Analysis
max time kernel: 144s
max time network: 152s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 04/11/2024, 20:52
Static task: static1
Behavioral task: behavioral1
Sample: b03ed36ef5a90fbff1d1db8fb5ceafc2d142c7173621209460b5740512a3cb2d.exe
Resource: win10v2004-20241007-en
General
Target: b03ed36ef5a90fbff1d1db8fb5ceafc2d142c7173621209460b5740512a3cb2d.exe
Size: 1.1MB
MD5: 2954d8c1b4f6def3c38d1366261eac0a
SHA1: 465ed2eebc71c083d670a00b611126652fedb470
SHA256: b03ed36ef5a90fbff1d1db8fb5ceafc2d142c7173621209460b5740512a3cb2d
SHA512: 21ebc5d98f80a8d2cb32ae315d93099920c4e1dbe758bc8a54f3e9e39b384ed1405c065af4760d95d6e2eb3c75185fb12fe07aaa460d7d5c5ed7a07031ee432e
SSDEEP: 24576:PyaC2gdbg7gpww9b07kJa6RZpI5P+guOhAOfWORKifoD:ahhq7Iwt7kLRBPkWORK+o
Malware Config
Extracted
Family: redline
Botnet: rumfa
C2: 193.233.20.24:4123
Attributes: auth_value = 749d02a6b4ef1fa2ad908e44ec2296dc
Signatures

Detects Healer an antivirus disabler dropper (2 IoCs)
resource | yara_rule
behavioral1/files/0x0008000000023cad-32.dat | healer
behavioral1/memory/4992-35-0x0000000000600000-0x000000000060A000-memory.dmp | healer

Healer family

Modifies Windows Defender Real-time Protection settings
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | burb05ow48.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | burb05ow48.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | burb05ow48.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | burb05ow48.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | burb05ow48.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | burb05ow48.exe
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.

RedLine payload (35 IoCs)
resource | yara_rule
behavioral1/memory/936-41-0x0000000002580000-0x00000000025C6000-memory.dmp | family_redline
behavioral1/memory/936-43-0x0000000004BA0000-0x0000000004BE4000-memory.dmp | family_redline
behavioral1/memory/936-55-0x0000000004BA0000-0x0000000004BDE000-memory.dmp | family_redline
behavioral1/memory/936-61-0x0000000004BA0000-0x0000000004BDE000-memory.dmp | family_redline
behavioral1/memory/936-107-0x0000000004BA0000-0x0000000004BDE000-memory.dmp | family_redline
behavioral1/memory/936-105-0x0000000004BA0000-0x0000000004BDE000-memory.dmp | family_redline
behavioral1/memory/936-103-0x0000000004BA0000-0x0000000004BDE000-memory.dmp | family_redline
behavioral1/memory/936-101-0x0000000004BA0000-0x0000000004BDE000-memory.dmp | family_redline
behavioral1/memory/936-99-0x0000000004BA0000-0x0000000004BDE000-memory.dmp | family_redline
behavioral1/memory/936-97-0x0000000004BA0000-0x0000000004BDE000-memory.dmp | family_redline
behavioral1/memory/936-93-0x0000000004BA0000-0x0000000004BDE000-memory.dmp | family_redline
behavioral1/memory/936-91-0x0000000004BA0000-0x0000000004BDE000-memory.dmp | family_redline
behavioral1/memory/936-89-0x0000000004BA0000-0x0000000004BDE000-memory.dmp | family_redline
behavioral1/memory/936-87-0x0000000004BA0000-0x0000000004BDE000-memory.dmp | family_redline
behavioral1/memory/936-85-0x0000000004BA0000-0x0000000004BDE000-memory.dmp | family_redline
behavioral1/memory/936-83-0x0000000004BA0000-0x0000000004BDE000-memory.dmp | family_redline
behavioral1/memory/936-81-0x0000000004BA0000-0x0000000004BDE000-memory.dmp | family_redline
behavioral1/memory/936-79-0x0000000004BA0000-0x0000000004BDE000-memory.dmp | family_redline
behavioral1/memory/936-77-0x0000000004BA0000-0x0000000004BDE000-memory.dmp | family_redline
behavioral1/memory/936-75-0x0000000004BA0000-0x0000000004BDE000-memory.dmp | family_redline
behavioral1/memory/936-71-0x0000000004BA0000-0x0000000004BDE000-memory.dmp | family_redline
behavioral1/memory/936-69-0x0000000004BA0000-0x0000000004BDE000-memory.dmp | family_redline
behavioral1/memory/936-67-0x0000000004BA0000-0x0000000004BDE000-memory.dmp | family_redline
behavioral1/memory/936-65-0x0000000004BA0000-0x0000000004BDE000-memory.dmp | family_redline
behavioral1/memory/936-63-0x0000000004BA0000-0x0000000004BDE000-memory.dmp | family_redline
behavioral1/memory/936-59-0x0000000004BA0000-0x0000000004BDE000-memory.dmp | family_redline
behavioral1/memory/936-57-0x0000000004BA0000-0x0000000004BDE000-memory.dmp | family_redline
behavioral1/memory/936-53-0x0000000004BA0000-0x0000000004BDE000-memory.dmp | family_redline
behavioral1/memory/936-51-0x0000000004BA0000-0x0000000004BDE000-memory.dmp | family_redline
behavioral1/memory/936-49-0x0000000004BA0000-0x0000000004BDE000-memory.dmp | family_redline
behavioral1/memory/936-47-0x0000000004BA0000-0x0000000004BDE000-memory.dmp | family_redline
behavioral1/memory/936-95-0x0000000004BA0000-0x0000000004BDE000-memory.dmp | family_redline
behavioral1/memory/936-73-0x0000000004BA0000-0x0000000004BDE000-memory.dmp | family_redline
behavioral1/memory/936-45-0x0000000004BA0000-0x0000000004BDE000-memory.dmp | family_redline
behavioral1/memory/936-44-0x0000000004BA0000-0x0000000004BDE000-memory.dmp | family_redline

Redline family
Executes dropped EXE (6 IoCs)
pid | Process
4688 | pltk78KY92.exe
3592 | plLp40Et24.exe
3332 | plri63Pl01.exe
4692 | plzd01yK88.exe
4992 | burb05ow48.exe
936 | cazU71UZ39.exe

Windows security modification
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" | burb05ow48.exe

Adds Run key to start application (2 TTPs, 5 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | pltk78KY92.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" | plLp40Et24.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" | plri63Pl01.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\"" | plzd01yK88.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | b03ed36ef5a90fbff1d1db8fb5ceafc2d142c7173621209460b5740512a3cb2d.exe
System Location Discovery: System Language Discovery (1 TTPs, 6 IoCs)
Attempts to gather information about the system language of a victim host in order to infer that host's geographical location.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | b03ed36ef5a90fbff1d1db8fb5ceafc2d142c7173621209460b5740512a3cb2d.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | pltk78KY92.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | plLp40Et24.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | plri63Pl01.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | plzd01yK88.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cazU71UZ39.exe
Suspicious behavior: EnumeratesProcesses (2 IoCs)
pid | Process
4992 | burb05ow48.exe
4992 | burb05ow48.exe

Suspicious use of AdjustPrivilegeToken (2 IoCs)
description | pid | Process
Token: SeDebugPrivilege | 4992 | burb05ow48.exe
Token: SeDebugPrivilege | 936 | cazU71UZ39.exe

Suspicious use of WriteProcessMemory (17 IoCs)
description | pid | Process | procid_target
PID 2460 wrote to memory of 4688 | 2460 | b03ed36ef5a90fbff1d1db8fb5ceafc2d142c7173621209460b5740512a3cb2d.exe | 84
PID 2460 wrote to memory of 4688 | 2460 | b03ed36ef5a90fbff1d1db8fb5ceafc2d142c7173621209460b5740512a3cb2d.exe | 84
PID 2460 wrote to memory of 4688 | 2460 | b03ed36ef5a90fbff1d1db8fb5ceafc2d142c7173621209460b5740512a3cb2d.exe | 84
PID 4688 wrote to memory of 3592 | 4688 | pltk78KY92.exe | 85
PID 4688 wrote to memory of 3592 | 4688 | pltk78KY92.exe | 85
PID 4688 wrote to memory of 3592 | 4688 | pltk78KY92.exe | 85
PID 3592 wrote to memory of 3332 | 3592 | plLp40Et24.exe | 86
PID 3592 wrote to memory of 3332 | 3592 | plLp40Et24.exe | 86
PID 3592 wrote to memory of 3332 | 3592 | plLp40Et24.exe | 86
PID 3332 wrote to memory of 4692 | 3332 | plri63Pl01.exe | 87
PID 3332 wrote to memory of 4692 | 3332 | plri63Pl01.exe | 87
PID 3332 wrote to memory of 4692 | 3332 | plri63Pl01.exe | 87
PID 4692 wrote to memory of 4992 | 4692 | plzd01yK88.exe | 89
PID 4692 wrote to memory of 4992 | 4692 | plzd01yK88.exe | 89
PID 4692 wrote to memory of 936 | 4692 | plzd01yK88.exe | 94
PID 4692 wrote to memory of 936 | 4692 | plzd01yK88.exe | 94
PID 4692 wrote to memory of 936 | 4692 | plzd01yK88.exe | 94
Processes

[1] C:\Users\Admin\AppData\Local\Temp\b03ed36ef5a90fbff1d1db8fb5ceafc2d142c7173621209460b5740512a3cb2d.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\b03ed36ef5a90fbff1d1db8fb5ceafc2d142c7173621209460b5740512a3cb2d.exe"
    PID: 2460
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory

    [2] C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\pltk78KY92.exe
        Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\pltk78KY92.exe
        PID: 4688
        - Executes dropped EXE
        - Adds Run key to start application
        - System Location Discovery: System Language Discovery
        - Suspicious use of WriteProcessMemory

        [3] C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\plLp40Et24.exe
            Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\plLp40Et24.exe
            PID: 3592
            - Executes dropped EXE
            - Adds Run key to start application
            - System Location Discovery: System Language Discovery
            - Suspicious use of WriteProcessMemory

            [4] C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\plri63Pl01.exe
                Command line: C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\plri63Pl01.exe
                PID: 3332
                - Executes dropped EXE
                - Adds Run key to start application
                - System Location Discovery: System Language Discovery
                - Suspicious use of WriteProcessMemory

                [5] C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\plzd01yK88.exe
                    Command line: C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\plzd01yK88.exe
                    PID: 4692
                    - Executes dropped EXE
                    - Adds Run key to start application
                    - System Location Discovery: System Language Discovery
                    - Suspicious use of WriteProcessMemory

                    [6] C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\burb05ow48.exe
                        Command line: C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\burb05ow48.exe
                        PID: 4992
                        - Modifies Windows Defender Real-time Protection settings
                        - Executes dropped EXE
                        - Windows security modification
                        - Suspicious behavior: EnumeratesProcesses
                        - Suspicious use of AdjustPrivilegeToken

                    [6] C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\cazU71UZ39.exe
                        Command line: C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\cazU71UZ39.exe
                        PID: 936
                        - Executes dropped EXE
                        - System Location Discovery: System Language Discovery
                        - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (1): Windows Service (1)
Downloads

Filesize: 997KB
MD5: 566ea140412a26e59f2b527fc398123f
SHA1: 3cc37e2b07ac89ce5948756462436b68e1dc1b28
SHA256: 7335d00b4a88369cb5f7fc7763f2d80e87ba15d7bd581939a678615316b4300a
SHA512: 58a3e05996d53fbbce2fd5a78546ff866711b18feac150245e57dead8c3e03f3dd9b129c347d61a836f3618b877a8b1fe63e75a9b34c7382b13b47485aa29d84

Filesize: 893KB
MD5: a511ed70957b9e939ef4ff9eb224c090
SHA1: b6cf6254fbfcba440cf5af1c78b7ff4cecaf72ae
SHA256: 047a07f7ffc304762f79fe68f4b8c0dec6361ec778960730a479ce5c888251db
SHA512: 68c5ff002d2aceb19af6e87461e74b17f02bb630622291bdf192e07e10f5d99e2c49b004df00212553b60d935cf705881afb456a0a032927d4b7e689dc35172c

Filesize: 667KB
MD5: f435c12c0ba119129f412159a8a342c3
SHA1: 6f6f9be3467d8a184093101844792c9be9e288a9
SHA256: ee4592bfdf85da8b00354b22fc2a7ca6eff082017993967d647afd07ce69f69d
SHA512: 4e13c1f4d25bee9d9bc09ac5c6fdd78c0f82f6bb93648fcc37f55d6e5a80dace81963aa54574ec9f0dae508f8b7713303c8d218c962df4d9e0de282ff25b1ff8

Filesize: 391KB
MD5: 9c4dc3ca1a69997f1929713bce0167e1
SHA1: 10f8c0f7269b7afb6b19cbaccc0684db1a6f7b95
SHA256: f834f53c552a87156975c562a6663316d5e068d754cd3fae69dd58167a4c01cc
SHA512: a14a4a0a58f77751affc1689c8f56488599a6ff5408b08bda190e5454e4e639d685fd16cfc54ea96366aac732e89b8a2ab70aa9bcb9cde6d9a85c3f65da2930c

Filesize: 17KB
MD5: ec64b3204b21fdfb532782f7bf107db0
SHA1: 282a94d6a782d3aa382cfff415d2ab0787bf7b7d
SHA256: 102cb8650c0331a7113705a537ab8991c555538761b1c3347c29df668741fd96
SHA512: 1c0e8aee1e148044f8aebdd1edcff30562e058e0a1b7b310214835723714ffb3fa9770c8ba164de3288cf4c7083ee7ee5b169181e5f4609b8f722404afa01b2b

Filesize: 303KB
MD5: 12a07204bf4c65efdd968689ed260c4e
SHA1: 8430e5110448dc962c4191a1a06b05c4e3c1a140
SHA256: e4666bb9e57296f0140b125a1c5e32f446659b0baa2c3d7fef87a7aef339433b
SHA512: 61dbfcedae6259039196942064d62cae0de853c6c5afa3547e6394e789ddf3c0acc6e94cd2c89c090c6f891a77565b0fe332b21da0afa5a5102f1d12d4f3989a