redline | 623e683832d20f42a4062ed2b444de5f7b0ab6d23586229207eb083c9ff5d2d0

Analysis

max time kernel
93s
max time network
136s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
10-11-2024 14:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

623e683832d20f42a4062ed2b444de5f7b0ab6d23586229207eb083c9ff5d2d0.exe
Size

272KB
MD5

8890cb1c1c75a14f2d93450e1237a81d
SHA1

0922f13ce951828b4a056972f9b5ea2c1b1e9c19
SHA256

623e683832d20f42a4062ed2b444de5f7b0ab6d23586229207eb083c9ff5d2d0
SHA512

3e0313aaab94d5a70d5f8869929d3c9484576d28af94e98ea7dcdab25a1e5f6a67331e570e6b9ee9baedeafaee0286272b3aad6a1a5ef6a104a3923b05ae0f1c
SSDEEP

3072:p6j4ELH6Vt7CENpmh6sLKR+utY/edHbpiWo40mTJghm0nlQoYKgQmExNn2pU9f2O:p6jgppZsLKwuAexbpZghdnlQH5Q

Score

10^/10

redline romik discovery infostealer

Malware Config

Extracted

Family

redline

Botnet

romik

193.233.20.12:4132

Attributes

auth_value
8fb78d2889ba0ca42678b59b884e88ff

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 1 IoCs

resource	yara_rule
behavioral2/memory/1664-1-0x00000000009D0000-0x0000000000A14000-memory.dmp	family_redline

Redline family
redline

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	623e683832d20f42a4062ed2b444de5f7b0ab6d23586229207eb083c9ff5d2d0.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1664	623e683832d20f42a4062ed2b444de5f7b0ab6d23586229207eb083c9ff5d2d0.exe

C:\Users\Admin\AppData\Local\Temp\623e683832d20f42a4062ed2b444de5f7b0ab6d23586229207eb083c9ff5d2d0.exe
"C:\Users\Admin\AppData\Local\Temp\623e683832d20f42a4062ed2b444de5f7b0ab6d23586229207eb083c9ff5d2d0.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:1664

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1664-0-0x00000000745EE000-0x00000000745EF000-memory.dmp

Filesize
4KB

Download
memory/1664-1-0x00000000009D0000-0x0000000000A14000-memory.dmp

Filesize
272KB

Download