Analysis
max time kernel: 145s
max time network: 149s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 07/11/2024, 02:40
Static task: static1
Behavioral task: behavioral1
Sample: 8fb96ea4bb20343081a18910f7d1f7b59f67ed801b32c610eb738fa584836cb2.exe
Resource: win10v2004-20241007-en
General
Target: 8fb96ea4bb20343081a18910f7d1f7b59f67ed801b32c610eb738fa584836cb2.exe
Size: 1.1MB
MD5: 57c49e7719cc816bd25bd1e778391edf
SHA1: 724365b02ed28afc72673ed3250fba8285b4d85c
SHA256: 8fb96ea4bb20343081a18910f7d1f7b59f67ed801b32c610eb738fa584836cb2
SHA512: 5778016ffc8a4b8ba4b2da45935c84fb98842af652b0d92f397fffb518a26114cd92f1b52c5835af039942705e31c6c57f3df072f014bb1a741cafb737803c3d
SSDEEP: 12288:WMrLy90GmBAlygB8E8h1Ktc4T5hTHk9AP4L/uWo3vGPg1wSjvFpkJ4XdkPfAceWO:Ry1bsMX8h1yVvw9buthmkFOSdoA/9
Malware Config
Extracted
Family: redline
Botnet: rodik
C2: 193.233.20.23:4124
auth_value: 59b6e22e7cfd9b5fa0c99d1942f7c85d
Signatures

Detects Healer, an antivirus disabler dropper (2 IoCs)
resource | yara_rule
behavioral1/files/0x0008000000023c9d-26.dat | healer
behavioral1/memory/4460-28-0x0000000000550000-0x000000000055A000-memory.dmp | healer

Healer family

Modifies Windows Defender Real-time Protection settings (6 IoCs)
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | iNT92JN.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | iNT92JN.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | iNT92JN.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | iNT92JN.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | iNT92JN.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | iNT92JN.exe
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.

RedLine payload (35 IoCs)
resource | yara_rule
behavioral1/memory/1784-34-0x0000000004BE0000-0x0000000004C26000-memory.dmp | family_redline
behavioral1/memory/1784-36-0x0000000007190000-0x00000000071D4000-memory.dmp | family_redline
behavioral1/memory/1784-50-0x0000000007190000-0x00000000071CF000-memory.dmp | family_redline
behavioral1/memory/1784-52-0x0000000007190000-0x00000000071CF000-memory.dmp | family_redline
behavioral1/memory/1784-98-0x0000000007190000-0x00000000071CF000-memory.dmp | family_redline
behavioral1/memory/1784-96-0x0000000007190000-0x00000000071CF000-memory.dmp | family_redline
behavioral1/memory/1784-94-0x0000000007190000-0x00000000071CF000-memory.dmp | family_redline
behavioral1/memory/1784-92-0x0000000007190000-0x00000000071CF000-memory.dmp | family_redline
behavioral1/memory/1784-90-0x0000000007190000-0x00000000071CF000-memory.dmp | family_redline
behavioral1/memory/1784-88-0x0000000007190000-0x00000000071CF000-memory.dmp | family_redline
behavioral1/memory/1784-84-0x0000000007190000-0x00000000071CF000-memory.dmp | family_redline
behavioral1/memory/1784-82-0x0000000007190000-0x00000000071CF000-memory.dmp | family_redline
behavioral1/memory/1784-80-0x0000000007190000-0x00000000071CF000-memory.dmp | family_redline
behavioral1/memory/1784-78-0x0000000007190000-0x00000000071CF000-memory.dmp | family_redline
behavioral1/memory/1784-76-0x0000000007190000-0x00000000071CF000-memory.dmp | family_redline
behavioral1/memory/1784-74-0x0000000007190000-0x00000000071CF000-memory.dmp | family_redline
behavioral1/memory/1784-72-0x0000000007190000-0x00000000071CF000-memory.dmp | family_redline
behavioral1/memory/1784-70-0x0000000007190000-0x00000000071CF000-memory.dmp | family_redline
behavioral1/memory/1784-68-0x0000000007190000-0x00000000071CF000-memory.dmp | family_redline
behavioral1/memory/1784-66-0x0000000007190000-0x00000000071CF000-memory.dmp | family_redline
behavioral1/memory/1784-64-0x0000000007190000-0x00000000071CF000-memory.dmp | family_redline
behavioral1/memory/1784-62-0x0000000007190000-0x00000000071CF000-memory.dmp | family_redline
behavioral1/memory/1784-60-0x0000000007190000-0x00000000071CF000-memory.dmp | family_redline
behavioral1/memory/1784-58-0x0000000007190000-0x00000000071CF000-memory.dmp | family_redline
behavioral1/memory/1784-56-0x0000000007190000-0x00000000071CF000-memory.dmp | family_redline
behavioral1/memory/1784-48-0x0000000007190000-0x00000000071CF000-memory.dmp | family_redline
behavioral1/memory/1784-100-0x0000000007190000-0x00000000071CF000-memory.dmp | family_redline
behavioral1/memory/1784-46-0x0000000007190000-0x00000000071CF000-memory.dmp | family_redline
behavioral1/memory/1784-44-0x0000000007190000-0x00000000071CF000-memory.dmp | family_redline
behavioral1/memory/1784-42-0x0000000007190000-0x00000000071CF000-memory.dmp | family_redline
behavioral1/memory/1784-86-0x0000000007190000-0x00000000071CF000-memory.dmp | family_redline
behavioral1/memory/1784-40-0x0000000007190000-0x00000000071CF000-memory.dmp | family_redline
behavioral1/memory/1784-38-0x0000000007190000-0x00000000071CF000-memory.dmp | family_redline
behavioral1/memory/1784-54-0x0000000007190000-0x00000000071CF000-memory.dmp | family_redline
behavioral1/memory/1784-37-0x0000000007190000-0x00000000071CF000-memory.dmp | family_redline

Redline family
Executes dropped EXE (5 IoCs)
pid | Process
1232 | sVE65PH76.exe
3520 | srX37jJ41.exe
4768 | saq72Ff13.exe
4460 | iNT92JN.exe
1784 | kkj98JQ.exe

Windows security modification (1 IoC)
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" | iNT92JN.exe
Adds Run key to start application (2 TTPs, 4 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | 8fb96ea4bb20343081a18910f7d1f7b59f67ed801b32c610eb738fa584836cb2.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | sVE65PH76.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" | srX37jJ41.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" | saq72Ff13.exe
System Location Discovery: System Language Discovery (1 TTP, 5 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | srX37jJ41.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | saq72Ff13.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | kkj98JQ.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 8fb96ea4bb20343081a18910f7d1f7b59f67ed801b32c610eb738fa584836cb2.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | sVE65PH76.exe
Suspicious behavior: EnumeratesProcesses (2 IoCs)
pid | Process
4460 | iNT92JN.exe
4460 | iNT92JN.exe

Suspicious use of AdjustPrivilegeToken (2 IoCs)
description | pid | Process
Token: SeDebugPrivilege | 4460 | iNT92JN.exe
Token: SeDebugPrivilege | 1784 | kkj98JQ.exe

Suspicious use of WriteProcessMemory (14 IoCs)
description | pid | Process | procid_target
PID 2564 wrote to memory of 1232 | 2564 | 8fb96ea4bb20343081a18910f7d1f7b59f67ed801b32c610eb738fa584836cb2.exe | 82
PID 2564 wrote to memory of 1232 | 2564 | 8fb96ea4bb20343081a18910f7d1f7b59f67ed801b32c610eb738fa584836cb2.exe | 82
PID 2564 wrote to memory of 1232 | 2564 | 8fb96ea4bb20343081a18910f7d1f7b59f67ed801b32c610eb738fa584836cb2.exe | 82
PID 1232 wrote to memory of 3520 | 1232 | sVE65PH76.exe | 83
PID 1232 wrote to memory of 3520 | 1232 | sVE65PH76.exe | 83
PID 1232 wrote to memory of 3520 | 1232 | sVE65PH76.exe | 83
PID 3520 wrote to memory of 4768 | 3520 | srX37jJ41.exe | 84
PID 3520 wrote to memory of 4768 | 3520 | srX37jJ41.exe | 84
PID 3520 wrote to memory of 4768 | 3520 | srX37jJ41.exe | 84
PID 4768 wrote to memory of 4460 | 4768 | saq72Ff13.exe | 86
PID 4768 wrote to memory of 4460 | 4768 | saq72Ff13.exe | 86
PID 4768 wrote to memory of 1784 | 4768 | saq72Ff13.exe | 96
PID 4768 wrote to memory of 1784 | 4768 | saq72Ff13.exe | 96
PID 4768 wrote to memory of 1784 | 4768 | saq72Ff13.exe | 96
Processes

[1] C:\Users\Admin\AppData\Local\Temp\8fb96ea4bb20343081a18910f7d1f7b59f67ed801b32c610eb738fa584836cb2.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\8fb96ea4bb20343081a18910f7d1f7b59f67ed801b32c610eb738fa584836cb2.exe"
    PID: 2564
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory

    [2] C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\sVE65PH76.exe
        Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\sVE65PH76.exe
        PID: 1232
        - Executes dropped EXE
        - Adds Run key to start application
        - System Location Discovery: System Language Discovery
        - Suspicious use of WriteProcessMemory

        [3] C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\srX37jJ41.exe
            Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\srX37jJ41.exe
            PID: 3520
            - Executes dropped EXE
            - Adds Run key to start application
            - System Location Discovery: System Language Discovery
            - Suspicious use of WriteProcessMemory

            [4] C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\saq72Ff13.exe
                Command line: C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\saq72Ff13.exe
                PID: 4768
                - Executes dropped EXE
                - Adds Run key to start application
                - System Location Discovery: System Language Discovery
                - Suspicious use of WriteProcessMemory

                [5] C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\iNT92JN.exe
                    Command line: C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\iNT92JN.exe
                    PID: 4460
                    - Modifies Windows Defender Real-time Protection settings
                    - Executes dropped EXE
                    - Windows security modification
                    - Suspicious behavior: EnumeratesProcesses
                    - Suspicious use of AdjustPrivilegeToken

                [5] C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\kkj98JQ.exe
                    Command line: C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\kkj98JQ.exe
                    PID: 1784
                    - Executes dropped EXE
                    - System Location Discovery: System Language Discovery
                    - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Persistence
  Boot or Logon Autostart Execution (1)
    Registry Run Keys / Startup Folder (1)
  Create or Modify System Process (1)
    Windows Service (1)
Downloads

Filesize: 905KB
MD5: 41288373432a73184167966c46465d3e
SHA1: 77e34bdafa177fa7e9c148b8b44ce450e91c3324
SHA256: 20248e9f11ba2792db80b181086fb94ebbdea0b314a60be93e547e42657010a7
SHA512: b22ecf771ed103f3b4a4ea3cf31ae99fb8ec1237bc818131726db20bc235649207120e1e51acb5cd76bb77fff4416568cba1958947ded2f5727c93d0acff0937

Filesize: 682KB
MD5: 803bead51b64f1d47818c3c8de41a52a
SHA1: 2b6542fd9001056ccf1a702cfdf32fc536ba3589
SHA256: e153e41f67febc814a63aba356167861400b378a4782faafc8845fbe57c08a34
SHA512: e3382318084a7c1ed2cded1eeefa3a4b98929a410c59794fd092a1114145381d610d95e65b9c3a892eb2b3b4f643ad314fa425096448c1f41f58b49a5f3ab0f4

Filesize: 399KB
MD5: 59d1dd6f1027ec76e8f60ebfb87bb2c3
SHA1: 20720894881ad763c165ced843d3e18920458ccb
SHA256: 8877e6541a946e3ae5966211f09de3913bc66c399e046b0057baff16b3d86b60
SHA512: 76ea5ddb13cfdd96c98c1aef65600ac4ef6f17a6b8ad06d366dc052faa2a61362d97f5717281baea832adac1f2f5b0f3344ffe5999b0c70e1cad760935f190a4

Filesize: 11KB
MD5: 04f3c63ce81835b2054683bcfc3dde69
SHA1: cd1f5d0a2a905ac46c556dd1157ae6bfddfdae4e
SHA256: 7539469ced6e51a6dad4db72bc209948028e863dbda0a33910f700056964a6f9
SHA512: 0593f081909f7fd614dc073404527c64341929a90bf93fbdef9758100d99260eb94c8e521e70cae42cd9ee0921e93860588ab8e8a9f88c3cb819567f215277ad

Filesize: 362KB
MD5: 89043a2a2ea21c3bd2a007ecd51c585f
SHA1: 8a69615923db088e06a0ea0e6b9c0c910275573d
SHA256: f412aef193eb688eeac1e9cf396e0cc888d3be7ff19c9ce07f815b6a1bff3ecf
SHA512: 206203bb26173099ceb68ad16a0da6565181b9fc841bec240652f8d7c4f53325a6a1a4af0d33de1d77ad6c27a127189b4f6e4c0f6b354c378e995ce80f1527bd