Analysis
-
max time kernel
149s -
max time network
153s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
05-11-2024 21:49
Static task
static1
Behavioral task
behavioral1
Sample
23e80d088bbf7828699c2cff3ec35722ea27cc5b05731d5b2198379285df36f1.exe
Resource
win10v2004-20241007-en
General
-
Target
23e80d088bbf7828699c2cff3ec35722ea27cc5b05731d5b2198379285df36f1.exe
-
Size
529KB
-
MD5
68a39e44973249672b4bd0329e82e82c
-
SHA1
d00599880e166d0a2dc6b526b4288e49c4327303
-
SHA256
23e80d088bbf7828699c2cff3ec35722ea27cc5b05731d5b2198379285df36f1
-
SHA512
c8a68ce4ce905ed248a593f5ef7ac565da2cd8d1e50110f8aaebc55b6230e00374f8c058fec604b4050f62b02ee414707899c2ab51cd23268bac9cf874efd1f3
-
SSDEEP
12288:aMrBy90tnc0RyoT8FlXc9hbTJlAWyeCOz1cwnjJWf:nyuMtCTJOb/Oz1hwf
Malware Config
Extracted
redline
rosn
176.113.115.145:4125
-
auth_value
050a19e1db4d0024b0f23b37dcf961f4
Signatures
-
Detects Healer an antivirus disabler dropper 2 IoCs
resource yara_rule
behavioral1/files/0x0008000000023c9d-12.dat healer
behavioral1/memory/5016-15-0x0000000000260000-0x000000000026A000-memory.dmp healer
-
Healer family
-
description ioc Process
Key created \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection jr555512.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" jr555512.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" jr555512.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" jr555512.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" jr555512.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" jr555512.exe
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 35 IoCs
-
Redline family
-
Executes dropped EXE 3 IoCs
pid Process
2180 ziLb0378.exe
5016 jr555512.exe
4632 ku150331.exe
-
description ioc Process
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" jr555512.exe
-
Adds Run key to start application 2 TTPs 2 IoCs
description ioc Process
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" 23e80d088bbf7828699c2cff3ec35722ea27cc5b05731d5b2198379285df36f1.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" ziLb0378.exe
-
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 23e80d088bbf7828699c2cff3ec35722ea27cc5b05731d5b2198379285df36f1.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ziLb0378.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ku150331.exe
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
pid Process
5016 jr555512.exe
5016 jr555512.exe
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
description pid Process
Token: SeDebugPrivilege 5016 jr555512.exe
Token: SeDebugPrivilege 4632 ku150331.exe
-
Suspicious use of WriteProcessMemory 8 IoCs
description pid Process procid_target
PID 4824 wrote to memory of 2180 4824 23e80d088bbf7828699c2cff3ec35722ea27cc5b05731d5b2198379285df36f1.exe 84
PID 4824 wrote to memory of 2180 4824 23e80d088bbf7828699c2cff3ec35722ea27cc5b05731d5b2198379285df36f1.exe 84
PID 4824 wrote to memory of 2180 4824 23e80d088bbf7828699c2cff3ec35722ea27cc5b05731d5b2198379285df36f1.exe 84
PID 2180 wrote to memory of 5016 2180 ziLb0378.exe 85
PID 2180 wrote to memory of 5016 2180 ziLb0378.exe 85
PID 2180 wrote to memory of 4632 2180 ziLb0378.exe 90
PID 2180 wrote to memory of 4632 2180 ziLb0378.exe 90
PID 2180 wrote to memory of 4632 2180 ziLb0378.exe 90
Processes
-
C:\Users\Admin\AppData\Local\Temp\23e80d088bbf7828699c2cff3ec35722ea27cc5b05731d5b2198379285df36f1.exe"C:\Users\Admin\AppData\Local\Temp\23e80d088bbf7828699c2cff3ec35722ea27cc5b05731d5b2198379285df36f1.exe"1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4824 -
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziLb0378.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziLb0378.exe2⤵
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2180 -
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr555512.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr555512.exe3⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5016
-
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku150331.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku150331.exe3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:4632
-
-
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution: 1
Registry Run Keys / Startup Folder: 1
Create or Modify System Process: 1
Windows Service: 1
Downloads