redline | 16f8607579e12a0f42f2a3a7b06dab7d8343e14241ac3ebcde0d2fbc7038b080

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
11-11-2024 02:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

16f8607579e12a0f42f2a3a7b06dab7d8343e14241ac3ebcde0d2fbc7038b080.exe
Size

567KB
MD5

eb68964cc0ca898c559c2fec2ceb7725
SHA1

c0ba871ebc833a59a8818d079e2fe0bf705b08e2
SHA256

16f8607579e12a0f42f2a3a7b06dab7d8343e14241ac3ebcde0d2fbc7038b080
SHA512

befc97e3bebb3b8204138f083d36d69d9ba3aaa2e1b3d2ef8bfe4880717ef008e4799a0f00a6f17dd7ea086618c386351e4d6f20a73f049a813cf57bd2e6f6ce
SSDEEP

12288:UMr8y90opwadFEJy/0SW7TOA83uFT1Z/HNwjVNMTO:QyVpDd5/9IL83yT1ZwVKTO

Score

10^/10

redline ronur discovery infostealer persistence

Malware Config

Extracted

Family

redline

Botnet

ronur

193.233.20.20:4134

Attributes

auth_value
f88f86755a528d4b25f6f3628c460965

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 35 IoCs

resource	yara_rule
behavioral1/memory/8-19-0x0000000004B10000-0x0000000004B56000-memory.dmp	family_redline
behavioral1/memory/8-21-0x0000000005180000-0x00000000051C4000-memory.dmp	family_redline
behavioral1/memory/8-57-0x0000000005180000-0x00000000051BE000-memory.dmp	family_redline
behavioral1/memory/8-59-0x0000000005180000-0x00000000051BE000-memory.dmp	family_redline
behavioral1/memory/8-85-0x0000000005180000-0x00000000051BE000-memory.dmp	family_redline
behavioral1/memory/8-83-0x0000000005180000-0x00000000051BE000-memory.dmp	family_redline
behavioral1/memory/8-81-0x0000000005180000-0x00000000051BE000-memory.dmp	family_redline
behavioral1/memory/8-79-0x0000000005180000-0x00000000051BE000-memory.dmp	family_redline
behavioral1/memory/8-77-0x0000000005180000-0x00000000051BE000-memory.dmp	family_redline
behavioral1/memory/8-75-0x0000000005180000-0x00000000051BE000-memory.dmp	family_redline
behavioral1/memory/8-73-0x0000000005180000-0x00000000051BE000-memory.dmp	family_redline
behavioral1/memory/8-71-0x0000000005180000-0x00000000051BE000-memory.dmp	family_redline
behavioral1/memory/8-69-0x0000000005180000-0x00000000051BE000-memory.dmp	family_redline
behavioral1/memory/8-67-0x0000000005180000-0x00000000051BE000-memory.dmp	family_redline
behavioral1/memory/8-65-0x0000000005180000-0x00000000051BE000-memory.dmp	family_redline
behavioral1/memory/8-63-0x0000000005180000-0x00000000051BE000-memory.dmp	family_redline
behavioral1/memory/8-61-0x0000000005180000-0x00000000051BE000-memory.dmp	family_redline
behavioral1/memory/8-55-0x0000000005180000-0x00000000051BE000-memory.dmp	family_redline
behavioral1/memory/8-53-0x0000000005180000-0x00000000051BE000-memory.dmp	family_redline
behavioral1/memory/8-51-0x0000000005180000-0x00000000051BE000-memory.dmp	family_redline
behavioral1/memory/8-50-0x0000000005180000-0x00000000051BE000-memory.dmp	family_redline
behavioral1/memory/8-47-0x0000000005180000-0x00000000051BE000-memory.dmp	family_redline
behavioral1/memory/8-45-0x0000000005180000-0x00000000051BE000-memory.dmp	family_redline
behavioral1/memory/8-41-0x0000000005180000-0x00000000051BE000-memory.dmp	family_redline
behavioral1/memory/8-39-0x0000000005180000-0x00000000051BE000-memory.dmp	family_redline
behavioral1/memory/8-37-0x0000000005180000-0x00000000051BE000-memory.dmp	family_redline
behavioral1/memory/8-35-0x0000000005180000-0x00000000051BE000-memory.dmp	family_redline
behavioral1/memory/8-33-0x0000000005180000-0x00000000051BE000-memory.dmp	family_redline
behavioral1/memory/8-31-0x0000000005180000-0x00000000051BE000-memory.dmp	family_redline
behavioral1/memory/8-29-0x0000000005180000-0x00000000051BE000-memory.dmp	family_redline
behavioral1/memory/8-25-0x0000000005180000-0x00000000051BE000-memory.dmp	family_redline
behavioral1/memory/8-22-0x0000000005180000-0x00000000051BE000-memory.dmp	family_redline
behavioral1/memory/8-43-0x0000000005180000-0x00000000051BE000-memory.dmp	family_redline
behavioral1/memory/8-27-0x0000000005180000-0x00000000051BE000-memory.dmp	family_redline
behavioral1/memory/8-23-0x0000000005180000-0x00000000051BE000-memory.dmp	family_redline

Redline family
redline

Executes dropped EXE 2 IoCs

pid	Process
740	nYT10QQ62.exe
8	eTl68xn.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	16f8607579e12a0f42f2a3a7b06dab7d8343e14241ac3ebcde0d2fbc7038b080.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	nYT10QQ62.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	16f8607579e12a0f42f2a3a7b06dab7d8343e14241ac3ebcde0d2fbc7038b080.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nYT10QQ62.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	eTl68xn.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	8	eTl68xn.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 1388 wrote to memory of 740	1388	16f8607579e12a0f42f2a3a7b06dab7d8343e14241ac3ebcde0d2fbc7038b080.exe	83
PID 1388 wrote to memory of 740	1388	16f8607579e12a0f42f2a3a7b06dab7d8343e14241ac3ebcde0d2fbc7038b080.exe	83
PID 1388 wrote to memory of 740	1388	16f8607579e12a0f42f2a3a7b06dab7d8343e14241ac3ebcde0d2fbc7038b080.exe	83
PID 740 wrote to memory of 8	740	nYT10QQ62.exe	84
PID 740 wrote to memory of 8	740	nYT10QQ62.exe	84
PID 740 wrote to memory of 8	740	nYT10QQ62.exe	84

C:\Users\Admin\AppData\Local\Temp\16f8607579e12a0f42f2a3a7b06dab7d8343e14241ac3ebcde0d2fbc7038b080.exe
"C:\Users\Admin\AppData\Local\Temp\16f8607579e12a0f42f2a3a7b06dab7d8343e14241ac3ebcde0d2fbc7038b080.exe"
1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1388
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nYT10QQ62.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nYT10QQ62.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:740
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\eTl68xn.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\eTl68xn.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:8

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nYT10QQ62.exe

Filesize
423KB

MD5
a19f8741b2f80d5bf9d7750fe11ecdaf

SHA1
09b55c7e8f96b674c1ccb5ec5a25fe7e4923c556

SHA256
88758ba5b15377532a375df3f704b19ef342b3c3515263595e7ccb64119e5499

SHA512
37a432554511b27fa13068b8026cefc8fccb1b2a44f870cc2e2de72fc008f08fd1b30b5f0d0ede3edb92037868fbb4c7283d9568aa43616a94d7b52f4736b4ca

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\eTl68xn.exe

Filesize
272KB

MD5
c113acaa97d1b0c8d5c9cbd18c92f4f1

SHA1
464dc76da869260984e3fb38909c6caad08019a9

SHA256
955e4add7fef760292d37853c801d3682f01b3db7dad1fe2eebddb3d6c80d8d0

SHA512
909e2bd782020682f75b552e47943a57ae0b5f0099d69479633f19e2267daa8226451b392f060d9684fa26c9a63fc31717fc0390bb994c714a2259112f3fff20

Download Submit
memory/8-15-0x0000000000670000-0x0000000000770000-memory.dmp

Filesize
1024KB

Download
memory/8-16-0x0000000000840000-0x000000000088B000-memory.dmp

Filesize
300KB

Download
memory/8-17-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/8-18-0x0000000000400000-0x000000000058B000-memory.dmp

Filesize
1.5MB

Download
memory/8-19-0x0000000004B10000-0x0000000004B56000-memory.dmp

Filesize
280KB

Download
memory/8-20-0x0000000004B90000-0x0000000005134000-memory.dmp

Filesize
5.6MB

Download
memory/8-21-0x0000000005180000-0x00000000051C4000-memory.dmp

Filesize
272KB

Download
memory/8-57-0x0000000005180000-0x00000000051BE000-memory.dmp

Filesize
248KB

Download
memory/8-59-0x0000000005180000-0x00000000051BE000-memory.dmp

Filesize
248KB

Download
memory/8-85-0x0000000005180000-0x00000000051BE000-memory.dmp

Filesize
248KB

Download
memory/8-83-0x0000000005180000-0x00000000051BE000-memory.dmp

Filesize
248KB

Download
memory/8-81-0x0000000005180000-0x00000000051BE000-memory.dmp

Filesize
248KB

Download
memory/8-79-0x0000000005180000-0x00000000051BE000-memory.dmp

Filesize
248KB

Download
memory/8-77-0x0000000005180000-0x00000000051BE000-memory.dmp

Filesize
248KB

Download
memory/8-75-0x0000000005180000-0x00000000051BE000-memory.dmp

Filesize
248KB

Download
memory/8-73-0x0000000005180000-0x00000000051BE000-memory.dmp

Filesize
248KB

Download
memory/8-71-0x0000000005180000-0x00000000051BE000-memory.dmp

Filesize
248KB

Download
memory/8-69-0x0000000005180000-0x00000000051BE000-memory.dmp

Filesize
248KB

Download
memory/8-67-0x0000000005180000-0x00000000051BE000-memory.dmp

Filesize
248KB

Download
memory/8-65-0x0000000005180000-0x00000000051BE000-memory.dmp

Filesize
248KB

Download
memory/8-63-0x0000000005180000-0x00000000051BE000-memory.dmp

Filesize
248KB

Download
memory/8-61-0x0000000005180000-0x00000000051BE000-memory.dmp

Filesize
248KB

Download
memory/8-55-0x0000000005180000-0x00000000051BE000-memory.dmp

Filesize
248KB

Download
memory/8-53-0x0000000005180000-0x00000000051BE000-memory.dmp

Filesize
248KB

Download
memory/8-51-0x0000000005180000-0x00000000051BE000-memory.dmp

Filesize
248KB

Download
memory/8-50-0x0000000005180000-0x00000000051BE000-memory.dmp

Filesize
248KB

Download
memory/8-47-0x0000000005180000-0x00000000051BE000-memory.dmp

Filesize
248KB

Download
memory/8-45-0x0000000005180000-0x00000000051BE000-memory.dmp

Filesize
248KB

Download
memory/8-41-0x0000000005180000-0x00000000051BE000-memory.dmp

Filesize
248KB

Download
memory/8-39-0x0000000005180000-0x00000000051BE000-memory.dmp

Filesize
248KB

Download
memory/8-37-0x0000000005180000-0x00000000051BE000-memory.dmp

Filesize
248KB

Download
memory/8-35-0x0000000005180000-0x00000000051BE000-memory.dmp

Filesize
248KB

Download
memory/8-33-0x0000000005180000-0x00000000051BE000-memory.dmp

Filesize
248KB

Download
memory/8-31-0x0000000005180000-0x00000000051BE000-memory.dmp

Filesize
248KB

Download
memory/8-29-0x0000000005180000-0x00000000051BE000-memory.dmp

Filesize
248KB

Download
memory/8-25-0x0000000005180000-0x00000000051BE000-memory.dmp

Filesize
248KB

Download
memory/8-22-0x0000000005180000-0x00000000051BE000-memory.dmp

Filesize
248KB

Download
memory/8-43-0x0000000005180000-0x00000000051BE000-memory.dmp

Filesize
248KB

Download
memory/8-27-0x0000000005180000-0x00000000051BE000-memory.dmp

Filesize
248KB

Download
memory/8-23-0x0000000005180000-0x00000000051BE000-memory.dmp

Filesize
248KB

Download
memory/8-928-0x00000000051C0000-0x00000000057D8000-memory.dmp

Filesize
6.1MB

Download
memory/8-929-0x0000000005860000-0x000000000596A000-memory.dmp

Filesize
1.0MB

Download
memory/8-931-0x0000000000670000-0x0000000000770000-memory.dmp

Filesize
1024KB

Download
memory/8-930-0x00000000059A0000-0x00000000059B2000-memory.dmp

Filesize
72KB

Download
memory/8-932-0x00000000059C0000-0x00000000059FC000-memory.dmp

Filesize
240KB

Download
memory/8-933-0x0000000005B10000-0x0000000005B5C000-memory.dmp

Filesize
304KB

Download
memory/8-934-0x0000000000840000-0x000000000088B000-memory.dmp

Filesize
300KB

Download
memory/8-935-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads