Analysis
-
max time kernel
143s -
max time network
151s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
05-11-2024 21:01
Static task
static1
Behavioral task
behavioral1
Sample
26eba4f8b78335ec524bf72299bbb462cc688e7276ff8aea133bff80e22bc340.exe
Resource
win10v2004-20241007-en
General
-
Target
26eba4f8b78335ec524bf72299bbb462cc688e7276ff8aea133bff80e22bc340.exe
-
Size
533KB
-
MD5
52c8b4599d5035e4ad577f8276d2e835
-
SHA1
34360100387be5b8900576c5024b9948d9166068
-
SHA256
26eba4f8b78335ec524bf72299bbb462cc688e7276ff8aea133bff80e22bc340
-
SHA512
085035774dc6428f8bf5e564df127e28d153b27d4fa250b9db3744811e32fda0cd86a0fd420d9e8c0e15de1d4bd4199e01506873c25bb07d79d793d571d88ccc
-
SSDEEP
12288:sMrAy90K07oFjcrpdvRIadVrEqO3LqCh+1pJu:UyK8RAXEqO3GRU
Malware Config
Extracted
redline
rosn
176.113.115.145:4125
-
auth_value
050a19e1db4d0024b0f23b37dcf961f4
Signatures
-
Detects Healer an antivirus disabler dropper 2 IoCs
resource yara_rule behavioral1/files/0x000c000000023bb0-12.dat healer behavioral1/memory/2500-15-0x0000000000060000-0x000000000006A000-memory.dmp healer -
Healer family
-
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" jr515865.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" jr515865.exe Key created \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection jr515865.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" jr515865.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" jr515865.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" jr515865.exe -
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 35 IoCs
resource yara_rule behavioral1/memory/1084-22-0x0000000006050000-0x0000000006096000-memory.dmp family_redline behavioral1/memory/1084-24-0x00000000060D0000-0x0000000006114000-memory.dmp family_redline behavioral1/memory/1084-30-0x00000000060D0000-0x000000000610F000-memory.dmp family_redline behavioral1/memory/1084-36-0x00000000060D0000-0x000000000610F000-memory.dmp family_redline behavioral1/memory/1084-88-0x00000000060D0000-0x000000000610F000-memory.dmp family_redline behavioral1/memory/1084-84-0x00000000060D0000-0x000000000610F000-memory.dmp family_redline behavioral1/memory/1084-82-0x00000000060D0000-0x000000000610F000-memory.dmp family_redline behavioral1/memory/1084-80-0x00000000060D0000-0x000000000610F000-memory.dmp family_redline behavioral1/memory/1084-78-0x00000000060D0000-0x000000000610F000-memory.dmp family_redline behavioral1/memory/1084-76-0x00000000060D0000-0x000000000610F000-memory.dmp family_redline behavioral1/memory/1084-74-0x00000000060D0000-0x000000000610F000-memory.dmp family_redline behavioral1/memory/1084-72-0x00000000060D0000-0x000000000610F000-memory.dmp family_redline behavioral1/memory/1084-70-0x00000000060D0000-0x000000000610F000-memory.dmp family_redline behavioral1/memory/1084-68-0x00000000060D0000-0x000000000610F000-memory.dmp family_redline behavioral1/memory/1084-64-0x00000000060D0000-0x000000000610F000-memory.dmp family_redline behavioral1/memory/1084-62-0x00000000060D0000-0x000000000610F000-memory.dmp family_redline behavioral1/memory/1084-60-0x00000000060D0000-0x000000000610F000-memory.dmp family_redline behavioral1/memory/1084-58-0x00000000060D0000-0x000000000610F000-memory.dmp family_redline behavioral1/memory/1084-56-0x00000000060D0000-0x000000000610F000-memory.dmp family_redline behavioral1/memory/1084-54-0x00000000060D0000-0x000000000610F000-memory.dmp family_redline behavioral1/memory/1084-52-0x00000000060D0000-0x000000000610F000-memory.dmp family_redline behavioral1/memory/1084-50-0x00000000060D0000-0x000000000610F000-memory.dmp family_redline behavioral1/memory/1084-48-0x00000000060D0000-0x000000000610F000-memory.dmp family_redline behavioral1/memory/1084-44-0x00000000060D0000-0x000000000610F000-memory.dmp family_redline behavioral1/memory/1084-42-0x00000000060D0000-0x000000000610F000-memory.dmp family_redline behavioral1/memory/1084-40-0x00000000060D0000-0x000000000610F000-memory.dmp family_redline behavioral1/memory/1084-38-0x00000000060D0000-0x000000000610F000-memory.dmp family_redline behavioral1/memory/1084-34-0x00000000060D0000-0x000000000610F000-memory.dmp family_redline behavioral1/memory/1084-32-0x00000000060D0000-0x000000000610F000-memory.dmp family_redline behavioral1/memory/1084-86-0x00000000060D0000-0x000000000610F000-memory.dmp family_redline behavioral1/memory/1084-66-0x00000000060D0000-0x000000000610F000-memory.dmp family_redline behavioral1/memory/1084-46-0x00000000060D0000-0x000000000610F000-memory.dmp family_redline behavioral1/memory/1084-28-0x00000000060D0000-0x000000000610F000-memory.dmp family_redline behavioral1/memory/1084-26-0x00000000060D0000-0x000000000610F000-memory.dmp family_redline behavioral1/memory/1084-25-0x00000000060D0000-0x000000000610F000-memory.dmp family_redline -
Redline family
-
Executes dropped EXE 3 IoCs
pid Process 4524 ziNj0450.exe 2500 jr515865.exe 1084 ku323686.exe -
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" jr515865.exe -
Adds Run key to start application 2 TTPs 2 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" 26eba4f8b78335ec524bf72299bbb462cc688e7276ff8aea133bff80e22bc340.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" ziNj0450.exe -
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 26eba4f8b78335ec524bf72299bbb462cc688e7276ff8aea133bff80e22bc340.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ziNj0450.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ku323686.exe -
Suspicious behavior: EnumeratesProcesses 2 IoCs
pid Process 2500 jr515865.exe 2500 jr515865.exe -
Suspicious use of AdjustPrivilegeToken 2 IoCs
description pid Process Token: SeDebugPrivilege 2500 jr515865.exe Token: SeDebugPrivilege 1084 ku323686.exe -
Suspicious use of WriteProcessMemory 8 IoCs
description pid Process procid_target PID 5072 wrote to memory of 4524 5072 26eba4f8b78335ec524bf72299bbb462cc688e7276ff8aea133bff80e22bc340.exe 84 PID 5072 wrote to memory of 4524 5072 26eba4f8b78335ec524bf72299bbb462cc688e7276ff8aea133bff80e22bc340.exe 84 PID 5072 wrote to memory of 4524 5072 26eba4f8b78335ec524bf72299bbb462cc688e7276ff8aea133bff80e22bc340.exe 84 PID 4524 wrote to memory of 2500 4524 ziNj0450.exe 85 PID 4524 wrote to memory of 2500 4524 ziNj0450.exe 85 PID 4524 wrote to memory of 1084 4524 ziNj0450.exe 93 PID 4524 wrote to memory of 1084 4524 ziNj0450.exe 93 PID 4524 wrote to memory of 1084 4524 ziNj0450.exe 93
Processes
-
C:\Users\Admin\AppData\Local\Temp\26eba4f8b78335ec524bf72299bbb462cc688e7276ff8aea133bff80e22bc340.exe"C:\Users\Admin\AppData\Local\Temp\26eba4f8b78335ec524bf72299bbb462cc688e7276ff8aea133bff80e22bc340.exe"1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:5072 -
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziNj0450.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziNj0450.exe2⤵
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4524 -
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr515865.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr515865.exe3⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2500
-
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku323686.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku323686.exe3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:1084
-
-
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
392KB
MD5e609d0f2651b75efe32480ecbbace6bf
SHA1eab443bec1cc0a92c6891f98c5f8c9bc0d5732c6
SHA256d8b597649ff3d432c6c154b64fdcf1903705e82b91ec70ef245f5d4118c4565c
SHA51232403d1eb6c7fddce55b4cbe994f395d29ed8e6f336ed76ae03aed6afcee6e53483b3bbac619bfe5c035e02c4aae91557035fe9a0b3b52150f5f485482987f7e
-
Filesize
11KB
MD5ec79ce9f927cf61d4610ae4cc520e578
SHA1b5e068fa33f5a92038c1208f507ff7bba2bdd75c
SHA256062961affa282282b0178a277342fb669c099e22e89f585c221e8cebfdc08df6
SHA51254351113b29a706d7f6f80ffba43c93ea2bd2abfd2ef295f4d267101cce374b3090567780da856c5b46c66accf5dbadb937bece0866d335f1e3ec84e69b1d4b5
-
Filesize
359KB
MD5f5797cdb469963196bfbfe67f5e33bc6
SHA1054c0c6eba6794da00ecfae1cd0c60de8167945f
SHA256ce745a13ea5e77b76c57551e482543028c7c27abb83ed4f2a4591f86dd3a99a3
SHA512638440ebb73c082cb7ff025cd21f2bb2b5479202f9d97ed29b0fd6f439a3dd6cfcdd94bc304a86e607ee74117d02412565d73663b2dca436fce38176a4393aee