Memory Forensics Report: RedLine — Extracting Stealer Artifacts from RAM

Platform: CyberDefenders
Challenge: RedLine
Category: Memory Forensics
Difficulty: Easy
Tools: Volatility, Memory Forensics
Achievement: Proof of Completion

1. Executive Summary

Incident Type: Malware Infection / Information Stealer

Malware Family: RedLine Stealer

A memory dump was captured from a compromised endpoint suspected of data exfiltration. Forensic analysis of the RAM image confirmed the presence of the RedLine infostealer. The malware executed from a temporary directory under the guise of oneetx.exe and employed process injection techniques—spawning a rundll32.exe child process with PAGE_EXECUTE_READWRITE memory protections—to evade detection. Network artifacts extracted from memory revealed the attacker’s C2 infrastructure IP and the specific PHP endpoint used to stage or exfiltrate data, alongside evidence of a VPN application (outline.exe) potentially used by the attacker or victim.

Indicators of Compromise (IOCs)

| Type | Indicator | Description |
|---|---|---|
| Malicious Process | oneetx.exe | Primary RedLine stealer executable. |
| Injected Process | rundll32.exe | Child process spawned for malicious execution. |
| File Path | C:\Users\Tammam\AppData\Local\Temp\c3912af058\oneetx.exe | Execution path of the malware. |
| Attacker IP | 77.91.124.20 | C2 server IP address. |
| C2 URL | http://77.91.124.20/store/games/index.php | Specific endpoint used for C2 communication. |

MITRE ATT&CK Mapping Overview

| Tactic | Technique | ID |
|---|---|---|
| Execution | User Execution: Malicious File | T1204.002 |
| Defense Evasion | Process Injection | T1055 |
| Command & Control | Application Layer Protocol | T1071 |
| Exfiltration | Exfiltration Over C2 Channel | T1041 |

2. Background: Memory Protections and Process Injection

Before diving into the analysis, it’s crucial to understand how malware manipulates memory to evade detection. Legitimate Windows processes are carefully structured with specific memory protections (e.g., Read-Only, Read/Execute). Malware, however, often needs to write its malicious code into memory and then execute it, requiring a specific, highly suspicious memory protection state.

| Memory Protection | Description | Forensic Significance |
|---|---|---|
| PAGE_READONLY | Memory can only be read. | Normal for data segments. |
| PAGE_EXECUTE_READ | Memory can be read and executed. | Normal for legitimate executable code (.text sections). |
| PAGE_EXECUTE_READWRITE | Memory can be read, written to, and executed. | Highly suspicious. Rarely used legitimately. Indicates dynamic code injection, unpacking, or JIT compilation. |

Why This Matters: When conducting memory forensics, searching for memory segments marked as PAGE_EXECUTE_READWRITE (often referred to as RWX) is one of the most effective ways to hunt for process injection. It highlights areas where malware has hollowed out a legitimate process or injected a malicious payload to run stealthily in RAM.


3. Phase 1: Process Triage & Anomaly Detection (Questions 1, 2, & 7)

Objective: Identify the malicious processes running in memory and trace their origin on the filesystem.

The initial step in any memory forensic investigation is to survey the running processes (typically using a tool or plugin like Volatility’s pslist or pstree). During this triage, a highly suspicious process named oneetx.exe was identified running from a user’s temporary directory.

Process list showing the suspicious oneetx.exe process running.

Looking at the full path of the executable confirms its malicious nature. Legitimate applications rarely execute directly from deeply nested, randomly named subfolders within the Temp directory.

Full path analysis revealing C:\Users\Tammam\AppData\Local\Temp\c3912af058\oneetx.exe.

Further examination of the process tree revealed that oneetx.exe spawned a child process: rundll32.exe. While rundll32.exe is a legitimate Windows binary used to execute DLLs, malware frequently abuses it (Living off the Land) to execute malicious code under a trusted process name.

Process tree showing rundll32.exe running as a child process of oneetx.exe.

Why this matters: The sequence of a randomly named executable in AppData\Local\Temp spawning rundll32.exe is a classic indicator of malware unpacking itself or performing process injection.
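As an added example (not part of the original writeup), the triage described above as a script: it parses a constructed, abridged pslist-style listing together with a PID-to-image-path map (as cmdline would provide) and flags any process running from AppData\Local\Temp that spawned a Windows system binary, which is also the execution rule recommended in the takeaways. All PIDs, rows and the non-malware paths are constructed; the set of system binaries is an assumption.

```python
import re

# Constructed, abridged rows in the shape of Volatility 3 `windows.pslist`
# (PID, PPID, ImageFileName only). Not the challenge's real output.
PSLIST_SAMPLE = """\
PID PPID ImageFileName
4 0 System
636 4 smss.exe
1320 636 explorer.exe
3348 1320 outline.exe
4628 1320 oneetx.exe
5148 4628 rundll32.exe
"""

# Constructed PID -> image path map, as `windows.cmdline` would give it.
CMDLINE_SAMPLE = {
    1320: r"C:\Windows\explorer.exe",
    3348: r"C:\Program Files\Outline\outline.exe",
    4628: r"C:\Users\Tammam\AppData\Local\Temp\c3912af058\oneetx.exe",
    5148: r"C:\Windows\System32\rundll32.exe",
}

# Living-off-the-land hosts commonly abused as injection targets (assumed list).
SYSTEM_BINARIES = {"rundll32.exe", "svchost.exe", "regsvr32.exe", "mshta.exe"}
TEMP_RE = re.compile(r"\\AppData\\Local\\Temp\\", re.IGNORECASE)

def parse_pslist(text):
    """Return {pid: {"ppid": int, "name": str}} from the whitespace-separated listing."""
    procs = {}
    for line in text.splitlines()[1:]:          # skip the header row
        pid, ppid, name = line.split()
        procs[int(pid)] = {"ppid": int(ppid), "name": name}
    return procs

def find_temp_spawners(procs, cmdlines):
    """Flag (parent_pid, parent_path, child_pid, child_name) for every
    system binary whose parent image lives under AppData\\Local\\Temp."""
    hits = []
    for pid, p in procs.items():
        if p["name"].lower() not in SYSTEM_BINARIES:
            continue
        parent_path = cmdlines.get(p["ppid"], "")
        if TEMP_RE.search(parent_path):
            hits.append((p["ppid"], parent_path, pid, p["name"]))
    return hits

if __name__ == "__main__":
    for ppid, path, pid, name in find_temp_spawners(parse_pslist(PSLIST_SAMPLE), CMDLINE_SAMPLE):
        print(f"[!] PID {ppid} ({path}) spawned PID {pid} {name}")
```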

Answer Q1

What is the name of the suspicious process?

oneetx.exe

Answer Q7

What is the full path of the malicious executable?

C:\Users\Tammam\AppData\Local\Temp\c3912af058\oneetx.exe

Answer Q2

What is the child process name of the suspicious process?

rundll32.exe


4. Phase 2: Memory Injection Analysis (Question 3)

Objective: Analyze the memory protections of the suspicious processes to confirm injection techniques.

To confirm the hypothesis that rundll32.exe was being abused via process injection, we examined the memory segments associated with it using memory protection analysis tools (like Volatility’s malfind plugin).

The analysis revealed memory regions allocated with PAGE_EXECUTE_READWRITE (RWX) permissions. As discussed in the Background section, this is the hallmark of injected code. The malware (oneetx.exe) allocated memory inside the rundll32.exe process, wrote its unpacked RedLine payload into that space, and then executed it.

Memory protection analysis showing PAGE_EXECUTE_READWRITE flags on a memory segment.

Analyst Note: Finding RWX memory in a generic host process like rundll32.exe, svchost.exe, or explorer.exe is a definitive finding. The next forensic step is usually to dump that specific memory segment to disk for reverse engineering.
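The RWX hunt from this phase as an added example (not code from the original writeup): it parses constructed, abridged malfind-style output, keeps only PAGE_EXECUTE_READWRITE regions, and annotates the two signals an analyst escalates on, an embedded PE header (MZ) at the region start and a generic Windows host process. Addresses, bytes and the non-RedLine rows are made up; the host-binary set is an assumption.

```python
import re

# Constructed, abridged text in the shape of Volatility 3 `windows.malfind`
# output: one region row, then the hexdump rows of its first bytes (ASCII
# column omitted). Addresses and bytes are made up for this example.
MALFIND_SAMPLE = """\
PID Process Start_VPN End_VPN Tag Protection CommitCharge PrivateMemory
5148 rundll32.exe 0x400000 0x41afff VadS PAGE_EXECUTE_READWRITE 27 1
4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00
b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00
1320 explorer.exe 0x2a30000 0x2a30fff VadS PAGE_EXECUTE_READWRITE 1 1
48 8b 05 00 00 00 00 00 00 00 00 00 00 00 00 00
3348 outline.exe 0x1f00000 0x1f0ffff VadS PAGE_EXECUTE_READ 16 1
4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00
"""

# Generic host processes where RWX memory is worth escalating (assumed list).
HOST_BINARIES = {"rundll32.exe", "svchost.exe", "explorer.exe"}
HEX_BYTE = re.compile(r"[0-9a-f]{2}")

def parse_malfind(text):
    """Group each region row with the hexdump rows that follow it."""
    regions = []
    for line in text.splitlines()[1:]:          # skip the header row
        f = line.split()
        if len(f) >= 6 and f[5].startswith("PAGE_"):
            regions.append({"pid": int(f[0]), "process": f[1], "start": int(f[2], 16),
                            "end": int(f[3], 16), "protection": f[5], "bytes": b""})
        elif regions and f and all(HEX_BYTE.fullmatch(t) for t in f):
            regions[-1]["bytes"] += bytes.fromhex("".join(f))
    return regions

def triage(regions):
    """Keep RWX regions and annotate them with size, MZ header and host-process flags."""
    findings = []
    for r in regions:
        if r["protection"] != "PAGE_EXECUTE_READWRITE":
            continue
        findings.append(dict(r, size=r["end"] - r["start"] + 1,
                             has_mz=r["bytes"].startswith(b"MZ"),
                             host_binary=r["process"].lower() in HOST_BINARIES))
    return findings

if __name__ == "__main__":
    for f in triage(parse_malfind(MALFIND_SAMPLE)):
        print(f"PID {f['pid']} {f['process']}: RWX {f['size']:#x} bytes at {f['start']:#x}, "
              f"MZ={f['has_mz']}, host_binary={f['host_binary']}")
```

A region that is RWX, starts with MZ and lives in a host binary is the one to dump first; the PAGE_EXECUTE_READ region with an MZ header is skipped because mapped images normally look like that.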

Answer Q3

What is the memory protection applied to the suspicious process memory region?

PAGE_EXECUTE_READWRITE


5. Phase 3: Network Artifacts & Threat Actor Infrastructure (Questions 4, 5, & 6)

Objective: Extract network connections from memory to identify the C2 server and any other relevant network tools.

Memory dumps retain artifacts of active and recently closed network connections. Analyzing the network data structures (e.g., using netscan) revealed an active connection to an external IP address: 77.91.124.20. This is the attacker’s Command and Control (C2) server.

Network connection artifacts from memory identifying the attacker IP 77.91.124.20.

Memory forensics also involves carving strings from the memory space of the malicious processes. Searching through the strings associated with the oneetx.exe or rundll32.exe processes yielded a full HTTP URL pointing to a PHP script on the attacker’s server: http://77.91.124.20/store/games/index.php.

String analysis extracting the full malicious URL http://77.91.124.20/store/games/index.php.

Attackers use these PHP endpoints as “gateways” to receive exfiltrated data (like stolen passwords, cookies, and crypto wallets) from the RedLine stealer. The path /store/games/ is likely a weak attempt to masquerade the C2 traffic as legitimate web browsing.

Finally, during the process triage, another notable application was found running: outline.exe. Outline is an open-source VPN tool. While not inherently malicious, its presence during an active incident is noteworthy. It could indicate the victim was using a VPN, or more maliciously, that the attacker deployed it to tunnel their traffic or bypass geo-restrictions.
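The netscan-plus-strings correlation from this phase as an added example (not part of the original writeup): it parses constructed, abridged netscan-style rows, drops non-external peers, and joins each remaining foreign IP with the owning processes and with any carved URL that points at it, so the C2 candidate falls out as the peer that has both. The 203.0.113.10 peer is an RFC 5737 documentation address added as a benign contrast; the carved strings and the private-range filter are constructed for the example.

```python
import re

# Constructed, abridged rows in the shape of Volatility 3 `windows.netscan`
# output. The first row mirrors the writeup's finding; the rest are made up.
NETSCAN_SAMPLE = """\
Offset Proto LocalAddr LocalPort ForeignAddr ForeignPort State PID Owner
0xe10c3a8c2010 TCPv4 192.168.14.23 49782 77.91.124.20 80 ESTABLISHED 5148 rundll32.exe
0xe10c3a8d4af0 TCPv4 192.168.14.23 49791 203.0.113.10 443 CLOSED 1320 explorer.exe
0xe10c3a8e1200 UDPv4 0.0.0.0 5353 * 0 LISTENING 3348 outline.exe
"""

# Constructed strings, as carved from the rundll32.exe memory space.
STRINGS_SAMPLE = [
    "Content-Type: application/x-www-form-urlencoded",
    "http://77.91.124.20/store/games/index.php",
    "Mozilla/5.0 (Windows NT 10.0; Win64; x64)",
    "https://www.microsoft.com/",
]

URL_RE = re.compile(r"https?://[^\s\"'<>]+")
# Private, loopback, unspecified and wildcard peers are not external infrastructure.
NOT_EXTERNAL_RE = re.compile(r"^(10\.|192\.168\.|172\.(1[6-9]|2\d|3[01])\.|127\.|0\.0\.0\.0|\*|::)")

def parse_netscan(text):
    rows = []
    for line in text.splitlines()[1:]:          # skip the header row
        f = line.split()
        rows.append({"proto": f[1], "foreign": f[4], "fport": int(f[5]),
                     "state": f[6], "pid": int(f[7]), "owner": f[8]})
    return rows

def correlate(rows, strings):
    """For every external peer: the processes that talked to it and the
    carved URLs that point at it."""
    urls = [u for s in strings for u in URL_RE.findall(s)]
    out = {}
    for r in rows:
        ip = r["foreign"]
        if NOT_EXTERNAL_RE.match(ip):
            continue
        entry = out.setdefault(ip, {"owners": set(), "urls": []})
        entry["owners"].add(f"{r['owner']}:{r['pid']}")
        entry["urls"] = [u for u in urls if re.match(rf"https?://{re.escape(ip)}([/:]|$)", u)]
    return out

def c2_candidates(out):
    """External peers that also appear as a URL host in carved memory strings."""
    return sorted(ip for ip, e in out.items() if e["urls"])

if __name__ == "__main__":
    out = correlate(parse_netscan(NETSCAN_SAMPLE), STRINGS_SAMPLE)
    for ip in c2_candidates(out):
        print(f"[!] {ip} <- {sorted(out[ip]['owners'])} urls={out[ip]['urls']}")
```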

Process list identifying outline.exe, a known VPN client.

Answer Q5

What is the attacker’s IP address?

77.91.124.20

Answer Q6

What is the full URL of the PHP file that the attacker visited?

http://77.91.124.20/store/games/index.php

Answer Q4

What is the name of the process responsible for the VPN connection?

outline.exe


6. Reconstructed Incident Timeline

Based on the memory artifacts, we can reconstruct the local execution flow of the RedLine infection:

| Step | Kill Chain Phase | Action | Evidence Source |
|---|---|---|---|
| 1 | Delivery | Malware dropped to C:\Users\Tammam\AppData\Local\Temp\c3912af058\oneetx.exe | Memory Process Path (dlllist / cmdline) |
| 2 | Execution | oneetx.exe is executed by the user | Memory Process List (pslist) |
| 3 | Defense Evasion | oneetx.exe spawns a suspended rundll32.exe child process | Process Tree (pstree) |
| 4 | Defense Evasion | Malware allocates PAGE_EXECUTE_READWRITE memory and injects code into rundll32.exe | Memory Protections (malfind) |
| 5 | C2 / Exfiltration | Injected process beacons to http://77.91.124.20/store/games/index.php | Memory Strings / Network Scan (netscan) |

Key Observation: The attacker utilized a classic process injection technique to hide the actual data theft operations inside the legitimate rundll32.exe process. If a defender only looked at the process names, they might miss the malicious activity. The presence of RWX memory is the smoking gun that exposes the injection.


7. Conclusion

The RedLine memory forensics investigation successfully identified a stealthy information stealer operating from RAM. Key findings:

  1. Execution: The malware executed from a temporary directory under the name oneetx.exe.
  2. Evasion: It performed process injection into rundll32.exe, creating highly suspicious PAGE_EXECUTE_READWRITE memory segments.
  3. Infrastructure: The malware communicated with a C2 server at 77.91.124.20, specifically targeting the /store/games/index.php endpoint to likely exfiltrate stolen credentials.
  4. Environment: The VPN tool outline.exe was active on the system during the infection.

Key Takeaways for the SOC:

  1. Memory Hunting: Implement EDR rules to detect PAGE_EXECUTE_READWRITE memory allocations within standard Windows binaries (like rundll32.exe, svchost.exe).
  2. Network Blocking: Block all inbound and outbound traffic to 77.91.124.20 at the perimeter firewall.
  3. Web Filtering: Add http://77.91.124.20/store/games/index.php to web proxy blocklists.
  4. Execution Rules: Create detection alerts for any executable launching from AppData\Local\Temp\* that subsequently spawns Windows system binaries.

Analysis Date: June 15, 2026
Analyst: El OMARI Zakaria

This post is licensed under CC BY 4.0 by the author.