redline | 59fde1a1d83914c162a3a60179bc87f5185e1c2729cdfd4ee6679e66497c804f

Analysis

max time kernel
148s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
10-11-2024 15:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

59fde1a1d83914c162a3a60179bc87f5185e1c2729cdfd4ee6679e66497c804f.exe
Size

764KB
MD5

2385f382b484888b865b61b1d58e3321
SHA1

4c9eaa8d566d72c3f2776aaeb844044324bf0e64
SHA256

59fde1a1d83914c162a3a60179bc87f5185e1c2729cdfd4ee6679e66497c804f
SHA512

a09b06d404a40092805b847f687d6f030bcd582abf09d0e24b7c59f31cd91c3b3ea0f014dfdf0c980055db077deda65b11a36afe5ba5ab10732ae1f7cfc986d5
SSDEEP

12288:RMrcy90gYNaqzyDeswnb88+eksriZk957dtYwLO90HepqUnAL6MjOBSuYtKG:5yGNADes6B+k6kVt7O9fpeW281mV

Score

10^/10

redline romik discovery infostealer persistence

Malware Config

Extracted

Family

redline

Botnet

romik

193.233.20.12:4132

Attributes

auth_value
8fb78d2889ba0ca42678b59b884e88ff

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 35 IoCs

resource	yara_rule
behavioral1/memory/3832-25-0x0000000002450000-0x0000000002496000-memory.dmp	family_redline
behavioral1/memory/3832-27-0x0000000004B70000-0x0000000004BB4000-memory.dmp	family_redline
behavioral1/memory/3832-29-0x0000000004B70000-0x0000000004BAE000-memory.dmp	family_redline
behavioral1/memory/3832-39-0x0000000004B70000-0x0000000004BAE000-memory.dmp	family_redline
behavioral1/memory/3832-91-0x0000000004B70000-0x0000000004BAE000-memory.dmp	family_redline
behavioral1/memory/3832-89-0x0000000004B70000-0x0000000004BAE000-memory.dmp	family_redline
behavioral1/memory/3832-87-0x0000000004B70000-0x0000000004BAE000-memory.dmp	family_redline
behavioral1/memory/3832-85-0x0000000004B70000-0x0000000004BAE000-memory.dmp	family_redline
behavioral1/memory/3832-83-0x0000000004B70000-0x0000000004BAE000-memory.dmp	family_redline
behavioral1/memory/3832-81-0x0000000004B70000-0x0000000004BAE000-memory.dmp	family_redline
behavioral1/memory/3832-79-0x0000000004B70000-0x0000000004BAE000-memory.dmp	family_redline
behavioral1/memory/3832-75-0x0000000004B70000-0x0000000004BAE000-memory.dmp	family_redline
behavioral1/memory/3832-73-0x0000000004B70000-0x0000000004BAE000-memory.dmp	family_redline
behavioral1/memory/3832-71-0x0000000004B70000-0x0000000004BAE000-memory.dmp	family_redline
behavioral1/memory/3832-69-0x0000000004B70000-0x0000000004BAE000-memory.dmp	family_redline
behavioral1/memory/3832-68-0x0000000004B70000-0x0000000004BAE000-memory.dmp	family_redline
behavioral1/memory/3832-63-0x0000000004B70000-0x0000000004BAE000-memory.dmp	family_redline
behavioral1/memory/3832-61-0x0000000004B70000-0x0000000004BAE000-memory.dmp	family_redline
behavioral1/memory/3832-59-0x0000000004B70000-0x0000000004BAE000-memory.dmp	family_redline
behavioral1/memory/3832-57-0x0000000004B70000-0x0000000004BAE000-memory.dmp	family_redline
behavioral1/memory/3832-53-0x0000000004B70000-0x0000000004BAE000-memory.dmp	family_redline
behavioral1/memory/3832-49-0x0000000004B70000-0x0000000004BAE000-memory.dmp	family_redline
behavioral1/memory/3832-47-0x0000000004B70000-0x0000000004BAE000-memory.dmp	family_redline
behavioral1/memory/3832-45-0x0000000004B70000-0x0000000004BAE000-memory.dmp	family_redline
behavioral1/memory/3832-43-0x0000000004B70000-0x0000000004BAE000-memory.dmp	family_redline
behavioral1/memory/3832-41-0x0000000004B70000-0x0000000004BAE000-memory.dmp	family_redline
behavioral1/memory/3832-37-0x0000000004B70000-0x0000000004BAE000-memory.dmp	family_redline
behavioral1/memory/3832-35-0x0000000004B70000-0x0000000004BAE000-memory.dmp	family_redline
behavioral1/memory/3832-33-0x0000000004B70000-0x0000000004BAE000-memory.dmp	family_redline
behavioral1/memory/3832-31-0x0000000004B70000-0x0000000004BAE000-memory.dmp	family_redline
behavioral1/memory/3832-77-0x0000000004B70000-0x0000000004BAE000-memory.dmp	family_redline
behavioral1/memory/3832-65-0x0000000004B70000-0x0000000004BAE000-memory.dmp	family_redline
behavioral1/memory/3832-55-0x0000000004B70000-0x0000000004BAE000-memory.dmp	family_redline
behavioral1/memory/3832-51-0x0000000004B70000-0x0000000004BAE000-memory.dmp	family_redline
behavioral1/memory/3832-28-0x0000000004B70000-0x0000000004BAE000-memory.dmp	family_redline

Redline family
redline

Executes dropped EXE 3 IoCs

pid	Process
2124	vVG41.exe
4164	vRs38.exe
3832	deU53.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	vVG41.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	vRs38.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	59fde1a1d83914c162a3a60179bc87f5185e1c2729cdfd4ee6679e66497c804f.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	59fde1a1d83914c162a3a60179bc87f5185e1c2729cdfd4ee6679e66497c804f.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vVG41.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vRs38.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	deU53.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	3832	deU53.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 2880 wrote to memory of 2124	2880	59fde1a1d83914c162a3a60179bc87f5185e1c2729cdfd4ee6679e66497c804f.exe	83
PID 2880 wrote to memory of 2124	2880	59fde1a1d83914c162a3a60179bc87f5185e1c2729cdfd4ee6679e66497c804f.exe	83
PID 2880 wrote to memory of 2124	2880	59fde1a1d83914c162a3a60179bc87f5185e1c2729cdfd4ee6679e66497c804f.exe	83
PID 2124 wrote to memory of 4164	2124	vVG41.exe	84
PID 2124 wrote to memory of 4164	2124	vVG41.exe	84
PID 2124 wrote to memory of 4164	2124	vVG41.exe	84
PID 4164 wrote to memory of 3832	4164	vRs38.exe	85
PID 4164 wrote to memory of 3832	4164	vRs38.exe	85
PID 4164 wrote to memory of 3832	4164	vRs38.exe	85

C:\Users\Admin\AppData\Local\Temp\59fde1a1d83914c162a3a60179bc87f5185e1c2729cdfd4ee6679e66497c804f.exe
"C:\Users\Admin\AppData\Local\Temp\59fde1a1d83914c162a3a60179bc87f5185e1c2729cdfd4ee6679e66497c804f.exe"
1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2880
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vVG41.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vVG41.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2124
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\vRs38.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\vRs38.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:4164
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\deU53.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\deU53.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:3832

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vVG41.exe

Filesize
660KB

MD5
283c9acdcfd33a7818074b8de7c2718a

SHA1
0eb372c09c8fb32449a447b816a1d053ffc5ff88

SHA256
0a97aa190f79fb78348a86a962ad9657a5d6bd0fc63f3f37986fe5a04e8a3045

SHA512
634f9b8011ff0530a90701c87691d223fb9a126f795d58d7bae7c28d666dde8ce0c3da9c7a98852c125cadbcc181cc66cf53859bc476fff023ead0c775f46b7c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\vRs38.exe

Filesize
515KB

MD5
dcb7c1f27333d45ff1c873573dd80c13

SHA1
d193d5ff857a473fcf0db902a15cada8bca49b8c

SHA256
f4dae0f91714e89e836f8bb5c11e2f48802a4686723aa56ad82f8d7393862cbb

SHA512
4a724b545bd076fb08bff7a07a696b135c214db1e1803a63c0448459e275ec885fec8585769676f417b76a5abee83504c3eb00b14d74d963e9d9edb2dc815bbe

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\deU53.exe

Filesize
292KB

MD5
a1bb8b26787e435b23ee1c4abcf44874

SHA1
2c2f8584b8e6ad3960204effd280dad69f232504

SHA256
796bbf9af20464c9c7040aba5314b3ac383994a2551b27a6fb7837bffb7a3395

SHA512
1148118e64ae5e89b5b2002fa0558890a9dbb7060a4e87883d5f4f3874b9b43282e494016b514d1498f3c73b0f31504d85005056b645fb814cd9e2cbafe8c8b6

Download Submit
memory/3832-22-0x0000000000760000-0x0000000000860000-memory.dmp

Filesize
1024KB

Download
memory/3832-23-0x00000000006A0000-0x00000000006EB000-memory.dmp

Filesize
300KB

Download
memory/3832-24-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/3832-25-0x0000000002450000-0x0000000002496000-memory.dmp

Filesize
280KB

Download
memory/3832-26-0x0000000004CD0000-0x0000000005274000-memory.dmp

Filesize
5.6MB

Download
memory/3832-27-0x0000000004B70000-0x0000000004BB4000-memory.dmp

Filesize
272KB

Download
memory/3832-29-0x0000000004B70000-0x0000000004BAE000-memory.dmp

Filesize
248KB

Download
memory/3832-39-0x0000000004B70000-0x0000000004BAE000-memory.dmp

Filesize
248KB

Download
memory/3832-91-0x0000000004B70000-0x0000000004BAE000-memory.dmp

Filesize
248KB

Download
memory/3832-89-0x0000000004B70000-0x0000000004BAE000-memory.dmp

Filesize
248KB

Download
memory/3832-87-0x0000000004B70000-0x0000000004BAE000-memory.dmp

Filesize
248KB

Download
memory/3832-85-0x0000000004B70000-0x0000000004BAE000-memory.dmp

Filesize
248KB

Download
memory/3832-83-0x0000000004B70000-0x0000000004BAE000-memory.dmp

Filesize
248KB

Download
memory/3832-81-0x0000000004B70000-0x0000000004BAE000-memory.dmp

Filesize
248KB

Download
memory/3832-79-0x0000000004B70000-0x0000000004BAE000-memory.dmp

Filesize
248KB

Download
memory/3832-75-0x0000000004B70000-0x0000000004BAE000-memory.dmp

Filesize
248KB

Download
memory/3832-73-0x0000000004B70000-0x0000000004BAE000-memory.dmp

Filesize
248KB

Download
memory/3832-71-0x0000000004B70000-0x0000000004BAE000-memory.dmp

Filesize
248KB

Download
memory/3832-69-0x0000000004B70000-0x0000000004BAE000-memory.dmp

Filesize
248KB

Download
memory/3832-68-0x0000000004B70000-0x0000000004BAE000-memory.dmp

Filesize
248KB

Download
memory/3832-63-0x0000000004B70000-0x0000000004BAE000-memory.dmp

Filesize
248KB

Download
memory/3832-61-0x0000000004B70000-0x0000000004BAE000-memory.dmp

Filesize
248KB

Download
memory/3832-59-0x0000000004B70000-0x0000000004BAE000-memory.dmp

Filesize
248KB

Download
memory/3832-57-0x0000000004B70000-0x0000000004BAE000-memory.dmp

Filesize
248KB

Download
memory/3832-53-0x0000000004B70000-0x0000000004BAE000-memory.dmp

Filesize
248KB

Download
memory/3832-49-0x0000000004B70000-0x0000000004BAE000-memory.dmp

Filesize
248KB

Download
memory/3832-47-0x0000000004B70000-0x0000000004BAE000-memory.dmp

Filesize
248KB

Download
memory/3832-45-0x0000000004B70000-0x0000000004BAE000-memory.dmp

Filesize
248KB

Download
memory/3832-43-0x0000000004B70000-0x0000000004BAE000-memory.dmp

Filesize
248KB

Download
memory/3832-41-0x0000000004B70000-0x0000000004BAE000-memory.dmp

Filesize
248KB

Download
memory/3832-37-0x0000000004B70000-0x0000000004BAE000-memory.dmp

Filesize
248KB

Download
memory/3832-35-0x0000000004B70000-0x0000000004BAE000-memory.dmp

Filesize
248KB

Download
memory/3832-33-0x0000000004B70000-0x0000000004BAE000-memory.dmp

Filesize
248KB

Download
memory/3832-31-0x0000000004B70000-0x0000000004BAE000-memory.dmp

Filesize
248KB

Download
memory/3832-77-0x0000000004B70000-0x0000000004BAE000-memory.dmp

Filesize
248KB

Download
memory/3832-65-0x0000000004B70000-0x0000000004BAE000-memory.dmp

Filesize
248KB

Download
memory/3832-55-0x0000000004B70000-0x0000000004BAE000-memory.dmp

Filesize
248KB

Download
memory/3832-51-0x0000000004B70000-0x0000000004BAE000-memory.dmp

Filesize
248KB

Download
memory/3832-28-0x0000000004B70000-0x0000000004BAE000-memory.dmp

Filesize
248KB

Download
memory/3832-934-0x0000000005280000-0x0000000005898000-memory.dmp

Filesize
6.1MB

Download
memory/3832-935-0x00000000058A0000-0x00000000059AA000-memory.dmp

Filesize
1.0MB

Download
memory/3832-936-0x0000000004CA0000-0x0000000004CB2000-memory.dmp

Filesize
72KB

Download
memory/3832-937-0x00000000059B0000-0x00000000059EC000-memory.dmp

Filesize
240KB

Download
memory/3832-938-0x0000000005B00000-0x0000000005B4C000-memory.dmp

Filesize
304KB

Download
memory/3832-940-0x0000000000760000-0x0000000000860000-memory.dmp

Filesize
1024KB

Download
memory/3832-941-0x00000000006A0000-0x00000000006EB000-memory.dmp

Filesize
300KB

Download
memory/3832-942-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads