Analysis
max time kernel: 143s
max time network: 147s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 05-11-2024 22:35
Static task: static1
Behavioral task: behavioral1
Sample: 95ecfc19962afc152ba14fbd662c1564e6050e44dc673a1791d11697c9ab8048.exe
Resource: win10v2004-20241007-en
General
Target: 95ecfc19962afc152ba14fbd662c1564e6050e44dc673a1791d11697c9ab8048.exe
Size: 537KB
MD5: 880bd6a0e961c176c890113fe98a3107
SHA1: e844ca6be56c8947d1f35e63ae62533fbc0f62cc
SHA256: 95ecfc19962afc152ba14fbd662c1564e6050e44dc673a1791d11697c9ab8048
SHA512: d857e33d0ba2b1c7acb0870a73c58875002a95c003143f74b2bcca053e31ed61e92919cfe8202979d8cc60e483ef87dbc4acff458613b8efd51dc3e52bbeec90
SSDEEP: 12288:4MrOy90zp1aFfgs1wh3xJ/UHnHcwbm5ePofr5:2yRdgs1whBJ/48wbmIP45
Malware Config
Extracted
Family: redline
rosn
C2: 176.113.115.145:4125
auth_value: 050a19e1db4d0024b0f23b37dcf961f4
Signatures
Detects Healer, an antivirus disabler dropper (2 IoCs)
resource | yara_rule
behavioral1/files/0x0008000000023cc6-12.dat | healer
behavioral1/memory/2136-15-0x00000000002B0000-0x00000000002BA000-memory.dmp | healer
Healer family
Modifies Windows Defender Real-time Protection settings
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | jr085943.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | jr085943.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | jr085943.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | jr085943.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | jr085943.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | jr085943.exe
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
RedLine payload (35 IoCs)
Redline family
Executes dropped EXE (3 IoCs)
pid | Process
4768 | zibB1386.exe
2136 | jr085943.exe
2720 | ku750082.exe
Windows security modification
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" | jr085943.exe
Adds Run key to start application (2 TTPs, 2 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | 95ecfc19962afc152ba14fbd662c1564e6050e44dc673a1791d11697c9ab8048.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | zibB1386.exe
System Location Discovery: System Language Discovery (1 TTPs, 3 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 95ecfc19962afc152ba14fbd662c1564e6050e44dc673a1791d11697c9ab8048.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | zibB1386.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | ku750082.exe
Suspicious behavior: EnumeratesProcesses (2 IoCs)
pid | Process
2136 | jr085943.exe
2136 | jr085943.exe
Suspicious use of AdjustPrivilegeToken (2 IoCs)
description | pid | Process
Token: SeDebugPrivilege | 2136 | jr085943.exe
Token: SeDebugPrivilege | 2720 | ku750082.exe
Suspicious use of WriteProcessMemory (8 IoCs)
description | pid | Process | procid_target
PID 2968 wrote to memory of 4768 | 2968 | 95ecfc19962afc152ba14fbd662c1564e6050e44dc673a1791d11697c9ab8048.exe | 84
PID 2968 wrote to memory of 4768 | 2968 | 95ecfc19962afc152ba14fbd662c1564e6050e44dc673a1791d11697c9ab8048.exe | 84
PID 2968 wrote to memory of 4768 | 2968 | 95ecfc19962afc152ba14fbd662c1564e6050e44dc673a1791d11697c9ab8048.exe | 84
PID 4768 wrote to memory of 2136 | 4768 | zibB1386.exe | 85
PID 4768 wrote to memory of 2136 | 4768 | zibB1386.exe | 85
PID 4768 wrote to memory of 2720 | 4768 | zibB1386.exe | 96
PID 4768 wrote to memory of 2720 | 4768 | zibB1386.exe | 96
PID 4768 wrote to memory of 2720 | 4768 | zibB1386.exe | 96
Processes
C:\Users\Admin\AppData\Local\Temp\95ecfc19962afc152ba14fbd662c1564e6050e44dc673a1791d11697c9ab8048.exe
  "C:\Users\Admin\AppData\Local\Temp\95ecfc19962afc152ba14fbd662c1564e6050e44dc673a1791d11697c9ab8048.exe"
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID: 2968
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zibB1386.exe
    C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zibB1386.exe
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID: 4768
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr085943.exe
      C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr085943.exe
      - Modifies Windows Defender Real-time Protection settings
      - Executes dropped EXE
      - Windows security modification
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      PID: 2136
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku750082.exe
      C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku750082.exe
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious use of AdjustPrivilegeToken
      PID: 2720
Network
MITRE ATT&CK Enterprise v15
Persistence
  Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder (1)
  Create or Modify System Process: Windows Service (1)
Downloads
Filesize: 395KB
MD5: 327cac6981764ab2e108eb094928a36b
SHA1: 797698d2a85b1d07b12bbc6bb99893fba2ecda94
SHA256: 18cdec35a9bc9aa9f0056b28bdff87de83f2831d3a86bf892fb71570203dac6b
SHA512: 72d33b96ef79371d0e21ba583b93d442be9089d256ebe335bf24207efaa5127da2d4d840016ba43f0c956d9ae7e6083bd56d2007b9988ffb06c6ca94307c22f6

Filesize: 14KB
MD5: 4f4a4f495a4023bd010d20b36602c53d
SHA1: 4bf774e85190a52495a197af0e161535fac931a3
SHA256: 0a485b319dba0ac3e624fe0145df38f42319b793b76bc98d36b80cc93f82b1ab
SHA512: 52cc7fa9694ed5208f147fc7bb6d73b2a2eb7db1a711723638d44f8fdeec7b3cf258e8721916bfbfd913cbd621f245c2e44df306b1fdad5129b100a54274034b

Filesize: 352KB
MD5: 7df740b83b84a8a9a88ef3f428347d49
SHA1: 7fa0cdff0684361d9f6b1a3dd804a5b363777339
SHA256: cea8b92b0c56083711533888db14ce08d8f984d595e1d7ae8daf8ae1cefdd589
SHA512: 317d8bd44d3964a9373174171feb1586b7611bc00ef40a462cc669cf2d96947b606a0b2144ce1e1a1b8874ab1a065a706a8bcf9e51fd6c143ad696bd9fedc27c