redline | 42abed12bbc0d477c14ad84d40d0ff584c2d48c8f5c902d8ace0aa0be5c7efb8

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
11/11/2024, 09:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

42abed12bbc0d477c14ad84d40d0ff584c2d48c8f5c902d8ace0aa0be5c7efb8.exe
Size

769KB
MD5

f7dd5aac5c26446bd98e1f0fbed4500a
SHA1

d874414c1e54589814bf05510ab364c355678f4d
SHA256

42abed12bbc0d477c14ad84d40d0ff584c2d48c8f5c902d8ace0aa0be5c7efb8
SHA512

6a0964b00960b1ee78d4bd7ae33ed8895b05c51ae9fe8360e963998576a27dfb3ccf745d6d5e846cf9d42e6d6a919da74122cad2777d1b34634e694dfedc78e8
SSDEEP

12288:yMrQy907pHtPNg4hdDwiIOjog5qbhnWtdxhYselL8Pc+u9:SygpNq6BwiI9gY9nkheB6u9

Score

10^/10

redline romik discovery infostealer persistence

Malware Config

Extracted

Family

redline

Botnet

romik

193.233.20.12:4132

Attributes

auth_value
8fb78d2889ba0ca42678b59b884e88ff

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 35 IoCs

resource	yara_rule
behavioral1/memory/968-25-0x0000000004AA0000-0x0000000004AE6000-memory.dmp	family_redline
behavioral1/memory/968-27-0x0000000005130000-0x0000000005174000-memory.dmp	family_redline
behavioral1/memory/968-37-0x0000000005130000-0x000000000516E000-memory.dmp	family_redline
behavioral1/memory/968-43-0x0000000005130000-0x000000000516E000-memory.dmp	family_redline
behavioral1/memory/968-91-0x0000000005130000-0x000000000516E000-memory.dmp	family_redline
behavioral1/memory/968-89-0x0000000005130000-0x000000000516E000-memory.dmp	family_redline
behavioral1/memory/968-87-0x0000000005130000-0x000000000516E000-memory.dmp	family_redline
behavioral1/memory/968-85-0x0000000005130000-0x000000000516E000-memory.dmp	family_redline
behavioral1/memory/968-83-0x0000000005130000-0x000000000516E000-memory.dmp	family_redline
behavioral1/memory/968-81-0x0000000005130000-0x000000000516E000-memory.dmp	family_redline
behavioral1/memory/968-79-0x0000000005130000-0x000000000516E000-memory.dmp	family_redline
behavioral1/memory/968-75-0x0000000005130000-0x000000000516E000-memory.dmp	family_redline
behavioral1/memory/968-73-0x0000000005130000-0x000000000516E000-memory.dmp	family_redline
behavioral1/memory/968-71-0x0000000005130000-0x000000000516E000-memory.dmp	family_redline
behavioral1/memory/968-70-0x0000000005130000-0x000000000516E000-memory.dmp	family_redline
behavioral1/memory/968-67-0x0000000005130000-0x000000000516E000-memory.dmp	family_redline
behavioral1/memory/968-65-0x0000000005130000-0x000000000516E000-memory.dmp	family_redline
behavioral1/memory/968-63-0x0000000005130000-0x000000000516E000-memory.dmp	family_redline
behavioral1/memory/968-61-0x0000000005130000-0x000000000516E000-memory.dmp	family_redline
behavioral1/memory/968-59-0x0000000005130000-0x000000000516E000-memory.dmp	family_redline
behavioral1/memory/968-57-0x0000000005130000-0x000000000516E000-memory.dmp	family_redline
behavioral1/memory/968-55-0x0000000005130000-0x000000000516E000-memory.dmp	family_redline
behavioral1/memory/968-51-0x0000000005130000-0x000000000516E000-memory.dmp	family_redline
behavioral1/memory/968-49-0x0000000005130000-0x000000000516E000-memory.dmp	family_redline
behavioral1/memory/968-47-0x0000000005130000-0x000000000516E000-memory.dmp	family_redline
behavioral1/memory/968-45-0x0000000005130000-0x000000000516E000-memory.dmp	family_redline
behavioral1/memory/968-41-0x0000000005130000-0x000000000516E000-memory.dmp	family_redline
behavioral1/memory/968-39-0x0000000005130000-0x000000000516E000-memory.dmp	family_redline
behavioral1/memory/968-35-0x0000000005130000-0x000000000516E000-memory.dmp	family_redline
behavioral1/memory/968-33-0x0000000005130000-0x000000000516E000-memory.dmp	family_redline
behavioral1/memory/968-77-0x0000000005130000-0x000000000516E000-memory.dmp	family_redline
behavioral1/memory/968-53-0x0000000005130000-0x000000000516E000-memory.dmp	family_redline
behavioral1/memory/968-31-0x0000000005130000-0x000000000516E000-memory.dmp	family_redline
behavioral1/memory/968-29-0x0000000005130000-0x000000000516E000-memory.dmp	family_redline
behavioral1/memory/968-28-0x0000000005130000-0x000000000516E000-memory.dmp	family_redline

Redline family
redline

Executes dropped EXE 3 IoCs

pid	Process
632	vqV84.exe
1340	viL62.exe
968	dDN02.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	viL62.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	42abed12bbc0d477c14ad84d40d0ff584c2d48c8f5c902d8ace0aa0be5c7efb8.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	vqV84.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	viL62.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dDN02.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	42abed12bbc0d477c14ad84d40d0ff584c2d48c8f5c902d8ace0aa0be5c7efb8.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vqV84.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	968	dDN02.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 1652 wrote to memory of 632	1652	42abed12bbc0d477c14ad84d40d0ff584c2d48c8f5c902d8ace0aa0be5c7efb8.exe	83
PID 1652 wrote to memory of 632	1652	42abed12bbc0d477c14ad84d40d0ff584c2d48c8f5c902d8ace0aa0be5c7efb8.exe	83
PID 1652 wrote to memory of 632	1652	42abed12bbc0d477c14ad84d40d0ff584c2d48c8f5c902d8ace0aa0be5c7efb8.exe	83
PID 632 wrote to memory of 1340	632	vqV84.exe	84
PID 632 wrote to memory of 1340	632	vqV84.exe	84
PID 632 wrote to memory of 1340	632	vqV84.exe	84
PID 1340 wrote to memory of 968	1340	viL62.exe	85
PID 1340 wrote to memory of 968	1340	viL62.exe	85
PID 1340 wrote to memory of 968	1340	viL62.exe	85

C:\Users\Admin\AppData\Local\Temp\42abed12bbc0d477c14ad84d40d0ff584c2d48c8f5c902d8ace0aa0be5c7efb8.exe
"C:\Users\Admin\AppData\Local\Temp\42abed12bbc0d477c14ad84d40d0ff584c2d48c8f5c902d8ace0aa0be5c7efb8.exe"
1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1652
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vqV84.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vqV84.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:632
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\viL62.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\viL62.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1340
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\dDN02.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\dDN02.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:968

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vqV84.exe

Filesize
665KB

MD5
0e669d897d6e2fab91bdf4e905a71dc2

SHA1
79908d1ce0a4099cd1e9fcb3271c0f1a182a1190

SHA256
d590f520bad01600cad362cb60fecbaf9a5d184c7047cf6f83801d1995c11bef

SHA512
163ffdf4dcb3c1b2256aa04c1d2a9c5483d0d8166ce9aa3a471e3b5c7a542284be86c4dfa38d15bb77c3a640e133f9e6cfb152000f108491683fcc7577c7b5ab

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\viL62.exe

Filesize
520KB

MD5
85981e0ba7c6074f36e62f2c9f6ded72

SHA1
cd02b804787df99b842de593b4d975a076bf1494

SHA256
993ccf68de5e9d141242a51936c9dc14dd99c83b6cd7503d1fd138224f735523

SHA512
f25cafa4baa784fcb22acd382bccea3ce9ea838e59cfca2982eb6461b90af5861279b941091d43d22d18c6c1e28c1a76d601793a253c476157b579db9e04ee4d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\dDN02.exe

Filesize
305KB

MD5
2912e4ea81ea3271b0533d672791b1ad

SHA1
b5ef6b062c57da9614baf0faa3270eb6778a940c

SHA256
171384e592b4da9bac78fbcb0feb4d46de8e302c960ed3464a399bb3c023253c

SHA512
65be335994bb6bb1bb636001afcefd0d3a1052ef4e863f0613a0ba352e6af62dc469d09cdfc3a559e8e6a2cbebf92cc74cc11b5f39c1cb19cec82f6c77b859a2

Download Submit
memory/968-22-0x00000000006D0000-0x00000000007D0000-memory.dmp

Filesize
1024KB

Download
memory/968-23-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/968-24-0x0000000000400000-0x000000000057D000-memory.dmp

Filesize
1.5MB

Download
memory/968-25-0x0000000004AA0000-0x0000000004AE6000-memory.dmp

Filesize
280KB

Download
memory/968-26-0x0000000004B40000-0x00000000050E4000-memory.dmp

Filesize
5.6MB

Download
memory/968-27-0x0000000005130000-0x0000000005174000-memory.dmp

Filesize
272KB

Download
memory/968-37-0x0000000005130000-0x000000000516E000-memory.dmp

Filesize
248KB

Download
memory/968-43-0x0000000005130000-0x000000000516E000-memory.dmp

Filesize
248KB

Download
memory/968-91-0x0000000005130000-0x000000000516E000-memory.dmp

Filesize
248KB

Download
memory/968-89-0x0000000005130000-0x000000000516E000-memory.dmp

Filesize
248KB

Download
memory/968-87-0x0000000005130000-0x000000000516E000-memory.dmp

Filesize
248KB

Download
memory/968-85-0x0000000005130000-0x000000000516E000-memory.dmp

Filesize
248KB

Download
memory/968-83-0x0000000005130000-0x000000000516E000-memory.dmp

Filesize
248KB

Download
memory/968-81-0x0000000005130000-0x000000000516E000-memory.dmp

Filesize
248KB

Download
memory/968-79-0x0000000005130000-0x000000000516E000-memory.dmp

Filesize
248KB

Download
memory/968-75-0x0000000005130000-0x000000000516E000-memory.dmp

Filesize
248KB

Download
memory/968-73-0x0000000005130000-0x000000000516E000-memory.dmp

Filesize
248KB

Download
memory/968-71-0x0000000005130000-0x000000000516E000-memory.dmp

Filesize
248KB

Download
memory/968-70-0x0000000005130000-0x000000000516E000-memory.dmp

Filesize
248KB

Download
memory/968-67-0x0000000005130000-0x000000000516E000-memory.dmp

Filesize
248KB

Download
memory/968-65-0x0000000005130000-0x000000000516E000-memory.dmp

Filesize
248KB

Download
memory/968-63-0x0000000005130000-0x000000000516E000-memory.dmp

Filesize
248KB

Download
memory/968-61-0x0000000005130000-0x000000000516E000-memory.dmp

Filesize
248KB

Download
memory/968-59-0x0000000005130000-0x000000000516E000-memory.dmp

Filesize
248KB

Download
memory/968-57-0x0000000005130000-0x000000000516E000-memory.dmp

Filesize
248KB

Download
memory/968-55-0x0000000005130000-0x000000000516E000-memory.dmp

Filesize
248KB

Download
memory/968-51-0x0000000005130000-0x000000000516E000-memory.dmp

Filesize
248KB

Download
memory/968-49-0x0000000005130000-0x000000000516E000-memory.dmp

Filesize
248KB

Download
memory/968-47-0x0000000005130000-0x000000000516E000-memory.dmp

Filesize
248KB

Download
memory/968-45-0x0000000005130000-0x000000000516E000-memory.dmp

Filesize
248KB

Download
memory/968-41-0x0000000005130000-0x000000000516E000-memory.dmp

Filesize
248KB

Download
memory/968-39-0x0000000005130000-0x000000000516E000-memory.dmp

Filesize
248KB

Download
memory/968-35-0x0000000005130000-0x000000000516E000-memory.dmp

Filesize
248KB

Download
memory/968-33-0x0000000005130000-0x000000000516E000-memory.dmp

Filesize
248KB

Download
memory/968-77-0x0000000005130000-0x000000000516E000-memory.dmp

Filesize
248KB

Download
memory/968-53-0x0000000005130000-0x000000000516E000-memory.dmp

Filesize
248KB

Download
memory/968-31-0x0000000005130000-0x000000000516E000-memory.dmp

Filesize
248KB

Download
memory/968-29-0x0000000005130000-0x000000000516E000-memory.dmp

Filesize
248KB

Download
memory/968-28-0x0000000005130000-0x000000000516E000-memory.dmp

Filesize
248KB

Download
memory/968-934-0x00000000052F0000-0x0000000005908000-memory.dmp

Filesize
6.1MB

Download
memory/968-935-0x0000000005990000-0x0000000005A9A000-memory.dmp

Filesize
1.0MB

Download
memory/968-936-0x0000000005AD0000-0x0000000005AE2000-memory.dmp

Filesize
72KB

Download
memory/968-937-0x0000000005AF0000-0x0000000005B2C000-memory.dmp

Filesize
240KB

Download
memory/968-938-0x0000000005C40000-0x0000000005C8C000-memory.dmp

Filesize
304KB

Download
memory/968-940-0x00000000006D0000-0x00000000007D0000-memory.dmp

Filesize
1024KB

Download
memory/968-941-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/968-942-0x0000000000400000-0x000000000057D000-memory.dmp

Filesize
1.5MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads