redline | 22c1a63a7205d1da40b89afd71679c06d8d0ba66649afe47278e84a1380f8f88

Analysis

max time kernel
140s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
12-11-2024 20:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

22c1a63a7205d1da40b89afd71679c06d8d0ba66649afe47278e84a1380f8f88.exe
Size

770KB
MD5

08e8eec9d15a07a52716e6bb6cdca10a
SHA1

c3d50ceb23a04c0d9ff86003ab6419a29487ea1c
SHA256

22c1a63a7205d1da40b89afd71679c06d8d0ba66649afe47278e84a1380f8f88
SHA512

dae940e7f76086df608df3db950f025f4b67a224b618f0c0eadf94be06e7cc00c4bd5b4eae38fe233c8fd00a0064e9e583639f3cd55e21c40a97f2faaf1f1dfa
SSDEEP

12288:oMrHy90/c+Cd7zpfWMG9beaB3a6mV8v4M+H8PC6dUAB4Lebplah3TuCOB:vyIYRxWMajwV3tH8PTiLRtTGB

Score

10^/10

redline romik discovery infostealer persistence

Malware Config

Extracted

Family

redline

Botnet

romik

193.233.20.12:4132

Attributes

auth_value
8fb78d2889ba0ca42678b59b884e88ff

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 35 IoCs

resource	yara_rule
behavioral1/memory/3000-25-0x0000000002260000-0x00000000022A6000-memory.dmp	family_redline
behavioral1/memory/3000-27-0x0000000004B50000-0x0000000004B94000-memory.dmp	family_redline
behavioral1/memory/3000-29-0x0000000004B50000-0x0000000004B8E000-memory.dmp	family_redline
behavioral1/memory/3000-67-0x0000000004B50000-0x0000000004B8E000-memory.dmp	family_redline
behavioral1/memory/3000-91-0x0000000004B50000-0x0000000004B8E000-memory.dmp	family_redline
behavioral1/memory/3000-89-0x0000000004B50000-0x0000000004B8E000-memory.dmp	family_redline
behavioral1/memory/3000-88-0x0000000004B50000-0x0000000004B8E000-memory.dmp	family_redline
behavioral1/memory/3000-85-0x0000000004B50000-0x0000000004B8E000-memory.dmp	family_redline
behavioral1/memory/3000-83-0x0000000004B50000-0x0000000004B8E000-memory.dmp	family_redline
behavioral1/memory/3000-81-0x0000000004B50000-0x0000000004B8E000-memory.dmp	family_redline
behavioral1/memory/3000-79-0x0000000004B50000-0x0000000004B8E000-memory.dmp	family_redline
behavioral1/memory/3000-77-0x0000000004B50000-0x0000000004B8E000-memory.dmp	family_redline
behavioral1/memory/3000-75-0x0000000004B50000-0x0000000004B8E000-memory.dmp	family_redline
behavioral1/memory/3000-73-0x0000000004B50000-0x0000000004B8E000-memory.dmp	family_redline
behavioral1/memory/3000-71-0x0000000004B50000-0x0000000004B8E000-memory.dmp	family_redline
behavioral1/memory/3000-69-0x0000000004B50000-0x0000000004B8E000-memory.dmp	family_redline
behavioral1/memory/3000-65-0x0000000004B50000-0x0000000004B8E000-memory.dmp	family_redline
behavioral1/memory/3000-63-0x0000000004B50000-0x0000000004B8E000-memory.dmp	family_redline
behavioral1/memory/3000-62-0x0000000004B50000-0x0000000004B8E000-memory.dmp	family_redline
behavioral1/memory/3000-59-0x0000000004B50000-0x0000000004B8E000-memory.dmp	family_redline
behavioral1/memory/3000-57-0x0000000004B50000-0x0000000004B8E000-memory.dmp	family_redline
behavioral1/memory/3000-55-0x0000000004B50000-0x0000000004B8E000-memory.dmp	family_redline
behavioral1/memory/3000-51-0x0000000004B50000-0x0000000004B8E000-memory.dmp	family_redline
behavioral1/memory/3000-49-0x0000000004B50000-0x0000000004B8E000-memory.dmp	family_redline
behavioral1/memory/3000-47-0x0000000004B50000-0x0000000004B8E000-memory.dmp	family_redline
behavioral1/memory/3000-45-0x0000000004B50000-0x0000000004B8E000-memory.dmp	family_redline
behavioral1/memory/3000-43-0x0000000004B50000-0x0000000004B8E000-memory.dmp	family_redline
behavioral1/memory/3000-41-0x0000000004B50000-0x0000000004B8E000-memory.dmp	family_redline
behavioral1/memory/3000-39-0x0000000004B50000-0x0000000004B8E000-memory.dmp	family_redline
behavioral1/memory/3000-37-0x0000000004B50000-0x0000000004B8E000-memory.dmp	family_redline
behavioral1/memory/3000-35-0x0000000004B50000-0x0000000004B8E000-memory.dmp	family_redline
behavioral1/memory/3000-31-0x0000000004B50000-0x0000000004B8E000-memory.dmp	family_redline
behavioral1/memory/3000-53-0x0000000004B50000-0x0000000004B8E000-memory.dmp	family_redline
behavioral1/memory/3000-33-0x0000000004B50000-0x0000000004B8E000-memory.dmp	family_redline
behavioral1/memory/3000-28-0x0000000004B50000-0x0000000004B8E000-memory.dmp	family_redline

Redline family
redline

Executes dropped EXE 3 IoCs

pid	Process
1692	vJM12.exe
2588	vSB30.exe
3000	dHj16.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	22c1a63a7205d1da40b89afd71679c06d8d0ba66649afe47278e84a1380f8f88.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	vJM12.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	vSB30.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vSB30.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dHj16.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	22c1a63a7205d1da40b89afd71679c06d8d0ba66649afe47278e84a1380f8f88.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vJM12.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	3000	dHj16.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 3984 wrote to memory of 1692	3984	22c1a63a7205d1da40b89afd71679c06d8d0ba66649afe47278e84a1380f8f88.exe	85
PID 3984 wrote to memory of 1692	3984	22c1a63a7205d1da40b89afd71679c06d8d0ba66649afe47278e84a1380f8f88.exe	85
PID 3984 wrote to memory of 1692	3984	22c1a63a7205d1da40b89afd71679c06d8d0ba66649afe47278e84a1380f8f88.exe	85
PID 1692 wrote to memory of 2588	1692	vJM12.exe	86
PID 1692 wrote to memory of 2588	1692	vJM12.exe	86
PID 1692 wrote to memory of 2588	1692	vJM12.exe	86
PID 2588 wrote to memory of 3000	2588	vSB30.exe	88
PID 2588 wrote to memory of 3000	2588	vSB30.exe	88
PID 2588 wrote to memory of 3000	2588	vSB30.exe	88

C:\Users\Admin\AppData\Local\Temp\22c1a63a7205d1da40b89afd71679c06d8d0ba66649afe47278e84a1380f8f88.exe
"C:\Users\Admin\AppData\Local\Temp\22c1a63a7205d1da40b89afd71679c06d8d0ba66649afe47278e84a1380f8f88.exe"
1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3984
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vJM12.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vJM12.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1692
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\vSB30.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\vSB30.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2588
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\dHj16.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\dHj16.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:3000

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vJM12.exe

Filesize
666KB

MD5
926b103575301f2845bf10a52573df4c

SHA1
d287cada71637511c7f1909c38fbd5012122b382

SHA256
63ea3f7582ce3938814f0f8d32d107bec23a59e02d3b3094f2ab11ce74858099

SHA512
a93cb342fdc158e6dad2f67eb6f20c024c5389d20b7b57d45ca2c158cebc634fd366fd964aff15b97a25cb74871872933f75469f26c2bfa2f0e8346a832ff03c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\vSB30.exe

Filesize
521KB

MD5
8b2cef09e4a0a9e6096c7164e9bedf5d

SHA1
f40e1016b15afaab49c109a80545b28ad0620eb2

SHA256
e8e9f3539ac23af78b2aafefc85d6bfd2f3410584d6debda08fff846f1b85da4

SHA512
fc7382860bad8d7a0635e60b8629e5a3ccc70e7465aca5c234d7b0262629fd386a28d05467cf2ae2a7f61d6b26904910c2e37f1cc60774a557ddea367129acef

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\dHj16.exe

Filesize
306KB

MD5
45f8bfc8d5eb5084fd616df3f7e055af

SHA1
bed0d63374a425e922b18f243c699239ba0f6bfb

SHA256
e36e5a2972ffa26a5453108e0385fbe371045fafb60ca0fafd0a7fe1e557a0c9

SHA512
0e4ae78d96fe6e89929806a7716770563cab588ce1f724abffd046b6671f8f46e78007a8d6b74c0c034f6ddaebc646359810075e2e6fdf3fa66c8e343cbba1e4

Download Submit
memory/3000-24-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/3000-23-0x0000000000670000-0x00000000006BB000-memory.dmp

Filesize
300KB

Download
memory/3000-22-0x0000000000740000-0x0000000000840000-memory.dmp

Filesize
1024KB

Download
memory/3000-25-0x0000000002260000-0x00000000022A6000-memory.dmp

Filesize
280KB

Download
memory/3000-26-0x0000000004CE0000-0x0000000005284000-memory.dmp

Filesize
5.6MB

Download
memory/3000-27-0x0000000004B50000-0x0000000004B94000-memory.dmp

Filesize
272KB

Download
memory/3000-29-0x0000000004B50000-0x0000000004B8E000-memory.dmp

Filesize
248KB

Download
memory/3000-67-0x0000000004B50000-0x0000000004B8E000-memory.dmp

Filesize
248KB

Download
memory/3000-91-0x0000000004B50000-0x0000000004B8E000-memory.dmp

Filesize
248KB

Download
memory/3000-89-0x0000000004B50000-0x0000000004B8E000-memory.dmp

Filesize
248KB

Download
memory/3000-88-0x0000000004B50000-0x0000000004B8E000-memory.dmp

Filesize
248KB

Download
memory/3000-85-0x0000000004B50000-0x0000000004B8E000-memory.dmp

Filesize
248KB

Download
memory/3000-83-0x0000000004B50000-0x0000000004B8E000-memory.dmp

Filesize
248KB

Download
memory/3000-81-0x0000000004B50000-0x0000000004B8E000-memory.dmp

Filesize
248KB

Download
memory/3000-79-0x0000000004B50000-0x0000000004B8E000-memory.dmp

Filesize
248KB

Download
memory/3000-77-0x0000000004B50000-0x0000000004B8E000-memory.dmp

Filesize
248KB

Download
memory/3000-75-0x0000000004B50000-0x0000000004B8E000-memory.dmp

Filesize
248KB

Download
memory/3000-73-0x0000000004B50000-0x0000000004B8E000-memory.dmp

Filesize
248KB

Download
memory/3000-71-0x0000000004B50000-0x0000000004B8E000-memory.dmp

Filesize
248KB

Download
memory/3000-69-0x0000000004B50000-0x0000000004B8E000-memory.dmp

Filesize
248KB

Download
memory/3000-65-0x0000000004B50000-0x0000000004B8E000-memory.dmp

Filesize
248KB

Download
memory/3000-63-0x0000000004B50000-0x0000000004B8E000-memory.dmp

Filesize
248KB

Download
memory/3000-62-0x0000000004B50000-0x0000000004B8E000-memory.dmp

Filesize
248KB

Download
memory/3000-59-0x0000000004B50000-0x0000000004B8E000-memory.dmp

Filesize
248KB

Download
memory/3000-57-0x0000000004B50000-0x0000000004B8E000-memory.dmp

Filesize
248KB

Download
memory/3000-55-0x0000000004B50000-0x0000000004B8E000-memory.dmp

Filesize
248KB

Download
memory/3000-51-0x0000000004B50000-0x0000000004B8E000-memory.dmp

Filesize
248KB

Download
memory/3000-49-0x0000000004B50000-0x0000000004B8E000-memory.dmp

Filesize
248KB

Download
memory/3000-47-0x0000000004B50000-0x0000000004B8E000-memory.dmp

Filesize
248KB

Download
memory/3000-45-0x0000000004B50000-0x0000000004B8E000-memory.dmp

Filesize
248KB

Download
memory/3000-43-0x0000000004B50000-0x0000000004B8E000-memory.dmp

Filesize
248KB

Download
memory/3000-41-0x0000000004B50000-0x0000000004B8E000-memory.dmp

Filesize
248KB

Download
memory/3000-39-0x0000000004B50000-0x0000000004B8E000-memory.dmp

Filesize
248KB

Download
memory/3000-37-0x0000000004B50000-0x0000000004B8E000-memory.dmp

Filesize
248KB

Download
memory/3000-35-0x0000000004B50000-0x0000000004B8E000-memory.dmp

Filesize
248KB

Download
memory/3000-31-0x0000000004B50000-0x0000000004B8E000-memory.dmp

Filesize
248KB

Download
memory/3000-53-0x0000000004B50000-0x0000000004B8E000-memory.dmp

Filesize
248KB

Download
memory/3000-33-0x0000000004B50000-0x0000000004B8E000-memory.dmp

Filesize
248KB

Download
memory/3000-28-0x0000000004B50000-0x0000000004B8E000-memory.dmp

Filesize
248KB

Download
memory/3000-934-0x0000000005290000-0x00000000058A8000-memory.dmp

Filesize
6.1MB

Download
memory/3000-935-0x00000000058B0000-0x00000000059BA000-memory.dmp

Filesize
1.0MB

Download
memory/3000-936-0x0000000004CA0000-0x0000000004CB2000-memory.dmp

Filesize
72KB

Download
memory/3000-937-0x00000000059C0000-0x00000000059FC000-memory.dmp

Filesize
240KB

Download
memory/3000-938-0x0000000005B00000-0x0000000005B4C000-memory.dmp

Filesize
304KB

Download
memory/3000-940-0x0000000000740000-0x0000000000840000-memory.dmp

Filesize
1024KB

Download
memory/3000-941-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads