Analysis
-
max time kernel
149s -
max time network
153s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
09/11/2024, 21:47
Static task
static1
Behavioral task
behavioral1
Sample
51d8bd14eb366dce31331aa4a24ae95a0229bc8d6565188b2a0d7a198b074795.exe
Resource
win10v2004-20241007-en
General
-
Target
51d8bd14eb366dce31331aa4a24ae95a0229bc8d6565188b2a0d7a198b074795.exe
-
Size
1.0MB
-
MD5
e854694d1af63b4be83f4f350ad3cce5
-
SHA1
5844789aa97b9ca0da146f1233349440b2b4c53b
-
SHA256
51d8bd14eb366dce31331aa4a24ae95a0229bc8d6565188b2a0d7a198b074795
-
SHA512
a43df24d907ed5ea8b93562f645ba2fa4586e248a48c1a3cdb15bec0a1d6135df2f7be97413d29e2841855c0313fa5e2639938371bfa756c8d0a28c101457028
-
SSDEEP
24576:ByxV/Rg59zHuNOB8RfKg5Ng3gDtolzDxGAcqOv1k3FgoUoLk15P:0xt259buNnNgOmxGAOva3FgoVk
Malware Config
Extracted
redline
ramon
193.233.20.23:4123
-
auth_value
3197576965d9513f115338c233015b40
Signatures
-
Detects Healer an antivirus disabler dropper 2 IoCs
resource yara_rule behavioral1/files/0x0009000000023bc8-26.dat healer behavioral1/memory/2396-28-0x0000000000270000-0x000000000027A000-memory.dmp healer -
Healer family
-
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection bJy19NC20.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" bJy19NC20.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" bJy19NC20.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" bJy19NC20.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" bJy19NC20.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" bJy19NC20.exe -
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 35 IoCs
resource yara_rule behavioral1/memory/4976-34-0x0000000004AF0000-0x0000000004B36000-memory.dmp family_redline behavioral1/memory/4976-36-0x0000000004CE0000-0x0000000004D24000-memory.dmp family_redline behavioral1/memory/4976-38-0x0000000004CE0000-0x0000000004D1E000-memory.dmp family_redline behavioral1/memory/4976-49-0x0000000004CE0000-0x0000000004D1E000-memory.dmp family_redline behavioral1/memory/4976-100-0x0000000004CE0000-0x0000000004D1E000-memory.dmp family_redline behavioral1/memory/4976-98-0x0000000004CE0000-0x0000000004D1E000-memory.dmp family_redline behavioral1/memory/4976-94-0x0000000004CE0000-0x0000000004D1E000-memory.dmp family_redline behavioral1/memory/4976-92-0x0000000004CE0000-0x0000000004D1E000-memory.dmp family_redline behavioral1/memory/4976-90-0x0000000004CE0000-0x0000000004D1E000-memory.dmp family_redline behavioral1/memory/4976-88-0x0000000004CE0000-0x0000000004D1E000-memory.dmp family_redline behavioral1/memory/4976-86-0x0000000004CE0000-0x0000000004D1E000-memory.dmp family_redline behavioral1/memory/4976-85-0x0000000004CE0000-0x0000000004D1E000-memory.dmp family_redline behavioral1/memory/4976-82-0x0000000004CE0000-0x0000000004D1E000-memory.dmp family_redline behavioral1/memory/4976-80-0x0000000004CE0000-0x0000000004D1E000-memory.dmp family_redline behavioral1/memory/4976-76-0x0000000004CE0000-0x0000000004D1E000-memory.dmp family_redline behavioral1/memory/4976-74-0x0000000004CE0000-0x0000000004D1E000-memory.dmp family_redline behavioral1/memory/4976-72-0x0000000004CE0000-0x0000000004D1E000-memory.dmp family_redline behavioral1/memory/4976-71-0x0000000004CE0000-0x0000000004D1E000-memory.dmp family_redline behavioral1/memory/4976-69-0x0000000004CE0000-0x0000000004D1E000-memory.dmp family_redline behavioral1/memory/4976-66-0x0000000004CE0000-0x0000000004D1E000-memory.dmp family_redline behavioral1/memory/4976-64-0x0000000004CE0000-0x0000000004D1E000-memory.dmp family_redline behavioral1/memory/4976-62-0x0000000004CE0000-0x0000000004D1E000-memory.dmp family_redline behavioral1/memory/4976-60-0x0000000004CE0000-0x0000000004D1E000-memory.dmp family_redline behavioral1/memory/4976-58-0x0000000004CE0000-0x0000000004D1E000-memory.dmp family_redline behavioral1/memory/4976-54-0x0000000004CE0000-0x0000000004D1E000-memory.dmp family_redline behavioral1/memory/4976-52-0x0000000004CE0000-0x0000000004D1E000-memory.dmp family_redline behavioral1/memory/4976-50-0x0000000004CE0000-0x0000000004D1E000-memory.dmp family_redline behavioral1/memory/4976-46-0x0000000004CE0000-0x0000000004D1E000-memory.dmp family_redline behavioral1/memory/4976-44-0x0000000004CE0000-0x0000000004D1E000-memory.dmp family_redline behavioral1/memory/4976-42-0x0000000004CE0000-0x0000000004D1E000-memory.dmp family_redline behavioral1/memory/4976-40-0x0000000004CE0000-0x0000000004D1E000-memory.dmp family_redline behavioral1/memory/4976-96-0x0000000004CE0000-0x0000000004D1E000-memory.dmp family_redline behavioral1/memory/4976-78-0x0000000004CE0000-0x0000000004D1E000-memory.dmp family_redline behavioral1/memory/4976-56-0x0000000004CE0000-0x0000000004D1E000-memory.dmp family_redline behavioral1/memory/4976-37-0x0000000004CE0000-0x0000000004D1E000-memory.dmp family_redline -
Redline family
-
Executes dropped EXE 5 IoCs
pid Process 436 piL62VW44.exe 4840 pcW54XJ41.exe 3060 psE80cX54.exe 2396 bJy19NC20.exe 4976 cth86MC20.exe -
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" bJy19NC20.exe -
Adds Run key to start application 2 TTPs 4 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" 51d8bd14eb366dce31331aa4a24ae95a0229bc8d6565188b2a0d7a198b074795.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" piL62VW44.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" pcW54XJ41.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" psE80cX54.exe -
System Location Discovery: System Language Discovery 1 TTPs 5 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cth86MC20.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 51d8bd14eb366dce31331aa4a24ae95a0229bc8d6565188b2a0d7a198b074795.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language piL62VW44.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pcW54XJ41.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language psE80cX54.exe -
Suspicious behavior: EnumeratesProcesses 2 IoCs
pid Process 2396 bJy19NC20.exe 2396 bJy19NC20.exe -
Suspicious use of AdjustPrivilegeToken 2 IoCs
description pid Process Token: SeDebugPrivilege 2396 bJy19NC20.exe Token: SeDebugPrivilege 4976 cth86MC20.exe -
Suspicious use of WriteProcessMemory 14 IoCs
description pid Process procid_target PID 2992 wrote to memory of 436 2992 51d8bd14eb366dce31331aa4a24ae95a0229bc8d6565188b2a0d7a198b074795.exe 83 PID 2992 wrote to memory of 436 2992 51d8bd14eb366dce31331aa4a24ae95a0229bc8d6565188b2a0d7a198b074795.exe 83 PID 2992 wrote to memory of 436 2992 51d8bd14eb366dce31331aa4a24ae95a0229bc8d6565188b2a0d7a198b074795.exe 83 PID 436 wrote to memory of 4840 436 piL62VW44.exe 84 PID 436 wrote to memory of 4840 436 piL62VW44.exe 84 PID 436 wrote to memory of 4840 436 piL62VW44.exe 84 PID 4840 wrote to memory of 3060 4840 pcW54XJ41.exe 85 PID 4840 wrote to memory of 3060 4840 pcW54XJ41.exe 85 PID 4840 wrote to memory of 3060 4840 pcW54XJ41.exe 85 PID 3060 wrote to memory of 2396 3060 psE80cX54.exe 86 PID 3060 wrote to memory of 2396 3060 psE80cX54.exe 86 PID 3060 wrote to memory of 4976 3060 psE80cX54.exe 91 PID 3060 wrote to memory of 4976 3060 psE80cX54.exe 91 PID 3060 wrote to memory of 4976 3060 psE80cX54.exe 91
Processes
-
C:\Users\Admin\AppData\Local\Temp\51d8bd14eb366dce31331aa4a24ae95a0229bc8d6565188b2a0d7a198b074795.exe"C:\Users\Admin\AppData\Local\Temp\51d8bd14eb366dce31331aa4a24ae95a0229bc8d6565188b2a0d7a198b074795.exe"1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2992 -
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\piL62VW44.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\piL62VW44.exe2⤵
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:436 -
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pcW54XJ41.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pcW54XJ41.exe3⤵
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4840 -
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\psE80cX54.exeC:\Users\Admin\AppData\Local\Temp\IXP002.TMP\psE80cX54.exe4⤵
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3060 -
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bJy19NC20.exeC:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bJy19NC20.exe5⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2396
-
-
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\cth86MC20.exeC:\Users\Admin\AppData\Local\Temp\IXP003.TMP\cth86MC20.exe5⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:4976
-
-
-
-
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
906KB
MD566fc2fccab41154dd1692cf3dc402f04
SHA1a7e9d3dca110b58ae9d94d76bed76d027671c55a
SHA25633ef0d6c87d4300ab29e4bebd2ae6bdfd994153c7c4acec0cb508b9040ae1310
SHA512b7579c5b6cf9e02025f15e99af5647b8b7403068d6b3de225bb3d48a0e88c9f2610bc9e739f954a166c07a25653fa8d3102d7babf2a0a46d78323829acac0a7c
-
Filesize
682KB
MD52b8cdcf379b6154ad54a20da79acf99c
SHA16d32cfef1047eb057e65a5dae2a3bec672c9eb75
SHA25628994a1c971308756dcc57d4a5713a47bcd12d7a67868860bc3b399b7032e2aa
SHA51274b037fbd607a9a519599433d0898b492ccc4a05b4331599c52727148bf39745bae03057dc00ee5917fb82cb8634a007680c47744ec4e0bba89ffb439e73f814
-
Filesize
399KB
MD5906162a64c40ed824ea68f25f2c8f0a3
SHA1228308df9cff615b9be308f064f9b5b18193c7e1
SHA2562ecc945d7ae3c7e5ccff80223284ce9c637a46545556aae43ca4a8d88c801655
SHA512c87ee814dc7f3f38ddc5eb1f2ba365081e18351dee54dbafd416ae535e1e6ef76120127b323787ab7ddd90d388a10891443753f79ce8d17f02a81db32ac791c6
-
Filesize
11KB
MD576989d4a2115b82a2049cdb33100157a
SHA1a88856b86bd4d4740012517c0fbfdebaccebe04a
SHA256fa80a2a8759ff817e06922be933215968a162f55089cd6f26190648fffb15be4
SHA51219719e3eed92c9d907ae53f7d9f77c6421f78d7c6c4094ea87b195f80816a474b124472a0fef4f5bd66eac4939fc89f885332b3a56912b18c4e694b9980107b6
-
Filesize
374KB
MD5f3855c4eadab09dffd655f592be5e9fb
SHA159f051e8d1dfd6784e4a2f84b3acf535b814009d
SHA2565f6c4ea9d0babf1692ddbdd16e61b0b70c3e3776ad1673414663104d1ce536db
SHA5122f4b3f7d9959319f4fa60bb7624465afd73f9c8e0665f4563fa04e2f5704b957d58975d9758f1d1b30bb1f02c7fa8515b2a2f8f80084d9a120142dae0fc2c4a1