Analysis
max time kernel: 144s
max time network: 150s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system
submitted: 04/11/2024, 20:53
Static task: static1
Behavioral task: behavioral1
Sample: ebe65e0737ca45ee5c62d55f90efd454619f61602e6e6484b9552d4af333abfa.exe
Resource: win10v2004-20241007-en
General
Target: ebe65e0737ca45ee5c62d55f90efd454619f61602e6e6484b9552d4af333abfa.exe
Size: 1.2MB
MD5: 87004da68d7aaf7fcc599923aa6fc90b
SHA1: 6187e9d99b4d8e3d2d37a5acc0f0860a6d0c9e32
SHA256: ebe65e0737ca45ee5c62d55f90efd454619f61602e6e6484b9552d4af333abfa
SHA512: d1ec6dd517468634f20d292c31cb95b8cc228e1bb71ebd015815b1617366c61f1db6e6d3d118d6a858b6dd59e9665ba36564516984bdc5e438606d97ea3b8373
SSDEEP: 24576:WyxhuBi2Us9mzywx5vyozYi5GyqsngKzhw00aAc:lGCsEzR6ozYi5Gyf80a
Malware Config
Extracted
Family: redline
Botnet: rumfa
C2: 193.233.20.24:4123
auth_value: 749d02a6b4ef1fa2ad908e44ec2296dc
Signatures

Detects Healer, an antivirus disabler dropper (2 IoCs)
  resource | yara_rule
  behavioral1/files/0x000b000000023b96-32.dat | healer
  behavioral1/memory/2964-35-0x00000000009A0000-0x00000000009AA000-memory.dmp | healer

Healer family

Modifies Windows Defender Real-time Protection settings
  description | ioc | Process
  Key created | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | buOX02aD75.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | buOX02aD75.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | buOX02aD75.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | buOX02aD75.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | buOX02aD75.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | buOX02aD75.exe
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.

RedLine payload (35 IoCs)
  resource | yara_rule
  behavioral1/memory/4444-41-0x0000000002460000-0x00000000024A6000-memory.dmp | family_redline
  behavioral1/memory/4444-43-0x0000000004B60000-0x0000000004BA4000-memory.dmp | family_redline
  behavioral1/memory/4444-63-0x0000000004B60000-0x0000000004B9E000-memory.dmp | family_redline
  behavioral1/memory/4444-65-0x0000000004B60000-0x0000000004B9E000-memory.dmp | family_redline
  behavioral1/memory/4444-107-0x0000000004B60000-0x0000000004B9E000-memory.dmp | family_redline
  behavioral1/memory/4444-103-0x0000000004B60000-0x0000000004B9E000-memory.dmp | family_redline
  behavioral1/memory/4444-101-0x0000000004B60000-0x0000000004B9E000-memory.dmp | family_redline
  behavioral1/memory/4444-99-0x0000000004B60000-0x0000000004B9E000-memory.dmp | family_redline
  behavioral1/memory/4444-98-0x0000000004B60000-0x0000000004B9E000-memory.dmp | family_redline
  behavioral1/memory/4444-95-0x0000000004B60000-0x0000000004B9E000-memory.dmp | family_redline
  behavioral1/memory/4444-93-0x0000000004B60000-0x0000000004B9E000-memory.dmp | family_redline
  behavioral1/memory/4444-89-0x0000000004B60000-0x0000000004B9E000-memory.dmp | family_redline
  behavioral1/memory/4444-87-0x0000000004B60000-0x0000000004B9E000-memory.dmp | family_redline
  behavioral1/memory/4444-85-0x0000000004B60000-0x0000000004B9E000-memory.dmp | family_redline
  behavioral1/memory/4444-83-0x0000000004B60000-0x0000000004B9E000-memory.dmp | family_redline
  behavioral1/memory/4444-81-0x0000000004B60000-0x0000000004B9E000-memory.dmp | family_redline
  behavioral1/memory/4444-79-0x0000000004B60000-0x0000000004B9E000-memory.dmp | family_redline
  behavioral1/memory/4444-77-0x0000000004B60000-0x0000000004B9E000-memory.dmp | family_redline
  behavioral1/memory/4444-75-0x0000000004B60000-0x0000000004B9E000-memory.dmp | family_redline
  behavioral1/memory/4444-74-0x0000000004B60000-0x0000000004B9E000-memory.dmp | family_redline
  behavioral1/memory/4444-71-0x0000000004B60000-0x0000000004B9E000-memory.dmp | family_redline
  behavioral1/memory/4444-69-0x0000000004B60000-0x0000000004B9E000-memory.dmp | family_redline
  behavioral1/memory/4444-67-0x0000000004B60000-0x0000000004B9E000-memory.dmp | family_redline
  behavioral1/memory/4444-61-0x0000000004B60000-0x0000000004B9E000-memory.dmp | family_redline
  behavioral1/memory/4444-59-0x0000000004B60000-0x0000000004B9E000-memory.dmp | family_redline
  behavioral1/memory/4444-55-0x0000000004B60000-0x0000000004B9E000-memory.dmp | family_redline
  behavioral1/memory/4444-51-0x0000000004B60000-0x0000000004B9E000-memory.dmp | family_redline
  behavioral1/memory/4444-49-0x0000000004B60000-0x0000000004B9E000-memory.dmp | family_redline
  behavioral1/memory/4444-105-0x0000000004B60000-0x0000000004B9E000-memory.dmp | family_redline
  behavioral1/memory/4444-91-0x0000000004B60000-0x0000000004B9E000-memory.dmp | family_redline
  behavioral1/memory/4444-57-0x0000000004B60000-0x0000000004B9E000-memory.dmp | family_redline
  behavioral1/memory/4444-53-0x0000000004B60000-0x0000000004B9E000-memory.dmp | family_redline
  behavioral1/memory/4444-47-0x0000000004B60000-0x0000000004B9E000-memory.dmp | family_redline
  behavioral1/memory/4444-45-0x0000000004B60000-0x0000000004B9E000-memory.dmp | family_redline
  behavioral1/memory/4444-44-0x0000000004B60000-0x0000000004B9E000-memory.dmp | family_redline

Redline family
Executes dropped EXE (6 IoCs)
  pid | Process
  4940 | plkE09YZ28.exe
  2216 | plNM24jf61.exe
  3608 | pllr83yu17.exe
  3196 | plOf35mo83.exe
  2964 | buOX02aD75.exe
  4444 | cauA06Zk63.exe

Windows security modification
  description | ioc | Process
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" | buOX02aD75.exe
Adds Run key to start application (2 TTPs, 5 IoCs)
  description | ioc | Process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" | plNM24jf61.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" | pllr83yu17.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\"" | plOf35mo83.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | ebe65e0737ca45ee5c62d55f90efd454619f61602e6e6484b9552d4af333abfa.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | plkE09YZ28.exe
System Location Discovery: System Language Discovery (1 TTP, 6 IoCs)
An attempt to gather information about the system language of a victim host in order to infer its geographical location.
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | ebe65e0737ca45ee5c62d55f90efd454619f61602e6e6484b9552d4af333abfa.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | plkE09YZ28.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | plNM24jf61.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | pllr83yu17.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | plOf35mo83.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cauA06Zk63.exe
Suspicious behavior: EnumeratesProcesses (2 IoCs)
  pid | Process
  2964 | buOX02aD75.exe
  2964 | buOX02aD75.exe

Suspicious use of AdjustPrivilegeToken (2 IoCs)
  description | pid | Process
  Token: SeDebugPrivilege | 2964 | buOX02aD75.exe
  Token: SeDebugPrivilege | 4444 | cauA06Zk63.exe

Suspicious use of WriteProcessMemory (17 IoCs)
  description | pid | Process | procid_target
  PID 2796 wrote to memory of 4940 | 2796 | ebe65e0737ca45ee5c62d55f90efd454619f61602e6e6484b9552d4af333abfa.exe | 84
  PID 2796 wrote to memory of 4940 | 2796 | ebe65e0737ca45ee5c62d55f90efd454619f61602e6e6484b9552d4af333abfa.exe | 84
  PID 2796 wrote to memory of 4940 | 2796 | ebe65e0737ca45ee5c62d55f90efd454619f61602e6e6484b9552d4af333abfa.exe | 84
  PID 4940 wrote to memory of 2216 | 4940 | plkE09YZ28.exe | 85
  PID 4940 wrote to memory of 2216 | 4940 | plkE09YZ28.exe | 85
  PID 4940 wrote to memory of 2216 | 4940 | plkE09YZ28.exe | 85
  PID 2216 wrote to memory of 3608 | 2216 | plNM24jf61.exe | 86
  PID 2216 wrote to memory of 3608 | 2216 | plNM24jf61.exe | 86
  PID 2216 wrote to memory of 3608 | 2216 | plNM24jf61.exe | 86
  PID 3608 wrote to memory of 3196 | 3608 | pllr83yu17.exe | 88
  PID 3608 wrote to memory of 3196 | 3608 | pllr83yu17.exe | 88
  PID 3608 wrote to memory of 3196 | 3608 | pllr83yu17.exe | 88
  PID 3196 wrote to memory of 2964 | 3196 | plOf35mo83.exe | 89
  PID 3196 wrote to memory of 2964 | 3196 | plOf35mo83.exe | 89
  PID 3196 wrote to memory of 4444 | 3196 | plOf35mo83.exe | 93
  PID 3196 wrote to memory of 4444 | 3196 | plOf35mo83.exe | 93
  PID 3196 wrote to memory of 4444 | 3196 | plOf35mo83.exe | 93
Processes

1. C:\Users\Admin\AppData\Local\Temp\ebe65e0737ca45ee5c62d55f90efd454619f61602e6e6484b9552d4af333abfa.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\ebe65e0737ca45ee5c62d55f90efd454619f61602e6e6484b9552d4af333abfa.exe"
   PID: 2796
   - Adds Run key to start application
   - System Location Discovery: System Language Discovery
   - Suspicious use of WriteProcessMemory

  2. C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\plkE09YZ28.exe
     Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\plkE09YZ28.exe
     PID: 4940
     - Executes dropped EXE
     - Adds Run key to start application
     - System Location Discovery: System Language Discovery
     - Suspicious use of WriteProcessMemory

    3. C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\plNM24jf61.exe
       Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\plNM24jf61.exe
       PID: 2216
       - Executes dropped EXE
       - Adds Run key to start application
       - System Location Discovery: System Language Discovery
       - Suspicious use of WriteProcessMemory

      4. C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pllr83yu17.exe
         Command line: C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pllr83yu17.exe
         PID: 3608
         - Executes dropped EXE
         - Adds Run key to start application
         - System Location Discovery: System Language Discovery
         - Suspicious use of WriteProcessMemory

        5. C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\plOf35mo83.exe
           Command line: C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\plOf35mo83.exe
           PID: 3196
           - Executes dropped EXE
           - Adds Run key to start application
           - System Location Discovery: System Language Discovery
           - Suspicious use of WriteProcessMemory

          6. C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\buOX02aD75.exe
             Command line: C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\buOX02aD75.exe
             PID: 2964
             - Modifies Windows Defender Real-time Protection settings
             - Executes dropped EXE
             - Windows security modification
             - Suspicious behavior: EnumeratesProcesses
             - Suspicious use of AdjustPrivilegeToken

          6. C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\cauA06Zk63.exe
             Command line: C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\cauA06Zk63.exe
             PID: 4444
             - Executes dropped EXE
             - System Location Discovery: System Language Discovery
             - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Persistence
  Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
  Create or Modify System Process (1): Windows Service (1)
Downloads

Filesize: 1.0MB
MD5: 650bcd0d8fb9043864586e4a0de07263
SHA1: 3d80875342b9c1a9d8c3e0c2edc572b4387473a5
SHA256: 1c25f73635ecc9719b5c3277697056db1d34d5272c56e0df574b9b6fd6c78d08
SHA512: 445ebd1be2d10a5eb02a938752b7a358b88d0f68a8f6533596c044230a826ee670b99d3a212a9268365fa772bece5c236773f8d0c43234b7b6f549ae0778fb3c

Filesize: 936KB
MD5: 0abddb8f1d5f487dfe24cbebd9d68745
SHA1: 0a57f6132c73b67d9f8bab0ede687e528d33b5be
SHA256: 92f3de7aad46c4cd5d5ad5e2ed79414fc2d4ed87b68be0c1d640496ced2196ba
SHA512: 45bbd59cde3734cae3819edc0d468c234b5e1ca0db6e17a57fb2135cc7b629f0fa89c1019c59150f36c4583048bd12bd5eb3df66eb871ef1d05b14bd8ba86f00

Filesize: 667KB
MD5: 0964ae7c0e17409bcc12b890f62bfbc8
SHA1: e4e6493155cd09369ef74ed568ca968ddcc10fbe
SHA256: 489a34febca86e024b5dbb50aac3dd4a17171bef1363be4b8e88f47953cb285f
SHA512: b5b21c99e922f44d31a2b6fb63dadc55885b4476a38c11a4021165f1bb367b2d883d7cc7204a7512953d1eb569a8a9d0472855e9c62cb1150aaa882f5f05b9af

Filesize: 391KB
MD5: c20375ce850eb00354f2ab32c9e4af65
SHA1: 4ece534d9a5b87a646d587e1c120ba3b6b02048d
SHA256: a8ab4314ef38d248de070aed98526ee80a0392a97f970dbac1888c2d5c82892f
SHA512: d6fdf1c59b050f8ca5eb488d47c841c35f1e0595c2f31091d84db788f179f7550c698da4bc87e4d660c298d86cbce7c2a055bd34970b2d9121b33f8988cf419a

Filesize: 16KB
MD5: 9179f02d7eac3d42bcc20ee9577ec01f
SHA1: 86f95654183c964d4d0dff1687db50ce1eaa2cb5
SHA256: dd80b6597b9dec7a6b794b745b96e5ca4c9e17a22afdb2c6870c362f15079422
SHA512: a1f316764154644444acbb63f29c276e8f717a6ac3ab1f86189479e5d208c78a903d7638a15ab568d4087881aa23a844b1e0f5d791981be5c35054b164ff77f7

Filesize: 302KB
MD5: 5b4052ee747278a02dac44898f59aaee
SHA1: 6b59810f74916a6921ea2276b57b6f5f61c79654
SHA256: baddc727c186e86b475b2b6dd68a39db563c8f1b6129e7e5f88fb4060cb7ee80
SHA512: 9d14b58234c4790199902771cecd0723a17e01e7fd1cc5a66d7d92e1848de7347e86429c8985ea885e345e0a80d550af5b4629c98a8e30142c8c21201d7e2c23