Analysis
max time kernel: 149s
max time network: 152s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 07/11/2024, 01:14
Static task: static1
Behavioral task: behavioral1
Sample: 8051b0ccaa40b8e46435f9d199a586ad5373065d6b9dcecf35fdb3c652740fe5.exe
Resource: win10v2004-20241007-en
General
Target: 8051b0ccaa40b8e46435f9d199a586ad5373065d6b9dcecf35fdb3c652740fe5.exe
Size: 1.1MB
MD5: 3d7c47cc2aee4b5ddc4ba017595db6a6
SHA1: 55636344ab48c703ea6bf04e95b33e0df95c8d2d
SHA256: 8051b0ccaa40b8e46435f9d199a586ad5373065d6b9dcecf35fdb3c652740fe5
SHA512: 68782f358a7392f2eb4580bd940d40fbb856d642abed4a7a8b8fff407c69403b268d5fa379b5366c2439613381a8594f96f29b65e748eb1bb4e3919d568412cd
SSDEEP: 24576:oyh47aVxGauglsVkVZdjQTrf6lq+J43qoK9SKzA:vhcaPGauEsV2HQbsq+CVK
Malware Config
Extracted
Family: redline
Botnet: rodik
C2: 193.233.20.23:4124
auth_value: 59b6e22e7cfd9b5fa0c99d1942f7c85d
Signatures
Detects Healer, an antivirus disabler dropper (2 IoCs)
resource | yara_rule
behavioral1/files/0x0008000000023c9e-26.dat | healer
behavioral1/memory/3008-28-0x0000000000560000-0x000000000056A000-memory.dmp | healer
Healer family
Modifies Windows Defender Real-time Protection settings (6 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | iNj79MS.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | iNj79MS.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | iNj79MS.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | iNj79MS.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | iNj79MS.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | iNj79MS.exe
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
RedLine payload (35 IoCs)
resource | yara_rule
behavioral1/memory/4140-34-0x0000000004BF0000-0x0000000004C36000-memory.dmp | family_redline
behavioral1/memory/4140-36-0x0000000007770000-0x00000000077B4000-memory.dmp | family_redline
behavioral1/memory/4140-44-0x0000000007770000-0x00000000077AF000-memory.dmp | family_redline
behavioral1/memory/4140-50-0x0000000007770000-0x00000000077AF000-memory.dmp | family_redline
behavioral1/memory/4140-100-0x0000000007770000-0x00000000077AF000-memory.dmp | family_redline
behavioral1/memory/4140-98-0x0000000007770000-0x00000000077AF000-memory.dmp | family_redline
behavioral1/memory/4140-96-0x0000000007770000-0x00000000077AF000-memory.dmp | family_redline
behavioral1/memory/4140-94-0x0000000007770000-0x00000000077AF000-memory.dmp | family_redline
behavioral1/memory/4140-92-0x0000000007770000-0x00000000077AF000-memory.dmp | family_redline
behavioral1/memory/4140-90-0x0000000007770000-0x00000000077AF000-memory.dmp | family_redline
behavioral1/memory/4140-88-0x0000000007770000-0x00000000077AF000-memory.dmp | family_redline
behavioral1/memory/4140-86-0x0000000007770000-0x00000000077AF000-memory.dmp | family_redline
behavioral1/memory/4140-84-0x0000000007770000-0x00000000077AF000-memory.dmp | family_redline
behavioral1/memory/4140-82-0x0000000007770000-0x00000000077AF000-memory.dmp | family_redline
behavioral1/memory/4140-80-0x0000000007770000-0x00000000077AF000-memory.dmp | family_redline
behavioral1/memory/4140-78-0x0000000007770000-0x00000000077AF000-memory.dmp | family_redline
behavioral1/memory/4140-74-0x0000000007770000-0x00000000077AF000-memory.dmp | family_redline
behavioral1/memory/4140-72-0x0000000007770000-0x00000000077AF000-memory.dmp | family_redline
behavioral1/memory/4140-70-0x0000000007770000-0x00000000077AF000-memory.dmp | family_redline
behavioral1/memory/4140-68-0x0000000007770000-0x00000000077AF000-memory.dmp | family_redline
behavioral1/memory/4140-67-0x0000000007770000-0x00000000077AF000-memory.dmp | family_redline
behavioral1/memory/4140-64-0x0000000007770000-0x00000000077AF000-memory.dmp | family_redline
behavioral1/memory/4140-62-0x0000000007770000-0x00000000077AF000-memory.dmp | family_redline
behavioral1/memory/4140-58-0x0000000007770000-0x00000000077AF000-memory.dmp | family_redline
behavioral1/memory/4140-56-0x0000000007770000-0x00000000077AF000-memory.dmp | family_redline
behavioral1/memory/4140-54-0x0000000007770000-0x00000000077AF000-memory.dmp | family_redline
behavioral1/memory/4140-52-0x0000000007770000-0x00000000077AF000-memory.dmp | family_redline
behavioral1/memory/4140-48-0x0000000007770000-0x00000000077AF000-memory.dmp | family_redline
behavioral1/memory/4140-46-0x0000000007770000-0x00000000077AF000-memory.dmp | family_redline
behavioral1/memory/4140-42-0x0000000007770000-0x00000000077AF000-memory.dmp | family_redline
behavioral1/memory/4140-40-0x0000000007770000-0x00000000077AF000-memory.dmp | family_redline
behavioral1/memory/4140-76-0x0000000007770000-0x00000000077AF000-memory.dmp | family_redline
behavioral1/memory/4140-60-0x0000000007770000-0x00000000077AF000-memory.dmp | family_redline
behavioral1/memory/4140-38-0x0000000007770000-0x00000000077AF000-memory.dmp | family_redline
behavioral1/memory/4140-37-0x0000000007770000-0x00000000077AF000-memory.dmp | family_redline
Redline family
Executes dropped EXE (5 IoCs)
pid | Process
1820 | sVY03EP16.exe
1008 | saE37fq29.exe
4392 | smU32lB60.exe
3008 | iNj79MS.exe
4140 | koJ02HY.exe
Windows security modification (1 IoC)
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" | iNj79MS.exe
Adds Run key to start application (2 TTPs, 4 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | 8051b0ccaa40b8e46435f9d199a586ad5373065d6b9dcecf35fdb3c652740fe5.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | sVY03EP16.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" | saE37fq29.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" | smU32lB60.exe
System Location Discovery: System Language Discovery (1 TTP, 5 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 8051b0ccaa40b8e46435f9d199a586ad5373065d6b9dcecf35fdb3c652740fe5.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | sVY03EP16.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | saE37fq29.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | smU32lB60.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | koJ02HY.exe
Suspicious behavior: EnumeratesProcesses (2 IoCs)
pid | Process
3008 | iNj79MS.exe
3008 | iNj79MS.exe
Suspicious use of AdjustPrivilegeToken (2 IoCs)
description | pid | Process
Token: SeDebugPrivilege | 3008 | iNj79MS.exe
Token: SeDebugPrivilege | 4140 | koJ02HY.exe
Suspicious use of WriteProcessMemory (14 IoCs)
description | pid | Process | procid_target
PID 3112 wrote to memory of 1820 | 3112 | 8051b0ccaa40b8e46435f9d199a586ad5373065d6b9dcecf35fdb3c652740fe5.exe | 83
PID 3112 wrote to memory of 1820 | 3112 | 8051b0ccaa40b8e46435f9d199a586ad5373065d6b9dcecf35fdb3c652740fe5.exe | 83
PID 3112 wrote to memory of 1820 | 3112 | 8051b0ccaa40b8e46435f9d199a586ad5373065d6b9dcecf35fdb3c652740fe5.exe | 83
PID 1820 wrote to memory of 1008 | 1820 | sVY03EP16.exe | 84
PID 1820 wrote to memory of 1008 | 1820 | sVY03EP16.exe | 84
PID 1820 wrote to memory of 1008 | 1820 | sVY03EP16.exe | 84
PID 1008 wrote to memory of 4392 | 1008 | saE37fq29.exe | 86
PID 1008 wrote to memory of 4392 | 1008 | saE37fq29.exe | 86
PID 1008 wrote to memory of 4392 | 1008 | saE37fq29.exe | 86
PID 4392 wrote to memory of 3008 | 4392 | smU32lB60.exe | 87
PID 4392 wrote to memory of 3008 | 4392 | smU32lB60.exe | 87
PID 4392 wrote to memory of 4140 | 4392 | smU32lB60.exe | 97
PID 4392 wrote to memory of 4140 | 4392 | smU32lB60.exe | 97
PID 4392 wrote to memory of 4140 | 4392 | smU32lB60.exe | 97
Processes
C:\Users\Admin\AppData\Local\Temp\8051b0ccaa40b8e46435f9d199a586ad5373065d6b9dcecf35fdb3c652740fe5.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\8051b0ccaa40b8e46435f9d199a586ad5373065d6b9dcecf35fdb3c652740fe5.exe"
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID: 3112
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\sVY03EP16.exe (depth 2)
    Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\sVY03EP16.exe
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID: 1820
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\saE37fq29.exe (depth 3)
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\saE37fq29.exe
      - Executes dropped EXE
      - Adds Run key to start application
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      PID: 1008
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\smU32lB60.exe (depth 4)
        Command line: C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\smU32lB60.exe
        - Executes dropped EXE
        - Adds Run key to start application
        - System Location Discovery: System Language Discovery
        - Suspicious use of WriteProcessMemory
        PID: 4392
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\iNj79MS.exe (depth 5)
          Command line: C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\iNj79MS.exe
          - Modifies Windows Defender Real-time Protection settings
          - Executes dropped EXE
          - Windows security modification
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
          PID: 3008
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\koJ02HY.exe (depth 5)
          Command line: C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\koJ02HY.exe
          - Executes dropped EXE
          - System Location Discovery: System Language Discovery
          - Suspicious use of AdjustPrivilegeToken
          PID: 4140
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (1)
  - Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (1)
  - Windows Service (1)
Downloads

Filesize: 906KB
MD5: 0c48443198836bed2d412b49a852bdbb
SHA1: fdd139aa10efa700a2f18a022dc995e9e9697d4b
SHA256: 2c0c8195814f4dd6268dcb8a28971851215c6833fd5ee6c9ebea5fa227e6ca16
SHA512: 56d36b3ef3373ed1897d87a1aad1bc7ab53b8fd9ec4578c1c0d1ab37ebcd0aa268b81576d9cf559900202a56e015d6dd95da8077444f452907fe5d6e89d02254

Filesize: 682KB
MD5: c919d05886ac6143a025c58301012f61
SHA1: 06ab29ef3daff24c45ecc6ad61e6bc0ad76a36d5
SHA256: 50922d00630558b9197fc7c1ae98742250e805ba7b27199d64ccf4a342572102
SHA512: c96b23ae67294e9be6e12e1622a815d7ab672958b369991749677b48f22fd266053653802c191128ebd9b11ad044a8b649fc1ea67f1d376f9788f05c7b1865ab

Filesize: 399KB
MD5: 8fcbc09ad7098522547609f48c66831b
SHA1: d93a1cb789b0ef4cd14e0fa2211deef814483614
SHA256: d49245074ab6612a095780fea461963d7b0030c21300b808568ac92a139bc81e
SHA512: f54898d517b511c67c13dc1a5849e0d5f98e5de99ee7ca3c911d9381710cb5bcb9cab8ea038dff9bf06256bf779947517855e7b078a8fbeda4ab6284e7f17a11

Filesize: 11KB
MD5: 4759c87cb8aae3b368ce489ed3888406
SHA1: 428b9a715af61d129a9a86145884f344a557f1aa
SHA256: 48ebc806315e6f54059fd03b98c5c853e0e3a457b1f1d8dc6fa61f57470b7f62
SHA512: e8b16bbc37b67efcbee78d2085487f57d909e4e84160e6fbef838a403f5642d86b330db35ea0887b89629176ed684a8d2c4ef76a32724dbb4b35aead6ef16d04

Filesize: 362KB
MD5: 89043a2a2ea21c3bd2a007ecd51c585f
SHA1: 8a69615923db088e06a0ea0e6b9c0c910275573d
SHA256: f412aef193eb688eeac1e9cf396e0cc888d3be7ff19c9ce07f815b6a1bff3ecf
SHA512: 206203bb26173099ceb68ad16a0da6565181b9fc841bec240652f8d7c4f53325a6a1a4af0d33de1d77ad6c27a127189b4f6e4c0f6b354c378e995ce80f1527bd