redline | bb6472593d0116059f976a544317be720ce932e16a7a6f5244017aeb091f3e90

Analysis

max time kernel
111s
max time network
122s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
11/11/2024, 17:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

06a906dce9f19a4684d627900528b3fa00c8c9962cb75273130ab85e32a28de4N.exe
Size

764KB
MD5

92af0a5b9b2347ef6727a4afdc1b3411
SHA1

605672f554084e18f54182fd6417ab55a4917e76
SHA256

bb6472593d0116059f976a544317be720ce932e16a7a6f5244017aeb091f3e90
SHA512

15714eddf58713c03c1ac25aeb3951a16f0eda93b7dcf707fada1d63bd4000e3c0d1f5185c7622d91de2d99cb50700e0d15b1ea40c05839f8049d07dc159c679
SSDEEP

12288:RMr1y90eBOZx9EADWO06D4TnL83mYJN7O1JyAtzFTLz6olmjBAG0rtsZsPd:cywZx9j6O0kYnL8BfoUAlN/ulA/1Pd

Score

10^/10

redline romik discovery infostealer persistence

Malware Config

Extracted

Family

redline

Botnet

romik

193.233.20.12:4132

Attributes

auth_value
8fb78d2889ba0ca42678b59b884e88ff

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 35 IoCs

resource	yara_rule
behavioral1/memory/3232-22-0x0000000002660000-0x00000000026A6000-memory.dmp	family_redline
behavioral1/memory/3232-24-0x0000000002920000-0x0000000002964000-memory.dmp	family_redline
behavioral1/memory/3232-25-0x0000000002920000-0x000000000295E000-memory.dmp	family_redline
behavioral1/memory/3232-40-0x0000000002920000-0x000000000295E000-memory.dmp	family_redline
behavioral1/memory/3232-88-0x0000000002920000-0x000000000295E000-memory.dmp	family_redline
behavioral1/memory/3232-86-0x0000000002920000-0x000000000295E000-memory.dmp	family_redline
behavioral1/memory/3232-84-0x0000000002920000-0x000000000295E000-memory.dmp	family_redline
behavioral1/memory/3232-80-0x0000000002920000-0x000000000295E000-memory.dmp	family_redline
behavioral1/memory/3232-78-0x0000000002920000-0x000000000295E000-memory.dmp	family_redline
behavioral1/memory/3232-77-0x0000000002920000-0x000000000295E000-memory.dmp	family_redline
behavioral1/memory/3232-74-0x0000000002920000-0x000000000295E000-memory.dmp	family_redline
behavioral1/memory/3232-72-0x0000000002920000-0x000000000295E000-memory.dmp	family_redline
behavioral1/memory/3232-70-0x0000000002920000-0x000000000295E000-memory.dmp	family_redline
behavioral1/memory/3232-68-0x0000000002920000-0x000000000295E000-memory.dmp	family_redline
behavioral1/memory/3232-66-0x0000000002920000-0x000000000295E000-memory.dmp	family_redline
behavioral1/memory/3232-64-0x0000000002920000-0x000000000295E000-memory.dmp	family_redline
behavioral1/memory/3232-60-0x0000000002920000-0x000000000295E000-memory.dmp	family_redline
behavioral1/memory/3232-58-0x0000000002920000-0x000000000295E000-memory.dmp	family_redline
behavioral1/memory/3232-56-0x0000000002920000-0x000000000295E000-memory.dmp	family_redline
behavioral1/memory/3232-54-0x0000000002920000-0x000000000295E000-memory.dmp	family_redline
behavioral1/memory/3232-52-0x0000000002920000-0x000000000295E000-memory.dmp	family_redline
behavioral1/memory/3232-50-0x0000000002920000-0x000000000295E000-memory.dmp	family_redline
behavioral1/memory/3232-46-0x0000000002920000-0x000000000295E000-memory.dmp	family_redline
behavioral1/memory/3232-44-0x0000000002920000-0x000000000295E000-memory.dmp	family_redline
behavioral1/memory/3232-42-0x0000000002920000-0x000000000295E000-memory.dmp	family_redline
behavioral1/memory/3232-38-0x0000000002920000-0x000000000295E000-memory.dmp	family_redline
behavioral1/memory/3232-36-0x0000000002920000-0x000000000295E000-memory.dmp	family_redline
behavioral1/memory/3232-34-0x0000000002920000-0x000000000295E000-memory.dmp	family_redline
behavioral1/memory/3232-32-0x0000000002920000-0x000000000295E000-memory.dmp	family_redline
behavioral1/memory/3232-30-0x0000000002920000-0x000000000295E000-memory.dmp	family_redline
behavioral1/memory/3232-28-0x0000000002920000-0x000000000295E000-memory.dmp	family_redline
behavioral1/memory/3232-26-0x0000000002920000-0x000000000295E000-memory.dmp	family_redline
behavioral1/memory/3232-82-0x0000000002920000-0x000000000295E000-memory.dmp	family_redline
behavioral1/memory/3232-62-0x0000000002920000-0x000000000295E000-memory.dmp	family_redline
behavioral1/memory/3232-48-0x0000000002920000-0x000000000295E000-memory.dmp	family_redline

Redline family
redline

Executes dropped EXE 3 IoCs

pid	Process
1352	vHP13.exe
1336	vaK52.exe
3232	dVU43.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	06a906dce9f19a4684d627900528b3fa00c8c9962cb75273130ab85e32a28de4N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	vHP13.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	vaK52.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vaK52.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dVU43.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	06a906dce9f19a4684d627900528b3fa00c8c9962cb75273130ab85e32a28de4N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vHP13.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	3232	dVU43.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 3920 wrote to memory of 1352	3920	06a906dce9f19a4684d627900528b3fa00c8c9962cb75273130ab85e32a28de4N.exe	83
PID 3920 wrote to memory of 1352	3920	06a906dce9f19a4684d627900528b3fa00c8c9962cb75273130ab85e32a28de4N.exe	83
PID 3920 wrote to memory of 1352	3920	06a906dce9f19a4684d627900528b3fa00c8c9962cb75273130ab85e32a28de4N.exe	83
PID 1352 wrote to memory of 1336	1352	vHP13.exe	84
PID 1352 wrote to memory of 1336	1352	vHP13.exe	84
PID 1352 wrote to memory of 1336	1352	vHP13.exe	84
PID 1336 wrote to memory of 3232	1336	vaK52.exe	85
PID 1336 wrote to memory of 3232	1336	vaK52.exe	85
PID 1336 wrote to memory of 3232	1336	vaK52.exe	85

C:\Users\Admin\AppData\Local\Temp\06a906dce9f19a4684d627900528b3fa00c8c9962cb75273130ab85e32a28de4N.exe
"C:\Users\Admin\AppData\Local\Temp\06a906dce9f19a4684d627900528b3fa00c8c9962cb75273130ab85e32a28de4N.exe"
1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3920
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vHP13.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vHP13.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1352
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\vaK52.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\vaK52.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1336
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\dVU43.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\dVU43.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:3232

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vHP13.exe

Filesize
660KB

MD5
93860c2c2672eacddfc695b8312650b1

SHA1
34cf958777cbfe1668475dded84c535c452979cf

SHA256
2cd7da4c69d1511e1113be693474eff0eca51706bccee5ee68fa1a362c7b6b8b

SHA512
4c8d1811d355990e4a7ddcf6f4a6cd0e03534a6ebeecc86e31549c7e8cf5fa23de896014cf25c0b730385bd41473c7a15533e763f05d5dad16f1c23c6433038b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\vaK52.exe

Filesize
515KB

MD5
7ec5066b38d5b604c7fc69b4a631bf4f

SHA1
ab662c22af32755be901e08ef023113011167767

SHA256
763697e0615cd208407ca80dd06aee987f65280ab2a89c2d700ae7cd022f5fa5

SHA512
1ce1ddc0eb4b117765ff8909fbf4dd6048a3734c06c2281feb29ee441cb9d4024f0e66154184cd150555534c093482c33890f4e6694db015fcd4ae87814a1830

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\dVU43.exe

Filesize
296KB

MD5
b8c8132fcf9800ed3598f7cb2e9a5057

SHA1
93f3d94687f59a038d407dae0d80e6a573be1874

SHA256
d8e83015464713166e2a7580cf8c04d346c72624affc3839ae204093548fd9b4

SHA512
3688bcf4cb99717716e34cf6c2607f974e6662ad8c1a980da3bad66b8ae6f7cfa957ea58937f3a1927ccd5844c10fb9566e715869d766b70dbc16dc8c0bec6e6

Download Submit
memory/3232-22-0x0000000002660000-0x00000000026A6000-memory.dmp

Filesize
280KB

Download
memory/3232-23-0x0000000005040000-0x00000000055E4000-memory.dmp

Filesize
5.6MB

Download
memory/3232-24-0x0000000002920000-0x0000000002964000-memory.dmp

Filesize
272KB

Download
memory/3232-25-0x0000000002920000-0x000000000295E000-memory.dmp

Filesize
248KB

Download
memory/3232-40-0x0000000002920000-0x000000000295E000-memory.dmp

Filesize
248KB

Download
memory/3232-88-0x0000000002920000-0x000000000295E000-memory.dmp

Filesize
248KB

Download
memory/3232-86-0x0000000002920000-0x000000000295E000-memory.dmp

Filesize
248KB

Download
memory/3232-84-0x0000000002920000-0x000000000295E000-memory.dmp

Filesize
248KB

Download
memory/3232-80-0x0000000002920000-0x000000000295E000-memory.dmp

Filesize
248KB

Download
memory/3232-78-0x0000000002920000-0x000000000295E000-memory.dmp

Filesize
248KB

Download
memory/3232-77-0x0000000002920000-0x000000000295E000-memory.dmp

Filesize
248KB

Download
memory/3232-74-0x0000000002920000-0x000000000295E000-memory.dmp

Filesize
248KB

Download
memory/3232-72-0x0000000002920000-0x000000000295E000-memory.dmp

Filesize
248KB

Download
memory/3232-70-0x0000000002920000-0x000000000295E000-memory.dmp

Filesize
248KB

Download
memory/3232-68-0x0000000002920000-0x000000000295E000-memory.dmp

Filesize
248KB

Download
memory/3232-66-0x0000000002920000-0x000000000295E000-memory.dmp

Filesize
248KB

Download
memory/3232-64-0x0000000002920000-0x000000000295E000-memory.dmp

Filesize
248KB

Download
memory/3232-60-0x0000000002920000-0x000000000295E000-memory.dmp

Filesize
248KB

Download
memory/3232-58-0x0000000002920000-0x000000000295E000-memory.dmp

Filesize
248KB

Download
memory/3232-56-0x0000000002920000-0x000000000295E000-memory.dmp

Filesize
248KB

Download
memory/3232-54-0x0000000002920000-0x000000000295E000-memory.dmp

Filesize
248KB

Download
memory/3232-52-0x0000000002920000-0x000000000295E000-memory.dmp

Filesize
248KB

Download
memory/3232-50-0x0000000002920000-0x000000000295E000-memory.dmp

Filesize
248KB

Download
memory/3232-46-0x0000000002920000-0x000000000295E000-memory.dmp

Filesize
248KB

Download
memory/3232-44-0x0000000002920000-0x000000000295E000-memory.dmp

Filesize
248KB

Download
memory/3232-42-0x0000000002920000-0x000000000295E000-memory.dmp

Filesize
248KB

Download
memory/3232-38-0x0000000002920000-0x000000000295E000-memory.dmp

Filesize
248KB

Download
memory/3232-36-0x0000000002920000-0x000000000295E000-memory.dmp

Filesize
248KB

Download
memory/3232-34-0x0000000002920000-0x000000000295E000-memory.dmp

Filesize
248KB

Download
memory/3232-32-0x0000000002920000-0x000000000295E000-memory.dmp

Filesize
248KB

Download
memory/3232-30-0x0000000002920000-0x000000000295E000-memory.dmp

Filesize
248KB

Download
memory/3232-28-0x0000000002920000-0x000000000295E000-memory.dmp

Filesize
248KB

Download
memory/3232-26-0x0000000002920000-0x000000000295E000-memory.dmp

Filesize
248KB

Download
memory/3232-82-0x0000000002920000-0x000000000295E000-memory.dmp

Filesize
248KB

Download
memory/3232-62-0x0000000002920000-0x000000000295E000-memory.dmp

Filesize
248KB

Download
memory/3232-48-0x0000000002920000-0x000000000295E000-memory.dmp

Filesize
248KB

Download
memory/3232-931-0x00000000055F0000-0x0000000005C08000-memory.dmp

Filesize
6.1MB

Download
memory/3232-932-0x0000000004EA0000-0x0000000004FAA000-memory.dmp

Filesize
1.0MB

Download
memory/3232-933-0x0000000004FE0000-0x0000000004FF2000-memory.dmp

Filesize
72KB

Download
memory/3232-934-0x0000000005C10000-0x0000000005C4C000-memory.dmp

Filesize
240KB

Download
memory/3232-935-0x0000000005D50000-0x0000000005D9C000-memory.dmp

Filesize
304KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads