Analysis

Max time kernel: 144s
Max time network: 148s
Platform: windows10-2004_x64
Resource: win10v2004-20241007-en
Resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
Submitted: 07/11/2024, 02:18

Static task: static1
Behavioral task: behavioral1
Sample: 5306029cf3f5d1aa9b16bcaecec6ae715ee7698bb72a2e4ade27d9af733f9825.exe
Resource: win10v2004-20241007-en
General

Target: 5306029cf3f5d1aa9b16bcaecec6ae715ee7698bb72a2e4ade27d9af733f9825.exe
Size: 1.1MB
MD5: 9ff253ffea39b6c0eb70dfccdb4a61ea
SHA1: b0b1d8432afb90fa71b79045fb894a59f7284cb7
SHA256: 5306029cf3f5d1aa9b16bcaecec6ae715ee7698bb72a2e4ade27d9af733f9825
SHA512: 0994180987067dceffe7f2be8f4578e8132430067b9eeaf8ce75a7416a4386c77143fae46cad2b6c405c273469d9e079eefca38437a933b2dd915089f62aa03d
SSDEEP: 24576:qyomk/4M1e8ml4UxwWHUqNgkl691A/E6YgUJhCsGW2hSYzO:xomi4Qe8mlAJEgkI6E6+YsGxhS
Malware Config

Extracted family: redline
Botnet: rodik
C2: 193.233.20.23:4124
auth_value: 59b6e22e7cfd9b5fa0c99d1942f7c85d
Signatures

Detects Healer an antivirus disabler dropper (2 IoCs)
resource | yara_rule
behavioral1/files/0x0008000000023c9f-26.dat | healer
behavioral1/memory/3860-28-0x00000000008C0000-0x00000000008CA000-memory.dmp | healer

Healer family

Modifies Windows Defender Real-time Protection settings (6 IoCs)
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | iVe48On.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | iVe48On.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | iVe48On.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | iVe48On.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | iVe48On.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | iVe48On.exe

All six writes come from iVe48On.exe, the Healer component, and target the policy hive rather than Defender's own configuration. The sandbox records the write succeeding; on a host where Tamper Protection is on these values are blocked or ignored, so the telemetry value lies in the attempt itself.
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
RedLine payload (35 IoCs)
resource | yara_rule
behavioral1/memory/2336-34-0x0000000004CC0000-0x0000000004D06000-memory.dmp | family_redline
behavioral1/memory/2336-36-0x0000000007770000-0x00000000077B4000-memory.dmp | family_redline
behavioral1/memory/2336-N-0x0000000007770000-0x00000000077AF000-memory.dmp | family_redline, for N in 37, 38, 40, 42, 44, 46, 48, 50, 52, 54, 56, 58, 60, 62, 64, 66, 68, 70, 72, 74, 76, 78, 80, 82, 84, 86, 88, 90, 92, 94, 96, 98, 100 (33 successive dumps of the same region in PID 2336)

Redline family
Executes dropped EXE (5 IoCs)
pid | Process
1020 | sGT14Yb32.exe
3060 | sZX35fF12.exe
5092 | svJ69so29.exe
3860 | iVe48On.exe
2336 | ktX38Ge.exe

Windows security modification (1 IoC)
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" | iVe48On.exe

Adds Run key to start application (2 TTPs, 4 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | 5306029cf3f5d1aa9b16bcaecec6ae715ee7698bb72a2e4ade27d9af733f9825.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | sGT14Yb32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" | sZX35fF12.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" | svJ69so29.exe

These RunOnce values are the standard clean-up entries written by the Windows self-extractor (wextract) each layer of this sample is packaged with: at next logon they delete the IXP00n.TMP extraction folder via advpack.dll's DelNodeRunDLL32 and do not start a payload. The signature therefore shows four nested SFX layers (IXP000 to IXP003), not persistence of the stealer itself.
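The registry entries above (the Real-Time Protection policy values and TamperProtection write by iVe48On.exe, and the wextract_cleanup RunOnce chain) are what a detection engineer would key on. The following is an added example, not code from the report or the sandbox: it scores a stream of registry set-value events for Healer-style Defender tampering and for a suspiciously deep self-extractor chain. The event dicts are constructed to mirror the report's IoCs (keys, value names, data and process names are copied from it); the dict layout, the function names and both alert thresholds are assumptions for this example.

```python
"""Flag Healer-style Defender tampering and nested wextract SFX chains
from registry set-value events (added example; constructed sample data)."""
import re
from collections import defaultdict

RTP_POLICY_KEY = (r"\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender"
                  r"\Real-Time Protection")
TAMPER_KEY = r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features"
RUNONCE_SUFFIX = r"\microsoft\windows\currentversion\runonce"

# Policy values that, when set to 1, switch off a Defender component.
# All five appear in the report for PID 3860 (iVe48On.exe).
RTP_DISABLE_VALUES = {
    "DisableRealtimeMonitoring", "DisableBehaviorMonitoring",
    "DisableOnAccessProtection", "DisableIOAVProtection",
    "DisableScanOnRealtimeEnable",
}
# wextract names its RunOnce clean-up entry wextract_cleanup<N>, N = nesting layer.
WEXTRACT_RE = re.compile(r"^wextract_cleanup(\d+)$", re.IGNORECASE)

RUNONCE_KEY = (r"\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows"
               r"\CurrentVersion\RunOnce")
CLEANUP = (r'rundll32.exe C:\Windows\system32\advpack.dll,DelNodeRunDLL32 '
           r'"C:\Users\Admin\AppData\Local\Temp\{}\"')

# Constructed events mirroring the report's registry IoCs (not real telemetry).
SAMPLE_EVENTS = [
    {"pid": 3016, "process": "5306029cf3f5d1aa9b16bcaecec6ae715ee7698bb72a2e4ade27d9af733f9825.exe",
     "key": RUNONCE_KEY, "value_name": "wextract_cleanup0", "data": CLEANUP.format("IXP000.TMP")},
    {"pid": 1020, "process": "sGT14Yb32.exe", "key": RUNONCE_KEY,
     "value_name": "wextract_cleanup1", "data": CLEANUP.format("IXP001.TMP")},
    {"pid": 3060, "process": "sZX35fF12.exe", "key": RUNONCE_KEY,
     "value_name": "wextract_cleanup2", "data": CLEANUP.format("IXP002.TMP")},
    {"pid": 5092, "process": "svJ69so29.exe", "key": RUNONCE_KEY,
     "value_name": "wextract_cleanup3", "data": CLEANUP.format("IXP003.TMP")},
    # Healer switching Defender off, then disabling Tamper Protection.
    *({"pid": 3860, "process": "iVe48On.exe", "key": RTP_POLICY_KEY, "value_name": v, "data": 1}
      for v in sorted(RTP_DISABLE_VALUES)),
    {"pid": 3860, "process": "iVe48On.exe", "key": TAMPER_KEY,
     "value_name": "TamperProtection", "data": 0},
]


def summarize(events):
    """Aggregate per-PID facts: which Defender values were disabled, whether
    TamperProtection was zeroed, and which wextract layers wrote clean-up entries."""
    per_pid = defaultdict(lambda: {"process": None, "rtp_disabled": set(),
                                   "tamper_off": False, "wextract_layers": set()})
    for ev in events:
        s = per_pid[ev["pid"]]
        s["process"] = ev["process"]
        key, name, data = ev["key"].lower(), ev["value_name"], str(ev["data"])
        if key == RTP_POLICY_KEY.lower() and name in RTP_DISABLE_VALUES and data == "1":
            s["rtp_disabled"].add(name)
        elif key == TAMPER_KEY.lower() and name == "TamperProtection" and data == "0":
            s["tamper_off"] = True
        elif key.endswith(RUNONCE_SUFFIX):
            m = WEXTRACT_RE.match(name)
            if m:
                s["wextract_layers"].add(int(m.group(1)))
    return dict(per_pid)


def findings(events, min_rtp_values=2, min_sfx_layers=3):
    """Turn the summary into named findings. Both thresholds are assumptions
    chosen for this example: one disabled value can be an admin script, a
    TamperProtection write or several disabled values together rarely is."""
    out = []
    summary = summarize(events)
    for pid, s in summary.items():
        if s["tamper_off"] or len(s["rtp_disabled"]) >= min_rtp_values:
            out.append({"finding": "defender_tamper", "pid": pid, "process": s["process"],
                        "rtp_disabled": sorted(s["rtp_disabled"]), "tamper_off": s["tamper_off"]})
    layers = set()
    for s in summary.values():
        layers |= s["wextract_layers"]
    if len(layers) >= min_sfx_layers:
        out.append({"finding": "nested_sfx_chain", "layers": sorted(layers)})
    return out


if __name__ == "__main__":
    for f in findings(SAMPLE_EVENTS):
        print(f)
```

Run against the constructed events this yields one `defender_tamper` finding for PID 3860 (all five values disabled plus TamperProtection = 0) and one `nested_sfx_chain` finding for layers 0 to 3. A single wextract_cleanup0 entry on its own is normal for any IExpress installer and stays below the threshold; the depth of the chain is the signal.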
System Location Discovery: System Language Discovery (1 TTP, 5 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 5306029cf3f5d1aa9b16bcaecec6ae715ee7698bb72a2e4ade27d9af733f9825.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | sGT14Yb32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | sZX35fF12.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | svJ69so29.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | ktX38Ge.exe
Suspicious behavior: EnumeratesProcesses (2 IoCs)
pid | Process
3860 | iVe48On.exe
3860 | iVe48On.exe

Suspicious use of AdjustPrivilegeToken (2 IoCs)
description | pid | Process
Token: SeDebugPrivilege | 3860 | iVe48On.exe
Token: SeDebugPrivilege | 2336 | ktX38Ge.exe

Suspicious use of WriteProcessMemory (14 IoCs)
description | pid | Process | procid_target
PID 3016 wrote to memory of 1020 | 3016 | 5306029cf3f5d1aa9b16bcaecec6ae715ee7698bb72a2e4ade27d9af733f9825.exe | 83
PID 3016 wrote to memory of 1020 | 3016 | 5306029cf3f5d1aa9b16bcaecec6ae715ee7698bb72a2e4ade27d9af733f9825.exe | 83
PID 3016 wrote to memory of 1020 | 3016 | 5306029cf3f5d1aa9b16bcaecec6ae715ee7698bb72a2e4ade27d9af733f9825.exe | 83
PID 1020 wrote to memory of 3060 | 1020 | sGT14Yb32.exe | 85
PID 1020 wrote to memory of 3060 | 1020 | sGT14Yb32.exe | 85
PID 1020 wrote to memory of 3060 | 1020 | sGT14Yb32.exe | 85
PID 3060 wrote to memory of 5092 | 3060 | sZX35fF12.exe | 86
PID 3060 wrote to memory of 5092 | 3060 | sZX35fF12.exe | 86
PID 3060 wrote to memory of 5092 | 3060 | sZX35fF12.exe | 86
PID 5092 wrote to memory of 3860 | 5092 | svJ69so29.exe | 87
PID 5092 wrote to memory of 3860 | 5092 | svJ69so29.exe | 87
PID 5092 wrote to memory of 2336 | 5092 | svJ69so29.exe | 94
PID 5092 wrote to memory of 2336 | 5092 | svJ69so29.exe | 94
PID 5092 wrote to memory of 2336 | 5092 | svJ69so29.exe | 94
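Every write in the table above goes from a parent to the child it has just launched, so the records double as a launch graph. The following is an added example, not part of the report: it parses records in the report's own layout, collapses the repeats, and rebuilds the chain from the submitted sample down to the two final-stage payloads. The record lines and the pid-to-image map are copied from the report (laid out one per line); the record grammar is inferred from those lines and the function names are assumptions.

```python
"""Rebuild the launch chain from sandbox WriteProcessMemory records
(added example; records copied from the report, one per line)."""
import re

WPM_RECORDS = """\
PID 3016 wrote to memory of 1020 3016 5306029cf3f5d1aa9b16bcaecec6ae715ee7698bb72a2e4ade27d9af733f9825.exe 83
PID 3016 wrote to memory of 1020 3016 5306029cf3f5d1aa9b16bcaecec6ae715ee7698bb72a2e4ade27d9af733f9825.exe 83
PID 3016 wrote to memory of 1020 3016 5306029cf3f5d1aa9b16bcaecec6ae715ee7698bb72a2e4ade27d9af733f9825.exe 83
PID 1020 wrote to memory of 3060 1020 sGT14Yb32.exe 85
PID 1020 wrote to memory of 3060 1020 sGT14Yb32.exe 85
PID 1020 wrote to memory of 3060 1020 sGT14Yb32.exe 85
PID 3060 wrote to memory of 5092 3060 sZX35fF12.exe 86
PID 3060 wrote to memory of 5092 3060 sZX35fF12.exe 86
PID 3060 wrote to memory of 5092 3060 sZX35fF12.exe 86
PID 5092 wrote to memory of 3860 5092 svJ69so29.exe 87
PID 5092 wrote to memory of 3860 5092 svJ69so29.exe 87
PID 5092 wrote to memory of 2336 5092 svJ69so29.exe 94
PID 5092 wrote to memory of 2336 5092 svJ69so29.exe 94
PID 5092 wrote to memory of 2336 5092 svJ69so29.exe 94
"""

# From the report's "Executes dropped EXE" table: pid -> image name.
DROPPED = {1020: "sGT14Yb32.exe", 3060: "sZX35fF12.exe", 5092: "svJ69so29.exe",
           3860: "iVe48On.exe", 2336: "ktX38Ge.exe"}

# Inferred grammar: PID <src> wrote to memory of <dst> <src> <src image> <target id>
WPM_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+) \1 (\S+) (\d+)$")


def parse_records(text):
    """Return the distinct (src_pid, dst_pid, src_image, target_id) records in
    first-seen order, plus how many times each was logged."""
    counts, order = {}, []
    for line in text.splitlines():
        m = WPM_RE.match(line.strip())
        if not m:
            continue  # tolerate headers or garbled lines
        rec = (int(m.group(1)), int(m.group(2)), m.group(3), int(m.group(4)))
        if rec not in counts:
            order.append(rec)
        counts[rec] = counts.get(rec, 0) + 1
    return order, counts


def build_tree(records, dropped):
    """Map each written-to PID to its writer. Treating the writer as the parent
    is valid here because every target is a freshly launched dropped EXE; on
    production telemetry take the parent from process-creation events instead."""
    parent, image = {}, dict(dropped)
    for src, dst, src_image, _ in records:
        parent[dst] = src
        image.setdefault(src, src_image)
    return parent, image


def lineage(pid, parent):
    """Root-to-leaf list of PIDs ending at pid."""
    chain = [pid]
    while chain[-1] in parent:
        chain.append(parent[chain[-1]])
    return chain[::-1]


def leaves(parent):
    """PIDs that were written to but never wrote to anything: the final stages."""
    writers = set(parent.values())
    return sorted(p for p in parent if p not in writers)


def render(parent, image):
    """One 'image(pid) -> ...' line per final-stage process."""
    return [" -> ".join(f"{image.get(p, '?')}({p})" for p in lineage(leaf, parent))
            for leaf in leaves(parent)]


if __name__ == "__main__":
    recs, counts = parse_records(WPM_RECORDS)
    parent, image = build_tree(recs, DROPPED)
    for line in render(parent, image):
        print(line)
    for (src, dst, _, _), n in counts.items():
        print(f"{src} -> {dst}: logged {n} times")
```

The output is the two chains an incident write-up needs: the submitted sample, three further SFX layers, and then svJ69so29.exe (PID 5092) launching both the Healer component (3860) and the RedLine payload (2336). The repeat count per pair (three for most launches here) is worth keeping: a handful of writes into a child at start-up looks very different from the sustained writes of a real injection, although the report alone cannot tell the two apart.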
Processes

[1] C:\Users\Admin\AppData\Local\Temp\5306029cf3f5d1aa9b16bcaecec6ae715ee7698bb72a2e4ade27d9af733f9825.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\5306029cf3f5d1aa9b16bcaecec6ae715ee7698bb72a2e4ade27d9af733f9825.exe"
    PID: 3016
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory

  [2] C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\sGT14Yb32.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\sGT14Yb32.exe
      PID: 1020
      - Executes dropped EXE
      - Adds Run key to start application
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory

    [3] C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sZX35fF12.exe
        Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sZX35fF12.exe
        PID: 3060
        - Executes dropped EXE
        - Adds Run key to start application
        - System Location Discovery: System Language Discovery
        - Suspicious use of WriteProcessMemory

      [4] C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\svJ69so29.exe
          Command line: C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\svJ69so29.exe
          PID: 5092
          - Executes dropped EXE
          - Adds Run key to start application
          - System Location Discovery: System Language Discovery
          - Suspicious use of WriteProcessMemory

        [5] C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\iVe48On.exe
            Command line: C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\iVe48On.exe
            PID: 3860
            - Modifies Windows Defender Real-time Protection settings
            - Executes dropped EXE
            - Windows security modification
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken

        [5] C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ktX38Ge.exe
            Command line: C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ktX38Ge.exe
            PID: 2336
            - Executes dropped EXE
            - System Location Discovery: System Language Discovery
            - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15

Persistence
  Boot or Logon Autostart Execution (1)
    Registry Run Keys / Startup Folder (1)
  Create or Modify System Process (1)
    Windows Service (1)
Downloads

Filesize: 963KB
MD5: 22c1a9074ddf65496dcc43ad3fcebfbb
SHA1: 764759675da39a12c870931349a14faf033f9f6b
SHA256: 16462b753be529c8725c668393de46d61685291203a55b40c23e88f2e8f2d4bc
SHA512: 5a6816f96c75cbb0b03a2a94ba14e2b6ac246f58c424f05d9cc89b2d5f3ccb29ea674ef9eaabf4d2a20f4b7ba5ddf57194c402fa29ff7e28ea8da936f00282e4

Filesize: 685KB
MD5: 7c3b8c5ceed9b9bff4c64070c979ffa9
SHA1: aa69d44c6a96763e97f570e743233549625249e2
SHA256: 1f1b976c4223d577342ed204ceb4e592ebf8840300f817b150530a4e99dc9761
SHA512: f3b2ce3b39eb4c226c47e571d473e3b7ab8fd392b7b6a3be7c6ea2d3a4e20ab6316d3789439cb744831c63c2860803fde7baed44ed59428573657c1c55caeb66

Filesize: 400KB
MD5: dae4c26c153780c2d75c6330eec4cd15
SHA1: 27b1d6575a51a7588ec579a2c7c4a7e4815f94ff
SHA256: d09e5e019bf2e21ccc84d2b0d6fb958992083cb384ff566e46a5ed5bb95caf47
SHA512: 3c6f6f6669eab9a6101f0308ac987c822c9a2804a0529a19c3d1cde4f0bc6c0156fe09fbfd61f41a6d0a5aae624da61f85ef6747def57dfbaaf141fe96d7b802

Filesize: 11KB
MD5: b1f79154e59b5f3e06ff6e21f24e7109
SHA1: af8f64023d822bb68d99911e7a450a23b4a80b93
SHA256: 71d7e954767d719978ae02ad4a6e75cce4f08e2cc394591528d7247678a523a9
SHA512: 1ec860288512bba7e493b9f4223de67b287507190fd1fa14f60e3f18e1d21b9a5d1b6a55bdb9b1c963d5305d6718b414be1ed2566b83e65c6e031a581f005fa2

Filesize: 344KB
MD5: a6adc2e80b48f93ba7b7a58f2465d794
SHA1: f27bbdf26dbb193c5f5e8ee97aea6e786562fd0a
SHA256: a8d3a71edf6a6d2a647021f26bc97cf728dccf92b22663e6b9624f43fff427f4
SHA512: ec7797e25e7ccc87ecd84b2e658ce547db2ee46329c78437c03b55117cc1c56a55a6c267f92aabf5debbad324d6233c87e102db12a3d562d769c08424ed79c41