redline | fda4b898a3c579fe7ef0682031a7f1ff9c9cddf6018019f5ef8df2e4533d9083

Analysis

max time kernel
141s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
11-11-2024 07:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

fda4b898a3c579fe7ef0682031a7f1ff9c9cddf6018019f5ef8df2e4533d9083.exe
Size

760KB
MD5

26efdbbd82d0ad67cbe71b3a9435150d
SHA1

c4e050db1dd0cbbdb8c708c75961ccf80cebf626
SHA256

fda4b898a3c579fe7ef0682031a7f1ff9c9cddf6018019f5ef8df2e4533d9083
SHA512

4c7ca07ab63bccb23350332f41153a398b68cc7dd928edaa79d97fbf6fb9d834bbdf1fc124ea05808e8bbf15919a1235437cad8e7a6ee74a15dd4d13389e3f45
SSDEEP

12288:XMr5y90CxiTVr7t4WFgPvM7LrmyynfFOmEAEDRi+IXKONsWl8ldsH/adJafDXwyn:iyhqVnt+P07LC1fsikb/ON/alMKRerWQ

Score

10^/10

redline romik discovery infostealer persistence

Malware Config

Extracted

Family

redline

Botnet

romik

193.233.20.12:4132

Attributes

auth_value
8fb78d2889ba0ca42678b59b884e88ff

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 35 IoCs

resource	yara_rule
behavioral1/memory/2436-22-0x00000000027B0000-0x00000000027F6000-memory.dmp	family_redline
behavioral1/memory/2436-24-0x0000000002960000-0x00000000029A4000-memory.dmp	family_redline
behavioral1/memory/2436-34-0x0000000002960000-0x000000000299E000-memory.dmp	family_redline
behavioral1/memory/2436-88-0x0000000002960000-0x000000000299E000-memory.dmp	family_redline
behavioral1/memory/2436-86-0x0000000002960000-0x000000000299E000-memory.dmp	family_redline
behavioral1/memory/2436-84-0x0000000002960000-0x000000000299E000-memory.dmp	family_redline
behavioral1/memory/2436-80-0x0000000002960000-0x000000000299E000-memory.dmp	family_redline
behavioral1/memory/2436-78-0x0000000002960000-0x000000000299E000-memory.dmp	family_redline
behavioral1/memory/2436-76-0x0000000002960000-0x000000000299E000-memory.dmp	family_redline
behavioral1/memory/2436-74-0x0000000002960000-0x000000000299E000-memory.dmp	family_redline
behavioral1/memory/2436-72-0x0000000002960000-0x000000000299E000-memory.dmp	family_redline
behavioral1/memory/2436-68-0x0000000002960000-0x000000000299E000-memory.dmp	family_redline
behavioral1/memory/2436-66-0x0000000002960000-0x000000000299E000-memory.dmp	family_redline
behavioral1/memory/2436-64-0x0000000002960000-0x000000000299E000-memory.dmp	family_redline
behavioral1/memory/2436-62-0x0000000002960000-0x000000000299E000-memory.dmp	family_redline
behavioral1/memory/2436-60-0x0000000002960000-0x000000000299E000-memory.dmp	family_redline
behavioral1/memory/2436-56-0x0000000002960000-0x000000000299E000-memory.dmp	family_redline
behavioral1/memory/2436-54-0x0000000002960000-0x000000000299E000-memory.dmp	family_redline
behavioral1/memory/2436-52-0x0000000002960000-0x000000000299E000-memory.dmp	family_redline
behavioral1/memory/2436-50-0x0000000002960000-0x000000000299E000-memory.dmp	family_redline
behavioral1/memory/2436-48-0x0000000002960000-0x000000000299E000-memory.dmp	family_redline
behavioral1/memory/2436-46-0x0000000002960000-0x000000000299E000-memory.dmp	family_redline
behavioral1/memory/2436-44-0x0000000002960000-0x000000000299E000-memory.dmp	family_redline
behavioral1/memory/2436-42-0x0000000002960000-0x000000000299E000-memory.dmp	family_redline
behavioral1/memory/2436-40-0x0000000002960000-0x000000000299E000-memory.dmp	family_redline
behavioral1/memory/2436-38-0x0000000002960000-0x000000000299E000-memory.dmp	family_redline
behavioral1/memory/2436-36-0x0000000002960000-0x000000000299E000-memory.dmp	family_redline
behavioral1/memory/2436-32-0x0000000002960000-0x000000000299E000-memory.dmp	family_redline
behavioral1/memory/2436-30-0x0000000002960000-0x000000000299E000-memory.dmp	family_redline
behavioral1/memory/2436-82-0x0000000002960000-0x000000000299E000-memory.dmp	family_redline
behavioral1/memory/2436-28-0x0000000002960000-0x000000000299E000-memory.dmp	family_redline
behavioral1/memory/2436-70-0x0000000002960000-0x000000000299E000-memory.dmp	family_redline
behavioral1/memory/2436-58-0x0000000002960000-0x000000000299E000-memory.dmp	family_redline
behavioral1/memory/2436-26-0x0000000002960000-0x000000000299E000-memory.dmp	family_redline
behavioral1/memory/2436-25-0x0000000002960000-0x000000000299E000-memory.dmp	family_redline

Redline family
redline

Executes dropped EXE 3 IoCs

pid	Process
4288	viu68.exe
4316	vWi46.exe
2436	dmn77.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	viu68.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	vWi46.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	fda4b898a3c579fe7ef0682031a7f1ff9c9cddf6018019f5ef8df2e4533d9083.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fda4b898a3c579fe7ef0682031a7f1ff9c9cddf6018019f5ef8df2e4533d9083.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	viu68.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vWi46.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dmn77.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2436	dmn77.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 2148 wrote to memory of 4288	2148	fda4b898a3c579fe7ef0682031a7f1ff9c9cddf6018019f5ef8df2e4533d9083.exe	83
PID 2148 wrote to memory of 4288	2148	fda4b898a3c579fe7ef0682031a7f1ff9c9cddf6018019f5ef8df2e4533d9083.exe	83
PID 2148 wrote to memory of 4288	2148	fda4b898a3c579fe7ef0682031a7f1ff9c9cddf6018019f5ef8df2e4533d9083.exe	83
PID 4288 wrote to memory of 4316	4288	viu68.exe	85
PID 4288 wrote to memory of 4316	4288	viu68.exe	85
PID 4288 wrote to memory of 4316	4288	viu68.exe	85
PID 4316 wrote to memory of 2436	4316	vWi46.exe	86
PID 4316 wrote to memory of 2436	4316	vWi46.exe	86
PID 4316 wrote to memory of 2436	4316	vWi46.exe	86

C:\Users\Admin\AppData\Local\Temp\fda4b898a3c579fe7ef0682031a7f1ff9c9cddf6018019f5ef8df2e4533d9083.exe
"C:\Users\Admin\AppData\Local\Temp\fda4b898a3c579fe7ef0682031a7f1ff9c9cddf6018019f5ef8df2e4533d9083.exe"
1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2148
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\viu68.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\viu68.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4288
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\vWi46.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\vWi46.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:4316
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\dmn77.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\dmn77.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:2436

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\viu68.exe

Filesize
656KB

MD5
7b8e71bed0c5ce06d440cfdc382c14f0

SHA1
692985b9a2667122646f36baa3ba7e692244068f

SHA256
54e78bb7f9554a00751b7b4676eee607fe5018da8953318bc21af63a624c14ba

SHA512
345e6ac18dbbb01f05b2f5955d8673efefaf3d9260469f4c622d3d1848a7bdfe33eafa510541746dad4fd0ba01e369de287d1dae2499198842a5b3b67bb967a7

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\vWi46.exe

Filesize
510KB

MD5
2c19365d8e36305798c141ba721b79c5

SHA1
66b18f8d4cc6456c69a15e6fd65021441b0b726a

SHA256
4084464a01c9471f4bea05e6e6e25a00c1114ee96dcec82c99f06ade6d1891c9

SHA512
263269aa3f5dcae6c00eac45378d38b9b68e19cd30b96f47e6e092d64417811638755761ad41096ca13b936fbf659eb03c61642c7342883a7df2399cdd0767b6

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\dmn77.exe

Filesize
287KB

MD5
5679820c359decb6148df7d1f99dbf24

SHA1
afc2c0c251e62bdcfa1b53ae4f228ba8d734ee9f

SHA256
6187b858630a3b80420ea4e8643056877eb2c528f9f366e4b41d4d31443e5938

SHA512
71d465a2e6accb08a50dc8545792df0c0dd2ea67c06be3462448ce4d76166c12214a8e8b99d994a7303d8b9b7c6f8974b01aa5af206f3f2eed4e59b503731aa9

Download Submit
memory/2436-22-0x00000000027B0000-0x00000000027F6000-memory.dmp

Filesize
280KB

Download
memory/2436-23-0x0000000004E60000-0x0000000005404000-memory.dmp

Filesize
5.6MB

Download
memory/2436-24-0x0000000002960000-0x00000000029A4000-memory.dmp

Filesize
272KB

Download
memory/2436-34-0x0000000002960000-0x000000000299E000-memory.dmp

Filesize
248KB

Download
memory/2436-88-0x0000000002960000-0x000000000299E000-memory.dmp

Filesize
248KB

Download
memory/2436-86-0x0000000002960000-0x000000000299E000-memory.dmp

Filesize
248KB

Download
memory/2436-84-0x0000000002960000-0x000000000299E000-memory.dmp

Filesize
248KB

Download
memory/2436-80-0x0000000002960000-0x000000000299E000-memory.dmp

Filesize
248KB

Download
memory/2436-78-0x0000000002960000-0x000000000299E000-memory.dmp

Filesize
248KB

Download
memory/2436-76-0x0000000002960000-0x000000000299E000-memory.dmp

Filesize
248KB

Download
memory/2436-74-0x0000000002960000-0x000000000299E000-memory.dmp

Filesize
248KB

Download
memory/2436-72-0x0000000002960000-0x000000000299E000-memory.dmp

Filesize
248KB

Download
memory/2436-68-0x0000000002960000-0x000000000299E000-memory.dmp

Filesize
248KB

Download
memory/2436-66-0x0000000002960000-0x000000000299E000-memory.dmp

Filesize
248KB

Download
memory/2436-64-0x0000000002960000-0x000000000299E000-memory.dmp

Filesize
248KB

Download
memory/2436-62-0x0000000002960000-0x000000000299E000-memory.dmp

Filesize
248KB

Download
memory/2436-60-0x0000000002960000-0x000000000299E000-memory.dmp

Filesize
248KB

Download
memory/2436-56-0x0000000002960000-0x000000000299E000-memory.dmp

Filesize
248KB

Download
memory/2436-54-0x0000000002960000-0x000000000299E000-memory.dmp

Filesize
248KB

Download
memory/2436-52-0x0000000002960000-0x000000000299E000-memory.dmp

Filesize
248KB

Download
memory/2436-50-0x0000000002960000-0x000000000299E000-memory.dmp

Filesize
248KB

Download
memory/2436-48-0x0000000002960000-0x000000000299E000-memory.dmp

Filesize
248KB

Download
memory/2436-46-0x0000000002960000-0x000000000299E000-memory.dmp

Filesize
248KB

Download
memory/2436-44-0x0000000002960000-0x000000000299E000-memory.dmp

Filesize
248KB

Download
memory/2436-42-0x0000000002960000-0x000000000299E000-memory.dmp

Filesize
248KB

Download
memory/2436-40-0x0000000002960000-0x000000000299E000-memory.dmp

Filesize
248KB

Download
memory/2436-38-0x0000000002960000-0x000000000299E000-memory.dmp

Filesize
248KB

Download
memory/2436-36-0x0000000002960000-0x000000000299E000-memory.dmp

Filesize
248KB

Download
memory/2436-32-0x0000000002960000-0x000000000299E000-memory.dmp

Filesize
248KB

Download
memory/2436-30-0x0000000002960000-0x000000000299E000-memory.dmp

Filesize
248KB

Download
memory/2436-82-0x0000000002960000-0x000000000299E000-memory.dmp

Filesize
248KB

Download
memory/2436-28-0x0000000002960000-0x000000000299E000-memory.dmp

Filesize
248KB

Download
memory/2436-70-0x0000000002960000-0x000000000299E000-memory.dmp

Filesize
248KB

Download
memory/2436-58-0x0000000002960000-0x000000000299E000-memory.dmp

Filesize
248KB

Download
memory/2436-26-0x0000000002960000-0x000000000299E000-memory.dmp

Filesize
248KB

Download
memory/2436-25-0x0000000002960000-0x000000000299E000-memory.dmp

Filesize
248KB

Download
memory/2436-931-0x0000000005410000-0x0000000005A28000-memory.dmp

Filesize
6.1MB

Download
memory/2436-932-0x0000000005A80000-0x0000000005B8A000-memory.dmp

Filesize
1.0MB

Download
memory/2436-933-0x0000000005BC0000-0x0000000005BD2000-memory.dmp

Filesize
72KB

Download
memory/2436-934-0x0000000005BE0000-0x0000000005C1C000-memory.dmp

Filesize
240KB

Download
memory/2436-935-0x0000000005D30000-0x0000000005D7C000-memory.dmp

Filesize
304KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads