Analysis
max time kernel: 148s
max time network: 151s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 04-11-2024 13:26
Static task: static1
Behavioral task: behavioral1
Sample: 6f6bbcc03bc05696801cbe339531f2277e2e26d347341ed71713555cb36375f3.exe
Resource: win10v2004-20241007-en
General
Target: 6f6bbcc03bc05696801cbe339531f2277e2e26d347341ed71713555cb36375f3.exe
Size: 1.0MB
MD5: 29db78995f19db2519553217e1c9fd36
SHA1: 2d75b5cd2f68948ea13ddd7333090d772bb66c8e
SHA256: 6f6bbcc03bc05696801cbe339531f2277e2e26d347341ed71713555cb36375f3
SHA512: 9ac7fcdda7fcabfac67e7a645cb089d3f61491220a578ba9446b73e442d27b90597e3d33d0f817db3869549cd9cff17b02ab4beb66d43d38834bf6e1a8c15535
SSDEEP: 24576:IynzkqxXWVw1/rtl07izluGXLn2xYNL8PFnmmy4crUmrNdk:PnlmVMrtl0Gu+26L8PFnml4Jm3
Malware Config
Extracted
Family: redline
Botnet: ramon
C2: 193.233.20.23:4123
auth_value: 3197576965d9513f115338c233015b40
Signatures

Detects Healer, an antivirus disabler dropper (2 IoCs)
resource / yara_rule:
- behavioral1/files/0x000b000000023b7d-26.dat: healer
- behavioral1/memory/1692-28-0x0000000000DC0000-0x0000000000DCA000-memory.dmp: healer

Healer family

Modifies Windows Defender Real-time Protection settings
description / ioc / Process:
- Key created: \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection (igw69br58.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" (igw69br58.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" (igw69br58.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" (igw69br58.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" (igw69br58.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" (igw69br58.exe)
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload (35 IoCs)
Redline family
-
Executes dropped EXE (5 IoCs)
pid / Process:
- 5092: sty89kO72.exe
- 4872: skl67xB90.exe
- 5088: sJT13bc55.exe
- 1692: igw69br58.exe
- 4932: kHd15MB20.exe

Windows security modification
description / ioc / Process:
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" (igw69br58.exe)

Adds Run key to start application (2 TTPs, 4 IoCs)
description / ioc / Process:
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" (6f6bbcc03bc05696801cbe339531f2277e2e26d347341ed71713555cb36375f3.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" (sty89kO72.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" (skl67xB90.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" (sJT13bc55.exe)
Note: the wextract_cleanupN RunOnce entries are the standard cleanup commands written by the Windows self-extracting (wextract/IExpress) packager for each nested IXP00N.TMP extraction directory, which matches the four nested self-extracting stages in the process tree rather than a persistence mechanism of the final payload.
System Location Discovery: System Language Discovery (1 TTPs, 5 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description / ioc / Process:
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (kHd15MB20.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (6f6bbcc03bc05696801cbe339531f2277e2e26d347341ed71713555cb36375f3.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (sty89kO72.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (skl67xB90.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (sJT13bc55.exe)

Suspicious behavior: EnumeratesProcesses (2 IoCs)
pid / Process:
- 1692: igw69br58.exe
- 1692: igw69br58.exe

Suspicious use of AdjustPrivilegeToken (2 IoCs)
description / pid / Process:
- Token: SeDebugPrivilege, 1692 (igw69br58.exe)
- Token: SeDebugPrivilege, 4932 (kHd15MB20.exe)

Suspicious use of WriteProcessMemory (14 IoCs)
description / pid / Process / procid_target:
- PID 4456 wrote to memory of 5092: 4456 6f6bbcc03bc05696801cbe339531f2277e2e26d347341ed71713555cb36375f3.exe, target 84
- PID 4456 wrote to memory of 5092: 4456 6f6bbcc03bc05696801cbe339531f2277e2e26d347341ed71713555cb36375f3.exe, target 84
- PID 4456 wrote to memory of 5092: 4456 6f6bbcc03bc05696801cbe339531f2277e2e26d347341ed71713555cb36375f3.exe, target 84
- PID 5092 wrote to memory of 4872: 5092 sty89kO72.exe, target 85
- PID 5092 wrote to memory of 4872: 5092 sty89kO72.exe, target 85
- PID 5092 wrote to memory of 4872: 5092 sty89kO72.exe, target 85
- PID 4872 wrote to memory of 5088: 4872 skl67xB90.exe, target 86
- PID 4872 wrote to memory of 5088: 4872 skl67xB90.exe, target 86
- PID 4872 wrote to memory of 5088: 4872 skl67xB90.exe, target 86
- PID 5088 wrote to memory of 1692: 5088 sJT13bc55.exe, target 87
- PID 5088 wrote to memory of 1692: 5088 sJT13bc55.exe, target 87
- PID 5088 wrote to memory of 4932: 5088 sJT13bc55.exe, target 96
- PID 5088 wrote to memory of 4932: 5088 sJT13bc55.exe, target 96
- PID 5088 wrote to memory of 4932: 5088 sJT13bc55.exe, target 96
Processes (indented by process-tree depth)

C:\Users\Admin\AppData\Local\Temp\6f6bbcc03bc05696801cbe339531f2277e2e26d347341ed71713555cb36375f3.exe (PID 4456)
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\sty89kO72.exe (PID 5092)
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\skl67xB90.exe (PID 4872)
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory

      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\sJT13bc55.exe (PID 5088)
      - Executes dropped EXE
      - Adds Run key to start application
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory

        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\igw69br58.exe (PID 1692)
        - Modifies Windows Defender Real-time Protection settings
        - Executes dropped EXE
        - Windows security modification
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken

        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\kHd15MB20.exe (PID 4932)
        - Executes dropped EXE
        - System Location Discovery: System Language Discovery
        - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (1): Windows Service (1)
Downloads