redline | 4c3f2b95d928efa12ad341d4c3daf6bb18c4c20f7aa00352d623c9bafab66644

Analysis

max time kernel
143s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
11-11-2024 02:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4c3f2b95d928efa12ad341d4c3daf6bb18c4c20f7aa00352d623c9bafab66644.exe
Size

584KB
MD5

d7d8756b7bd08097914841f44eea9a9f
SHA1

69dd78d513ad3e5dc38ae25c73709f790dc3a260
SHA256

4c3f2b95d928efa12ad341d4c3daf6bb18c4c20f7aa00352d623c9bafab66644
SHA512

a0b7d5586988833b9e120e589c0b96e4e28d6010897d3bab91046334f8c37fb5baf0d9dcae8c0549c7c31e504c6f81076d9594057782081b87b96751551dee6d
SSDEEP

12288:8MrZy90rspV35Ub4sjcA9RTza2bxwpYTgcTEkYISbZDQv:dyVVKHfa2qcTA3VDQv

Score

10^/10

redline ronur discovery infostealer persistence

Malware Config

Extracted

Family

redline

Botnet

ronur

193.233.20.20:4134

Attributes

auth_value
f88f86755a528d4b25f6f3628c460965

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 35 IoCs

resource	yara_rule
behavioral1/memory/4924-19-0x00000000025B0000-0x00000000025F6000-memory.dmp	family_redline
behavioral1/memory/4924-21-0x0000000005160000-0x00000000051A4000-memory.dmp	family_redline
behavioral1/memory/4924-22-0x0000000005160000-0x000000000519E000-memory.dmp	family_redline
behavioral1/memory/4924-33-0x0000000005160000-0x000000000519E000-memory.dmp	family_redline
behavioral1/memory/4924-85-0x0000000005160000-0x000000000519E000-memory.dmp	family_redline
behavioral1/memory/4924-83-0x0000000005160000-0x000000000519E000-memory.dmp	family_redline
behavioral1/memory/4924-81-0x0000000005160000-0x000000000519E000-memory.dmp	family_redline
behavioral1/memory/4924-77-0x0000000005160000-0x000000000519E000-memory.dmp	family_redline
behavioral1/memory/4924-75-0x0000000005160000-0x000000000519E000-memory.dmp	family_redline
behavioral1/memory/4924-73-0x0000000005160000-0x000000000519E000-memory.dmp	family_redline
behavioral1/memory/4924-71-0x0000000005160000-0x000000000519E000-memory.dmp	family_redline
behavioral1/memory/4924-69-0x0000000005160000-0x000000000519E000-memory.dmp	family_redline
behavioral1/memory/4924-67-0x0000000005160000-0x000000000519E000-memory.dmp	family_redline
behavioral1/memory/4924-63-0x0000000005160000-0x000000000519E000-memory.dmp	family_redline
behavioral1/memory/4924-61-0x0000000005160000-0x000000000519E000-memory.dmp	family_redline
behavioral1/memory/4924-59-0x0000000005160000-0x000000000519E000-memory.dmp	family_redline
behavioral1/memory/4924-57-0x0000000005160000-0x000000000519E000-memory.dmp	family_redline
behavioral1/memory/4924-55-0x0000000005160000-0x000000000519E000-memory.dmp	family_redline
behavioral1/memory/4924-51-0x0000000005160000-0x000000000519E000-memory.dmp	family_redline
behavioral1/memory/4924-49-0x0000000005160000-0x000000000519E000-memory.dmp	family_redline
behavioral1/memory/4924-47-0x0000000005160000-0x000000000519E000-memory.dmp	family_redline
behavioral1/memory/4924-45-0x0000000005160000-0x000000000519E000-memory.dmp	family_redline
behavioral1/memory/4924-43-0x0000000005160000-0x000000000519E000-memory.dmp	family_redline
behavioral1/memory/4924-41-0x0000000005160000-0x000000000519E000-memory.dmp	family_redline
behavioral1/memory/4924-39-0x0000000005160000-0x000000000519E000-memory.dmp	family_redline
behavioral1/memory/4924-37-0x0000000005160000-0x000000000519E000-memory.dmp	family_redline
behavioral1/memory/4924-35-0x0000000005160000-0x000000000519E000-memory.dmp	family_redline
behavioral1/memory/4924-31-0x0000000005160000-0x000000000519E000-memory.dmp	family_redline
behavioral1/memory/4924-29-0x0000000005160000-0x000000000519E000-memory.dmp	family_redline
behavioral1/memory/4924-27-0x0000000005160000-0x000000000519E000-memory.dmp	family_redline
behavioral1/memory/4924-25-0x0000000005160000-0x000000000519E000-memory.dmp	family_redline
behavioral1/memory/4924-23-0x0000000005160000-0x000000000519E000-memory.dmp	family_redline
behavioral1/memory/4924-79-0x0000000005160000-0x000000000519E000-memory.dmp	family_redline
behavioral1/memory/4924-65-0x0000000005160000-0x000000000519E000-memory.dmp	family_redline
behavioral1/memory/4924-53-0x0000000005160000-0x000000000519E000-memory.dmp	family_redline

Redline family
redline

Executes dropped EXE 2 IoCs

pid	Process
2216	ssH9418.exe
4924	nJq10PA.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	4c3f2b95d928efa12ad341d4c3daf6bb18c4c20f7aa00352d623c9bafab66644.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	ssH9418.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	4c3f2b95d928efa12ad341d4c3daf6bb18c4c20f7aa00352d623c9bafab66644.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ssH9418.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nJq10PA.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4924	nJq10PA.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 2732 wrote to memory of 2216	2732	4c3f2b95d928efa12ad341d4c3daf6bb18c4c20f7aa00352d623c9bafab66644.exe	84
PID 2732 wrote to memory of 2216	2732	4c3f2b95d928efa12ad341d4c3daf6bb18c4c20f7aa00352d623c9bafab66644.exe	84
PID 2732 wrote to memory of 2216	2732	4c3f2b95d928efa12ad341d4c3daf6bb18c4c20f7aa00352d623c9bafab66644.exe	84
PID 2216 wrote to memory of 4924	2216	ssH9418.exe	85
PID 2216 wrote to memory of 4924	2216	ssH9418.exe	85
PID 2216 wrote to memory of 4924	2216	ssH9418.exe	85

C:\Users\Admin\AppData\Local\Temp\4c3f2b95d928efa12ad341d4c3daf6bb18c4c20f7aa00352d623c9bafab66644.exe
"C:\Users\Admin\AppData\Local\Temp\4c3f2b95d928efa12ad341d4c3daf6bb18c4c20f7aa00352d623c9bafab66644.exe"
1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2732
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ssH9418.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ssH9418.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2216
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\nJq10PA.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\nJq10PA.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:4924

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ssH9418.exe

Filesize
439KB

MD5
84ea3feae654efce38cb7c320106ce20

SHA1
62e68e5ec4735dfd9f2c8b854ed40319d53ecfb4

SHA256
9564914b42d18d18dfa921b468af8f9ab5b9e533a9aafc61f772af9cca7aa34c

SHA512
f9b4c6c223b817d9659dd250508bb2fd06959a5e9a11390cdc8a407b5f5a688472becf9d140c8ff8a08e955ecbac9090d8b70ecbb34de617dee21cae1e6fd3dd

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\nJq10PA.exe

Filesize
314KB

MD5
423d5ae442d535a6f6c7231bb25d6fa1

SHA1
58dac37e0eb779229ea3e3e0023cee7d29d4c312

SHA256
08fdd7a5dfca7199af1ce03436a876b725522f3afdd1fbcd1bb4d1be527efb62

SHA512
1faede84543c33dbaf19308870a18aa853dafb2d1561a309fdc0bcf8301eb8dc6665f9eaf4a8cfaf6a41583f35533e68e3d4fd259bdd307087772802afbfd7ab

Download Submit
memory/4924-15-0x0000000000720000-0x0000000000820000-memory.dmp

Filesize
1024KB

Download
memory/4924-16-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/4924-18-0x0000000000400000-0x0000000000584000-memory.dmp

Filesize
1.5MB

Download
memory/4924-17-0x0000000000400000-0x0000000000584000-memory.dmp

Filesize
1.5MB

Download
memory/4924-19-0x00000000025B0000-0x00000000025F6000-memory.dmp

Filesize
280KB

Download
memory/4924-20-0x0000000004BB0000-0x0000000005154000-memory.dmp

Filesize
5.6MB

Download
memory/4924-21-0x0000000005160000-0x00000000051A4000-memory.dmp

Filesize
272KB

Download
memory/4924-22-0x0000000005160000-0x000000000519E000-memory.dmp

Filesize
248KB

Download
memory/4924-33-0x0000000005160000-0x000000000519E000-memory.dmp

Filesize
248KB

Download
memory/4924-85-0x0000000005160000-0x000000000519E000-memory.dmp

Filesize
248KB

Download
memory/4924-83-0x0000000005160000-0x000000000519E000-memory.dmp

Filesize
248KB

Download
memory/4924-81-0x0000000005160000-0x000000000519E000-memory.dmp

Filesize
248KB

Download
memory/4924-77-0x0000000005160000-0x000000000519E000-memory.dmp

Filesize
248KB

Download
memory/4924-75-0x0000000005160000-0x000000000519E000-memory.dmp

Filesize
248KB

Download
memory/4924-73-0x0000000005160000-0x000000000519E000-memory.dmp

Filesize
248KB

Download
memory/4924-71-0x0000000005160000-0x000000000519E000-memory.dmp

Filesize
248KB

Download
memory/4924-69-0x0000000005160000-0x000000000519E000-memory.dmp

Filesize
248KB

Download
memory/4924-67-0x0000000005160000-0x000000000519E000-memory.dmp

Filesize
248KB

Download
memory/4924-63-0x0000000005160000-0x000000000519E000-memory.dmp

Filesize
248KB

Download
memory/4924-61-0x0000000005160000-0x000000000519E000-memory.dmp

Filesize
248KB

Download
memory/4924-59-0x0000000005160000-0x000000000519E000-memory.dmp

Filesize
248KB

Download
memory/4924-57-0x0000000005160000-0x000000000519E000-memory.dmp

Filesize
248KB

Download
memory/4924-55-0x0000000005160000-0x000000000519E000-memory.dmp

Filesize
248KB

Download
memory/4924-51-0x0000000005160000-0x000000000519E000-memory.dmp

Filesize
248KB

Download
memory/4924-49-0x0000000005160000-0x000000000519E000-memory.dmp

Filesize
248KB

Download
memory/4924-47-0x0000000005160000-0x000000000519E000-memory.dmp

Filesize
248KB

Download
memory/4924-45-0x0000000005160000-0x000000000519E000-memory.dmp

Filesize
248KB

Download
memory/4924-43-0x0000000005160000-0x000000000519E000-memory.dmp

Filesize
248KB

Download
memory/4924-41-0x0000000005160000-0x000000000519E000-memory.dmp

Filesize
248KB

Download
memory/4924-39-0x0000000005160000-0x000000000519E000-memory.dmp

Filesize
248KB

Download
memory/4924-37-0x0000000005160000-0x000000000519E000-memory.dmp

Filesize
248KB

Download
memory/4924-35-0x0000000005160000-0x000000000519E000-memory.dmp

Filesize
248KB

Download
memory/4924-31-0x0000000005160000-0x000000000519E000-memory.dmp

Filesize
248KB

Download
memory/4924-29-0x0000000005160000-0x000000000519E000-memory.dmp

Filesize
248KB

Download
memory/4924-27-0x0000000005160000-0x000000000519E000-memory.dmp

Filesize
248KB

Download
memory/4924-25-0x0000000005160000-0x000000000519E000-memory.dmp

Filesize
248KB

Download
memory/4924-23-0x0000000005160000-0x000000000519E000-memory.dmp

Filesize
248KB

Download
memory/4924-79-0x0000000005160000-0x000000000519E000-memory.dmp

Filesize
248KB

Download
memory/4924-65-0x0000000005160000-0x000000000519E000-memory.dmp

Filesize
248KB

Download
memory/4924-53-0x0000000005160000-0x000000000519E000-memory.dmp

Filesize
248KB

Download
memory/4924-928-0x00000000051C0000-0x00000000057D8000-memory.dmp

Filesize
6.1MB

Download
memory/4924-929-0x0000000005860000-0x000000000596A000-memory.dmp

Filesize
1.0MB

Download
memory/4924-930-0x00000000059A0000-0x00000000059B2000-memory.dmp

Filesize
72KB

Download
memory/4924-931-0x00000000059C0000-0x00000000059FC000-memory.dmp

Filesize
240KB

Download
memory/4924-932-0x0000000005B10000-0x0000000005B5C000-memory.dmp

Filesize
304KB

Download
memory/4924-933-0x0000000000720000-0x0000000000820000-memory.dmp

Filesize
1024KB

Download
memory/4924-934-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads