redline | 942685baa59a3b5a00559c73b47442e771ee6f035614c955a2a3aa5c484dacf9

Analysis

max time kernel
111s
max time network
121s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
13-11-2024 23:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

942685baa59a3b5a00559c73b47442e771ee6f035614c955a2a3aa5c484dacf9N.exe
Size

839KB
MD5

aa7b70e87daab61c7ea9fb29c3efe580
SHA1

4d540aaba407c53830e3742ca01581023d04c539
SHA256

942685baa59a3b5a00559c73b47442e771ee6f035614c955a2a3aa5c484dacf9
SHA512

0d3303910f6e489e34138fd6d846e509de676bcd72839ec3e8f0961359155ceb9df33b79541b5f23b147d8de73416e6025acd99d51519bbb352282252c3f5e26
SSDEEP

12288:LMr9y90XvVXqdFlfGwvVnfrD1hYqx54DW10TrwfTxZn/U3hZGsOL2Q9+RDCab:2y+VopZhfrjZOc9Z/ShYB+RDCab

Score

10^/10

redline romik discovery infostealer persistence

Malware Config

Extracted

Family

redline

Botnet

romik

193.233.20.12:4132

Attributes

auth_value
8fb78d2889ba0ca42678b59b884e88ff

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 35 IoCs

resource	yara_rule
behavioral1/memory/4844-22-0x0000000004B70000-0x0000000004BB6000-memory.dmp	family_redline
behavioral1/memory/4844-24-0x0000000004BF0000-0x0000000004C34000-memory.dmp	family_redline
behavioral1/memory/4844-70-0x0000000004BF0000-0x0000000004C2E000-memory.dmp	family_redline
behavioral1/memory/4844-88-0x0000000004BF0000-0x0000000004C2E000-memory.dmp	family_redline
behavioral1/memory/4844-86-0x0000000004BF0000-0x0000000004C2E000-memory.dmp	family_redline
behavioral1/memory/4844-84-0x0000000004BF0000-0x0000000004C2E000-memory.dmp	family_redline
behavioral1/memory/4844-82-0x0000000004BF0000-0x0000000004C2E000-memory.dmp	family_redline
behavioral1/memory/4844-80-0x0000000004BF0000-0x0000000004C2E000-memory.dmp	family_redline
behavioral1/memory/4844-78-0x0000000004BF0000-0x0000000004C2E000-memory.dmp	family_redline
behavioral1/memory/4844-76-0x0000000004BF0000-0x0000000004C2E000-memory.dmp	family_redline
behavioral1/memory/4844-74-0x0000000004BF0000-0x0000000004C2E000-memory.dmp	family_redline
behavioral1/memory/4844-72-0x0000000004BF0000-0x0000000004C2E000-memory.dmp	family_redline
behavioral1/memory/4844-68-0x0000000004BF0000-0x0000000004C2E000-memory.dmp	family_redline
behavioral1/memory/4844-66-0x0000000004BF0000-0x0000000004C2E000-memory.dmp	family_redline
behavioral1/memory/4844-65-0x0000000004BF0000-0x0000000004C2E000-memory.dmp	family_redline
behavioral1/memory/4844-62-0x0000000004BF0000-0x0000000004C2E000-memory.dmp	family_redline
behavioral1/memory/4844-60-0x0000000004BF0000-0x0000000004C2E000-memory.dmp	family_redline
behavioral1/memory/4844-58-0x0000000004BF0000-0x0000000004C2E000-memory.dmp	family_redline
behavioral1/memory/4844-56-0x0000000004BF0000-0x0000000004C2E000-memory.dmp	family_redline
behavioral1/memory/4844-54-0x0000000004BF0000-0x0000000004C2E000-memory.dmp	family_redline
behavioral1/memory/4844-52-0x0000000004BF0000-0x0000000004C2E000-memory.dmp	family_redline
behavioral1/memory/4844-48-0x0000000004BF0000-0x0000000004C2E000-memory.dmp	family_redline
behavioral1/memory/4844-46-0x0000000004BF0000-0x0000000004C2E000-memory.dmp	family_redline
behavioral1/memory/4844-44-0x0000000004BF0000-0x0000000004C2E000-memory.dmp	family_redline
behavioral1/memory/4844-42-0x0000000004BF0000-0x0000000004C2E000-memory.dmp	family_redline
behavioral1/memory/4844-40-0x0000000004BF0000-0x0000000004C2E000-memory.dmp	family_redline
behavioral1/memory/4844-38-0x0000000004BF0000-0x0000000004C2E000-memory.dmp	family_redline
behavioral1/memory/4844-36-0x0000000004BF0000-0x0000000004C2E000-memory.dmp	family_redline
behavioral1/memory/4844-34-0x0000000004BF0000-0x0000000004C2E000-memory.dmp	family_redline
behavioral1/memory/4844-32-0x0000000004BF0000-0x0000000004C2E000-memory.dmp	family_redline
behavioral1/memory/4844-26-0x0000000004BF0000-0x0000000004C2E000-memory.dmp	family_redline
behavioral1/memory/4844-50-0x0000000004BF0000-0x0000000004C2E000-memory.dmp	family_redline
behavioral1/memory/4844-30-0x0000000004BF0000-0x0000000004C2E000-memory.dmp	family_redline
behavioral1/memory/4844-28-0x0000000004BF0000-0x0000000004C2E000-memory.dmp	family_redline
behavioral1/memory/4844-25-0x0000000004BF0000-0x0000000004C2E000-memory.dmp	family_redline

Redline family
redline

Executes dropped EXE 3 IoCs

pid	Process
3256	vds58.exe
852	vmV74.exe
4844	dWw49.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	vds58.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	vmV74.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	942685baa59a3b5a00559c73b47442e771ee6f035614c955a2a3aa5c484dacf9N.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	942685baa59a3b5a00559c73b47442e771ee6f035614c955a2a3aa5c484dacf9N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vds58.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vmV74.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dWw49.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4844	dWw49.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 1668 wrote to memory of 3256	1668	942685baa59a3b5a00559c73b47442e771ee6f035614c955a2a3aa5c484dacf9N.exe	83
PID 1668 wrote to memory of 3256	1668	942685baa59a3b5a00559c73b47442e771ee6f035614c955a2a3aa5c484dacf9N.exe	83
PID 1668 wrote to memory of 3256	1668	942685baa59a3b5a00559c73b47442e771ee6f035614c955a2a3aa5c484dacf9N.exe	83
PID 3256 wrote to memory of 852	3256	vds58.exe	84
PID 3256 wrote to memory of 852	3256	vds58.exe	84
PID 3256 wrote to memory of 852	3256	vds58.exe	84
PID 852 wrote to memory of 4844	852	vmV74.exe	85
PID 852 wrote to memory of 4844	852	vmV74.exe	85
PID 852 wrote to memory of 4844	852	vmV74.exe	85

C:\Users\Admin\AppData\Local\Temp\942685baa59a3b5a00559c73b47442e771ee6f035614c955a2a3aa5c484dacf9N.exe
"C:\Users\Admin\AppData\Local\Temp\942685baa59a3b5a00559c73b47442e771ee6f035614c955a2a3aa5c484dacf9N.exe"
1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1668
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vds58.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vds58.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3256
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\vmV74.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\vmV74.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:852
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\dWw49.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\dWw49.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:4844

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vds58.exe

Filesize
735KB

MD5
dd544a0c9127a28ebd06b73ec158fdf7

SHA1
03672a1e0f179633cc7d4198cc601ad59e034c9c

SHA256
851a85ff1cd2cb969b3ef122df17f5e3c87a6f7360869857ac03feae668a60df

SHA512
65de438d0404ef53929636bc03e8ff972f34be9d7cb2e39b2ed9864ed5d3d3ffc4b9b2073e5c24b12aa0302d5540980d7958b381bc023e0c22356d18757f64de

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\vmV74.exe

Filesize
589KB

MD5
ec856571b016951c12e6871ea93ea181

SHA1
e2b723955d9bf0e00ef01d08ca7dba5909a2e8cb

SHA256
09d037b091b6e82b0a05f079eac45b3fc9360f1ecddb46850e6e944834f92008

SHA512
8d95b5a3e55c002d8a17611e1fdba912a438f256f9eb5dea61b779f6973abbde5543f7390d1c37482e895d855dd609080a3ff2c78d6c58b97c593a71a69ad9fe

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\dWw49.exe

Filesize
481KB

MD5
cad110ca2f60ecd3c9c16e973b59d3f1

SHA1
93c455fbd0f645c6cf56208eb34489f889866913

SHA256
4e6f291cfe31f835aa30b7df5078c5ecd6cd758104b8a8a8e40cbd7257ed6ba5

SHA512
3bf5bd8c9ce7f45d8c517e28df9bee44a4521d942ccfe44153ff8b4b1e55137e76c229a0a04c5b77a93ee13b397fd59883fec06ac81d93bb82645af6ee6af983

Download Submit
memory/4844-22-0x0000000004B70000-0x0000000004BB6000-memory.dmp

Filesize
280KB

Download
memory/4844-23-0x0000000004CE0000-0x0000000005284000-memory.dmp

Filesize
5.6MB

Download
memory/4844-24-0x0000000004BF0000-0x0000000004C34000-memory.dmp

Filesize
272KB

Download
memory/4844-70-0x0000000004BF0000-0x0000000004C2E000-memory.dmp

Filesize
248KB

Download
memory/4844-88-0x0000000004BF0000-0x0000000004C2E000-memory.dmp

Filesize
248KB

Download
memory/4844-86-0x0000000004BF0000-0x0000000004C2E000-memory.dmp

Filesize
248KB

Download
memory/4844-84-0x0000000004BF0000-0x0000000004C2E000-memory.dmp

Filesize
248KB

Download
memory/4844-82-0x0000000004BF0000-0x0000000004C2E000-memory.dmp

Filesize
248KB

Download
memory/4844-80-0x0000000004BF0000-0x0000000004C2E000-memory.dmp

Filesize
248KB

Download
memory/4844-78-0x0000000004BF0000-0x0000000004C2E000-memory.dmp

Filesize
248KB

Download
memory/4844-76-0x0000000004BF0000-0x0000000004C2E000-memory.dmp

Filesize
248KB

Download
memory/4844-74-0x0000000004BF0000-0x0000000004C2E000-memory.dmp

Filesize
248KB

Download
memory/4844-72-0x0000000004BF0000-0x0000000004C2E000-memory.dmp

Filesize
248KB

Download
memory/4844-68-0x0000000004BF0000-0x0000000004C2E000-memory.dmp

Filesize
248KB

Download
memory/4844-66-0x0000000004BF0000-0x0000000004C2E000-memory.dmp

Filesize
248KB

Download
memory/4844-65-0x0000000004BF0000-0x0000000004C2E000-memory.dmp

Filesize
248KB

Download
memory/4844-62-0x0000000004BF0000-0x0000000004C2E000-memory.dmp

Filesize
248KB

Download
memory/4844-60-0x0000000004BF0000-0x0000000004C2E000-memory.dmp

Filesize
248KB

Download
memory/4844-58-0x0000000004BF0000-0x0000000004C2E000-memory.dmp

Filesize
248KB

Download
memory/4844-56-0x0000000004BF0000-0x0000000004C2E000-memory.dmp

Filesize
248KB

Download
memory/4844-54-0x0000000004BF0000-0x0000000004C2E000-memory.dmp

Filesize
248KB

Download
memory/4844-52-0x0000000004BF0000-0x0000000004C2E000-memory.dmp

Filesize
248KB

Download
memory/4844-48-0x0000000004BF0000-0x0000000004C2E000-memory.dmp

Filesize
248KB

Download
memory/4844-46-0x0000000004BF0000-0x0000000004C2E000-memory.dmp

Filesize
248KB

Download
memory/4844-44-0x0000000004BF0000-0x0000000004C2E000-memory.dmp

Filesize
248KB

Download
memory/4844-42-0x0000000004BF0000-0x0000000004C2E000-memory.dmp

Filesize
248KB

Download
memory/4844-40-0x0000000004BF0000-0x0000000004C2E000-memory.dmp

Filesize
248KB

Download
memory/4844-38-0x0000000004BF0000-0x0000000004C2E000-memory.dmp

Filesize
248KB

Download
memory/4844-36-0x0000000004BF0000-0x0000000004C2E000-memory.dmp

Filesize
248KB

Download
memory/4844-34-0x0000000004BF0000-0x0000000004C2E000-memory.dmp

Filesize
248KB

Download
memory/4844-32-0x0000000004BF0000-0x0000000004C2E000-memory.dmp

Filesize
248KB

Download
memory/4844-26-0x0000000004BF0000-0x0000000004C2E000-memory.dmp

Filesize
248KB

Download
memory/4844-50-0x0000000004BF0000-0x0000000004C2E000-memory.dmp

Filesize
248KB

Download
memory/4844-30-0x0000000004BF0000-0x0000000004C2E000-memory.dmp

Filesize
248KB

Download
memory/4844-28-0x0000000004BF0000-0x0000000004C2E000-memory.dmp

Filesize
248KB

Download
memory/4844-25-0x0000000004BF0000-0x0000000004C2E000-memory.dmp

Filesize
248KB

Download
memory/4844-931-0x0000000005290000-0x00000000058A8000-memory.dmp

Filesize
6.1MB

Download
memory/4844-932-0x00000000058B0000-0x00000000059BA000-memory.dmp

Filesize
1.0MB

Download
memory/4844-933-0x00000000059E0000-0x00000000059F2000-memory.dmp

Filesize
72KB

Download
memory/4844-934-0x0000000005A00000-0x0000000005A3C000-memory.dmp

Filesize
240KB

Download
memory/4844-935-0x0000000005B50000-0x0000000005B9C000-memory.dmp

Filesize
304KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads