redline | 035c7affa9bb3c58d37eb99129dcb70cdf37e1d77731b57ef3bfe30c01eb71fc

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
12/11/2024, 19:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

035c7affa9bb3c58d37eb99129dcb70cdf37e1d77731b57ef3bfe30c01eb71fc.exe
Size

836KB
MD5

51fb4da3668fe02eee63b050dc363b65
SHA1

5fa940c5d29ac74bf5db9a7806983360472dfea4
SHA256

035c7affa9bb3c58d37eb99129dcb70cdf37e1d77731b57ef3bfe30c01eb71fc
SHA512

ace1a4c919144f58589da9c85de8194ea8d6836bdb5a69e0dde08af708fdb721d4fa0338cebf67d745ec2a5628b6c84c504ea9b3b03d63e77f680b0d788aab89
SSDEEP

12288:ZMroy90xBBMUu+Byp61FDO21Qb4h1+2+QV4bRyBblvoxetQwPDQbuvo/SjF9Y98Y:JyJdP01Fj1V+2+QWl0aeK22/SjF9o5

Score

10^/10

redline romik discovery infostealer persistence

Malware Config

Extracted

Family

redline

Botnet

romik

193.233.20.12:4132

Attributes

auth_value
8fb78d2889ba0ca42678b59b884e88ff

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 35 IoCs

resource	yara_rule
behavioral1/memory/4608-22-0x00000000025F0000-0x0000000002636000-memory.dmp	family_redline
behavioral1/memory/4608-24-0x0000000004CD0000-0x0000000004D14000-memory.dmp	family_redline
behavioral1/memory/4608-36-0x0000000004CD0000-0x0000000004D0E000-memory.dmp	family_redline
behavioral1/memory/4608-40-0x0000000004CD0000-0x0000000004D0E000-memory.dmp	family_redline
behavioral1/memory/4608-88-0x0000000004CD0000-0x0000000004D0E000-memory.dmp	family_redline
behavioral1/memory/4608-86-0x0000000004CD0000-0x0000000004D0E000-memory.dmp	family_redline
behavioral1/memory/4608-84-0x0000000004CD0000-0x0000000004D0E000-memory.dmp	family_redline
behavioral1/memory/4608-82-0x0000000004CD0000-0x0000000004D0E000-memory.dmp	family_redline
behavioral1/memory/4608-80-0x0000000004CD0000-0x0000000004D0E000-memory.dmp	family_redline
behavioral1/memory/4608-78-0x0000000004CD0000-0x0000000004D0E000-memory.dmp	family_redline
behavioral1/memory/4608-74-0x0000000004CD0000-0x0000000004D0E000-memory.dmp	family_redline
behavioral1/memory/4608-72-0x0000000004CD0000-0x0000000004D0E000-memory.dmp	family_redline
behavioral1/memory/4608-70-0x0000000004CD0000-0x0000000004D0E000-memory.dmp	family_redline
behavioral1/memory/4608-68-0x0000000004CD0000-0x0000000004D0E000-memory.dmp	family_redline
behavioral1/memory/4608-66-0x0000000004CD0000-0x0000000004D0E000-memory.dmp	family_redline
behavioral1/memory/4608-64-0x0000000004CD0000-0x0000000004D0E000-memory.dmp	family_redline
behavioral1/memory/4608-62-0x0000000004CD0000-0x0000000004D0E000-memory.dmp	family_redline
behavioral1/memory/4608-58-0x0000000004CD0000-0x0000000004D0E000-memory.dmp	family_redline
behavioral1/memory/4608-56-0x0000000004CD0000-0x0000000004D0E000-memory.dmp	family_redline
behavioral1/memory/4608-54-0x0000000004CD0000-0x0000000004D0E000-memory.dmp	family_redline
behavioral1/memory/4608-52-0x0000000004CD0000-0x0000000004D0E000-memory.dmp	family_redline
behavioral1/memory/4608-50-0x0000000004CD0000-0x0000000004D0E000-memory.dmp	family_redline
behavioral1/memory/4608-48-0x0000000004CD0000-0x0000000004D0E000-memory.dmp	family_redline
behavioral1/memory/4608-46-0x0000000004CD0000-0x0000000004D0E000-memory.dmp	family_redline
behavioral1/memory/4608-44-0x0000000004CD0000-0x0000000004D0E000-memory.dmp	family_redline
behavioral1/memory/4608-42-0x0000000004CD0000-0x0000000004D0E000-memory.dmp	family_redline
behavioral1/memory/4608-38-0x0000000004CD0000-0x0000000004D0E000-memory.dmp	family_redline
behavioral1/memory/4608-30-0x0000000004CD0000-0x0000000004D0E000-memory.dmp	family_redline
behavioral1/memory/4608-28-0x0000000004CD0000-0x0000000004D0E000-memory.dmp	family_redline
behavioral1/memory/4608-76-0x0000000004CD0000-0x0000000004D0E000-memory.dmp	family_redline
behavioral1/memory/4608-60-0x0000000004CD0000-0x0000000004D0E000-memory.dmp	family_redline
behavioral1/memory/4608-26-0x0000000004CD0000-0x0000000004D0E000-memory.dmp	family_redline
behavioral1/memory/4608-25-0x0000000004CD0000-0x0000000004D0E000-memory.dmp	family_redline
behavioral1/memory/4608-34-0x0000000004CD0000-0x0000000004D0E000-memory.dmp	family_redline
behavioral1/memory/4608-32-0x0000000004CD0000-0x0000000004D0E000-memory.dmp	family_redline

Redline family
redline

Executes dropped EXE 3 IoCs

pid	Process
4400	vOq28.exe
5000	vRo37.exe
4608	dWB40.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	035c7affa9bb3c58d37eb99129dcb70cdf37e1d77731b57ef3bfe30c01eb71fc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	vOq28.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	vRo37.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vOq28.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vRo37.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dWB40.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	035c7affa9bb3c58d37eb99129dcb70cdf37e1d77731b57ef3bfe30c01eb71fc.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4608	dWB40.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 1116 wrote to memory of 4400	1116	035c7affa9bb3c58d37eb99129dcb70cdf37e1d77731b57ef3bfe30c01eb71fc.exe	83
PID 1116 wrote to memory of 4400	1116	035c7affa9bb3c58d37eb99129dcb70cdf37e1d77731b57ef3bfe30c01eb71fc.exe	83
PID 1116 wrote to memory of 4400	1116	035c7affa9bb3c58d37eb99129dcb70cdf37e1d77731b57ef3bfe30c01eb71fc.exe	83
PID 4400 wrote to memory of 5000	4400	vOq28.exe	85
PID 4400 wrote to memory of 5000	4400	vOq28.exe	85
PID 4400 wrote to memory of 5000	4400	vOq28.exe	85
PID 5000 wrote to memory of 4608	5000	vRo37.exe	87
PID 5000 wrote to memory of 4608	5000	vRo37.exe	87
PID 5000 wrote to memory of 4608	5000	vRo37.exe	87

C:\Users\Admin\AppData\Local\Temp\035c7affa9bb3c58d37eb99129dcb70cdf37e1d77731b57ef3bfe30c01eb71fc.exe
"C:\Users\Admin\AppData\Local\Temp\035c7affa9bb3c58d37eb99129dcb70cdf37e1d77731b57ef3bfe30c01eb71fc.exe"
1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1116
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vOq28.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vOq28.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4400
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\vRo37.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\vRo37.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:5000
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\dWB40.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\dWB40.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:4608

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vOq28.exe

Filesize
732KB

MD5
5f4fe8abf621dd67f321f8fa92a1862f

SHA1
899ec15e84d0e47aa1013dda775ad3c4baf1b8e8

SHA256
694f7303a14f116babe76061e36b613f792c36f43f906c58dce5243836b52d42

SHA512
263f280e50a4797ed77f4fbc430882add8d40d51d59f8dd1174189471357c6d936e70e02b19212acec011dba3427c0540a9697f98c332cf31a3783ee004502f4

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\vRo37.exe

Filesize
588KB

MD5
2599cbb69aacf9ab17772707ce9ec480

SHA1
9e16c4648857e63cdeb8458f2cea984a412fa4ca

SHA256
9140d27c6134bf374f9ef6242ad2a3f9c18c7bd98eb6418bf4f02426e3354176

SHA512
4cd6df855b000503f85d89ee6736db17414504f3b07579f7ef228469eea61c2d81ad4428ca4a6af7ab5728f2a521b320f479c329239e78c23c922a06ae3bc155

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\dWB40.exe

Filesize
479KB

MD5
285075759e1fdcae6a0deb572b9f2deb

SHA1
8ba0efce7c3edce13cd2cda3c250fe4f7c90ff7b

SHA256
b5bdf2dbf6d46257447f8b9633c4b3c1905171c0ca9e6a8c1954a92accbb00c1

SHA512
54338da73f8e569a9d450ac4092d385488103da32cdfddea13d0a92c847d197584683b26a21c5fa37625ce01220717ea34d8b4da4cd3a026e15b77ef23771f02

Download Submit
memory/4608-22-0x00000000025F0000-0x0000000002636000-memory.dmp

Filesize
280KB

Download
memory/4608-23-0x0000000004E40000-0x00000000053E4000-memory.dmp

Filesize
5.6MB

Download
memory/4608-24-0x0000000004CD0000-0x0000000004D14000-memory.dmp

Filesize
272KB

Download
memory/4608-36-0x0000000004CD0000-0x0000000004D0E000-memory.dmp

Filesize
248KB

Download
memory/4608-40-0x0000000004CD0000-0x0000000004D0E000-memory.dmp

Filesize
248KB

Download
memory/4608-88-0x0000000004CD0000-0x0000000004D0E000-memory.dmp

Filesize
248KB

Download
memory/4608-86-0x0000000004CD0000-0x0000000004D0E000-memory.dmp

Filesize
248KB

Download
memory/4608-84-0x0000000004CD0000-0x0000000004D0E000-memory.dmp

Filesize
248KB

Download
memory/4608-82-0x0000000004CD0000-0x0000000004D0E000-memory.dmp

Filesize
248KB

Download
memory/4608-80-0x0000000004CD0000-0x0000000004D0E000-memory.dmp

Filesize
248KB

Download
memory/4608-78-0x0000000004CD0000-0x0000000004D0E000-memory.dmp

Filesize
248KB

Download
memory/4608-74-0x0000000004CD0000-0x0000000004D0E000-memory.dmp

Filesize
248KB

Download
memory/4608-72-0x0000000004CD0000-0x0000000004D0E000-memory.dmp

Filesize
248KB

Download
memory/4608-70-0x0000000004CD0000-0x0000000004D0E000-memory.dmp

Filesize
248KB

Download
memory/4608-68-0x0000000004CD0000-0x0000000004D0E000-memory.dmp

Filesize
248KB

Download
memory/4608-66-0x0000000004CD0000-0x0000000004D0E000-memory.dmp

Filesize
248KB

Download
memory/4608-64-0x0000000004CD0000-0x0000000004D0E000-memory.dmp

Filesize
248KB

Download
memory/4608-62-0x0000000004CD0000-0x0000000004D0E000-memory.dmp

Filesize
248KB

Download
memory/4608-58-0x0000000004CD0000-0x0000000004D0E000-memory.dmp

Filesize
248KB

Download
memory/4608-56-0x0000000004CD0000-0x0000000004D0E000-memory.dmp

Filesize
248KB

Download
memory/4608-54-0x0000000004CD0000-0x0000000004D0E000-memory.dmp

Filesize
248KB

Download
memory/4608-52-0x0000000004CD0000-0x0000000004D0E000-memory.dmp

Filesize
248KB

Download
memory/4608-50-0x0000000004CD0000-0x0000000004D0E000-memory.dmp

Filesize
248KB

Download
memory/4608-48-0x0000000004CD0000-0x0000000004D0E000-memory.dmp

Filesize
248KB

Download
memory/4608-46-0x0000000004CD0000-0x0000000004D0E000-memory.dmp

Filesize
248KB

Download
memory/4608-44-0x0000000004CD0000-0x0000000004D0E000-memory.dmp

Filesize
248KB

Download
memory/4608-42-0x0000000004CD0000-0x0000000004D0E000-memory.dmp

Filesize
248KB

Download
memory/4608-38-0x0000000004CD0000-0x0000000004D0E000-memory.dmp

Filesize
248KB

Download
memory/4608-30-0x0000000004CD0000-0x0000000004D0E000-memory.dmp

Filesize
248KB

Download
memory/4608-28-0x0000000004CD0000-0x0000000004D0E000-memory.dmp

Filesize
248KB

Download
memory/4608-76-0x0000000004CD0000-0x0000000004D0E000-memory.dmp

Filesize
248KB

Download
memory/4608-60-0x0000000004CD0000-0x0000000004D0E000-memory.dmp

Filesize
248KB

Download
memory/4608-26-0x0000000004CD0000-0x0000000004D0E000-memory.dmp

Filesize
248KB

Download
memory/4608-25-0x0000000004CD0000-0x0000000004D0E000-memory.dmp

Filesize
248KB

Download
memory/4608-34-0x0000000004CD0000-0x0000000004D0E000-memory.dmp

Filesize
248KB

Download
memory/4608-32-0x0000000004CD0000-0x0000000004D0E000-memory.dmp

Filesize
248KB

Download
memory/4608-931-0x00000000053F0000-0x0000000005A08000-memory.dmp

Filesize
6.1MB

Download
memory/4608-932-0x0000000005A10000-0x0000000005B1A000-memory.dmp

Filesize
1.0MB

Download
memory/4608-933-0x0000000004E00000-0x0000000004E12000-memory.dmp

Filesize
72KB

Download
memory/4608-934-0x0000000005B20000-0x0000000005B5C000-memory.dmp

Filesize
240KB

Download
memory/4608-935-0x0000000005C60000-0x0000000005CAC000-memory.dmp

Filesize
304KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads