redline | c9598b35e72f346dc69571c0e3595b438086fa3167e02ec12f54626e1138289b

Analysis

max time kernel
141s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
11-11-2024 00:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c9598b35e72f346dc69571c0e3595b438086fa3167e02ec12f54626e1138289b.exe
Size

839KB
MD5

b304b0fb07f16000438b03c792efef7b
SHA1

243d1d6bd113dd3816d41ffd5498499686cb2ef5
SHA256

c9598b35e72f346dc69571c0e3595b438086fa3167e02ec12f54626e1138289b
SHA512

a00dcea909f8351f4e217b5d79e6f55ecc111d4f652b577e50b70d076d5a354119fb752b8c06844c561db2d73fc62b344c3916653523dc4d7c580828af4ddfcf
SSDEEP

24576:0ymvHoR0dJqCvkO7wCVMyuJK8MsiCA7PNC:DQIudJVvhTVSJK8W3P

Score

10^/10

redline crypt1 romka discovery infostealer persistence

Malware Config

Extracted

Family

redline

Botnet

crypt1

176.113.115.17:4132

Attributes

auth_value
2e2ca7bbceaa9f98252a6f9fc0e6fa86

Extracted

Family

redline

Botnet

romka

193.233.20.11:4131

Attributes

auth_value
fcbb3247051f5290e8ac5b1a841af67b

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 33 IoCs

resource	yara_rule
behavioral1/memory/2076-23-0x0000000000400000-0x0000000000432000-memory.dmp	family_redline
behavioral1/memory/3436-37-0x0000000002580000-0x00000000025C6000-memory.dmp	family_redline
behavioral1/memory/3436-39-0x0000000004AF0000-0x0000000004B34000-memory.dmp	family_redline
behavioral1/memory/3436-83-0x0000000004AF0000-0x0000000004B2E000-memory.dmp	family_redline
behavioral1/memory/3436-63-0x0000000004AF0000-0x0000000004B2E000-memory.dmp	family_redline
behavioral1/memory/3436-45-0x0000000004AF0000-0x0000000004B2E000-memory.dmp	family_redline
behavioral1/memory/3436-40-0x0000000004AF0000-0x0000000004B2E000-memory.dmp	family_redline
behavioral1/memory/3436-97-0x0000000004AF0000-0x0000000004B2E000-memory.dmp	family_redline
behavioral1/memory/3436-95-0x0000000004AF0000-0x0000000004B2E000-memory.dmp	family_redline
behavioral1/memory/3436-93-0x0000000004AF0000-0x0000000004B2E000-memory.dmp	family_redline
behavioral1/memory/3436-91-0x0000000004AF0000-0x0000000004B2E000-memory.dmp	family_redline
behavioral1/memory/3436-89-0x0000000004AF0000-0x0000000004B2E000-memory.dmp	family_redline
behavioral1/memory/3436-87-0x0000000004AF0000-0x0000000004B2E000-memory.dmp	family_redline
behavioral1/memory/3436-85-0x0000000004AF0000-0x0000000004B2E000-memory.dmp	family_redline
behavioral1/memory/3436-81-0x0000000004AF0000-0x0000000004B2E000-memory.dmp	family_redline
behavioral1/memory/3436-79-0x0000000004AF0000-0x0000000004B2E000-memory.dmp	family_redline
behavioral1/memory/3436-78-0x0000000004AF0000-0x0000000004B2E000-memory.dmp	family_redline
behavioral1/memory/3436-75-0x0000000004AF0000-0x0000000004B2E000-memory.dmp	family_redline
behavioral1/memory/3436-73-0x0000000004AF0000-0x0000000004B2E000-memory.dmp	family_redline
behavioral1/memory/3436-71-0x0000000004AF0000-0x0000000004B2E000-memory.dmp	family_redline
behavioral1/memory/3436-69-0x0000000004AF0000-0x0000000004B2E000-memory.dmp	family_redline
behavioral1/memory/3436-67-0x0000000004AF0000-0x0000000004B2E000-memory.dmp	family_redline
behavioral1/memory/3436-65-0x0000000004AF0000-0x0000000004B2E000-memory.dmp	family_redline
behavioral1/memory/3436-61-0x0000000004AF0000-0x0000000004B2E000-memory.dmp	family_redline
behavioral1/memory/3436-59-0x0000000004AF0000-0x0000000004B2E000-memory.dmp	family_redline
behavioral1/memory/3436-57-0x0000000004AF0000-0x0000000004B2E000-memory.dmp	family_redline
behavioral1/memory/3436-55-0x0000000004AF0000-0x0000000004B2E000-memory.dmp	family_redline
behavioral1/memory/3436-53-0x0000000004AF0000-0x0000000004B2E000-memory.dmp	family_redline
behavioral1/memory/3436-51-0x0000000004AF0000-0x0000000004B2E000-memory.dmp	family_redline
behavioral1/memory/3436-49-0x0000000004AF0000-0x0000000004B2E000-memory.dmp	family_redline
behavioral1/memory/3436-47-0x0000000004AF0000-0x0000000004B2E000-memory.dmp	family_redline
behavioral1/memory/3436-43-0x0000000004AF0000-0x0000000004B2E000-memory.dmp	family_redline
behavioral1/memory/3436-41-0x0000000004AF0000-0x0000000004B2E000-memory.dmp	family_redline

Redline family
redline

Executes dropped EXE 4 IoCs

pid	Process
4384	dAe05.exe
4580	dfm67.exe
3612	duh86.exe
3436	lxU94.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	dAe05.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	dfm67.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	c9598b35e72f346dc69571c0e3595b438086fa3167e02ec12f54626e1138289b.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 3612 set thread context of 2076	3612	duh86.exe	89

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	c9598b35e72f346dc69571c0e3595b438086fa3167e02ec12f54626e1138289b.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dAe05.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dfm67.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	duh86.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AppLaunch.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	lxU94.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	3436	lxU94.exe

Suspicious use of WriteProcessMemory 17 IoCs

description	pid	Process	procid_target
PID 556 wrote to memory of 4384	556	c9598b35e72f346dc69571c0e3595b438086fa3167e02ec12f54626e1138289b.exe	83
PID 556 wrote to memory of 4384	556	c9598b35e72f346dc69571c0e3595b438086fa3167e02ec12f54626e1138289b.exe	83
PID 556 wrote to memory of 4384	556	c9598b35e72f346dc69571c0e3595b438086fa3167e02ec12f54626e1138289b.exe	83
PID 4384 wrote to memory of 4580	4384	dAe05.exe	84
PID 4384 wrote to memory of 4580	4384	dAe05.exe	84
PID 4384 wrote to memory of 4580	4384	dAe05.exe	84
PID 4580 wrote to memory of 3612	4580	dfm67.exe	85
PID 4580 wrote to memory of 3612	4580	dfm67.exe	85
PID 4580 wrote to memory of 3612	4580	dfm67.exe	85
PID 3612 wrote to memory of 2076	3612	duh86.exe	89
PID 3612 wrote to memory of 2076	3612	duh86.exe	89
PID 3612 wrote to memory of 2076	3612	duh86.exe	89
PID 3612 wrote to memory of 2076	3612	duh86.exe	89
PID 3612 wrote to memory of 2076	3612	duh86.exe	89
PID 4580 wrote to memory of 3436	4580	dfm67.exe	90
PID 4580 wrote to memory of 3436	4580	dfm67.exe	90
PID 4580 wrote to memory of 3436	4580	dfm67.exe	90

C:\Users\Admin\AppData\Local\Temp\c9598b35e72f346dc69571c0e3595b438086fa3167e02ec12f54626e1138289b.exe
"C:\Users\Admin\AppData\Local\Temp\c9598b35e72f346dc69571c0e3595b438086fa3167e02ec12f54626e1138289b.exe"
1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:556
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\dAe05.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\dAe05.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4384
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\dfm67.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\dfm67.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:4580
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\duh86.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\duh86.exe
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:3612
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2076
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\lxU94.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\lxU94.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:3436

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\dAe05.exe

Filesize
735KB

MD5
9b893f3431801e28339ffea3cec038fc

SHA1
1d29786287ce6f105c97903465a0af68e481a56c

SHA256
caa44651344f8dc1b15a841444721411f9f5cc012248572ae39f38e64faf5633

SHA512
5d6fc840c473cddde0c32dffcb162acccc7d8e2f9e0d728e9e8bdafff013c537ad1cc1c81f957a1ab0180194b4a0a1ad346db7c7cc488f065a5f18057dc81a6e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\dfm67.exe

Filesize
590KB

MD5
44eeb7a2dc3895fdce87bc78f5df4e34

SHA1
f4ffb9559808981927588f4404c8406bf742717f

SHA256
e951350a4707d801d23f4f8381f6ff19731c53cd692e27ff8361ee3bec18c78b

SHA512
35cc7b2b54c4c1e110574e24b0c44dc7f0cfff6f30ca376c87796290dc373fa3db55e9df478f6aa20ede79e6cf12d7b3736d25dd3cb3b0b072371d69926a2798

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\duh86.exe

Filesize
277KB

MD5
3bc6ecb7d1f35f3171383f88879659b7

SHA1
e82887b3d6ab38ae3b8880d6c904244495dcf0cc

SHA256
c95f1ca2230edb615f3365e4c3ad09e4e1940a2c554eaf27c0df2d5bc4fc1068

SHA512
709eb1c1c322c70a2a377324fa1766bfff9a3e1d37db04da240aaab36317d813b6f32f5c0d0a3f8d30f196f132985fce0ec030d5783df3c7bff76a4ccfb4431c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\lxU94.exe

Filesize
484KB

MD5
87250d4bda64461624bd12e37c658068

SHA1
7d21d5071f80500ff4f0ec505df1f4156d54b2ec

SHA256
6abd08ba8c8cd020ec7d2452bf2a746cf4da9c26f06a3aa95b48808ead6a9ff7

SHA512
a8c46a71e02c9f345f69b702ea69bec4441dd68f2fbe6397396eb3717b35893f3f5e190064577dcae7bd236df04da925d55ee19509737f96c128a7620b771989

Download Submit
memory/2076-36-0x0000000005620000-0x000000000566C000-memory.dmp

Filesize
304KB

Download
memory/2076-23-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/2076-32-0x0000000005990000-0x0000000005FA8000-memory.dmp

Filesize
6.1MB

Download
memory/2076-33-0x0000000005510000-0x000000000561A000-memory.dmp

Filesize
1.0MB

Download
memory/2076-34-0x0000000005440000-0x0000000005452000-memory.dmp

Filesize
72KB

Download
memory/2076-35-0x00000000054A0000-0x00000000054DC000-memory.dmp

Filesize
240KB

Download
memory/3436-89-0x0000000004AF0000-0x0000000004B2E000-memory.dmp

Filesize
248KB

Download
memory/3436-78-0x0000000004AF0000-0x0000000004B2E000-memory.dmp

Filesize
248KB

Download
memory/3436-38-0x0000000004BF0000-0x0000000005194000-memory.dmp

Filesize
5.6MB

Download
memory/3436-39-0x0000000004AF0000-0x0000000004B34000-memory.dmp

Filesize
272KB

Download
memory/3436-83-0x0000000004AF0000-0x0000000004B2E000-memory.dmp

Filesize
248KB

Download
memory/3436-63-0x0000000004AF0000-0x0000000004B2E000-memory.dmp

Filesize
248KB

Download
memory/3436-45-0x0000000004AF0000-0x0000000004B2E000-memory.dmp

Filesize
248KB

Download
memory/3436-40-0x0000000004AF0000-0x0000000004B2E000-memory.dmp

Filesize
248KB

Download
memory/3436-97-0x0000000004AF0000-0x0000000004B2E000-memory.dmp

Filesize
248KB

Download
memory/3436-95-0x0000000004AF0000-0x0000000004B2E000-memory.dmp

Filesize
248KB

Download
memory/3436-93-0x0000000004AF0000-0x0000000004B2E000-memory.dmp

Filesize
248KB

Download
memory/3436-91-0x0000000004AF0000-0x0000000004B2E000-memory.dmp

Filesize
248KB

Download
memory/3436-41-0x0000000004AF0000-0x0000000004B2E000-memory.dmp

Filesize
248KB

Download
memory/3436-87-0x0000000004AF0000-0x0000000004B2E000-memory.dmp

Filesize
248KB

Download
memory/3436-85-0x0000000004AF0000-0x0000000004B2E000-memory.dmp

Filesize
248KB

Download
memory/3436-81-0x0000000004AF0000-0x0000000004B2E000-memory.dmp

Filesize
248KB

Download
memory/3436-79-0x0000000004AF0000-0x0000000004B2E000-memory.dmp

Filesize
248KB

Download
memory/3436-37-0x0000000002580000-0x00000000025C6000-memory.dmp

Filesize
280KB

Download
memory/3436-75-0x0000000004AF0000-0x0000000004B2E000-memory.dmp

Filesize
248KB

Download
memory/3436-73-0x0000000004AF0000-0x0000000004B2E000-memory.dmp

Filesize
248KB

Download
memory/3436-71-0x0000000004AF0000-0x0000000004B2E000-memory.dmp

Filesize
248KB

Download
memory/3436-69-0x0000000004AF0000-0x0000000004B2E000-memory.dmp

Filesize
248KB

Download
memory/3436-67-0x0000000004AF0000-0x0000000004B2E000-memory.dmp

Filesize
248KB

Download
memory/3436-65-0x0000000004AF0000-0x0000000004B2E000-memory.dmp

Filesize
248KB

Download
memory/3436-61-0x0000000004AF0000-0x0000000004B2E000-memory.dmp

Filesize
248KB

Download
memory/3436-59-0x0000000004AF0000-0x0000000004B2E000-memory.dmp

Filesize
248KB

Download
memory/3436-57-0x0000000004AF0000-0x0000000004B2E000-memory.dmp

Filesize
248KB

Download
memory/3436-55-0x0000000004AF0000-0x0000000004B2E000-memory.dmp

Filesize
248KB

Download
memory/3436-53-0x0000000004AF0000-0x0000000004B2E000-memory.dmp

Filesize
248KB

Download
memory/3436-51-0x0000000004AF0000-0x0000000004B2E000-memory.dmp

Filesize
248KB

Download
memory/3436-49-0x0000000004AF0000-0x0000000004B2E000-memory.dmp

Filesize
248KB

Download
memory/3436-47-0x0000000004AF0000-0x0000000004B2E000-memory.dmp

Filesize
248KB

Download
memory/3436-43-0x0000000004AF0000-0x0000000004B2E000-memory.dmp

Filesize
248KB

Download
memory/3612-22-0x00000000000A0000-0x00000000001A0000-memory.dmp

Filesize
1024KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads