redline | 176fe315f0a20bf029b56934e5f7bef9c0f93f37a46f6db369fe9d56d0b32176

Analysis

max time kernel
110s
max time network
119s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
11-11-2024 23:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

176fe315f0a20bf029b56934e5f7bef9c0f93f37a46f6db369fe9d56d0b32176N.exe
Size

733KB
MD5

543e695a6c46702e5d0edef1ec797230
SHA1

a9352c1779066038fc5143d498eba0ecc0598fcf
SHA256

176fe315f0a20bf029b56934e5f7bef9c0f93f37a46f6db369fe9d56d0b32176
SHA512

7c59100c9f7d8b2151ea460ebcc2ac83ef6852c53d91cbe97f60d4543598f1c4bce07bdab24e15fbf351f5e9e9f8c6f0d01f7e2d32b188e0c1ba592d88e2ac73
SSDEEP

12288:NMrKy90WGUha0TiyFqnaUW8DSV6VRVs7Nq9Xgyf6vZ7gtVjCH1TSNGDF0g/6M0rz:jyxa0TtqnHXDSV6xsI9Xgb9gfCVTSUnW

Score

10^/10

redline romik discovery infostealer persistence

Malware Config

Extracted

Family

redline

Botnet

romik

193.233.20.12:4132

Attributes

auth_value
8fb78d2889ba0ca42678b59b884e88ff

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 35 IoCs

resource	yara_rule
behavioral1/memory/4592-19-0x00000000023F0000-0x0000000002436000-memory.dmp	family_redline
behavioral1/memory/4592-21-0x0000000005150000-0x0000000005194000-memory.dmp	family_redline
behavioral1/memory/4592-25-0x0000000005150000-0x000000000518E000-memory.dmp	family_redline
behavioral1/memory/4592-85-0x0000000005150000-0x000000000518E000-memory.dmp	family_redline
behavioral1/memory/4592-81-0x0000000005150000-0x000000000518E000-memory.dmp	family_redline
behavioral1/memory/4592-79-0x0000000005150000-0x000000000518E000-memory.dmp	family_redline
behavioral1/memory/4592-77-0x0000000005150000-0x000000000518E000-memory.dmp	family_redline
behavioral1/memory/4592-75-0x0000000005150000-0x000000000518E000-memory.dmp	family_redline
behavioral1/memory/4592-73-0x0000000005150000-0x000000000518E000-memory.dmp	family_redline
behavioral1/memory/4592-69-0x0000000005150000-0x000000000518E000-memory.dmp	family_redline
behavioral1/memory/4592-67-0x0000000005150000-0x000000000518E000-memory.dmp	family_redline
behavioral1/memory/4592-65-0x0000000005150000-0x000000000518E000-memory.dmp	family_redline
behavioral1/memory/4592-63-0x0000000005150000-0x000000000518E000-memory.dmp	family_redline
behavioral1/memory/4592-61-0x0000000005150000-0x000000000518E000-memory.dmp	family_redline
behavioral1/memory/4592-59-0x0000000005150000-0x000000000518E000-memory.dmp	family_redline
behavioral1/memory/4592-57-0x0000000005150000-0x000000000518E000-memory.dmp	family_redline
behavioral1/memory/4592-55-0x0000000005150000-0x000000000518E000-memory.dmp	family_redline
behavioral1/memory/4592-53-0x0000000005150000-0x000000000518E000-memory.dmp	family_redline
behavioral1/memory/4592-51-0x0000000005150000-0x000000000518E000-memory.dmp	family_redline
behavioral1/memory/4592-49-0x0000000005150000-0x000000000518E000-memory.dmp	family_redline
behavioral1/memory/4592-47-0x0000000005150000-0x000000000518E000-memory.dmp	family_redline
behavioral1/memory/4592-45-0x0000000005150000-0x000000000518E000-memory.dmp	family_redline
behavioral1/memory/4592-43-0x0000000005150000-0x000000000518E000-memory.dmp	family_redline
behavioral1/memory/4592-39-0x0000000005150000-0x000000000518E000-memory.dmp	family_redline
behavioral1/memory/4592-37-0x0000000005150000-0x000000000518E000-memory.dmp	family_redline
behavioral1/memory/4592-36-0x0000000005150000-0x000000000518E000-memory.dmp	family_redline
behavioral1/memory/4592-33-0x0000000005150000-0x000000000518E000-memory.dmp	family_redline
behavioral1/memory/4592-29-0x0000000005150000-0x000000000518E000-memory.dmp	family_redline
behavioral1/memory/4592-23-0x0000000005150000-0x000000000518E000-memory.dmp	family_redline
behavioral1/memory/4592-22-0x0000000005150000-0x000000000518E000-memory.dmp	family_redline
behavioral1/memory/4592-83-0x0000000005150000-0x000000000518E000-memory.dmp	family_redline
behavioral1/memory/4592-71-0x0000000005150000-0x000000000518E000-memory.dmp	family_redline
behavioral1/memory/4592-41-0x0000000005150000-0x000000000518E000-memory.dmp	family_redline
behavioral1/memory/4592-31-0x0000000005150000-0x000000000518E000-memory.dmp	family_redline
behavioral1/memory/4592-27-0x0000000005150000-0x000000000518E000-memory.dmp	family_redline

Redline family
redline

Executes dropped EXE 2 IoCs

pid	Process
1272	vSO32.exe
4592	dKp28.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	176fe315f0a20bf029b56934e5f7bef9c0f93f37a46f6db369fe9d56d0b32176N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	vSO32.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	176fe315f0a20bf029b56934e5f7bef9c0f93f37a46f6db369fe9d56d0b32176N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vSO32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dKp28.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4592	dKp28.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 852 wrote to memory of 1272	852	176fe315f0a20bf029b56934e5f7bef9c0f93f37a46f6db369fe9d56d0b32176N.exe	84
PID 852 wrote to memory of 1272	852	176fe315f0a20bf029b56934e5f7bef9c0f93f37a46f6db369fe9d56d0b32176N.exe	84
PID 852 wrote to memory of 1272	852	176fe315f0a20bf029b56934e5f7bef9c0f93f37a46f6db369fe9d56d0b32176N.exe	84
PID 1272 wrote to memory of 4592	1272	vSO32.exe	86
PID 1272 wrote to memory of 4592	1272	vSO32.exe	86
PID 1272 wrote to memory of 4592	1272	vSO32.exe	86

C:\Users\Admin\AppData\Local\Temp\176fe315f0a20bf029b56934e5f7bef9c0f93f37a46f6db369fe9d56d0b32176N.exe
"C:\Users\Admin\AppData\Local\Temp\176fe315f0a20bf029b56934e5f7bef9c0f93f37a46f6db369fe9d56d0b32176N.exe"
1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:852
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vSO32.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vSO32.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1272
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\dKp28.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\dKp28.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:4592

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vSO32.exe

Filesize
588KB

MD5
845059f2de1914f6714e4556b13a9bc8

SHA1
bddef6e6feb852ce3fb2fdc46d58cb1242a074a2

SHA256
05bb1f2daf53a35f345d08436307293133373e124524a69cc817dd1261551683

SHA512
ea88e0c2dcddbd52500a5621bc0b8e37bf9d021bc063d6b4a3efb4272f7204fbb45fe68fc1560fa31ef3420ec667fbc109148f658eca88de9973b0b3d113c232

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\dKp28.exe

Filesize
473KB

MD5
4935a1c3f7b324d4181b56458d1d2e07

SHA1
f7773acb609d2865fd852f29d05f7ee698c1a4c3

SHA256
da5ee96b2a068b7258c34264c5f8f545f982b34dcafc4ae7c209eceb53f80607

SHA512
2a7845cc02ff8cc0f6659a6a13c0051c15bb6153b4189004ed5c996b5b1efd3a6bf00f62d729a8af8be1b4925b9f835c01027d1ea5937876752e451cd91c268c

Download Submit
memory/4592-15-0x0000000000690000-0x0000000000790000-memory.dmp

Filesize
1024KB

Download
memory/4592-16-0x00000000005F0000-0x000000000063B000-memory.dmp

Filesize
300KB

Download
memory/4592-17-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/4592-18-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/4592-19-0x00000000023F0000-0x0000000002436000-memory.dmp

Filesize
280KB

Download
memory/4592-20-0x0000000004B40000-0x00000000050E4000-memory.dmp

Filesize
5.6MB

Download
memory/4592-21-0x0000000005150000-0x0000000005194000-memory.dmp

Filesize
272KB

Download
memory/4592-25-0x0000000005150000-0x000000000518E000-memory.dmp

Filesize
248KB

Download
memory/4592-85-0x0000000005150000-0x000000000518E000-memory.dmp

Filesize
248KB

Download
memory/4592-81-0x0000000005150000-0x000000000518E000-memory.dmp

Filesize
248KB

Download
memory/4592-79-0x0000000005150000-0x000000000518E000-memory.dmp

Filesize
248KB

Download
memory/4592-77-0x0000000005150000-0x000000000518E000-memory.dmp

Filesize
248KB

Download
memory/4592-75-0x0000000005150000-0x000000000518E000-memory.dmp

Filesize
248KB

Download
memory/4592-73-0x0000000005150000-0x000000000518E000-memory.dmp

Filesize
248KB

Download
memory/4592-69-0x0000000005150000-0x000000000518E000-memory.dmp

Filesize
248KB

Download
memory/4592-67-0x0000000005150000-0x000000000518E000-memory.dmp

Filesize
248KB

Download
memory/4592-65-0x0000000005150000-0x000000000518E000-memory.dmp

Filesize
248KB

Download
memory/4592-63-0x0000000005150000-0x000000000518E000-memory.dmp

Filesize
248KB

Download
memory/4592-61-0x0000000005150000-0x000000000518E000-memory.dmp

Filesize
248KB

Download
memory/4592-59-0x0000000005150000-0x000000000518E000-memory.dmp

Filesize
248KB

Download
memory/4592-57-0x0000000005150000-0x000000000518E000-memory.dmp

Filesize
248KB

Download
memory/4592-55-0x0000000005150000-0x000000000518E000-memory.dmp

Filesize
248KB

Download
memory/4592-53-0x0000000005150000-0x000000000518E000-memory.dmp

Filesize
248KB

Download
memory/4592-51-0x0000000005150000-0x000000000518E000-memory.dmp

Filesize
248KB

Download
memory/4592-49-0x0000000005150000-0x000000000518E000-memory.dmp

Filesize
248KB

Download
memory/4592-47-0x0000000005150000-0x000000000518E000-memory.dmp

Filesize
248KB

Download
memory/4592-45-0x0000000005150000-0x000000000518E000-memory.dmp

Filesize
248KB

Download
memory/4592-43-0x0000000005150000-0x000000000518E000-memory.dmp

Filesize
248KB

Download
memory/4592-39-0x0000000005150000-0x000000000518E000-memory.dmp

Filesize
248KB

Download
memory/4592-37-0x0000000005150000-0x000000000518E000-memory.dmp

Filesize
248KB

Download
memory/4592-36-0x0000000005150000-0x000000000518E000-memory.dmp

Filesize
248KB

Download
memory/4592-33-0x0000000005150000-0x000000000518E000-memory.dmp

Filesize
248KB

Download
memory/4592-29-0x0000000005150000-0x000000000518E000-memory.dmp

Filesize
248KB

Download
memory/4592-23-0x0000000005150000-0x000000000518E000-memory.dmp

Filesize
248KB

Download
memory/4592-22-0x0000000005150000-0x000000000518E000-memory.dmp

Filesize
248KB

Download
memory/4592-83-0x0000000005150000-0x000000000518E000-memory.dmp

Filesize
248KB

Download
memory/4592-71-0x0000000005150000-0x000000000518E000-memory.dmp

Filesize
248KB

Download
memory/4592-41-0x0000000005150000-0x000000000518E000-memory.dmp

Filesize
248KB

Download
memory/4592-31-0x0000000005150000-0x000000000518E000-memory.dmp

Filesize
248KB

Download
memory/4592-27-0x0000000005150000-0x000000000518E000-memory.dmp

Filesize
248KB

Download
memory/4592-928-0x00000000051F0000-0x0000000005808000-memory.dmp

Filesize
6.1MB

Download
memory/4592-929-0x0000000005890000-0x000000000599A000-memory.dmp

Filesize
1.0MB

Download
memory/4592-930-0x00000000059D0000-0x00000000059E2000-memory.dmp

Filesize
72KB

Download
memory/4592-931-0x0000000005A30000-0x0000000005A6C000-memory.dmp

Filesize
240KB

Download
memory/4592-932-0x0000000005B70000-0x0000000005BBC000-memory.dmp

Filesize
304KB

Download
memory/4592-933-0x0000000000690000-0x0000000000790000-memory.dmp

Filesize
1024KB

Download
memory/4592-934-0x00000000005F0000-0x000000000063B000-memory.dmp

Filesize
300KB

Download
memory/4592-935-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads