Analysis
- max time kernel: 143s
- max time network: 153s
- platform: windows10-2004_x64
- resource: win10v2004-20241007-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 09/11/2024, 21:47
- Static task: static1
- Behavioral task: behavioral1
- Sample: 8b143622df1c5aa48a67188443989926ef6369fc24d953d03ab7f8288d8c2fd7.exe
- Resource: win10v2004-20241007-en
General
- Target: 8b143622df1c5aa48a67188443989926ef6369fc24d953d03ab7f8288d8c2fd7.exe
- Size: 1.2MB
- MD5: a582882fa3c18a93e66b217d05d9f6fb
- SHA1: 3b0e074a3bb8ee6a9328beaab0a8f14cf1727541
- SHA256: 8b143622df1c5aa48a67188443989926ef6369fc24d953d03ab7f8288d8c2fd7
- SHA512: 68df272a1aa13e89ca6b95a7208fb586b03b5720a4dff364a80c293bc115ef4a83db0147bdd64c203b044ad1e7e7f4fb645efd3f4329a3e8635fe7f28e4ec0a9
- SSDEEP: 24576:3yC6TDOji2Y9UelYsR1JFGDwEYIAKkIS0/1aJjC8ra:CnTDOjQ9UoR1nG0EYvbIF2CM
Malware Config
Extracted
- Family: redline
- Botnet: rumfa
- C2: 193.233.20.24:4123
- auth_value: 749d02a6b4ef1fa2ad908e44ec2296dc
Signatures

Detects Healer, an antivirus disabler dropper (2 IoCs)
- behavioral1/files/0x000b000000023c77-32.dat (yara_rule: healer)
- behavioral1/memory/3164-35-0x0000000000360000-0x000000000036A000-memory.dmp (yara_rule: healer)
Healer family

Modifies Windows Defender Real-time Protection settings
- Key created: \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection (budO52re96.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" (budO52re96.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" (budO52re96.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" (budO52re96.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" (budO52re96.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" (budO52re96.exe)
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.

RedLine payload (35 IoCs)
- behavioral1/memory/2184-41-0x0000000002750000-0x0000000002796000-memory.dmp (yara_rule: family_redline)
- behavioral1/memory/2184-43-0x0000000004B60000-0x0000000004BA4000-memory.dmp (yara_rule: family_redline)
- behavioral1/memory/2184-53-0x0000000004B60000-0x0000000004B9E000-memory.dmp (yara_rule: family_redline)
- behavioral1/memory/2184-67-0x0000000004B60000-0x0000000004B9E000-memory.dmp (yara_rule: family_redline)
- behavioral1/memory/2184-107-0x0000000004B60000-0x0000000004B9E000-memory.dmp (yara_rule: family_redline)
- behavioral1/memory/2184-105-0x0000000004B60000-0x0000000004B9E000-memory.dmp (yara_rule: family_redline)
- behavioral1/memory/2184-104-0x0000000004B60000-0x0000000004B9E000-memory.dmp (yara_rule: family_redline)
- behavioral1/memory/2184-101-0x0000000004B60000-0x0000000004B9E000-memory.dmp (yara_rule: family_redline)
- behavioral1/memory/2184-99-0x0000000004B60000-0x0000000004B9E000-memory.dmp (yara_rule: family_redline)
- behavioral1/memory/2184-95-0x0000000004B60000-0x0000000004B9E000-memory.dmp (yara_rule: family_redline)
- behavioral1/memory/2184-93-0x0000000004B60000-0x0000000004B9E000-memory.dmp (yara_rule: family_redline)
- behavioral1/memory/2184-91-0x0000000004B60000-0x0000000004B9E000-memory.dmp (yara_rule: family_redline)
- behavioral1/memory/2184-89-0x0000000004B60000-0x0000000004B9E000-memory.dmp (yara_rule: family_redline)
- behavioral1/memory/2184-87-0x0000000004B60000-0x0000000004B9E000-memory.dmp (yara_rule: family_redline)
- behavioral1/memory/2184-85-0x0000000004B60000-0x0000000004B9E000-memory.dmp (yara_rule: family_redline)
- behavioral1/memory/2184-83-0x0000000004B60000-0x0000000004B9E000-memory.dmp (yara_rule: family_redline)
- behavioral1/memory/2184-79-0x0000000004B60000-0x0000000004B9E000-memory.dmp (yara_rule: family_redline)
- behavioral1/memory/2184-78-0x0000000004B60000-0x0000000004B9E000-memory.dmp (yara_rule: family_redline)
- behavioral1/memory/2184-75-0x0000000004B60000-0x0000000004B9E000-memory.dmp (yara_rule: family_redline)
- behavioral1/memory/2184-71-0x0000000004B60000-0x0000000004B9E000-memory.dmp (yara_rule: family_redline)
- behavioral1/memory/2184-69-0x0000000004B60000-0x0000000004B9E000-memory.dmp (yara_rule: family_redline)
- behavioral1/memory/2184-65-0x0000000004B60000-0x0000000004B9E000-memory.dmp (yara_rule: family_redline)
- behavioral1/memory/2184-63-0x0000000004B60000-0x0000000004B9E000-memory.dmp (yara_rule: family_redline)
- behavioral1/memory/2184-61-0x0000000004B60000-0x0000000004B9E000-memory.dmp (yara_rule: family_redline)
- behavioral1/memory/2184-59-0x0000000004B60000-0x0000000004B9E000-memory.dmp (yara_rule: family_redline)
- behavioral1/memory/2184-57-0x0000000004B60000-0x0000000004B9E000-memory.dmp (yara_rule: family_redline)
- behavioral1/memory/2184-55-0x0000000004B60000-0x0000000004B9E000-memory.dmp (yara_rule: family_redline)
- behavioral1/memory/2184-51-0x0000000004B60000-0x0000000004B9E000-memory.dmp (yara_rule: family_redline)
- behavioral1/memory/2184-97-0x0000000004B60000-0x0000000004B9E000-memory.dmp (yara_rule: family_redline)
- behavioral1/memory/2184-81-0x0000000004B60000-0x0000000004B9E000-memory.dmp (yara_rule: family_redline)
- behavioral1/memory/2184-73-0x0000000004B60000-0x0000000004B9E000-memory.dmp (yara_rule: family_redline)
- behavioral1/memory/2184-49-0x0000000004B60000-0x0000000004B9E000-memory.dmp (yara_rule: family_redline)
- behavioral1/memory/2184-47-0x0000000004B60000-0x0000000004B9E000-memory.dmp (yara_rule: family_redline)
- behavioral1/memory/2184-45-0x0000000004B60000-0x0000000004B9E000-memory.dmp (yara_rule: family_redline)
- behavioral1/memory/2184-44-0x0000000004B60000-0x0000000004B9E000-memory.dmp (yara_rule: family_redline)
Redline family

Executes dropped EXE (6 IoCs)
- PID 984: plwR53XV66.exe
- PID 1148: pluw54Ay31.exe
- PID 760: plth89Ky84.exe
- PID 3996: plnT07rg77.exe
- PID 3164: budO52re96.exe
- PID 2184: caaT50kN16.exe
Windows security modification
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" (budO52re96.exe)
Adds Run key to start application (2 TTPs, 5 IoCs)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" (pluw54Ay31.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" (plth89Ky84.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\"" (plnT07rg77.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" (8b143622df1c5aa48a67188443989926ef6369fc24d953d03ab7f8288d8c2fd7.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" (plwR53XV66.exe)
System Location Discovery: System Language Discovery (1 TTPs, 6 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (8b143622df1c5aa48a67188443989926ef6369fc24d953d03ab7f8288d8c2fd7.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (plwR53XV66.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (pluw54Ay31.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (plth89Ky84.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (plnT07rg77.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (caaT50kN16.exe)
Suspicious behavior: EnumeratesProcesses (2 IoCs)
- PID 3164: budO52re96.exe
- PID 3164: budO52re96.exe

Suspicious use of AdjustPrivilegeToken (2 IoCs)
- Token: SeDebugPrivilege, PID 3164 (budO52re96.exe)
- Token: SeDebugPrivilege, PID 2184 (caaT50kN16.exe)

Suspicious use of WriteProcessMemory (17 IoCs)
- PID 3720 wrote to memory of 984 (8b143622df1c5aa48a67188443989926ef6369fc24d953d03ab7f8288d8c2fd7.exe, procid_target 85)
- PID 3720 wrote to memory of 984 (8b143622df1c5aa48a67188443989926ef6369fc24d953d03ab7f8288d8c2fd7.exe, procid_target 85)
- PID 3720 wrote to memory of 984 (8b143622df1c5aa48a67188443989926ef6369fc24d953d03ab7f8288d8c2fd7.exe, procid_target 85)
- PID 984 wrote to memory of 1148 (plwR53XV66.exe, procid_target 86)
- PID 984 wrote to memory of 1148 (plwR53XV66.exe, procid_target 86)
- PID 984 wrote to memory of 1148 (plwR53XV66.exe, procid_target 86)
- PID 1148 wrote to memory of 760 (pluw54Ay31.exe, procid_target 87)
- PID 1148 wrote to memory of 760 (pluw54Ay31.exe, procid_target 87)
- PID 1148 wrote to memory of 760 (pluw54Ay31.exe, procid_target 87)
- PID 760 wrote to memory of 3996 (plth89Ky84.exe, procid_target 89)
- PID 760 wrote to memory of 3996 (plth89Ky84.exe, procid_target 89)
- PID 760 wrote to memory of 3996 (plth89Ky84.exe, procid_target 89)
- PID 3996 wrote to memory of 3164 (plnT07rg77.exe, procid_target 90)
- PID 3996 wrote to memory of 3164 (plnT07rg77.exe, procid_target 90)
- PID 3996 wrote to memory of 2184 (plnT07rg77.exe, procid_target 91)
- PID 3996 wrote to memory of 2184 (plnT07rg77.exe, procid_target 91)
- PID 3996 wrote to memory of 2184 (plnT07rg77.exe, procid_target 91)
Processes
- C:\Users\Admin\AppData\Local\Temp\8b143622df1c5aa48a67188443989926ef6369fc24d953d03ab7f8288d8c2fd7.exe (depth 1, PID 3720)
  command line: "C:\Users\Admin\AppData\Local\Temp\8b143622df1c5aa48a67188443989926ef6369fc24d953d03ab7f8288d8c2fd7.exe"
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\plwR53XV66.exe (depth 2, PID 984)
    command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\plwR53XV66.exe
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pluw54Ay31.exe (depth 3, PID 1148)
      command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pluw54Ay31.exe
      - Executes dropped EXE
      - Adds Run key to start application
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\plth89Ky84.exe (depth 4, PID 760)
        command line: C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\plth89Ky84.exe
        - Executes dropped EXE
        - Adds Run key to start application
        - System Location Discovery: System Language Discovery
        - Suspicious use of WriteProcessMemory
        - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\plnT07rg77.exe (depth 5, PID 3996)
          command line: C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\plnT07rg77.exe
          - Executes dropped EXE
          - Adds Run key to start application
          - System Location Discovery: System Language Discovery
          - Suspicious use of WriteProcessMemory
          - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\budO52re96.exe (depth 6, PID 3164)
            command line: C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\budO52re96.exe
            - Modifies Windows Defender Real-time Protection settings
            - Executes dropped EXE
            - Windows security modification
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken
          - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\caaT50kN16.exe (depth 6, PID 2184)
            command line: C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\caaT50kN16.exe
            - Executes dropped EXE
            - System Location Discovery: System Language Discovery
            - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
- Persistence
  - Boot or Logon Autostart Execution (1)
    - Registry Run Keys / Startup Folder (1)
  - Create or Modify System Process (1)
    - Windows Service (1)
Downloads
- Filesize: 1.0MB
  MD5: f003153796f70e87fdf82c03b69c67e3
  SHA1: df3bfa6dd79848814c54d3b4e3ad6a7ffbc89c17
  SHA256: 9b41fd3db882884ed682679a542f29449f17fc9c66c3a4a751e308dbdb0a5bb9
  SHA512: 2c69211c098219cf8ecfcdb18c24d19545bf1085aa4bfa65c530f5402463aaff4731687286b9228740ef6dfd2c3c4b8b1d97d0a1b7c40d4bb1b8cf24e11c6044
- Filesize: 936KB
  MD5: bd7aad6029dd31a1044d70254b6757fc
  SHA1: 5ced6f16380ed50f684b20c464832a16735eba84
  SHA256: d00cf2953ee6328d0b3daaa61056a93100ca46e3a9796905744d446a886adf6b
  SHA512: fe66275dd5f1d6c6b960a95ea3590c384f04baaf247224471a226c5cd786af7e7259764c626b669c4aaece8a01f1596231abb59994ab17e645e81e825ba7b29f
- Filesize: 667KB
  MD5: 9e5806e118d5cf37a1b69b9ef3cae97c
  SHA1: 6aaf49fee6e81f30385addb960351df1651e1578
  SHA256: c2de137b70bad720eeb2ebf1e952dd3aeba45083875240674926227a34b138e0
  SHA512: 98e21af720a08495f335c7c3e983e8da37a92825ca1d81797087113b01f38c0949f2dd7e385b60733b8718b50fdfae045ae59c45a923874b49d7f0e0a1ebc286
- Filesize: 391KB
  MD5: 33e54a633f912b08a6d143e489dddc2c
  SHA1: b9f9a8eca74148c1815e5c3f7381b331112d7bfe
  SHA256: aa195070ece625d3cc583cb26ccff74972768ccfe965cd3055b61c65f6bb21f0
  SHA512: d7991c6ebc000baaaca1a876da423b5a34e637cbc428f252269e852f0fda29c4221166f1c7d6ab6e2077e69da656c0c08cd81443eeed8ac4774a404ebc735413
- Filesize: 17KB
  MD5: 96e6d9a63a0c85a0e6b1cda3dca13ddc
  SHA1: dad3842c8548ea821bec9a765d353b7a15f2a042
  SHA256: 6238087f85028aa0170f4e8a55bc0d29138c9dc9d8c1fdcae4d4b57c2d134178
  SHA512: 84957495bf0b2ad4dcb537c60d774754f3e35b0c5445c81d5a275a98b13a83c71209c636c59dbc609f81903a1c5e6d5f23fd1dc3a33fe0220b839edaa8e411b4
- Filesize: 303KB
  MD5: 12a07204bf4c65efdd968689ed260c4e
  SHA1: 8430e5110448dc962c4191a1a06b05c4e3c1a140
  SHA256: e4666bb9e57296f0140b125a1c5e32f446659b0baa2c3d7fef87a7aef339433b
  SHA512: 61dbfcedae6259039196942064d62cae0de853c6c5afa3547e6394e789ddf3c0acc6e94cd2c89c090c6f891a77565b0fe332b21da0afa5a5102f1d12d4f3989a