redline | 8d8319e30247dd21d3a97207e2b9193f9329f97aa147dee9e2f4dfa9e304d2ab

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
11/11/2024, 05:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8d8319e30247dd21d3a97207e2b9193f9329f97aa147dee9e2f4dfa9e304d2ab.exe
Size

780KB
MD5

56e5fd7e255dc7bb88bff655503e6341
SHA1

dd85cc70c874e3bd5b54fdeb691094a48d5f3728
SHA256

8d8319e30247dd21d3a97207e2b9193f9329f97aa147dee9e2f4dfa9e304d2ab
SHA512

576a551aab259774f704995b80d49b3106519c6ee67ad095022642a7adc114df4b68bc979213fb6cc4044f443d8c25fd9f8ebc0124c94cb8d8dfc0975c468f32
SSDEEP

12288:qMrJy90mDwBbpRAdu2vv3ZCRd5pwqyz+8XtUmxneZ:LyHDId2tjBC89USneZ

Score

10^/10

redline romik discovery infostealer persistence

Malware Config

Extracted

Family

redline

Botnet

romik

193.233.20.12:4132

Attributes

auth_value
8fb78d2889ba0ca42678b59b884e88ff

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 35 IoCs

resource	yara_rule
behavioral1/memory/2680-22-0x0000000004D20000-0x0000000004D66000-memory.dmp	family_redline
behavioral1/memory/2680-24-0x0000000005350000-0x0000000005394000-memory.dmp	family_redline
behavioral1/memory/2680-34-0x0000000005350000-0x000000000538E000-memory.dmp	family_redline
behavioral1/memory/2680-88-0x0000000005350000-0x000000000538E000-memory.dmp	family_redline
behavioral1/memory/2680-86-0x0000000005350000-0x000000000538E000-memory.dmp	family_redline
behavioral1/memory/2680-84-0x0000000005350000-0x000000000538E000-memory.dmp	family_redline
behavioral1/memory/2680-82-0x0000000005350000-0x000000000538E000-memory.dmp	family_redline
behavioral1/memory/2680-80-0x0000000005350000-0x000000000538E000-memory.dmp	family_redline
behavioral1/memory/2680-78-0x0000000005350000-0x000000000538E000-memory.dmp	family_redline
behavioral1/memory/2680-76-0x0000000005350000-0x000000000538E000-memory.dmp	family_redline
behavioral1/memory/2680-74-0x0000000005350000-0x000000000538E000-memory.dmp	family_redline
behavioral1/memory/2680-72-0x0000000005350000-0x000000000538E000-memory.dmp	family_redline
behavioral1/memory/2680-68-0x0000000005350000-0x000000000538E000-memory.dmp	family_redline
behavioral1/memory/2680-66-0x0000000005350000-0x000000000538E000-memory.dmp	family_redline
behavioral1/memory/2680-64-0x0000000005350000-0x000000000538E000-memory.dmp	family_redline
behavioral1/memory/2680-62-0x0000000005350000-0x000000000538E000-memory.dmp	family_redline
behavioral1/memory/2680-60-0x0000000005350000-0x000000000538E000-memory.dmp	family_redline
behavioral1/memory/2680-58-0x0000000005350000-0x000000000538E000-memory.dmp	family_redline
behavioral1/memory/2680-56-0x0000000005350000-0x000000000538E000-memory.dmp	family_redline
behavioral1/memory/2680-54-0x0000000005350000-0x000000000538E000-memory.dmp	family_redline
behavioral1/memory/2680-52-0x0000000005350000-0x000000000538E000-memory.dmp	family_redline
behavioral1/memory/2680-50-0x0000000005350000-0x000000000538E000-memory.dmp	family_redline
behavioral1/memory/2680-48-0x0000000005350000-0x000000000538E000-memory.dmp	family_redline
behavioral1/memory/2680-46-0x0000000005350000-0x000000000538E000-memory.dmp	family_redline
behavioral1/memory/2680-44-0x0000000005350000-0x000000000538E000-memory.dmp	family_redline
behavioral1/memory/2680-42-0x0000000005350000-0x000000000538E000-memory.dmp	family_redline
behavioral1/memory/2680-40-0x0000000005350000-0x000000000538E000-memory.dmp	family_redline
behavioral1/memory/2680-38-0x0000000005350000-0x000000000538E000-memory.dmp	family_redline
behavioral1/memory/2680-36-0x0000000005350000-0x000000000538E000-memory.dmp	family_redline
behavioral1/memory/2680-32-0x0000000005350000-0x000000000538E000-memory.dmp	family_redline
behavioral1/memory/2680-30-0x0000000005350000-0x000000000538E000-memory.dmp	family_redline
behavioral1/memory/2680-28-0x0000000005350000-0x000000000538E000-memory.dmp	family_redline
behavioral1/memory/2680-70-0x0000000005350000-0x000000000538E000-memory.dmp	family_redline
behavioral1/memory/2680-26-0x0000000005350000-0x000000000538E000-memory.dmp	family_redline
behavioral1/memory/2680-25-0x0000000005350000-0x000000000538E000-memory.dmp	family_redline

Redline family
redline

Executes dropped EXE 3 IoCs

pid	Process
2404	vaX54.exe
2012	vQe35.exe
2680	dor78.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	vaX54.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	vQe35.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	8d8319e30247dd21d3a97207e2b9193f9329f97aa147dee9e2f4dfa9e304d2ab.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	8d8319e30247dd21d3a97207e2b9193f9329f97aa147dee9e2f4dfa9e304d2ab.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vaX54.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vQe35.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dor78.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2680	dor78.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 4232 wrote to memory of 2404	4232	8d8319e30247dd21d3a97207e2b9193f9329f97aa147dee9e2f4dfa9e304d2ab.exe	83
PID 4232 wrote to memory of 2404	4232	8d8319e30247dd21d3a97207e2b9193f9329f97aa147dee9e2f4dfa9e304d2ab.exe	83
PID 4232 wrote to memory of 2404	4232	8d8319e30247dd21d3a97207e2b9193f9329f97aa147dee9e2f4dfa9e304d2ab.exe	83
PID 2404 wrote to memory of 2012	2404	vaX54.exe	84
PID 2404 wrote to memory of 2012	2404	vaX54.exe	84
PID 2404 wrote to memory of 2012	2404	vaX54.exe	84
PID 2012 wrote to memory of 2680	2012	vQe35.exe	85
PID 2012 wrote to memory of 2680	2012	vQe35.exe	85
PID 2012 wrote to memory of 2680	2012	vQe35.exe	85

C:\Users\Admin\AppData\Local\Temp\8d8319e30247dd21d3a97207e2b9193f9329f97aa147dee9e2f4dfa9e304d2ab.exe
"C:\Users\Admin\AppData\Local\Temp\8d8319e30247dd21d3a97207e2b9193f9329f97aa147dee9e2f4dfa9e304d2ab.exe"
1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4232
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vaX54.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vaX54.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2404
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\vQe35.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\vQe35.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2012
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\dor78.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\dor78.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:2680

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vaX54.exe

Filesize
677KB

MD5
0fe557f831089f1b4a244f74901e665b

SHA1
92d4a1b9f4b74e2bc3aacf0814c31ddccd89da28

SHA256
87bc45ce7ac1843ba3a0fc42af828df1d7a8a6dc9dce1f711e9bca945eeece2d

SHA512
2d34b7c4f2b1c501914e4d221db27c0a350934486112481a9c0146c1d8b78cb1f5c76f1bec9ff655f14b6435500901f2cd29781a957375bb373dd8c910a710ec

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\vQe35.exe

Filesize
532KB

MD5
902ad6d46dbf9f919371d0f48762fd36

SHA1
47a00953fdc6c48beda44dbc29a703bf5f6cf043

SHA256
2ac5a41a155a6181c713b92362c3346ace5693b4ff726c67a658c7cdd7cdc9b9

SHA512
2d6c1c84fc455b8c8a08572936a5eb67f7719f173f6f4ecf89a38c32d3733349fe077e7bd987588b639c3632e0ae4d5379f0138c52536120954ea7476a50d948

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\dor78.exe

Filesize
338KB

MD5
cb2d93db92499f0d807e5de936216415

SHA1
6599f128b4914dfa7085a114f765f28ab2383366

SHA256
8b784da006ef6549b3db738ed63352e81be6cf5941330388e02b72ec188c41f6

SHA512
af7c64d82e6d728cbbaf73e39f3f5203a6a575e06dd8e847f937460df83aeadc1599d45e6edc1af35bef60ac899e369f96b181932e25bce850fe179a05e6ba66

Download Submit
memory/2680-22-0x0000000004D20000-0x0000000004D66000-memory.dmp

Filesize
280KB

Download
memory/2680-23-0x0000000004D60000-0x0000000005304000-memory.dmp

Filesize
5.6MB

Download
memory/2680-24-0x0000000005350000-0x0000000005394000-memory.dmp

Filesize
272KB

Download
memory/2680-34-0x0000000005350000-0x000000000538E000-memory.dmp

Filesize
248KB

Download
memory/2680-88-0x0000000005350000-0x000000000538E000-memory.dmp

Filesize
248KB

Download
memory/2680-86-0x0000000005350000-0x000000000538E000-memory.dmp

Filesize
248KB

Download
memory/2680-84-0x0000000005350000-0x000000000538E000-memory.dmp

Filesize
248KB

Download
memory/2680-82-0x0000000005350000-0x000000000538E000-memory.dmp

Filesize
248KB

Download
memory/2680-80-0x0000000005350000-0x000000000538E000-memory.dmp

Filesize
248KB

Download
memory/2680-78-0x0000000005350000-0x000000000538E000-memory.dmp

Filesize
248KB

Download
memory/2680-76-0x0000000005350000-0x000000000538E000-memory.dmp

Filesize
248KB

Download
memory/2680-74-0x0000000005350000-0x000000000538E000-memory.dmp

Filesize
248KB

Download
memory/2680-72-0x0000000005350000-0x000000000538E000-memory.dmp

Filesize
248KB

Download
memory/2680-68-0x0000000005350000-0x000000000538E000-memory.dmp

Filesize
248KB

Download
memory/2680-66-0x0000000005350000-0x000000000538E000-memory.dmp

Filesize
248KB

Download
memory/2680-64-0x0000000005350000-0x000000000538E000-memory.dmp

Filesize
248KB

Download
memory/2680-62-0x0000000005350000-0x000000000538E000-memory.dmp

Filesize
248KB

Download
memory/2680-60-0x0000000005350000-0x000000000538E000-memory.dmp

Filesize
248KB

Download
memory/2680-58-0x0000000005350000-0x000000000538E000-memory.dmp

Filesize
248KB

Download
memory/2680-56-0x0000000005350000-0x000000000538E000-memory.dmp

Filesize
248KB

Download
memory/2680-54-0x0000000005350000-0x000000000538E000-memory.dmp

Filesize
248KB

Download
memory/2680-52-0x0000000005350000-0x000000000538E000-memory.dmp

Filesize
248KB

Download
memory/2680-50-0x0000000005350000-0x000000000538E000-memory.dmp

Filesize
248KB

Download
memory/2680-48-0x0000000005350000-0x000000000538E000-memory.dmp

Filesize
248KB

Download
memory/2680-46-0x0000000005350000-0x000000000538E000-memory.dmp

Filesize
248KB

Download
memory/2680-44-0x0000000005350000-0x000000000538E000-memory.dmp

Filesize
248KB

Download
memory/2680-42-0x0000000005350000-0x000000000538E000-memory.dmp

Filesize
248KB

Download
memory/2680-40-0x0000000005350000-0x000000000538E000-memory.dmp

Filesize
248KB

Download
memory/2680-38-0x0000000005350000-0x000000000538E000-memory.dmp

Filesize
248KB

Download
memory/2680-36-0x0000000005350000-0x000000000538E000-memory.dmp

Filesize
248KB

Download
memory/2680-32-0x0000000005350000-0x000000000538E000-memory.dmp

Filesize
248KB

Download
memory/2680-30-0x0000000005350000-0x000000000538E000-memory.dmp

Filesize
248KB

Download
memory/2680-28-0x0000000005350000-0x000000000538E000-memory.dmp

Filesize
248KB

Download
memory/2680-70-0x0000000005350000-0x000000000538E000-memory.dmp

Filesize
248KB

Download
memory/2680-26-0x0000000005350000-0x000000000538E000-memory.dmp

Filesize
248KB

Download
memory/2680-25-0x0000000005350000-0x000000000538E000-memory.dmp

Filesize
248KB

Download
memory/2680-931-0x00000000053F0000-0x0000000005A08000-memory.dmp

Filesize
6.1MB

Download
memory/2680-932-0x0000000005A90000-0x0000000005B9A000-memory.dmp

Filesize
1.0MB

Download
memory/2680-933-0x0000000005BD0000-0x0000000005BE2000-memory.dmp

Filesize
72KB

Download
memory/2680-934-0x0000000005BF0000-0x0000000005C2C000-memory.dmp

Filesize
240KB

Download
memory/2680-935-0x0000000005D40000-0x0000000005D8C000-memory.dmp

Filesize
304KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads