051cfad5b17fb4c84fc
SHA1

6fa57d7ee8097db287a9432b9c425bf3d40300fc
SHA256

cbd457aa6a6aad2b2bb5aac4fa3a49d50ce0045fa923f6c4ad4723c7145acae3
SHA512

d43ca3ce10a06bcc477d1bcbe82ea0b176d8e0f5faee74bac3f8ffecec94a1663d8f01ce0dd42445be28cfb2f050b3221ce61aabcfb4dae199e54d30eb4b763d
SSDEEP

24576:uysQVQIQpaBrBgnG8gaC5EOqFqQzzwBdkTjS3K/+:9pyfpmlgnXHEEOq0QwBdg4K/

Score

10^/10

redline romik discovery infostealer persistence

Malware Config

Extracted

Family

redline

Botnet

romik

193.233.20.12:4132

Attributes

auth_value
8fb78d2889ba0ca42678b59b884e88ff

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 35 IoCs

resource	yara_rule
behavioral1/memory/4504-22-0x0000000002710000-0x0000000002756000-memory.dmp	family_redline
behavioral1/memory/4504-24-0x0000000002970000-0x00000000029B4000-memory.dmp	family_redline
behavioral1/memory/4504-60-0x0000000002970000-0x00000000029AE000-memory.dmp	family_redline
behavioral1/memory/4504-25-0x0000000002970000-0x00000000029AE000-memory.dmp	family_redline
behavioral1/memory/4504-74-0x0000000002970000-0x00000000029AE000-memory.dmp	family_redline
behavioral1/memory/4504-86-0x0000000002970000-0x00000000029AE000-memory.dmp	family_redline
behavioral1/memory/4504-84-0x0000000002970000-0x00000000029AE000-memory.dmp	family_redline
behavioral1/memory/4504-83-0x0000000002970000-0x00000000029AE000-memory.dmp	family_redline
behavioral1/memory/4504-80-0x0000000002970000-0x00000000029AE000-memory.dmp	family_redline
behavioral1/memory/4504-78-0x0000000002970000-0x00000000029AE000-memory.dmp	family_redline
behavioral1/memory/4504-77-0x0000000002970000-0x00000000029AE000-memory.dmp	family_redline
behavioral1/memory/4504-72-0x0000000002970000-0x00000000029AE000-memory.dmp	family_redline
behavioral1/memory/4504-70-0x0000000002970000-0x00000000029AE000-memory.dmp	family_redline
behavioral1/memory/4504-69-0x0000000002970000-0x00000000029AE000-memory.dmp	family_redline
behavioral1/memory/4504-67-0x0000000002970000-0x00000000029AE000-memory.dmp	family_redline
behavioral1/memory/4504-64-0x0000000002970000-0x00000000029AE000-memory.dmp	family_redline
behavioral1/memory/4504-62-0x0000000002970000-0x00000000029AE000-memory.dmp	family_redline
behavioral1/memory/4504-58-0x0000000002970000-0x00000000029AE000-memory.dmp	family_redline
behavioral1/memory/4504-57-0x0000000002970000-0x00000000029AE000-memory.dmp	family_redline
behavioral1/memory/4504-54-0x0000000002970000-0x00000000029AE000-memory.dmp	family_redline
behavioral1/memory/4504-53-0x0000000002970000-0x00000000029AE000-memory.dmp	family_redline
behavioral1/memory/4504-50-0x0000000002970000-0x00000000029AE000-memory.dmp	family_redline
behavioral1/memory/4504-49-0x0000000002970000-0x00000000029AE000-memory.dmp	family_redline
behavioral1/memory/4504-46-0x0000000002970000-0x00000000029AE000-memory.dmp	family_redline
behavioral1/memory/4504-45-0x0000000002970000-0x00000000029AE000-memory.dmp	family_redline
behavioral1/memory/4504-42-0x0000000002970000-0x00000000029AE000-memory.dmp	family_redline
behavioral1/memory/4504-40-0x0000000002970000-0x00000000029AE000-memory.dmp	family_redline
behavioral1/memory/4504-38-0x0000000002970000-0x00000000029AE000-memory.dmp	family_redline
behavioral1/memory/4504-36-0x0000000002970000-0x00000000029AE000-memory.dmp	family_redline
behavioral1/memory/4504-34-0x0000000002970000-0x00000000029AE000-memory.dmp	family_redline
behavioral1/memory/4504-32-0x0000000002970000-0x00000000029AE000-memory.dmp	family_redline
behavioral1/memory/4504-30-0x0000000002970000-0x00000000029AE000-memory.dmp	family_redline
behavioral1/memory/4504-28-0x0000000002970000-0x00000000029AE000-memory.dmp	family_redline
behavioral1/memory/4504-26-0x0000000002970000-0x00000000029AE000-memory.dmp	family_redline
behavioral1/memory/4504-88-0x0000000002970000-0x00000000029AE000-memory.dmp	family_redline

Redline family
redline

Executes dropped EXE 3 IoCs

pid	Process
3564	vcX54.exe
3124	vCV04.exe
4504	dDn07.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	cbd457aa6a6aad2b2bb5aac4fa3a49d50ce0045fa923f6c4ad4723c7145acae3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	vcX54.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	vCV04.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cbd457aa6a6aad2b2bb5aac4fa3a49d50ce0045fa923f6c4ad4723c7145acae3.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vcX54.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vCV04.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dDn07.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4504	dDn07.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 4236 wrote to memory of 3564	4236	cbd457aa6a6aad2b2bb5aac4fa3a49d50ce0045fa923f6c4ad4723c7145acae3.exe	83
PID 4236 wrote to memory of 3564	4236	cbd457aa6a6aad2b2bb5aac4fa3a49d50ce0045fa923f6c4ad4723c7145acae3.exe	83
PID 4236 wrote to memory of 3564	4236	cbd457aa6a6aad2b2bb5aac4fa3a49d50ce0045fa923f6c4ad4723c7145acae3.exe	83
PID 3564 wrote to memory of 3124	3564	vcX54.exe	84
PID 3564 wrote to memory of 3124	3564	vcX54.exe	84
PID 3564 wrote to memory of 3124	3564	vcX54.exe	84
PID 3124 wrote to memory of 4504	3124	vCV04.exe	85
PID 3124 wrote to memory of 4504	3124	vCV04.exe	85
PID 3124 wrote to memory of 4504	3124	vCV04.exe	85

C:\Users\Admin\AppData\Local\Temp\cbd457aa6a6aad2b2bb5aac4fa3a49d50ce0045fa923f6c4ad4723c7145acae3.exe
"C:\Users\Admin\AppData\Local\Temp\cbd457aa6a6aad2b2bb5aac4fa3a49d50ce0045fa923f6c4ad4723c7145acae3.exe"
1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4236
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vcX54.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vcX54.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3564
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\vCV04.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\vCV04.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3124
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\dDn07.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\dDn07.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:4504

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vcX54.exe

Filesize
678KB

MD5
b14c3cc9e56b764a8442f16f4accbfa4

SHA1
6eb570c6f1c1f8d6b1fe8b0b234bc7b4c12754b0

SHA256
1ec620f4b89ae2f0d7e52d01538e9222b09e9c7758797ef5ec492c348a7c4c6b

SHA512
51ddd535e084f05b4d30b26a3b5a47b31dbad988f4c0fca6c6766e9ffc12e4db4e7e36d4c4215ca8df42ffc160b41c12d75dfd5ba8018769cc65d288a23cf7ad

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\vCV04.exe

Filesize
533KB

MD5
2be3afb346b9718ba72bcd7bf749d008

SHA1
08e37212795d6c26801e39b149466e7086773657

SHA256
de96af4a97ce027371dddbd9454f648825748d8cc765c365d74143976bbe6489

SHA512
56291a024905b0dc75b8e89f245c48e0a9e69215261dc7f89d412203a164e7965f47c5ab44e14cd362038f90161ca9a353e4b80255c6a8f7fd4f9bb4fb4f6832

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\dDn07.exe

Filesize
339KB

MD5
2a2b8e9e1ac60a07669fb2e605ae5fc0

SHA1
1cc136d374c99c4067348639600c935aa91a856e

SHA256
2252c7be0b9cba4224b74c272e480e979611f00492392011492ceff7c3417848

SHA512
425aafdb8dd0337f7ebd204fca83a625a18e68dc677d6760a2e34b0552c80cb98eb618e0c31c9a3edb560811fcbebb546c0e66116c75dc3b892454252738a7f2

Download Submit
memory/4504-22-0x0000000002710000-0x0000000002756000-memory.dmp

Filesize
280KB

Download
memory/4504-23-0x0000000005020000-0x00000000055C4000-memory.dmp

Filesize
5.6MB

Download
memory/4504-24-0x0000000002970000-0x00000000029B4000-memory.dmp

Filesize
272KB

Download
memory/4504-60-0x0000000002970000-0x00000000029AE000-memory.dmp

Filesize
248KB

Download
memory/4504-25-0x0000000002970000-0x00000000029AE000-memory.dmp

Filesize
248KB

Download
memory/4504-74-0x0000000002970000-0x00000000029AE000-memory.dmp

Filesize
248KB

Download
memory/4504-86-0x0000000002970000-0x00000000029AE000-memory.dmp

Filesize
248KB

Download
memory/4504-84-0x0000000002970000-0x00000000029AE000-memory.dmp

Filesize
248KB

Download
memory/4504-83-0x0000000002970000-0x00000000029AE000-memory.dmp

Filesize
248KB

Download
memory/4504-80-0x0000000002970000-0x00000000029AE000-memory.dmp

Filesize
248KB

Download
memory/4504-78-0x0000000002970000-0x00000000029AE000-memory.dmp

Filesize
248KB

Download
memory/4504-77-0x0000000002970000-0x00000000029AE000-memory.dmp

Filesize
248KB

Download
memory/4504-72-0x0000000002970000-0x00000000029AE000-memory.dmp

Filesize
248KB

Download
memory/4504-70-0x0000000002970000-0x00000000029AE000-memory.dmp

Filesize
248KB

Download
memory/4504-69-0x0000000002970000-0x00000000029AE000-memory.dmp

Filesize
248KB

Download
memory/4504-67-0x0000000002970000-0x00000000029AE000-memory.dmp

Filesize
248KB

Download
memory/4504-64-0x0000000002970000-0x00000000029AE000-memory.dmp

Filesize
248KB

Download
memory/4504-62-0x0000000002970000-0x00000000029AE000-memory.dmp

Filesize
248KB

Download
memory/4504-58-0x0000000002970000-0x00000000029AE000-memory.dmp

Filesize
248KB

Download
memory/4504-57-0x0000000002970000-0x00000000029AE000-memory.dmp

Filesize
248KB

Download
memory/4504-54-0x0000000002970000-0x00000000029AE000-memory.dmp

Filesize
248KB

Download
memory/4504-53-0x0000000002970000-0x00000000029AE000-memory.dmp

Filesize
248KB

Download
memory/4504-50-0x0000000002970000-0x00000000029AE000-memory.dmp

Filesize
248KB

Download
memory/4504-49-0x0000000002970000-0x00000000029AE000-memory.dmp

Filesize
248KB

Download
memory/4504-46-0x0000000002970000-0x00000000029AE000-memory.dmp

Filesize
248KB

Download
memory/4504-45-0x0000000002970000-0x00000000029AE000-memory.dmp

Filesize
248KB

Download
memory/4504-42-0x0000000002970000-0x00000000029AE000-memory.dmp

Filesize
248KB

Download
memory/4504-40-0x0000000002970000-0x00000000029AE000-memory.dmp

Filesize
248KB

Download
memory/4504-38-0x0000000002970000-0x00000000029AE000-memory.dmp

Filesize
248KB

Download
memory/4504-36-0x0000000002970000-0x00000000029AE000-memory.dmp

Filesize
248KB

Download
memory/4504-34-0x0000000002970000-0x00000000029AE000-memory.dmp

Filesize
248KB

Download
memory/4504-32-0x0000000002970000-0x00000000029AE000-memory.dmp

Filesize
248KB

Download
memory/4504-30-0x0000000002970000-0x00000000029AE000-memory.dmp

Filesize
248KB

Download
memory/4504-28-0x0000000002970000-0x00000000029AE000-memory.dmp

Filesize
248KB

Download
memory/4504-26-0x0000000002970000-0x00000000029AE000-memory.dmp

Filesize
248KB

Download
memory/4504-88-0x0000000002970000-0x00000000029AE000-memory.dmp

Filesize
248KB

Download
memory/4504-931-0x00000000055D0000-0x0000000005BE8000-memory.dmp

Filesize
6.1MB

Download
memory/4504-932-0x0000000004EB0000-0x0000000004FBA000-memory.dmp

Filesize
1.0MB

Download
memory/4504-933-0x0000000004FF0000-0x0000000005002000-memory.dmp

Filesize
72KB

Download
memory/4504-934-0x0000000005BF0000-0x0000000005C2C000-memory.dmp

Filesize
240KB

Download
memory/4504-935-0x0000000005D40000-0x0000000005D8C000-memory.dmp

Filesize
304KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads