redline | 9193d951a0901cda90a698f00dfcccedeba8ee207e73f3629f8cdfb1ac4921cc

Analysis

max time kernel
111s
max time network
119s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
12/11/2024, 11:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9193d951a0901cda90a698f00dfcccedeba8ee207e73f3629f8cdfb1ac4921cc.exe
Size

764KB
MD5

ad92dc1ed912b6d203438b1b033da987
SHA1

a68edb9a4e93c79ac3c99649ac91471c781ef17e
SHA256

9193d951a0901cda90a698f00dfcccedeba8ee207e73f3629f8cdfb1ac4921cc
SHA512

4e9b12e41abc150e88e242cf7294950611f01e3b8f75808def12f826d6e8bb57fda87bd9d995ab94d11d46463fadd9662c2046b8ff63c47895a907713c05b998
SSDEEP

12288:RMr1y90eBOZx9EADWO06D4TnL83mYJN7O1JyAtzFTLz6olmjBAG0rtsZsPg:cywZx9j6O0kYnL8BfoUAlN/ulA/1Pg

Score

10^/10

redline romik discovery infostealer persistence

Malware Config

Extracted

Family

redline

Botnet

romik

193.233.20.12:4132

Attributes

auth_value
8fb78d2889ba0ca42678b59b884e88ff

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 35 IoCs

resource	yara_rule
behavioral1/memory/3504-22-0x00000000027A0000-0x00000000027E6000-memory.dmp	family_redline
behavioral1/memory/3504-24-0x0000000002950000-0x0000000002994000-memory.dmp	family_redline
behavioral1/memory/3504-84-0x0000000002950000-0x000000000298E000-memory.dmp	family_redline
behavioral1/memory/3504-88-0x0000000002950000-0x000000000298E000-memory.dmp	family_redline
behavioral1/memory/3504-86-0x0000000002950000-0x000000000298E000-memory.dmp	family_redline
behavioral1/memory/3504-82-0x0000000002950000-0x000000000298E000-memory.dmp	family_redline
behavioral1/memory/3504-80-0x0000000002950000-0x000000000298E000-memory.dmp	family_redline
behavioral1/memory/3504-78-0x0000000002950000-0x000000000298E000-memory.dmp	family_redline
behavioral1/memory/3504-76-0x0000000002950000-0x000000000298E000-memory.dmp	family_redline
behavioral1/memory/3504-74-0x0000000002950000-0x000000000298E000-memory.dmp	family_redline
behavioral1/memory/3504-73-0x0000000002950000-0x000000000298E000-memory.dmp	family_redline
behavioral1/memory/3504-68-0x0000000002950000-0x000000000298E000-memory.dmp	family_redline
behavioral1/memory/3504-66-0x0000000002950000-0x000000000298E000-memory.dmp	family_redline
behavioral1/memory/3504-64-0x0000000002950000-0x000000000298E000-memory.dmp	family_redline
behavioral1/memory/3504-62-0x0000000002950000-0x000000000298E000-memory.dmp	family_redline
behavioral1/memory/3504-60-0x0000000002950000-0x000000000298E000-memory.dmp	family_redline
behavioral1/memory/3504-58-0x0000000002950000-0x000000000298E000-memory.dmp	family_redline
behavioral1/memory/3504-56-0x0000000002950000-0x000000000298E000-memory.dmp	family_redline
behavioral1/memory/3504-54-0x0000000002950000-0x000000000298E000-memory.dmp	family_redline
behavioral1/memory/3504-52-0x0000000002950000-0x000000000298E000-memory.dmp	family_redline
behavioral1/memory/3504-50-0x0000000002950000-0x000000000298E000-memory.dmp	family_redline
behavioral1/memory/3504-46-0x0000000002950000-0x000000000298E000-memory.dmp	family_redline
behavioral1/memory/3504-44-0x0000000002950000-0x000000000298E000-memory.dmp	family_redline
behavioral1/memory/3504-42-0x0000000002950000-0x000000000298E000-memory.dmp	family_redline
behavioral1/memory/3504-40-0x0000000002950000-0x000000000298E000-memory.dmp	family_redline
behavioral1/memory/3504-38-0x0000000002950000-0x000000000298E000-memory.dmp	family_redline
behavioral1/memory/3504-36-0x0000000002950000-0x000000000298E000-memory.dmp	family_redline
behavioral1/memory/3504-34-0x0000000002950000-0x000000000298E000-memory.dmp	family_redline
behavioral1/memory/3504-32-0x0000000002950000-0x000000000298E000-memory.dmp	family_redline
behavioral1/memory/3504-30-0x0000000002950000-0x000000000298E000-memory.dmp	family_redline
behavioral1/memory/3504-28-0x0000000002950000-0x000000000298E000-memory.dmp	family_redline
behavioral1/memory/3504-26-0x0000000002950000-0x000000000298E000-memory.dmp	family_redline
behavioral1/memory/3504-25-0x0000000002950000-0x000000000298E000-memory.dmp	family_redline
behavioral1/memory/3504-70-0x0000000002950000-0x000000000298E000-memory.dmp	family_redline
behavioral1/memory/3504-48-0x0000000002950000-0x000000000298E000-memory.dmp	family_redline

Redline family
redline

Executes dropped EXE 3 IoCs

pid	Process
3172	vHP13.exe
3528	vaK52.exe
3504	dVU43.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	9193d951a0901cda90a698f00dfcccedeba8ee207e73f3629f8cdfb1ac4921cc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	vHP13.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	vaK52.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	9193d951a0901cda90a698f00dfcccedeba8ee207e73f3629f8cdfb1ac4921cc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vHP13.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vaK52.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dVU43.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	3504	dVU43.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 636 wrote to memory of 3172	636	9193d951a0901cda90a698f00dfcccedeba8ee207e73f3629f8cdfb1ac4921cc.exe	83
PID 636 wrote to memory of 3172	636	9193d951a0901cda90a698f00dfcccedeba8ee207e73f3629f8cdfb1ac4921cc.exe	83
PID 636 wrote to memory of 3172	636	9193d951a0901cda90a698f00dfcccedeba8ee207e73f3629f8cdfb1ac4921cc.exe	83
PID 3172 wrote to memory of 3528	3172	vHP13.exe	85
PID 3172 wrote to memory of 3528	3172	vHP13.exe	85
PID 3172 wrote to memory of 3528	3172	vHP13.exe	85
PID 3528 wrote to memory of 3504	3528	vaK52.exe	87
PID 3528 wrote to memory of 3504	3528	vaK52.exe	87
PID 3528 wrote to memory of 3504	3528	vaK52.exe	87

C:\Users\Admin\AppData\Local\Temp\9193d951a0901cda90a698f00dfcccedeba8ee207e73f3629f8cdfb1ac4921cc.exe
"C:\Users\Admin\AppData\Local\Temp\9193d951a0901cda90a698f00dfcccedeba8ee207e73f3629f8cdfb1ac4921cc.exe"
1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:636
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vHP13.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vHP13.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3172
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\vaK52.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\vaK52.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3528
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\dVU43.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\dVU43.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:3504

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vHP13.exe

Filesize
660KB

MD5
93860c2c2672eacddfc695b8312650b1

SHA1
34cf958777cbfe1668475dded84c535c452979cf

SHA256
2cd7da4c69d1511e1113be693474eff0eca51706bccee5ee68fa1a362c7b6b8b

SHA512
4c8d1811d355990e4a7ddcf6f4a6cd0e03534a6ebeecc86e31549c7e8cf5fa23de896014cf25c0b730385bd41473c7a15533e763f05d5dad16f1c23c6433038b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\vaK52.exe

Filesize
515KB

MD5
7ec5066b38d5b604c7fc69b4a631bf4f

SHA1
ab662c22af32755be901e08ef023113011167767

SHA256
763697e0615cd208407ca80dd06aee987f65280ab2a89c2d700ae7cd022f5fa5

SHA512
1ce1ddc0eb4b117765ff8909fbf4dd6048a3734c06c2281feb29ee441cb9d4024f0e66154184cd150555534c093482c33890f4e6694db015fcd4ae87814a1830

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\dVU43.exe

Filesize
296KB

MD5
b8c8132fcf9800ed3598f7cb2e9a5057

SHA1
93f3d94687f59a038d407dae0d80e6a573be1874

SHA256
d8e83015464713166e2a7580cf8c04d346c72624affc3839ae204093548fd9b4

SHA512
3688bcf4cb99717716e34cf6c2607f974e6662ad8c1a980da3bad66b8ae6f7cfa957ea58937f3a1927ccd5844c10fb9566e715869d766b70dbc16dc8c0bec6e6

Download Submit
memory/3504-22-0x00000000027A0000-0x00000000027E6000-memory.dmp

Filesize
280KB

Download
memory/3504-23-0x0000000004E40000-0x00000000053E4000-memory.dmp

Filesize
5.6MB

Download
memory/3504-24-0x0000000002950000-0x0000000002994000-memory.dmp

Filesize
272KB

Download
memory/3504-84-0x0000000002950000-0x000000000298E000-memory.dmp

Filesize
248KB

Download
memory/3504-88-0x0000000002950000-0x000000000298E000-memory.dmp

Filesize
248KB

Download
memory/3504-86-0x0000000002950000-0x000000000298E000-memory.dmp

Filesize
248KB

Download
memory/3504-82-0x0000000002950000-0x000000000298E000-memory.dmp

Filesize
248KB

Download
memory/3504-80-0x0000000002950000-0x000000000298E000-memory.dmp

Filesize
248KB

Download
memory/3504-78-0x0000000002950000-0x000000000298E000-memory.dmp

Filesize
248KB

Download
memory/3504-76-0x0000000002950000-0x000000000298E000-memory.dmp

Filesize
248KB

Download
memory/3504-74-0x0000000002950000-0x000000000298E000-memory.dmp

Filesize
248KB

Download
memory/3504-73-0x0000000002950000-0x000000000298E000-memory.dmp

Filesize
248KB

Download
memory/3504-68-0x0000000002950000-0x000000000298E000-memory.dmp

Filesize
248KB

Download
memory/3504-66-0x0000000002950000-0x000000000298E000-memory.dmp

Filesize
248KB

Download
memory/3504-64-0x0000000002950000-0x000000000298E000-memory.dmp

Filesize
248KB

Download
memory/3504-62-0x0000000002950000-0x000000000298E000-memory.dmp

Filesize
248KB

Download
memory/3504-60-0x0000000002950000-0x000000000298E000-memory.dmp

Filesize
248KB

Download
memory/3504-58-0x0000000002950000-0x000000000298E000-memory.dmp

Filesize
248KB

Download
memory/3504-56-0x0000000002950000-0x000000000298E000-memory.dmp

Filesize
248KB

Download
memory/3504-54-0x0000000002950000-0x000000000298E000-memory.dmp

Filesize
248KB

Download
memory/3504-52-0x0000000002950000-0x000000000298E000-memory.dmp

Filesize
248KB

Download
memory/3504-50-0x0000000002950000-0x000000000298E000-memory.dmp

Filesize
248KB

Download
memory/3504-46-0x0000000002950000-0x000000000298E000-memory.dmp

Filesize
248KB

Download
memory/3504-44-0x0000000002950000-0x000000000298E000-memory.dmp

Filesize
248KB

Download
memory/3504-42-0x0000000002950000-0x000000000298E000-memory.dmp

Filesize
248KB

Download
memory/3504-40-0x0000000002950000-0x000000000298E000-memory.dmp

Filesize
248KB

Download
memory/3504-38-0x0000000002950000-0x000000000298E000-memory.dmp

Filesize
248KB

Download
memory/3504-36-0x0000000002950000-0x000000000298E000-memory.dmp

Filesize
248KB

Download
memory/3504-34-0x0000000002950000-0x000000000298E000-memory.dmp

Filesize
248KB

Download
memory/3504-32-0x0000000002950000-0x000000000298E000-memory.dmp

Filesize
248KB

Download
memory/3504-30-0x0000000002950000-0x000000000298E000-memory.dmp

Filesize
248KB

Download
memory/3504-28-0x0000000002950000-0x000000000298E000-memory.dmp

Filesize
248KB

Download
memory/3504-26-0x0000000002950000-0x000000000298E000-memory.dmp

Filesize
248KB

Download
memory/3504-25-0x0000000002950000-0x000000000298E000-memory.dmp

Filesize
248KB

Download
memory/3504-70-0x0000000002950000-0x000000000298E000-memory.dmp

Filesize
248KB

Download
memory/3504-48-0x0000000002950000-0x000000000298E000-memory.dmp

Filesize
248KB

Download
memory/3504-931-0x00000000053F0000-0x0000000005A08000-memory.dmp

Filesize
6.1MB

Download
memory/3504-932-0x0000000005A80000-0x0000000005B8A000-memory.dmp

Filesize
1.0MB

Download
memory/3504-933-0x0000000005BC0000-0x0000000005BD2000-memory.dmp

Filesize
72KB

Download
memory/3504-934-0x0000000005BE0000-0x0000000005C1C000-memory.dmp

Filesize
240KB

Download
memory/3504-935-0x0000000005D30000-0x0000000005D7C000-memory.dmp

Filesize
304KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads