redline | 03ca77490b522f0c03c4138fb86b0ea6661fcab64720dc51e6f0dfabb40f6610

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
11-11-2024 05:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

03ca77490b522f0c03c4138fb86b0ea6661fcab64720dc51e6f0dfabb40f6610.exe
Size

837KB
MD5

e108c7371cfe04657fcb738090641276
SHA1

6342c43b2f4d897c0b996993a7408828d62751be
SHA256

03ca77490b522f0c03c4138fb86b0ea6661fcab64720dc51e6f0dfabb40f6610
SHA512

3db6847d1fb2abc08279edd5dda707dba02ef9daa1269f5364e980337bbddc5cf4a7170d017aa9801a750de42c62c43022d75600b1e848591c0e8995ec20045f
SSDEEP

24576:nydB6xvwrX7Idmv4M1+1EjNxTr05iUpH:ydB6xEXywI5

Score

10^/10

redline romik discovery infostealer persistence

Malware Config

Extracted

Family

redline

Botnet

romik

193.233.20.12:4132

Attributes

auth_value
8fb78d2889ba0ca42678b59b884e88ff

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 35 IoCs

resource	yara_rule
behavioral1/memory/1216-22-0x0000000004C90000-0x0000000004CD6000-memory.dmp	family_redline
behavioral1/memory/1216-24-0x0000000004D10000-0x0000000004D54000-memory.dmp	family_redline
behavioral1/memory/1216-40-0x0000000004D10000-0x0000000004D4E000-memory.dmp	family_redline
behavioral1/memory/1216-38-0x0000000004D10000-0x0000000004D4E000-memory.dmp	family_redline
behavioral1/memory/1216-36-0x0000000004D10000-0x0000000004D4E000-memory.dmp	family_redline
behavioral1/memory/1216-34-0x0000000004D10000-0x0000000004D4E000-memory.dmp	family_redline
behavioral1/memory/1216-32-0x0000000004D10000-0x0000000004D4E000-memory.dmp	family_redline
behavioral1/memory/1216-80-0x0000000004D10000-0x0000000004D4E000-memory.dmp	family_redline
behavioral1/memory/1216-56-0x0000000004D10000-0x0000000004D4E000-memory.dmp	family_redline
behavioral1/memory/1216-30-0x0000000004D10000-0x0000000004D4E000-memory.dmp	family_redline
behavioral1/memory/1216-28-0x0000000004D10000-0x0000000004D4E000-memory.dmp	family_redline
behavioral1/memory/1216-26-0x0000000004D10000-0x0000000004D4E000-memory.dmp	family_redline
behavioral1/memory/1216-88-0x0000000004D10000-0x0000000004D4E000-memory.dmp	family_redline
behavioral1/memory/1216-86-0x0000000004D10000-0x0000000004D4E000-memory.dmp	family_redline
behavioral1/memory/1216-84-0x0000000004D10000-0x0000000004D4E000-memory.dmp	family_redline
behavioral1/memory/1216-82-0x0000000004D10000-0x0000000004D4E000-memory.dmp	family_redline
behavioral1/memory/1216-78-0x0000000004D10000-0x0000000004D4E000-memory.dmp	family_redline
behavioral1/memory/1216-76-0x0000000004D10000-0x0000000004D4E000-memory.dmp	family_redline
behavioral1/memory/1216-74-0x0000000004D10000-0x0000000004D4E000-memory.dmp	family_redline
behavioral1/memory/1216-73-0x0000000004D10000-0x0000000004D4E000-memory.dmp	family_redline
behavioral1/memory/1216-70-0x0000000004D10000-0x0000000004D4E000-memory.dmp	family_redline
behavioral1/memory/1216-68-0x0000000004D10000-0x0000000004D4E000-memory.dmp	family_redline
behavioral1/memory/1216-66-0x0000000004D10000-0x0000000004D4E000-memory.dmp	family_redline
behavioral1/memory/1216-64-0x0000000004D10000-0x0000000004D4E000-memory.dmp	family_redline
behavioral1/memory/1216-62-0x0000000004D10000-0x0000000004D4E000-memory.dmp	family_redline
behavioral1/memory/1216-60-0x0000000004D10000-0x0000000004D4E000-memory.dmp	family_redline
behavioral1/memory/1216-58-0x0000000004D10000-0x0000000004D4E000-memory.dmp	family_redline
behavioral1/memory/1216-54-0x0000000004D10000-0x0000000004D4E000-memory.dmp	family_redline
behavioral1/memory/1216-52-0x0000000004D10000-0x0000000004D4E000-memory.dmp	family_redline
behavioral1/memory/1216-50-0x0000000004D10000-0x0000000004D4E000-memory.dmp	family_redline
behavioral1/memory/1216-48-0x0000000004D10000-0x0000000004D4E000-memory.dmp	family_redline
behavioral1/memory/1216-46-0x0000000004D10000-0x0000000004D4E000-memory.dmp	family_redline
behavioral1/memory/1216-44-0x0000000004D10000-0x0000000004D4E000-memory.dmp	family_redline
behavioral1/memory/1216-42-0x0000000004D10000-0x0000000004D4E000-memory.dmp	family_redline
behavioral1/memory/1216-25-0x0000000004D10000-0x0000000004D4E000-memory.dmp	family_redline

Redline family
redline

Executes dropped EXE 3 IoCs

pid	Process
4120	vja65.exe
3256	vSL32.exe
1216	dSx39.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	vja65.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	vSL32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	03ca77490b522f0c03c4138fb86b0ea6661fcab64720dc51e6f0dfabb40f6610.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	03ca77490b522f0c03c4138fb86b0ea6661fcab64720dc51e6f0dfabb40f6610.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vja65.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vSL32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dSx39.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1216	dSx39.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 2356 wrote to memory of 4120	2356	03ca77490b522f0c03c4138fb86b0ea6661fcab64720dc51e6f0dfabb40f6610.exe	84
PID 2356 wrote to memory of 4120	2356	03ca77490b522f0c03c4138fb86b0ea6661fcab64720dc51e6f0dfabb40f6610.exe	84
PID 2356 wrote to memory of 4120	2356	03ca77490b522f0c03c4138fb86b0ea6661fcab64720dc51e6f0dfabb40f6610.exe	84
PID 4120 wrote to memory of 3256	4120	vja65.exe	86
PID 4120 wrote to memory of 3256	4120	vja65.exe	86
PID 4120 wrote to memory of 3256	4120	vja65.exe	86
PID 3256 wrote to memory of 1216	3256	vSL32.exe	87
PID 3256 wrote to memory of 1216	3256	vSL32.exe	87
PID 3256 wrote to memory of 1216	3256	vSL32.exe	87

C:\Users\Admin\AppData\Local\Temp\03ca77490b522f0c03c4138fb86b0ea6661fcab64720dc51e6f0dfabb40f6610.exe
"C:\Users\Admin\AppData\Local\Temp\03ca77490b522f0c03c4138fb86b0ea6661fcab64720dc51e6f0dfabb40f6610.exe"
1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2356
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vja65.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vja65.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4120
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\vSL32.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\vSL32.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3256
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\dSx39.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\dSx39.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:1216

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vja65.exe

Filesize
733KB

MD5
38ff3901153d68807b79123c5f47be77

SHA1
a77511a65a92c9935d0914159217bd8feaadb52b

SHA256
607d711afc3019a9afce38dbaad0937f545a6085dfa86b34b5688b92cc59d189

SHA512
62e10d76747f7422ea28d63421894c97483b70df66199f2dae8c6b0c56b8ab1f5caca0d2f5c61ae5a1425b0a52acee72ed5021438e7844e77db948348b60c9f3

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\vSL32.exe

Filesize
588KB

MD5
ec5c6820621301691aea9bbb2dc49cd1

SHA1
63f97387814dea49af311d1d1137e158994bc820

SHA256
5ad6f20a77bf4db2d8fe0fdbc4c0f6922cf62cb9cdf5679b6f6211a3f556c173

SHA512
105a70793866be0212a2727651b7df0fc5b33fdf405ed81b92a8b07633cbedca62758cdc8bca86df8557965efaaf811e9e0764e39c257cb5e1da6136eae5a99b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\dSx39.exe

Filesize
479KB

MD5
025cb38b9df5a2aad5c56de55d8d5e91

SHA1
3e208fb7cd6c718268a272e349daa206d7af8989

SHA256
f1aff3dc1d39ee6806207754202fc9694115dcf9cd0a2423c8413195d9907804

SHA512
f2b72666ac2d098c280a34238eb07d3dc363dcd12225ceddecb2a8626ae2e556883259c6623f92b9b613d16c764c38485155c846eabe48fd150a0e70e5dc944f

Download Submit
memory/1216-22-0x0000000004C90000-0x0000000004CD6000-memory.dmp

Filesize
280KB

Download
memory/1216-23-0x0000000004DD0000-0x0000000005374000-memory.dmp

Filesize
5.6MB

Download
memory/1216-24-0x0000000004D10000-0x0000000004D54000-memory.dmp

Filesize
272KB

Download
memory/1216-40-0x0000000004D10000-0x0000000004D4E000-memory.dmp

Filesize
248KB

Download
memory/1216-38-0x0000000004D10000-0x0000000004D4E000-memory.dmp

Filesize
248KB

Download
memory/1216-36-0x0000000004D10000-0x0000000004D4E000-memory.dmp

Filesize
248KB

Download
memory/1216-34-0x0000000004D10000-0x0000000004D4E000-memory.dmp

Filesize
248KB

Download
memory/1216-32-0x0000000004D10000-0x0000000004D4E000-memory.dmp

Filesize
248KB

Download
memory/1216-80-0x0000000004D10000-0x0000000004D4E000-memory.dmp

Filesize
248KB

Download
memory/1216-56-0x0000000004D10000-0x0000000004D4E000-memory.dmp

Filesize
248KB

Download
memory/1216-30-0x0000000004D10000-0x0000000004D4E000-memory.dmp

Filesize
248KB

Download
memory/1216-28-0x0000000004D10000-0x0000000004D4E000-memory.dmp

Filesize
248KB

Download
memory/1216-26-0x0000000004D10000-0x0000000004D4E000-memory.dmp

Filesize
248KB

Download
memory/1216-88-0x0000000004D10000-0x0000000004D4E000-memory.dmp

Filesize
248KB

Download
memory/1216-86-0x0000000004D10000-0x0000000004D4E000-memory.dmp

Filesize
248KB

Download
memory/1216-84-0x0000000004D10000-0x0000000004D4E000-memory.dmp

Filesize
248KB

Download
memory/1216-82-0x0000000004D10000-0x0000000004D4E000-memory.dmp

Filesize
248KB

Download
memory/1216-78-0x0000000004D10000-0x0000000004D4E000-memory.dmp

Filesize
248KB

Download
memory/1216-76-0x0000000004D10000-0x0000000004D4E000-memory.dmp

Filesize
248KB

Download
memory/1216-74-0x0000000004D10000-0x0000000004D4E000-memory.dmp

Filesize
248KB

Download
memory/1216-73-0x0000000004D10000-0x0000000004D4E000-memory.dmp

Filesize
248KB

Download
memory/1216-70-0x0000000004D10000-0x0000000004D4E000-memory.dmp

Filesize
248KB

Download
memory/1216-68-0x0000000004D10000-0x0000000004D4E000-memory.dmp

Filesize
248KB

Download
memory/1216-66-0x0000000004D10000-0x0000000004D4E000-memory.dmp

Filesize
248KB

Download
memory/1216-64-0x0000000004D10000-0x0000000004D4E000-memory.dmp

Filesize
248KB

Download
memory/1216-62-0x0000000004D10000-0x0000000004D4E000-memory.dmp

Filesize
248KB

Download
memory/1216-60-0x0000000004D10000-0x0000000004D4E000-memory.dmp

Filesize
248KB

Download
memory/1216-58-0x0000000004D10000-0x0000000004D4E000-memory.dmp

Filesize
248KB

Download
memory/1216-54-0x0000000004D10000-0x0000000004D4E000-memory.dmp

Filesize
248KB

Download
memory/1216-52-0x0000000004D10000-0x0000000004D4E000-memory.dmp

Filesize
248KB

Download
memory/1216-50-0x0000000004D10000-0x0000000004D4E000-memory.dmp

Filesize
248KB

Download
memory/1216-48-0x0000000004D10000-0x0000000004D4E000-memory.dmp

Filesize
248KB

Download
memory/1216-46-0x0000000004D10000-0x0000000004D4E000-memory.dmp

Filesize
248KB

Download
memory/1216-44-0x0000000004D10000-0x0000000004D4E000-memory.dmp

Filesize
248KB

Download
memory/1216-42-0x0000000004D10000-0x0000000004D4E000-memory.dmp

Filesize
248KB

Download
memory/1216-25-0x0000000004D10000-0x0000000004D4E000-memory.dmp

Filesize
248KB

Download
memory/1216-931-0x0000000005380000-0x0000000005998000-memory.dmp

Filesize
6.1MB

Download
memory/1216-932-0x00000000059B0000-0x0000000005ABA000-memory.dmp

Filesize
1.0MB

Download
memory/1216-933-0x0000000005AF0000-0x0000000005B02000-memory.dmp

Filesize
72KB

Download
memory/1216-934-0x0000000005B10000-0x0000000005B4C000-memory.dmp

Filesize
240KB

Download
memory/1216-935-0x0000000005C60000-0x0000000005CAC000-memory.dmp

Filesize
304KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads