redline | f35d7ff51b69717921ee6ab5033d965c23d22b1127e8f225ddfb77632fce24b9

Analysis

max time kernel
141s
max time network
144s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
11/11/2024, 08:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f35d7ff51b69717921ee6ab5033d965c23d22b1127e8f225ddfb77632fce24b9.exe
Size

837KB
MD5

bd757df01ad12051ee4bf47fd16becf0
SHA1

7809fed8bb79a099bab0219f2df3cefff2f860c6
SHA256

f35d7ff51b69717921ee6ab5033d965c23d22b1127e8f225ddfb77632fce24b9
SHA512

3434d6dbed017ebedb6908672327ad0a84d5de7d01b43319b05bf788547148bfe95d90fa18ccc25339aafc60ac06ee897d7575e6dedaab0b6f4fabd44dd36c9b
SSDEEP

12288:aMr2y90eSKuds/8wHYasRU+HVEbdsUDeEqxstQJPDQaxx3tNHnerD:AyuKuds/8wHYasRU+H6h30sKhDtV0D

Score

10^/10

redline romik discovery infostealer persistence

Malware Config

Extracted

Family

redline

Botnet

romik

193.233.20.12:4132

Attributes

auth_value
8fb78d2889ba0ca42678b59b884e88ff

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 35 IoCs

resource	yara_rule
behavioral1/memory/3456-22-0x00000000026C0000-0x0000000002706000-memory.dmp	family_redline
behavioral1/memory/3456-24-0x0000000004CD0000-0x0000000004D14000-memory.dmp	family_redline
behavioral1/memory/3456-40-0x0000000004CD0000-0x0000000004D0E000-memory.dmp	family_redline
behavioral1/memory/3456-88-0x0000000004CD0000-0x0000000004D0E000-memory.dmp	family_redline
behavioral1/memory/3456-86-0x0000000004CD0000-0x0000000004D0E000-memory.dmp	family_redline
behavioral1/memory/3456-84-0x0000000004CD0000-0x0000000004D0E000-memory.dmp	family_redline
behavioral1/memory/3456-82-0x0000000004CD0000-0x0000000004D0E000-memory.dmp	family_redline
behavioral1/memory/3456-80-0x0000000004CD0000-0x0000000004D0E000-memory.dmp	family_redline
behavioral1/memory/3456-78-0x0000000004CD0000-0x0000000004D0E000-memory.dmp	family_redline
behavioral1/memory/3456-76-0x0000000004CD0000-0x0000000004D0E000-memory.dmp	family_redline
behavioral1/memory/3456-72-0x0000000004CD0000-0x0000000004D0E000-memory.dmp	family_redline
behavioral1/memory/3456-70-0x0000000004CD0000-0x0000000004D0E000-memory.dmp	family_redline
behavioral1/memory/3456-68-0x0000000004CD0000-0x0000000004D0E000-memory.dmp	family_redline
behavioral1/memory/3456-66-0x0000000004CD0000-0x0000000004D0E000-memory.dmp	family_redline
behavioral1/memory/3456-64-0x0000000004CD0000-0x0000000004D0E000-memory.dmp	family_redline
behavioral1/memory/3456-62-0x0000000004CD0000-0x0000000004D0E000-memory.dmp	family_redline
behavioral1/memory/3456-60-0x0000000004CD0000-0x0000000004D0E000-memory.dmp	family_redline
behavioral1/memory/3456-58-0x0000000004CD0000-0x0000000004D0E000-memory.dmp	family_redline
behavioral1/memory/3456-56-0x0000000004CD0000-0x0000000004D0E000-memory.dmp	family_redline
behavioral1/memory/3456-54-0x0000000004CD0000-0x0000000004D0E000-memory.dmp	family_redline
behavioral1/memory/3456-52-0x0000000004CD0000-0x0000000004D0E000-memory.dmp	family_redline
behavioral1/memory/3456-48-0x0000000004CD0000-0x0000000004D0E000-memory.dmp	family_redline
behavioral1/memory/3456-46-0x0000000004CD0000-0x0000000004D0E000-memory.dmp	family_redline
behavioral1/memory/3456-44-0x0000000004CD0000-0x0000000004D0E000-memory.dmp	family_redline
behavioral1/memory/3456-42-0x0000000004CD0000-0x0000000004D0E000-memory.dmp	family_redline
behavioral1/memory/3456-38-0x0000000004CD0000-0x0000000004D0E000-memory.dmp	family_redline
behavioral1/memory/3456-36-0x0000000004CD0000-0x0000000004D0E000-memory.dmp	family_redline
behavioral1/memory/3456-34-0x0000000004CD0000-0x0000000004D0E000-memory.dmp	family_redline
behavioral1/memory/3456-32-0x0000000004CD0000-0x0000000004D0E000-memory.dmp	family_redline
behavioral1/memory/3456-30-0x0000000004CD0000-0x0000000004D0E000-memory.dmp	family_redline
behavioral1/memory/3456-74-0x0000000004CD0000-0x0000000004D0E000-memory.dmp	family_redline
behavioral1/memory/3456-28-0x0000000004CD0000-0x0000000004D0E000-memory.dmp	family_redline
behavioral1/memory/3456-26-0x0000000004CD0000-0x0000000004D0E000-memory.dmp	family_redline
behavioral1/memory/3456-50-0x0000000004CD0000-0x0000000004D0E000-memory.dmp	family_redline
behavioral1/memory/3456-25-0x0000000004CD0000-0x0000000004D0E000-memory.dmp	family_redline

Redline family
redline

Executes dropped EXE 3 IoCs

pid	Process
3532	vxq98.exe
100	vow79.exe
3456	dXq48.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	f35d7ff51b69717921ee6ab5033d965c23d22b1127e8f225ddfb77632fce24b9.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	vxq98.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	vow79.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f35d7ff51b69717921ee6ab5033d965c23d22b1127e8f225ddfb77632fce24b9.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vxq98.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vow79.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dXq48.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	3456	dXq48.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 1668 wrote to memory of 3532	1668	f35d7ff51b69717921ee6ab5033d965c23d22b1127e8f225ddfb77632fce24b9.exe	83
PID 1668 wrote to memory of 3532	1668	f35d7ff51b69717921ee6ab5033d965c23d22b1127e8f225ddfb77632fce24b9.exe	83
PID 1668 wrote to memory of 3532	1668	f35d7ff51b69717921ee6ab5033d965c23d22b1127e8f225ddfb77632fce24b9.exe	83
PID 3532 wrote to memory of 100	3532	vxq98.exe	84
PID 3532 wrote to memory of 100	3532	vxq98.exe	84
PID 3532 wrote to memory of 100	3532	vxq98.exe	84
PID 100 wrote to memory of 3456	100	vow79.exe	85
PID 100 wrote to memory of 3456	100	vow79.exe	85
PID 100 wrote to memory of 3456	100	vow79.exe	85

C:\Users\Admin\AppData\Local\Temp\f35d7ff51b69717921ee6ab5033d965c23d22b1127e8f225ddfb77632fce24b9.exe
"C:\Users\Admin\AppData\Local\Temp\f35d7ff51b69717921ee6ab5033d965c23d22b1127e8f225ddfb77632fce24b9.exe"
1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1668
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vxq98.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vxq98.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3532
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\vow79.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\vow79.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:100
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\dXq48.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\dXq48.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:3456

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vxq98.exe

Filesize
733KB

MD5
808720598383f6ce34866d1386a7497d

SHA1
50a5d2b6549d59616fb9067ca02ee1fd80ce15f7

SHA256
5d9ee4faeabbe5bd559f7bc0758da46f5375013fc86946ed5e4605fa3383e7ca

SHA512
b571abeb700c7017e697d64ee7fadfbc6030327c05c097cb16476ff4952a259381afb96a413e7132c5d3f04569448e33b9a88ac318e645ed4d936ee7c94fa163

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\vow79.exe

Filesize
588KB

MD5
36f593c113598104f57f4e0cfe958f3c

SHA1
db6379d6c4734045b827fb3d87a11b1aba75d94d

SHA256
da242dce74bdeaaa9429453a2b470dbc5722b13e151aa704e41be744468f2070

SHA512
6b22f3976546f5ffdf4ba1ca487eec3ae0d0c4b3b192f2878bed5c69fdac9cc5d2db477bdb0363687f73f7e9be42dced0d57e24bfafa7e03b3efd0b35a51a665

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\dXq48.exe

Filesize
479KB

MD5
285075759e1fdcae6a0deb572b9f2deb

SHA1
8ba0efce7c3edce13cd2cda3c250fe4f7c90ff7b

SHA256
b5bdf2dbf6d46257447f8b9633c4b3c1905171c0ca9e6a8c1954a92accbb00c1

SHA512
54338da73f8e569a9d450ac4092d385488103da32cdfddea13d0a92c847d197584683b26a21c5fa37625ce01220717ea34d8b4da4cd3a026e15b77ef23771f02

Download Submit
memory/3456-22-0x00000000026C0000-0x0000000002706000-memory.dmp

Filesize
280KB

Download
memory/3456-23-0x0000000004DC0000-0x0000000005364000-memory.dmp

Filesize
5.6MB

Download
memory/3456-24-0x0000000004CD0000-0x0000000004D14000-memory.dmp

Filesize
272KB

Download
memory/3456-40-0x0000000004CD0000-0x0000000004D0E000-memory.dmp

Filesize
248KB

Download
memory/3456-88-0x0000000004CD0000-0x0000000004D0E000-memory.dmp

Filesize
248KB

Download
memory/3456-86-0x0000000004CD0000-0x0000000004D0E000-memory.dmp

Filesize
248KB

Download
memory/3456-84-0x0000000004CD0000-0x0000000004D0E000-memory.dmp

Filesize
248KB

Download
memory/3456-82-0x0000000004CD0000-0x0000000004D0E000-memory.dmp

Filesize
248KB

Download
memory/3456-80-0x0000000004CD0000-0x0000000004D0E000-memory.dmp

Filesize
248KB

Download
memory/3456-78-0x0000000004CD0000-0x0000000004D0E000-memory.dmp

Filesize
248KB

Download
memory/3456-76-0x0000000004CD0000-0x0000000004D0E000-memory.dmp

Filesize
248KB

Download
memory/3456-72-0x0000000004CD0000-0x0000000004D0E000-memory.dmp

Filesize
248KB

Download
memory/3456-70-0x0000000004CD0000-0x0000000004D0E000-memory.dmp

Filesize
248KB

Download
memory/3456-68-0x0000000004CD0000-0x0000000004D0E000-memory.dmp

Filesize
248KB

Download
memory/3456-66-0x0000000004CD0000-0x0000000004D0E000-memory.dmp

Filesize
248KB

Download
memory/3456-64-0x0000000004CD0000-0x0000000004D0E000-memory.dmp

Filesize
248KB

Download
memory/3456-62-0x0000000004CD0000-0x0000000004D0E000-memory.dmp

Filesize
248KB

Download
memory/3456-60-0x0000000004CD0000-0x0000000004D0E000-memory.dmp

Filesize
248KB

Download
memory/3456-58-0x0000000004CD0000-0x0000000004D0E000-memory.dmp

Filesize
248KB

Download
memory/3456-56-0x0000000004CD0000-0x0000000004D0E000-memory.dmp

Filesize
248KB

Download
memory/3456-54-0x0000000004CD0000-0x0000000004D0E000-memory.dmp

Filesize
248KB

Download
memory/3456-52-0x0000000004CD0000-0x0000000004D0E000-memory.dmp

Filesize
248KB

Download
memory/3456-48-0x0000000004CD0000-0x0000000004D0E000-memory.dmp

Filesize
248KB

Download
memory/3456-46-0x0000000004CD0000-0x0000000004D0E000-memory.dmp

Filesize
248KB

Download
memory/3456-44-0x0000000004CD0000-0x0000000004D0E000-memory.dmp

Filesize
248KB

Download
memory/3456-42-0x0000000004CD0000-0x0000000004D0E000-memory.dmp

Filesize
248KB

Download
memory/3456-38-0x0000000004CD0000-0x0000000004D0E000-memory.dmp

Filesize
248KB

Download
memory/3456-36-0x0000000004CD0000-0x0000000004D0E000-memory.dmp

Filesize
248KB

Download
memory/3456-34-0x0000000004CD0000-0x0000000004D0E000-memory.dmp

Filesize
248KB

Download
memory/3456-32-0x0000000004CD0000-0x0000000004D0E000-memory.dmp

Filesize
248KB

Download
memory/3456-30-0x0000000004CD0000-0x0000000004D0E000-memory.dmp

Filesize
248KB

Download
memory/3456-74-0x0000000004CD0000-0x0000000004D0E000-memory.dmp

Filesize
248KB

Download
memory/3456-28-0x0000000004CD0000-0x0000000004D0E000-memory.dmp

Filesize
248KB

Download
memory/3456-26-0x0000000004CD0000-0x0000000004D0E000-memory.dmp

Filesize
248KB

Download
memory/3456-50-0x0000000004CD0000-0x0000000004D0E000-memory.dmp

Filesize
248KB

Download
memory/3456-25-0x0000000004CD0000-0x0000000004D0E000-memory.dmp

Filesize
248KB

Download
memory/3456-931-0x0000000005370000-0x0000000005988000-memory.dmp

Filesize
6.1MB

Download
memory/3456-932-0x00000000059B0000-0x0000000005ABA000-memory.dmp

Filesize
1.0MB

Download
memory/3456-933-0x0000000005AF0000-0x0000000005B02000-memory.dmp

Filesize
72KB

Download
memory/3456-934-0x0000000005B50000-0x0000000005B8C000-memory.dmp

Filesize
240KB

Download
memory/3456-935-0x0000000005C90000-0x0000000005CDC000-memory.dmp

Filesize
304KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads