redline | 2e6cc644d077ff415e3dee4f709f1a9e9d7c48910485be336eac02135eea824e

Analysis

max time kernel
141s
max time network
144s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
11/11/2024, 09:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2e6cc644d077ff415e3dee4f709f1a9e9d7c48910485be336eac02135eea824e.exe
Size

767KB
MD5

12be7143c25631d3b4389d1f7a7abe80
SHA1

601722c7cb1a000707fa9bfb98892255de976564
SHA256

2e6cc644d077ff415e3dee4f709f1a9e9d7c48910485be336eac02135eea824e
SHA512

92f7e3bc4ccd40b19a2b97bde16d4afa416561122fc377641157900a42a363f7962cebf21e793b7cd9a14e899403ae2d2eef0a57667695a355b1fb710df61fb9
SSDEEP

12288:bMrly90CXgr104DZh5vFbz26fTMLTgWIF3Xv85tiOuEsKd+e4AMaqvChQMFsXY/6:ayhwK49LNDf8CBf8Ne6hQMhth+

Score

10^/10

redline romik discovery infostealer persistence

Malware Config

Extracted

Family

redline

Botnet

romik

193.233.20.12:4132

Attributes

auth_value
8fb78d2889ba0ca42678b59b884e88ff

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 35 IoCs

resource	yara_rule
behavioral1/memory/5036-22-0x00000000025B0000-0x00000000025F6000-memory.dmp	family_redline
behavioral1/memory/5036-24-0x00000000026C0000-0x0000000002704000-memory.dmp	family_redline
behavioral1/memory/5036-74-0x00000000026C0000-0x00000000026FE000-memory.dmp	family_redline
behavioral1/memory/5036-88-0x00000000026C0000-0x00000000026FE000-memory.dmp	family_redline
behavioral1/memory/5036-86-0x00000000026C0000-0x00000000026FE000-memory.dmp	family_redline
behavioral1/memory/5036-84-0x00000000026C0000-0x00000000026FE000-memory.dmp	family_redline
behavioral1/memory/5036-82-0x00000000026C0000-0x00000000026FE000-memory.dmp	family_redline
behavioral1/memory/5036-80-0x00000000026C0000-0x00000000026FE000-memory.dmp	family_redline
behavioral1/memory/5036-78-0x00000000026C0000-0x00000000026FE000-memory.dmp	family_redline
behavioral1/memory/5036-76-0x00000000026C0000-0x00000000026FE000-memory.dmp	family_redline
behavioral1/memory/5036-72-0x00000000026C0000-0x00000000026FE000-memory.dmp	family_redline
behavioral1/memory/5036-70-0x00000000026C0000-0x00000000026FE000-memory.dmp	family_redline
behavioral1/memory/5036-69-0x00000000026C0000-0x00000000026FE000-memory.dmp	family_redline
behavioral1/memory/5036-66-0x00000000026C0000-0x00000000026FE000-memory.dmp	family_redline
behavioral1/memory/5036-64-0x00000000026C0000-0x00000000026FE000-memory.dmp	family_redline
behavioral1/memory/5036-62-0x00000000026C0000-0x00000000026FE000-memory.dmp	family_redline
behavioral1/memory/5036-60-0x00000000026C0000-0x00000000026FE000-memory.dmp	family_redline
behavioral1/memory/5036-58-0x00000000026C0000-0x00000000026FE000-memory.dmp	family_redline
behavioral1/memory/5036-56-0x00000000026C0000-0x00000000026FE000-memory.dmp	family_redline
behavioral1/memory/5036-54-0x00000000026C0000-0x00000000026FE000-memory.dmp	family_redline
behavioral1/memory/5036-52-0x00000000026C0000-0x00000000026FE000-memory.dmp	family_redline
behavioral1/memory/5036-48-0x00000000026C0000-0x00000000026FE000-memory.dmp	family_redline
behavioral1/memory/5036-46-0x00000000026C0000-0x00000000026FE000-memory.dmp	family_redline
behavioral1/memory/5036-44-0x00000000026C0000-0x00000000026FE000-memory.dmp	family_redline
behavioral1/memory/5036-42-0x00000000026C0000-0x00000000026FE000-memory.dmp	family_redline
behavioral1/memory/5036-40-0x00000000026C0000-0x00000000026FE000-memory.dmp	family_redline
behavioral1/memory/5036-38-0x00000000026C0000-0x00000000026FE000-memory.dmp	family_redline
behavioral1/memory/5036-36-0x00000000026C0000-0x00000000026FE000-memory.dmp	family_redline
behavioral1/memory/5036-35-0x00000000026C0000-0x00000000026FE000-memory.dmp	family_redline
behavioral1/memory/5036-33-0x00000000026C0000-0x00000000026FE000-memory.dmp	family_redline
behavioral1/memory/5036-30-0x00000000026C0000-0x00000000026FE000-memory.dmp	family_redline
behavioral1/memory/5036-28-0x00000000026C0000-0x00000000026FE000-memory.dmp	family_redline
behavioral1/memory/5036-26-0x00000000026C0000-0x00000000026FE000-memory.dmp	family_redline
behavioral1/memory/5036-25-0x00000000026C0000-0x00000000026FE000-memory.dmp	family_redline
behavioral1/memory/5036-50-0x00000000026C0000-0x00000000026FE000-memory.dmp	family_redline

Redline family
redline

Executes dropped EXE 3 IoCs

pid	Process
2228	vcP52.exe
1472	vBJ01.exe
5036	dlm77.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	2e6cc644d077ff415e3dee4f709f1a9e9d7c48910485be336eac02135eea824e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	vcP52.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	vBJ01.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dlm77.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2e6cc644d077ff415e3dee4f709f1a9e9d7c48910485be336eac02135eea824e.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vcP52.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vBJ01.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	5036	dlm77.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 3712 wrote to memory of 2228	3712	2e6cc644d077ff415e3dee4f709f1a9e9d7c48910485be336eac02135eea824e.exe	84
PID 3712 wrote to memory of 2228	3712	2e6cc644d077ff415e3dee4f709f1a9e9d7c48910485be336eac02135eea824e.exe	84
PID 3712 wrote to memory of 2228	3712	2e6cc644d077ff415e3dee4f709f1a9e9d7c48910485be336eac02135eea824e.exe	84
PID 2228 wrote to memory of 1472	2228	vcP52.exe	86
PID 2228 wrote to memory of 1472	2228	vcP52.exe	86
PID 2228 wrote to memory of 1472	2228	vcP52.exe	86
PID 1472 wrote to memory of 5036	1472	vBJ01.exe	87
PID 1472 wrote to memory of 5036	1472	vBJ01.exe	87
PID 1472 wrote to memory of 5036	1472	vBJ01.exe	87

C:\Users\Admin\AppData\Local\Temp\2e6cc644d077ff415e3dee4f709f1a9e9d7c48910485be336eac02135eea824e.exe
"C:\Users\Admin\AppData\Local\Temp\2e6cc644d077ff415e3dee4f709f1a9e9d7c48910485be336eac02135eea824e.exe"
1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3712
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vcP52.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vcP52.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2228
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\vBJ01.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\vBJ01.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1472
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\dlm77.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\dlm77.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:5036

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vcP52.exe

Filesize
662KB

MD5
d9e739d9ff85a85d4ae6c0707ebef68b

SHA1
2082d945a785a3003b03d3e33a6e26c2f4d5ac24

SHA256
97e68cc6719f514f36fbb806bd5bd017325dbe9b6584c30fa8c6105bb22d1289

SHA512
6849ed07e32b620baadd68324266e12c691269ccd3da4ac24be69847be5536fbf953cd56ef39b072358f2637818ed77fe2045183ae5938d0736298b4b5c2d008

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\vBJ01.exe

Filesize
517KB

MD5
be3c2a6f36d8411f58580b0b2283046e

SHA1
77ac282e7ac1bd4be9cbf7b0c8dd797774433a72

SHA256
8f1bcb263e5bc70216a07df0fad50357e0dbf77d33417e212142e4d6eced875c

SHA512
17e8339b23db2955db972797d436618f521f3376a58ad1e6c26177c9288c15a21aa5e252199db1a69aba19f43f7ebed8fa35b5a319b7bddf1c9c95a5207011fa

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\dlm77.exe

Filesize
296KB

MD5
96cb25fef251057fd9f24f0c8cb90831

SHA1
dc393dceb9194a4814c42b87eb392ff37fca6c68

SHA256
d78d94ee7f5e64a25f292d51afee7a7a8f383a9a48a7d54135e9fdfc0fe7fdac

SHA512
6ad5d18632523607c9d7ec5bbc0dee2664755740a24b475bfc5f56b2707bef2343e12d3d2c6c0d5c7cf2239e245d6a8c6246ddeaf97ba4eba61a123cccaacaa0

Download Submit
memory/5036-22-0x00000000025B0000-0x00000000025F6000-memory.dmp

Filesize
280KB

Download
memory/5036-23-0x0000000004F50000-0x00000000054F4000-memory.dmp

Filesize
5.6MB

Download
memory/5036-24-0x00000000026C0000-0x0000000002704000-memory.dmp

Filesize
272KB

Download
memory/5036-74-0x00000000026C0000-0x00000000026FE000-memory.dmp

Filesize
248KB

Download
memory/5036-88-0x00000000026C0000-0x00000000026FE000-memory.dmp

Filesize
248KB

Download
memory/5036-86-0x00000000026C0000-0x00000000026FE000-memory.dmp

Filesize
248KB

Download
memory/5036-84-0x00000000026C0000-0x00000000026FE000-memory.dmp

Filesize
248KB

Download
memory/5036-82-0x00000000026C0000-0x00000000026FE000-memory.dmp

Filesize
248KB

Download
memory/5036-80-0x00000000026C0000-0x00000000026FE000-memory.dmp

Filesize
248KB

Download
memory/5036-78-0x00000000026C0000-0x00000000026FE000-memory.dmp

Filesize
248KB

Download
memory/5036-76-0x00000000026C0000-0x00000000026FE000-memory.dmp

Filesize
248KB

Download
memory/5036-72-0x00000000026C0000-0x00000000026FE000-memory.dmp

Filesize
248KB

Download
memory/5036-70-0x00000000026C0000-0x00000000026FE000-memory.dmp

Filesize
248KB

Download
memory/5036-69-0x00000000026C0000-0x00000000026FE000-memory.dmp

Filesize
248KB

Download
memory/5036-66-0x00000000026C0000-0x00000000026FE000-memory.dmp

Filesize
248KB

Download
memory/5036-64-0x00000000026C0000-0x00000000026FE000-memory.dmp

Filesize
248KB

Download
memory/5036-62-0x00000000026C0000-0x00000000026FE000-memory.dmp

Filesize
248KB

Download
memory/5036-60-0x00000000026C0000-0x00000000026FE000-memory.dmp

Filesize
248KB

Download
memory/5036-58-0x00000000026C0000-0x00000000026FE000-memory.dmp

Filesize
248KB

Download
memory/5036-56-0x00000000026C0000-0x00000000026FE000-memory.dmp

Filesize
248KB

Download
memory/5036-54-0x00000000026C0000-0x00000000026FE000-memory.dmp

Filesize
248KB

Download
memory/5036-52-0x00000000026C0000-0x00000000026FE000-memory.dmp

Filesize
248KB

Download
memory/5036-48-0x00000000026C0000-0x00000000026FE000-memory.dmp

Filesize
248KB

Download
memory/5036-46-0x00000000026C0000-0x00000000026FE000-memory.dmp

Filesize
248KB

Download
memory/5036-44-0x00000000026C0000-0x00000000026FE000-memory.dmp

Filesize
248KB

Download
memory/5036-42-0x00000000026C0000-0x00000000026FE000-memory.dmp

Filesize
248KB

Download
memory/5036-40-0x00000000026C0000-0x00000000026FE000-memory.dmp

Filesize
248KB

Download
memory/5036-38-0x00000000026C0000-0x00000000026FE000-memory.dmp

Filesize
248KB

Download
memory/5036-36-0x00000000026C0000-0x00000000026FE000-memory.dmp

Filesize
248KB

Download
memory/5036-35-0x00000000026C0000-0x00000000026FE000-memory.dmp

Filesize
248KB

Download
memory/5036-33-0x00000000026C0000-0x00000000026FE000-memory.dmp

Filesize
248KB

Download
memory/5036-30-0x00000000026C0000-0x00000000026FE000-memory.dmp

Filesize
248KB

Download
memory/5036-28-0x00000000026C0000-0x00000000026FE000-memory.dmp

Filesize
248KB

Download
memory/5036-26-0x00000000026C0000-0x00000000026FE000-memory.dmp

Filesize
248KB

Download
memory/5036-25-0x00000000026C0000-0x00000000026FE000-memory.dmp

Filesize
248KB

Download
memory/5036-50-0x00000000026C0000-0x00000000026FE000-memory.dmp

Filesize
248KB

Download
memory/5036-931-0x0000000005500000-0x0000000005B18000-memory.dmp

Filesize
6.1MB

Download
memory/5036-932-0x0000000005B20000-0x0000000005C2A000-memory.dmp

Filesize
1.0MB

Download
memory/5036-933-0x0000000004ED0000-0x0000000004EE2000-memory.dmp

Filesize
72KB

Download
memory/5036-934-0x0000000004EF0000-0x0000000004F2C000-memory.dmp

Filesize
240KB

Download
memory/5036-935-0x0000000005D30000-0x0000000005D7C000-memory.dmp

Filesize
304KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads