redline | 323b570de849a00958e3f59a29190d64d3a12a8bef1360e51163d38578a584e4

Analysis

max time kernel
141s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
11-11-2024 02:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

323b570de849a00958e3f59a29190d64d3a12a8bef1360e51163d38578a584e4.exe
Size

570KB
MD5

e8400ac9f56429819b61e4c548568a34
SHA1

58e7d4e46ce482afc9bdcabd3f124723a651770b
SHA256

323b570de849a00958e3f59a29190d64d3a12a8bef1360e51163d38578a584e4
SHA512

138b3f12d45769119b217b2f411ef6fee846c8bf29f22fa9fcb9902c255efc3cc99dbf8e088c9984298ba013ad2debb77cec86cff629c71c37e43b4a104fd205
SSDEEP

12288:yMruy90En0P4ugXl0d8KTq9YqFYvntUK84V9pg:Ey3n0P4u20Sb9YqFYvnt78r

Score

10^/10

redline ronam discovery infostealer persistence

Malware Config

Extracted

Family

redline

Botnet

ronam

193.233.20.17:4139

Attributes

auth_value
125421d19d14dd7fd211bc7f6d4aea6c

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 35 IoCs

resource	yara_rule
behavioral1/memory/1996-19-0x0000000004C80000-0x0000000004CC6000-memory.dmp	family_redline
behavioral1/memory/1996-21-0x0000000004D00000-0x0000000004D44000-memory.dmp	family_redline
behavioral1/memory/1996-25-0x0000000004D00000-0x0000000004D3E000-memory.dmp	family_redline
behavioral1/memory/1996-31-0x0000000004D00000-0x0000000004D3E000-memory.dmp	family_redline
behavioral1/memory/1996-29-0x0000000004D00000-0x0000000004D3E000-memory.dmp	family_redline
behavioral1/memory/1996-27-0x0000000004D00000-0x0000000004D3E000-memory.dmp	family_redline
behavioral1/memory/1996-75-0x0000000004D00000-0x0000000004D3E000-memory.dmp	family_redline
behavioral1/memory/1996-59-0x0000000004D00000-0x0000000004D3E000-memory.dmp	family_redline
behavioral1/memory/1996-22-0x0000000004D00000-0x0000000004D3E000-memory.dmp	family_redline
behavioral1/memory/1996-23-0x0000000004D00000-0x0000000004D3E000-memory.dmp	family_redline
behavioral1/memory/1996-85-0x0000000004D00000-0x0000000004D3E000-memory.dmp	family_redline
behavioral1/memory/1996-83-0x0000000004D00000-0x0000000004D3E000-memory.dmp	family_redline
behavioral1/memory/1996-81-0x0000000004D00000-0x0000000004D3E000-memory.dmp	family_redline
behavioral1/memory/1996-79-0x0000000004D00000-0x0000000004D3E000-memory.dmp	family_redline
behavioral1/memory/1996-77-0x0000000004D00000-0x0000000004D3E000-memory.dmp	family_redline
behavioral1/memory/1996-73-0x0000000004D00000-0x0000000004D3E000-memory.dmp	family_redline
behavioral1/memory/1996-71-0x0000000004D00000-0x0000000004D3E000-memory.dmp	family_redline
behavioral1/memory/1996-69-0x0000000004D00000-0x0000000004D3E000-memory.dmp	family_redline
behavioral1/memory/1996-67-0x0000000004D00000-0x0000000004D3E000-memory.dmp	family_redline
behavioral1/memory/1996-65-0x0000000004D00000-0x0000000004D3E000-memory.dmp	family_redline
behavioral1/memory/1996-63-0x0000000004D00000-0x0000000004D3E000-memory.dmp	family_redline
behavioral1/memory/1996-61-0x0000000004D00000-0x0000000004D3E000-memory.dmp	family_redline
behavioral1/memory/1996-57-0x0000000004D00000-0x0000000004D3E000-memory.dmp	family_redline
behavioral1/memory/1996-56-0x0000000004D00000-0x0000000004D3E000-memory.dmp	family_redline
behavioral1/memory/1996-53-0x0000000004D00000-0x0000000004D3E000-memory.dmp	family_redline
behavioral1/memory/1996-51-0x0000000004D00000-0x0000000004D3E000-memory.dmp	family_redline
behavioral1/memory/1996-49-0x0000000004D00000-0x0000000004D3E000-memory.dmp	family_redline
behavioral1/memory/1996-47-0x0000000004D00000-0x0000000004D3E000-memory.dmp	family_redline
behavioral1/memory/1996-45-0x0000000004D00000-0x0000000004D3E000-memory.dmp	family_redline
behavioral1/memory/1996-43-0x0000000004D00000-0x0000000004D3E000-memory.dmp	family_redline
behavioral1/memory/1996-41-0x0000000004D00000-0x0000000004D3E000-memory.dmp	family_redline
behavioral1/memory/1996-39-0x0000000004D00000-0x0000000004D3E000-memory.dmp	family_redline
behavioral1/memory/1996-37-0x0000000004D00000-0x0000000004D3E000-memory.dmp	family_redline
behavioral1/memory/1996-35-0x0000000004D00000-0x0000000004D3E000-memory.dmp	family_redline
behavioral1/memory/1996-33-0x0000000004D00000-0x0000000004D3E000-memory.dmp	family_redline

Redline family
redline

Executes dropped EXE 2 IoCs

pid	Process
3664	nKu73Eo80.exe
1996	erj02fJ.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	323b570de849a00958e3f59a29190d64d3a12a8bef1360e51163d38578a584e4.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	nKu73Eo80.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nKu73Eo80.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	erj02fJ.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	323b570de849a00958e3f59a29190d64d3a12a8bef1360e51163d38578a584e4.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1996	erj02fJ.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 744 wrote to memory of 3664	744	323b570de849a00958e3f59a29190d64d3a12a8bef1360e51163d38578a584e4.exe	84
PID 744 wrote to memory of 3664	744	323b570de849a00958e3f59a29190d64d3a12a8bef1360e51163d38578a584e4.exe	84
PID 744 wrote to memory of 3664	744	323b570de849a00958e3f59a29190d64d3a12a8bef1360e51163d38578a584e4.exe	84
PID 3664 wrote to memory of 1996	3664	nKu73Eo80.exe	86
PID 3664 wrote to memory of 1996	3664	nKu73Eo80.exe	86
PID 3664 wrote to memory of 1996	3664	nKu73Eo80.exe	86

C:\Users\Admin\AppData\Local\Temp\323b570de849a00958e3f59a29190d64d3a12a8bef1360e51163d38578a584e4.exe
"C:\Users\Admin\AppData\Local\Temp\323b570de849a00958e3f59a29190d64d3a12a8bef1360e51163d38578a584e4.exe"
1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:744
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nKu73Eo80.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nKu73Eo80.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3664
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\erj02fJ.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\erj02fJ.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:1996

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nKu73Eo80.exe

Filesize
425KB

MD5
3895e67a07a83a8bcbaafe4f0da92036

SHA1
6bc4c52849d0f93627ef13139375a49985739bea

SHA256
9f90679caa11f3840e4927ebf4d6ea44b08e3d5eee491cd9df358a9a5fcf269d

SHA512
902a2d7545b9e4787255e6989eacf9eb705bfe19fa490c79a0ccd80f57592ff759e7636ed70e655dd96d8c8e6f8de111b18df46eb8a0781ffd786c2c26d67b91

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\erj02fJ.exe

Filesize
277KB

MD5
934170a7c4bf70edb95b7c1346f303dd

SHA1
ac8225f93ff27d6c3d5c8ac7c6a9aeb28bc977dd

SHA256
9dd359ec644d68951324406d1370db634c477e4ef667712190580a738a695d35

SHA512
3134df339413459a7a144c8448a63382415f26d110e7298584a8a1ded6697935f3111cd09bbcf5a0480c19df73691dc08017a3fc0e967dbca8f21b20251ec334

Download Submit
memory/1996-15-0x0000000000630000-0x0000000000730000-memory.dmp

Filesize
1024KB

Download
memory/1996-16-0x0000000002110000-0x000000000215B000-memory.dmp

Filesize
300KB

Download
memory/1996-17-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/1996-18-0x0000000000400000-0x000000000058B000-memory.dmp

Filesize
1.5MB

Download
memory/1996-19-0x0000000004C80000-0x0000000004CC6000-memory.dmp

Filesize
280KB

Download
memory/1996-20-0x0000000004D70000-0x0000000005314000-memory.dmp

Filesize
5.6MB

Download
memory/1996-21-0x0000000004D00000-0x0000000004D44000-memory.dmp

Filesize
272KB

Download
memory/1996-25-0x0000000004D00000-0x0000000004D3E000-memory.dmp

Filesize
248KB

Download
memory/1996-31-0x0000000004D00000-0x0000000004D3E000-memory.dmp

Filesize
248KB

Download
memory/1996-29-0x0000000004D00000-0x0000000004D3E000-memory.dmp

Filesize
248KB

Download
memory/1996-27-0x0000000004D00000-0x0000000004D3E000-memory.dmp

Filesize
248KB

Download
memory/1996-75-0x0000000004D00000-0x0000000004D3E000-memory.dmp

Filesize
248KB

Download
memory/1996-59-0x0000000004D00000-0x0000000004D3E000-memory.dmp

Filesize
248KB

Download
memory/1996-22-0x0000000004D00000-0x0000000004D3E000-memory.dmp

Filesize
248KB

Download
memory/1996-23-0x0000000004D00000-0x0000000004D3E000-memory.dmp

Filesize
248KB

Download
memory/1996-85-0x0000000004D00000-0x0000000004D3E000-memory.dmp

Filesize
248KB

Download
memory/1996-83-0x0000000004D00000-0x0000000004D3E000-memory.dmp

Filesize
248KB

Download
memory/1996-81-0x0000000004D00000-0x0000000004D3E000-memory.dmp

Filesize
248KB

Download
memory/1996-79-0x0000000004D00000-0x0000000004D3E000-memory.dmp

Filesize
248KB

Download
memory/1996-77-0x0000000004D00000-0x0000000004D3E000-memory.dmp

Filesize
248KB

Download
memory/1996-73-0x0000000004D00000-0x0000000004D3E000-memory.dmp

Filesize
248KB

Download
memory/1996-71-0x0000000004D00000-0x0000000004D3E000-memory.dmp

Filesize
248KB

Download
memory/1996-69-0x0000000004D00000-0x0000000004D3E000-memory.dmp

Filesize
248KB

Download
memory/1996-67-0x0000000004D00000-0x0000000004D3E000-memory.dmp

Filesize
248KB

Download
memory/1996-65-0x0000000004D00000-0x0000000004D3E000-memory.dmp

Filesize
248KB

Download
memory/1996-63-0x0000000004D00000-0x0000000004D3E000-memory.dmp

Filesize
248KB

Download
memory/1996-61-0x0000000004D00000-0x0000000004D3E000-memory.dmp

Filesize
248KB

Download
memory/1996-57-0x0000000004D00000-0x0000000004D3E000-memory.dmp

Filesize
248KB

Download
memory/1996-56-0x0000000004D00000-0x0000000004D3E000-memory.dmp

Filesize
248KB

Download
memory/1996-53-0x0000000004D00000-0x0000000004D3E000-memory.dmp

Filesize
248KB

Download
memory/1996-51-0x0000000004D00000-0x0000000004D3E000-memory.dmp

Filesize
248KB

Download
memory/1996-49-0x0000000004D00000-0x0000000004D3E000-memory.dmp

Filesize
248KB

Download
memory/1996-47-0x0000000004D00000-0x0000000004D3E000-memory.dmp

Filesize
248KB

Download
memory/1996-45-0x0000000004D00000-0x0000000004D3E000-memory.dmp

Filesize
248KB

Download
memory/1996-43-0x0000000004D00000-0x0000000004D3E000-memory.dmp

Filesize
248KB

Download
memory/1996-41-0x0000000004D00000-0x0000000004D3E000-memory.dmp

Filesize
248KB

Download
memory/1996-39-0x0000000004D00000-0x0000000004D3E000-memory.dmp

Filesize
248KB

Download
memory/1996-37-0x0000000004D00000-0x0000000004D3E000-memory.dmp

Filesize
248KB

Download
memory/1996-35-0x0000000004D00000-0x0000000004D3E000-memory.dmp

Filesize
248KB

Download
memory/1996-33-0x0000000004D00000-0x0000000004D3E000-memory.dmp

Filesize
248KB

Download
memory/1996-928-0x0000000005320000-0x0000000005938000-memory.dmp

Filesize
6.1MB

Download
memory/1996-929-0x00000000059A0000-0x0000000005AAA000-memory.dmp

Filesize
1.0MB

Download
memory/1996-930-0x0000000005AE0000-0x0000000005AF2000-memory.dmp

Filesize
72KB

Download
memory/1996-931-0x0000000005B00000-0x0000000005B3C000-memory.dmp

Filesize
240KB

Download
memory/1996-932-0x0000000005C50000-0x0000000005C9C000-memory.dmp

Filesize
304KB

Download
memory/1996-933-0x0000000000630000-0x0000000000730000-memory.dmp

Filesize
1024KB

Download
memory/1996-934-0x0000000002110000-0x000000000215B000-memory.dmp

Filesize
300KB

Download
memory/1996-935-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads