Analysis
-
max time kernel
143s -
max time network
155s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
05-11-2024 22:14
Static task
static1
Behavioral task
behavioral1
Sample
eb0431670cfbc66af8c8c4114a31fedb35b022519d5c8dcf2e46d1aadb116137.exe
Resource
win10v2004-20241007-en
General
-
Target
eb0431670cfbc66af8c8c4114a31fedb35b022519d5c8dcf2e46d1aadb116137.exe
-
Size
561KB
-
MD5
8f51bfa09372660c4245fb56e03d69e4
-
SHA1
97ea3fcd075c8210137856abf5fe02820e3dc5ae
-
SHA256
eb0431670cfbc66af8c8c4114a31fedb35b022519d5c8dcf2e46d1aadb116137
-
SHA512
bcb82162c82f5f1835c0079c9db02a686bc737752086113c47980ff94232a35c6f84881b4245e9864f3c431f93f5d438cfe33e33652721f619bc6438788963aa
-
SSDEEP
12288:BMrMy90Jpo/EWFwuuwbELzTm5HLxeXPMDhUdqE+NGCp:FySehK1/TmZLx+ES0NGCp
Malware Config
Extracted
redline
rosn
176.113.115.145:4125
-
auth_value
050a19e1db4d0024b0f23b37dcf961f4
Signatures
-
Detects Healer an antivirus disabler dropper 2 IoCs
resource yara_rule behavioral1/files/0x0008000000023c80-12.dat healer behavioral1/memory/912-15-0x0000000000290000-0x000000000029A000-memory.dmp healer -
Healer family
-
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" jr054536.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" jr054536.exe Key created \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection jr054536.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" jr054536.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" jr054536.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" jr054536.exe -
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 35 IoCs
resource yara_rule behavioral1/memory/2184-22-0x00000000027C0000-0x0000000002806000-memory.dmp family_redline behavioral1/memory/2184-24-0x00000000053B0000-0x00000000053F4000-memory.dmp family_redline behavioral1/memory/2184-28-0x00000000053B0000-0x00000000053EF000-memory.dmp family_redline behavioral1/memory/2184-36-0x00000000053B0000-0x00000000053EF000-memory.dmp family_redline behavioral1/memory/2184-88-0x00000000053B0000-0x00000000053EF000-memory.dmp family_redline behavioral1/memory/2184-86-0x00000000053B0000-0x00000000053EF000-memory.dmp family_redline behavioral1/memory/2184-82-0x00000000053B0000-0x00000000053EF000-memory.dmp family_redline behavioral1/memory/2184-80-0x00000000053B0000-0x00000000053EF000-memory.dmp family_redline behavioral1/memory/2184-78-0x00000000053B0000-0x00000000053EF000-memory.dmp family_redline behavioral1/memory/2184-76-0x00000000053B0000-0x00000000053EF000-memory.dmp family_redline behavioral1/memory/2184-74-0x00000000053B0000-0x00000000053EF000-memory.dmp family_redline behavioral1/memory/2184-72-0x00000000053B0000-0x00000000053EF000-memory.dmp family_redline behavioral1/memory/2184-70-0x00000000053B0000-0x00000000053EF000-memory.dmp family_redline behavioral1/memory/2184-68-0x00000000053B0000-0x00000000053EF000-memory.dmp family_redline behavioral1/memory/2184-66-0x00000000053B0000-0x00000000053EF000-memory.dmp family_redline behavioral1/memory/2184-64-0x00000000053B0000-0x00000000053EF000-memory.dmp family_redline behavioral1/memory/2184-62-0x00000000053B0000-0x00000000053EF000-memory.dmp family_redline behavioral1/memory/2184-58-0x00000000053B0000-0x00000000053EF000-memory.dmp family_redline behavioral1/memory/2184-56-0x00000000053B0000-0x00000000053EF000-memory.dmp family_redline behavioral1/memory/2184-54-0x00000000053B0000-0x00000000053EF000-memory.dmp family_redline behavioral1/memory/2184-52-0x00000000053B0000-0x00000000053EF000-memory.dmp family_redline behavioral1/memory/2184-50-0x00000000053B0000-0x00000000053EF000-memory.dmp family_redline behavioral1/memory/2184-48-0x00000000053B0000-0x00000000053EF000-memory.dmp family_redline behavioral1/memory/2184-46-0x00000000053B0000-0x00000000053EF000-memory.dmp family_redline behavioral1/memory/2184-42-0x00000000053B0000-0x00000000053EF000-memory.dmp family_redline behavioral1/memory/2184-40-0x00000000053B0000-0x00000000053EF000-memory.dmp family_redline behavioral1/memory/2184-38-0x00000000053B0000-0x00000000053EF000-memory.dmp family_redline behavioral1/memory/2184-34-0x00000000053B0000-0x00000000053EF000-memory.dmp family_redline behavioral1/memory/2184-32-0x00000000053B0000-0x00000000053EF000-memory.dmp family_redline behavioral1/memory/2184-30-0x00000000053B0000-0x00000000053EF000-memory.dmp family_redline behavioral1/memory/2184-84-0x00000000053B0000-0x00000000053EF000-memory.dmp family_redline behavioral1/memory/2184-60-0x00000000053B0000-0x00000000053EF000-memory.dmp family_redline behavioral1/memory/2184-44-0x00000000053B0000-0x00000000053EF000-memory.dmp family_redline behavioral1/memory/2184-26-0x00000000053B0000-0x00000000053EF000-memory.dmp family_redline behavioral1/memory/2184-25-0x00000000053B0000-0x00000000053EF000-memory.dmp family_redline -
Redline family
-
Executes dropped EXE 3 IoCs
pid Process 1728 zilr1226.exe 912 jr054536.exe 2184 ku709415.exe -
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" jr054536.exe -
Adds Run key to start application 2 TTPs 2 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" eb0431670cfbc66af8c8c4114a31fedb35b022519d5c8dcf2e46d1aadb116137.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" zilr1226.exe -
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language eb0431670cfbc66af8c8c4114a31fedb35b022519d5c8dcf2e46d1aadb116137.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language zilr1226.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ku709415.exe -
Suspicious behavior: EnumeratesProcesses 2 IoCs
pid Process 912 jr054536.exe 912 jr054536.exe -
Suspicious use of AdjustPrivilegeToken 2 IoCs
description pid Process Token: SeDebugPrivilege 912 jr054536.exe Token: SeDebugPrivilege 2184 ku709415.exe -
Suspicious use of WriteProcessMemory 8 IoCs
description pid Process procid_target PID 3996 wrote to memory of 1728 3996 eb0431670cfbc66af8c8c4114a31fedb35b022519d5c8dcf2e46d1aadb116137.exe 84 PID 3996 wrote to memory of 1728 3996 eb0431670cfbc66af8c8c4114a31fedb35b022519d5c8dcf2e46d1aadb116137.exe 84 PID 3996 wrote to memory of 1728 3996 eb0431670cfbc66af8c8c4114a31fedb35b022519d5c8dcf2e46d1aadb116137.exe 84 PID 1728 wrote to memory of 912 1728 zilr1226.exe 85 PID 1728 wrote to memory of 912 1728 zilr1226.exe 85 PID 1728 wrote to memory of 2184 1728 zilr1226.exe 93 PID 1728 wrote to memory of 2184 1728 zilr1226.exe 93 PID 1728 wrote to memory of 2184 1728 zilr1226.exe 93
Processes
-
C:\Users\Admin\AppData\Local\Temp\eb0431670cfbc66af8c8c4114a31fedb35b022519d5c8dcf2e46d1aadb116137.exe"C:\Users\Admin\AppData\Local\Temp\eb0431670cfbc66af8c8c4114a31fedb35b022519d5c8dcf2e46d1aadb116137.exe"1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3996 -
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zilr1226.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zilr1226.exe2⤵
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1728 -
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr054536.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr054536.exe3⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:912
-
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku709415.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku709415.exe3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:2184
-
-
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
407KB
MD5c6d932a1380d6bf75e6a9cbde1765b50
SHA1439dc397c9e6e028d2183449746c18c096a14c2b
SHA25612e6dc1687f79f6a34e728abb8e836501f435b784afc44677190c2ea6cb3364a
SHA512b815036936ca30b0efc94f3e7c2ace2b6c7b642689be54d6a2a2cad43a3f42ed7b40ece135f1c8222b9f25941c1717eb5a6d522d39ac24029c7ece63db29d869
-
Filesize
12KB
MD569ae814bd0f2f5c008c8c2e086c3e81c
SHA131a5ca19b25094ed72b287f709e75de8e2d984ea
SHA256254045ce880196020992a144f5f638c2b3367e0def65a90b771db13e37135ed8
SHA512d4253e3520c019b25a0bde87f1aa3af6205e1f63182dc89cf767847a7c8131d2382a907bc8da8c531450348ea0535cbd9ac37f89cd37cd61f6462c83f77459e3
-
Filesize
372KB
MD5c0e740b20f74d285eb0f581e59c92483
SHA18938c8deb4d6fa6e27e844f03e88b9fdb1c29494
SHA256b012c391d0272e4cf5e49f2272e65ffcb5f69a3cc6e6780a9f6c9cfb545297de
SHA5122ebe0be5335b801ec274845f7045702339571aa5b08718bc39b1978829951ceca67128cefb655b94e1d2c639c953d0102997ca7127281423ecc47d58331576d6