Analysis
max time kernel: 143s
max time network: 147s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 05/11/2024, 09:03
Static task: static1
Behavioral task: behavioral1
Sample: fb0e1ca50a06687dfabf55f8b8bd779cc3cb0cf0f8539f44e40eefee6cab9035.exe
Resource: win10v2004-20241007-en
General
Target: fb0e1ca50a06687dfabf55f8b8bd779cc3cb0cf0f8539f44e40eefee6cab9035.exe
Size: 1.1MB
MD5: 0a70815331bfecee9c13d11a968b31dd
SHA1: 9397bc6d15227410cf06b1ddf7597f7cbdcba87c
SHA256: fb0e1ca50a06687dfabf55f8b8bd779cc3cb0cf0f8539f44e40eefee6cab9035
SHA512: f28fcb24a6a4a2fb36f4a3206a0a223eab2cad44c44a5f6115b5645df809fc4d613e711d71530d44c69aa3e5c5a9bce33781142592914f360794108a8713c1a9
SSDEEP: 12288:1MrXy90nGCFVZIBZO+XDNxK7I4QRJh8g5EBXN85Xv7avojYUcT+xfI5UYevG4IYi:ayy2OABR48laXev7avoGTb5evaNKHpc
Malware Config
Extracted
Family: redline
Botnet: rodik
C2: 193.233.20.23:4124
auth_value: 59b6e22e7cfd9b5fa0c99d1942f7c85d
Signatures
-
Detects Healer, an antivirus disabler dropper (2 IoCs)
- behavioral1/files/0x0008000000023ca6-26.dat (yara_rule: healer)
- behavioral1/memory/2156-28-0x0000000000EE0000-0x0000000000EEA000-memory.dmp (yara_rule: healer)
-
Healer family
-
Modifies Windows Defender Real-time Protection settings
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" (bjh80Iq.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" (bjh80Iq.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" (bjh80Iq.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" (bjh80Iq.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" (bjh80Iq.exe)
- Key created \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection (bjh80Iq.exe)
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload (35 IoCs)
Redline family
-
Executes dropped EXE (5 IoCs)
- PID 4920: nVS74aK.exe
- PID 3432: nvA62Ub.exe
- PID 3988: nHW56Ho.exe
- PID 2156: bjh80Iq.exe
- PID 3284: bpv38aO26.exe
-
Windows security modification
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" (bjh80Iq.exe)
-
Adds Run key to start application (2 TTPs, 4 IoCs)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" (fb0e1ca50a06687dfabf55f8b8bd779cc3cb0cf0f8539f44e40eefee6cab9035.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" (nVS74aK.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" (nvA62Ub.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" (nHW56Ho.exe)
-
System Location Discovery: System Language Discovery (1 TTPs, 5 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
- Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (nVS74aK.exe)
- Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (nvA62Ub.exe)
- Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (nHW56Ho.exe)
- Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (bpv38aO26.exe)
- Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (fb0e1ca50a06687dfabf55f8b8bd779cc3cb0cf0f8539f44e40eefee6cab9035.exe)
-
Suspicious behavior: EnumeratesProcesses (2 IoCs)
- PID 2156: bjh80Iq.exe
- PID 2156: bjh80Iq.exe
-
Suspicious use of AdjustPrivilegeToken (2 IoCs)
- Token: SeDebugPrivilege, PID 2156 (bjh80Iq.exe)
- Token: SeDebugPrivilege, PID 3284 (bpv38aO26.exe)
-
Suspicious use of WriteProcessMemory (14 IoCs)
- PID 1432 wrote to memory of 4920 (fb0e1ca50a06687dfabf55f8b8bd779cc3cb0cf0f8539f44e40eefee6cab9035.exe, procid_target 84)
- PID 1432 wrote to memory of 4920 (fb0e1ca50a06687dfabf55f8b8bd779cc3cb0cf0f8539f44e40eefee6cab9035.exe, procid_target 84)
- PID 1432 wrote to memory of 4920 (fb0e1ca50a06687dfabf55f8b8bd779cc3cb0cf0f8539f44e40eefee6cab9035.exe, procid_target 84)
- PID 4920 wrote to memory of 3432 (nVS74aK.exe, procid_target 85)
- PID 4920 wrote to memory of 3432 (nVS74aK.exe, procid_target 85)
- PID 4920 wrote to memory of 3432 (nVS74aK.exe, procid_target 85)
- PID 3432 wrote to memory of 3988 (nvA62Ub.exe, procid_target 86)
- PID 3432 wrote to memory of 3988 (nvA62Ub.exe, procid_target 86)
- PID 3432 wrote to memory of 3988 (nvA62Ub.exe, procid_target 86)
- PID 3988 wrote to memory of 2156 (nHW56Ho.exe, procid_target 87)
- PID 3988 wrote to memory of 2156 (nHW56Ho.exe, procid_target 87)
- PID 3988 wrote to memory of 3284 (nHW56Ho.exe, procid_target 97)
- PID 3988 wrote to memory of 3284 (nHW56Ho.exe, procid_target 97)
- PID 3988 wrote to memory of 3284 (nHW56Ho.exe, procid_target 97)
Processes
-
C:\Users\Admin\AppData\Local\Temp\fb0e1ca50a06687dfabf55f8b8bd779cc3cb0cf0f8539f44e40eefee6cab9035.exe (level 1)
Command line: "C:\Users\Admin\AppData\Local\Temp\fb0e1ca50a06687dfabf55f8b8bd779cc3cb0cf0f8539f44e40eefee6cab9035.exe"
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID: 1432

  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nVS74aK.exe (level 2)
  Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nVS74aK.exe
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID: 4920

    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\nvA62Ub.exe (level 3)
    Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\nvA62Ub.exe
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID: 3432

      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\nHW56Ho.exe (level 4)
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\nHW56Ho.exe
      - Executes dropped EXE
      - Adds Run key to start application
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      PID: 3988

        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bjh80Iq.exe (level 5)
        Command line: C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bjh80Iq.exe
        - Modifies Windows Defender Real-time Protection settings
        - Executes dropped EXE
        - Windows security modification
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        PID: 2156

        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bpv38aO26.exe (level 5)
        Command line: C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bpv38aO26.exe
        - Executes dropped EXE
        - System Location Discovery: System Language Discovery
        - Suspicious use of AdjustPrivilegeToken
        PID: 3284
-
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (1)
  - Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (1)
  - Windows Service (1)
Downloads