redline | 3eafaae3df66361bf01b60fda25327dbe57d6391296f74efeb40bee2b9ff459d

Analysis

max time kernel
141s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
11/11/2024, 01:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3eafaae3df66361bf01b60fda25327dbe57d6391296f74efeb40bee2b9ff459d.exe
Size

1.1MB
MD5

a1f5537ee7d22b45953c94c54661a89e
SHA1

9a37dc1abe9a148bf8e14fb15f9ea53210d69411
SHA256

3eafaae3df66361bf01b60fda25327dbe57d6391296f74efeb40bee2b9ff459d
SHA512

9ec89055912fb9b94a12d29251da1e9e036df30d434bb88741c614decc957082deb72f2ada3efae1e180f96595c1c3d6a28daf3467bd640f1ea978da8d46f3f4
SSDEEP

24576:pyj/VwoiR0HP+ontrgv+jREc9dsE84LzPTAKxvS/Jx:cj/qlR0v+8trgm+cnLjFS

Score

10^/10

redline rodik discovery infostealer persistence

Malware Config

Extracted

Family

redline

Botnet

rodik

193.233.20.23:4124

Attributes

auth_value
59b6e22e7cfd9b5fa0c99d1942f7c85d

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 35 IoCs

resource	yara_rule
behavioral1/memory/4816-29-0x0000000004B10000-0x0000000004B56000-memory.dmp	family_redline
behavioral1/memory/4816-31-0x0000000004C60000-0x0000000004CA4000-memory.dmp	family_redline
behavioral1/memory/4816-85-0x0000000004C60000-0x0000000004C9F000-memory.dmp	family_redline
behavioral1/memory/4816-95-0x0000000004C60000-0x0000000004C9F000-memory.dmp	family_redline
behavioral1/memory/4816-93-0x0000000004C60000-0x0000000004C9F000-memory.dmp	family_redline
behavioral1/memory/4816-91-0x0000000004C60000-0x0000000004C9F000-memory.dmp	family_redline
behavioral1/memory/4816-89-0x0000000004C60000-0x0000000004C9F000-memory.dmp	family_redline
behavioral1/memory/4816-87-0x0000000004C60000-0x0000000004C9F000-memory.dmp	family_redline
behavioral1/memory/4816-83-0x0000000004C60000-0x0000000004C9F000-memory.dmp	family_redline
behavioral1/memory/4816-81-0x0000000004C60000-0x0000000004C9F000-memory.dmp	family_redline
behavioral1/memory/4816-79-0x0000000004C60000-0x0000000004C9F000-memory.dmp	family_redline
behavioral1/memory/4816-77-0x0000000004C60000-0x0000000004C9F000-memory.dmp	family_redline
behavioral1/memory/4816-75-0x0000000004C60000-0x0000000004C9F000-memory.dmp	family_redline
behavioral1/memory/4816-73-0x0000000004C60000-0x0000000004C9F000-memory.dmp	family_redline
behavioral1/memory/4816-71-0x0000000004C60000-0x0000000004C9F000-memory.dmp	family_redline
behavioral1/memory/4816-67-0x0000000004C60000-0x0000000004C9F000-memory.dmp	family_redline
behavioral1/memory/4816-65-0x0000000004C60000-0x0000000004C9F000-memory.dmp	family_redline
behavioral1/memory/4816-63-0x0000000004C60000-0x0000000004C9F000-memory.dmp	family_redline
behavioral1/memory/4816-61-0x0000000004C60000-0x0000000004C9F000-memory.dmp	family_redline
behavioral1/memory/4816-59-0x0000000004C60000-0x0000000004C9F000-memory.dmp	family_redline
behavioral1/memory/4816-57-0x0000000004C60000-0x0000000004C9F000-memory.dmp	family_redline
behavioral1/memory/4816-55-0x0000000004C60000-0x0000000004C9F000-memory.dmp	family_redline
behavioral1/memory/4816-51-0x0000000004C60000-0x0000000004C9F000-memory.dmp	family_redline
behavioral1/memory/4816-49-0x0000000004C60000-0x0000000004C9F000-memory.dmp	family_redline
behavioral1/memory/4816-47-0x0000000004C60000-0x0000000004C9F000-memory.dmp	family_redline
behavioral1/memory/4816-45-0x0000000004C60000-0x0000000004C9F000-memory.dmp	family_redline
behavioral1/memory/4816-43-0x0000000004C60000-0x0000000004C9F000-memory.dmp	family_redline
behavioral1/memory/4816-41-0x0000000004C60000-0x0000000004C9F000-memory.dmp	family_redline
behavioral1/memory/4816-39-0x0000000004C60000-0x0000000004C9F000-memory.dmp	family_redline
behavioral1/memory/4816-37-0x0000000004C60000-0x0000000004C9F000-memory.dmp	family_redline
behavioral1/memory/4816-33-0x0000000004C60000-0x0000000004C9F000-memory.dmp	family_redline
behavioral1/memory/4816-32-0x0000000004C60000-0x0000000004C9F000-memory.dmp	family_redline
behavioral1/memory/4816-69-0x0000000004C60000-0x0000000004C9F000-memory.dmp	family_redline
behavioral1/memory/4816-53-0x0000000004C60000-0x0000000004C9F000-memory.dmp	family_redline
behavioral1/memory/4816-35-0x0000000004C60000-0x0000000004C9F000-memory.dmp	family_redline

Redline family
redline

Executes dropped EXE 4 IoCs

pid	Process
3160	nsX73BB.exe
3416	nYQ29KL.exe
4292	nTD05cP.exe
4816	biq34WS38.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	3eafaae3df66361bf01b60fda25327dbe57d6391296f74efeb40bee2b9ff459d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	nsX73BB.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	nYQ29KL.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	nTD05cP.exe

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nsX73BB.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nYQ29KL.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nTD05cP.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	biq34WS38.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3eafaae3df66361bf01b60fda25327dbe57d6391296f74efeb40bee2b9ff459d.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4816	biq34WS38.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1728 wrote to memory of 3160	1728	3eafaae3df66361bf01b60fda25327dbe57d6391296f74efeb40bee2b9ff459d.exe	83
PID 1728 wrote to memory of 3160	1728	3eafaae3df66361bf01b60fda25327dbe57d6391296f74efeb40bee2b9ff459d.exe	83
PID 1728 wrote to memory of 3160	1728	3eafaae3df66361bf01b60fda25327dbe57d6391296f74efeb40bee2b9ff459d.exe	83
PID 3160 wrote to memory of 3416	3160	nsX73BB.exe	84
PID 3160 wrote to memory of 3416	3160	nsX73BB.exe	84
PID 3160 wrote to memory of 3416	3160	nsX73BB.exe	84
PID 3416 wrote to memory of 4292	3416	nYQ29KL.exe	86
PID 3416 wrote to memory of 4292	3416	nYQ29KL.exe	86
PID 3416 wrote to memory of 4292	3416	nYQ29KL.exe	86
PID 4292 wrote to memory of 4816	4292	nTD05cP.exe	87
PID 4292 wrote to memory of 4816	4292	nTD05cP.exe	87
PID 4292 wrote to memory of 4816	4292	nTD05cP.exe	87

C:\Users\Admin\AppData\Local\Temp\3eafaae3df66361bf01b60fda25327dbe57d6391296f74efeb40bee2b9ff459d.exe
"C:\Users\Admin\AppData\Local\Temp\3eafaae3df66361bf01b60fda25327dbe57d6391296f74efeb40bee2b9ff459d.exe"
1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1728
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nsX73BB.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nsX73BB.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3160
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\nYQ29KL.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\nYQ29KL.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3416
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\nTD05cP.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\nTD05cP.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:4292
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\biq34WS38.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\biq34WS38.exe
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:4816

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nsX73BB.exe

Filesize
939KB

MD5
adaa44d4992869160c7908479e547919

SHA1
6d6992c352b7691604217fd57f0f7c4fa11ad481

SHA256
c20ee06491b974b360028ecabc4f212cb3d25b204e567aa2918dbb2909a31284

SHA512
0781ae9a57abb8a0902bad0b6ea6715a20a867664a9c05e54582b7fc0cb9a9764cbf7610d1243ae3502c4c2925496737ecc1775b066dd99dbbacc06360647f73

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\nYQ29KL.exe

Filesize
669KB

MD5
fc3bd5abed08adb65ce6efae85bdd048

SHA1
071ccdf7014caba4d5993b07b2ac93f028093556

SHA256
a51f29701402adfd1a5e0a4d17a8d082668e54a6eb61fd6620eb2d97a238ef98

SHA512
ff8be801061f052fd7519ab1430d9772677cf5df2fb84db5c245d4952f77f911f3c37d87d350917650de46d0ec8b2612155baf4de734d983ca2eea039c276b58

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\nTD05cP.exe

Filesize
393KB

MD5
7aa10df5720a17346ac3c8dc35306882

SHA1
1f4da61e52181f24ac184fe79c2cb87162025c5c

SHA256
e4a5efcee0acc947cad36043ea8310fb46322ac430939267ba891190883fc794

SHA512
6b6990565307a799d6529e38bfb28109825f3b92d2364d1ecdbc121f30efd863e2ca8baa9c557fa67f60359f752369af3257e6dd90d97b76414aa2e1c7d652e8

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\biq34WS38.exe

Filesize
316KB

MD5
5a4ff96d0686fbf07f65e4fb559c3142

SHA1
a5605cc33f133613507d0417a24e0849a0a7792a

SHA256
936572d2ce48bdaab44b98e18e0a34caad9fd438f7b5c1a1fb27e658bdb4e8ae

SHA512
2dbde50807b566ec2c0c3ba8f47232e63e1f0dae31c462bc7365f3a0c3681df91b733ffb5ce32bc06cb43e8f9e666a421d59b0481aca07f86e93b8a386775580

Download Submit
memory/4816-29-0x0000000004B10000-0x0000000004B56000-memory.dmp

Filesize
280KB

Download
memory/4816-30-0x00000000074E0000-0x0000000007A84000-memory.dmp

Filesize
5.6MB

Download
memory/4816-31-0x0000000004C60000-0x0000000004CA4000-memory.dmp

Filesize
272KB

Download
memory/4816-85-0x0000000004C60000-0x0000000004C9F000-memory.dmp

Filesize
252KB

Download
memory/4816-95-0x0000000004C60000-0x0000000004C9F000-memory.dmp

Filesize
252KB

Download
memory/4816-93-0x0000000004C60000-0x0000000004C9F000-memory.dmp

Filesize
252KB

Download
memory/4816-91-0x0000000004C60000-0x0000000004C9F000-memory.dmp

Filesize
252KB

Download
memory/4816-89-0x0000000004C60000-0x0000000004C9F000-memory.dmp

Filesize
252KB

Download
memory/4816-87-0x0000000004C60000-0x0000000004C9F000-memory.dmp

Filesize
252KB

Download
memory/4816-83-0x0000000004C60000-0x0000000004C9F000-memory.dmp

Filesize
252KB

Download
memory/4816-81-0x0000000004C60000-0x0000000004C9F000-memory.dmp

Filesize
252KB

Download
memory/4816-79-0x0000000004C60000-0x0000000004C9F000-memory.dmp

Filesize
252KB

Download
memory/4816-77-0x0000000004C60000-0x0000000004C9F000-memory.dmp

Filesize
252KB

Download
memory/4816-75-0x0000000004C60000-0x0000000004C9F000-memory.dmp

Filesize
252KB

Download
memory/4816-73-0x0000000004C60000-0x0000000004C9F000-memory.dmp

Filesize
252KB

Download
memory/4816-71-0x0000000004C60000-0x0000000004C9F000-memory.dmp

Filesize
252KB

Download
memory/4816-67-0x0000000004C60000-0x0000000004C9F000-memory.dmp

Filesize
252KB

Download
memory/4816-65-0x0000000004C60000-0x0000000004C9F000-memory.dmp

Filesize
252KB

Download
memory/4816-63-0x0000000004C60000-0x0000000004C9F000-memory.dmp

Filesize
252KB

Download
memory/4816-61-0x0000000004C60000-0x0000000004C9F000-memory.dmp

Filesize
252KB

Download
memory/4816-59-0x0000000004C60000-0x0000000004C9F000-memory.dmp

Filesize
252KB

Download
memory/4816-57-0x0000000004C60000-0x0000000004C9F000-memory.dmp

Filesize
252KB

Download
memory/4816-55-0x0000000004C60000-0x0000000004C9F000-memory.dmp

Filesize
252KB

Download
memory/4816-51-0x0000000004C60000-0x0000000004C9F000-memory.dmp

Filesize
252KB

Download
memory/4816-49-0x0000000004C60000-0x0000000004C9F000-memory.dmp

Filesize
252KB

Download
memory/4816-47-0x0000000004C60000-0x0000000004C9F000-memory.dmp

Filesize
252KB

Download
memory/4816-45-0x0000000004C60000-0x0000000004C9F000-memory.dmp

Filesize
252KB

Download
memory/4816-43-0x0000000004C60000-0x0000000004C9F000-memory.dmp

Filesize
252KB

Download
memory/4816-41-0x0000000004C60000-0x0000000004C9F000-memory.dmp

Filesize
252KB

Download
memory/4816-39-0x0000000004C60000-0x0000000004C9F000-memory.dmp

Filesize
252KB

Download
memory/4816-37-0x0000000004C60000-0x0000000004C9F000-memory.dmp

Filesize
252KB

Download
memory/4816-33-0x0000000004C60000-0x0000000004C9F000-memory.dmp

Filesize
252KB

Download
memory/4816-32-0x0000000004C60000-0x0000000004C9F000-memory.dmp

Filesize
252KB

Download
memory/4816-69-0x0000000004C60000-0x0000000004C9F000-memory.dmp

Filesize
252KB

Download
memory/4816-53-0x0000000004C60000-0x0000000004C9F000-memory.dmp

Filesize
252KB

Download
memory/4816-35-0x0000000004C60000-0x0000000004C9F000-memory.dmp

Filesize
252KB

Download
memory/4816-938-0x0000000007A90000-0x00000000080A8000-memory.dmp

Filesize
6.1MB

Download
memory/4816-939-0x0000000007370000-0x000000000747A000-memory.dmp

Filesize
1.0MB

Download
memory/4816-940-0x0000000004D80000-0x0000000004D92000-memory.dmp

Filesize
72KB

Download
memory/4816-941-0x0000000004DA0000-0x0000000004DDC000-memory.dmp

Filesize
240KB

Download
memory/4816-942-0x0000000007480000-0x00000000074CC000-memory.dmp

Filesize
304KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads