Analysis
-
max time kernel
148s -
max time network
151s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
09/11/2024, 03:44
Static task
static1
Behavioral task
behavioral1
Sample
ba292dd501459fcb6ec1713a73f84779bca0ab51d6e553d3eefda3521be34aba.exe
Resource
win10v2004-20241007-en
General
-
Target
ba292dd501459fcb6ec1713a73f84779bca0ab51d6e553d3eefda3521be34aba.exe
-
Size
1.2MB
-
MD5
d0535676cf8613b82aff2fdc1ba15ce7
-
SHA1
e38ef917c5aee45ce26c83ab348beb188a5c6363
-
SHA256
ba292dd501459fcb6ec1713a73f84779bca0ab51d6e553d3eefda3521be34aba
-
SHA512
b0de3231af3aec6302c3f9c27f8072c80a1c8590a11e550574cd0836c50e47c2f870801819d7dacac19a26a68a656136dac68aa1a9df151c44ddb212376d4586
-
SSDEEP
24576:EymaxCSVWqNNPzXNCjb4OnYRbt8m6RV9mr0eQi6NLs7Ll2W3cFT:TmAvsqNFcjUOnkKm6Hg/ONLKLlhc
Malware Config
Extracted
Family
redline
Botnet
rumfa
C2
193.233.20.24:4123
-
auth_value
749d02a6b4ef1fa2ad908e44ec2296dc
Signatures
-
Detects Healer, an antivirus disabler dropper 2 IoCs
resource | yara_rule
behavioral1/files/0x000b000000023b9f-32.dat | healer
behavioral1/memory/1540-35-0x0000000000010000-0x000000000001A000-memory.dmp | healer
Healer family
-
Modifies Windows Defender Real-time Protection settings 6 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | buPP88aU61.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | buPP88aU61.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | buPP88aU61.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | buPP88aU61.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | buPP88aU61.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | buPP88aU61.exe
The writer, buPP88aU61.exe (PID 1540), is the same process whose memory matched the healer rule. The values live under the Group Policy path HKLM\SOFTWARE\Policies, which Defender applies in preference to its local settings; the registry writes alone do not show whether Defender actually honoured them in this image. -
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 35 IoCs
All 35 matches are in the memory of PID 4104 (caiT63dU80.exe), the final stage of the chain; 33 of them are repeated dumps of one region.
resource | yara_rule
behavioral1/memory/4104-41-0x0000000004BF0000-0x0000000004C36000-memory.dmp | family_redline
behavioral1/memory/4104-43-0x0000000005250000-0x0000000005294000-memory.dmp | family_redline
behavioral1/memory/4104-{44,45,47,49,51,53,55,57,59,61,63,65,67,69,71,73,75,77,79,81,83,85,87,89,91,93,95,97,99,101,103,106,107}-0x0000000005250000-0x000000000528E000-memory.dmp | family_redline
Redline family
-
Executes dropped EXE 6 IoCs
pid | Process
1712 | plTD63tH43.exe
1636 | plWn52Tr46.exe
3488 | plxK22xd12.exe
1684 | plxs42Pr03.exe
1540 | buPP88aU61.exe
4104 | caiT63dU80.exe
-
Windows security modification 1 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" | buPP88aU61.exe
-
Adds Run key to start application 2 TTPs 5 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | ba292dd501459fcb6ec1713a73f84779bca0ab51d6e553d3eefda3521be34aba.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | plTD63tH43.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" | plWn52Tr46.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" | plxK22xd12.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\"" | plxs42Pr03.exe
All five entries are the RunOnce cleanup hooks that IExpress-built self-extracting archives (wextract) register so that advpack!DelNodeRunDLL32 deletes their IXP00n.TMP extraction directory at the next logon; each nested stage here is such an archive. They are a packaging artifact rather than payload persistence, and Windows removes a RunOnce entry when it runs it. -
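As an added example, not part of the sandbox report, the following Python parses registry event rows in the layout the report uses (`<op> <key[\value]> [= "<data>"] <process>`) and classifies each one the way an analyst reading this page would: Defender real-time protection policy values set to 1, Tamper Protection set to 0, the IExpress wextract_cleanup RunOnce hooks, a genuine Run/RunOnce autostart, and the NLS\Language key open used for locale discovery. The sample rows are copied from this report; the verdict names, the row-layout regex and the classification rules are this example's own assumptions.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import Optional

# Constructed sample input: registry events copied from this report, in the
# layout the sandbox uses: <op> <key or key\value> [= "<data>"] <process>.
SAMPLE_EVENTS = [
    r'Key created \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection buPP88aU61.exe',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" buPP88aU61.exe',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" buPP88aU61.exe',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" buPP88aU61.exe',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" ba292dd501459fcb6ec1713a73f84779bca0ab51d6e553d3eefda3521be34aba.exe',
    r'Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language caiT63dU80.exe',
]

# One sandbox event row (layout is an assumption of this example). The key path
# is non-greedy so the optional ' = "<data>"' part and the trailing process
# name are matched unambiguously even though key names contain spaces.
EVENT_RE = re.compile(
    r'^(?P<op>Set value \((?:int|str)\)|Key created|Key opened) '
    r'(?P<path>\\REGISTRY\\.+?)'
    r'(?: = "(?P<data>.*)")?'
    r' (?P<proc>\S+)$'
)

DEFENDER_RTP_POLICY = r'\registry\machine\software\policies\microsoft\windows defender\real-time protection'
TAMPER_PROTECTION = r'\registry\machine\software\microsoft\windows defender\features\tamperprotection'
NLS_LANGUAGE = r'\registry\machine\system\controlset001\control\nls\language'
# Run / RunOnce under any hive (HKLM, WOW6432Node, HKU\<sid>).
AUTOSTART_RE = re.compile(r'\\Microsoft\\Windows\\CurrentVersion\\(?:Run|RunOnce)\\(?P<name>[^\\]+)$', re.I)
# IExpress/wextract SFX cleanup hook: wextract_cleanup<N> running advpack!DelNodeRunDLL32.
IEXPRESS_NAME_RE = re.compile(r'^wextract_cleanup\d+$', re.I)


@dataclass(frozen=True)
class RegEvent:
    op: str
    path: str
    data: Optional[str]
    process: str


def parse_event(line: str) -> RegEvent:
    m = EVENT_RE.match(line.strip())
    if not m:
        raise ValueError(f'unrecognised registry event line: {line!r}')
    return RegEvent(m['op'], m['path'], m['data'], m['proc'])


def classify(ev: RegEvent) -> str:
    """Map one registry event to a verdict label (the labels are this example's own)."""
    p = ev.path.lower()
    if p.startswith(DEFENDER_RTP_POLICY):
        value_name = ev.path.rsplit('\\', 1)[-1]
        if ev.op.startswith('Set value') and value_name.lower().startswith('disable') and ev.data == '1':
            return 'defender_realtime_disabled'   # Healer-style kill of real-time protection via policy
        return 'defender_policy_touched'           # key created / other value under the policy key
    if p == TAMPER_PROTECTION and ev.data == '0':
        return 'defender_tamper_protection_off'
    m = AUTOSTART_RE.search(ev.path)
    if m:
        if IEXPRESS_NAME_RE.match(m['name']) and ev.data and 'advpack.dll,DelNodeRunDLL32' in ev.data:
            return 'iexpress_cleanup'              # SFX self-deletion hook, not payload persistence
        return 'autostart_persistence'
    if p == NLS_LANGUAGE and ev.op == 'Key opened':
        return 'locale_discovery'
    return 'other'


def triage(lines):
    """Return (verdict counts, verdict -> set of processes responsible)."""
    verdicts = Counter()
    actors = {}
    for line in lines:
        ev = parse_event(line)
        v = classify(ev)
        verdicts[v] += 1
        actors.setdefault(v, set()).add(ev.process)
    return verdicts, actors


if __name__ == '__main__':
    counts, who = triage(SAMPLE_EVENTS)
    for verdict, n in counts.most_common():
        print(f'{verdict:32} {n:2}  by {", ".join(sorted(who[verdict]))}')
```

The point of the split between `iexpress_cleanup` and `autostart_persistence` is the one made above: a RunOnce value named wextract_cleanupN whose command is advpack.dll,DelNodeRunDLL32 is the installer deleting its own temp directory, and alerting on it as persistence produces noise on every IExpress package.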
System Location Discovery: System Language Discovery 1 TTPs 6 IoCs
Attempts to gather information about the system language of the victim host in order to infer its geographical location.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | ba292dd501459fcb6ec1713a73f84779bca0ab51d6e553d3eefda3521be34aba.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | plTD63tH43.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | plWn52Tr46.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | plxK22xd12.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | plxs42Pr03.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | caiT63dU80.exe
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
pid | Process
1540 | buPP88aU61.exe
1540 | buPP88aU61.exe
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
description | pid | Process
Token: SeDebugPrivilege | 1540 | buPP88aU61.exe
Token: SeDebugPrivilege | 4104 | caiT63dU80.exe
-
Suspicious use of WriteProcessMemory 17 IoCs
description | pid | Process | procid_target | rows
PID 3444 wrote to memory of 1712 | 3444 | ba292dd501459fcb6ec1713a73f84779bca0ab51d6e553d3eefda3521be34aba.exe | 85 | 3
PID 1712 wrote to memory of 1636 | 1712 | plTD63tH43.exe | 86 | 3
PID 1636 wrote to memory of 3488 | 1636 | plWn52Tr46.exe | 87 | 3
PID 3488 wrote to memory of 1684 | 3488 | plxK22xd12.exe | 89 | 3
PID 1684 wrote to memory of 1540 | 1684 | plxs42Pr03.exe | 90 | 2
PID 1684 wrote to memory of 4104 | 1684 | plxs42Pr03.exe | 98 | 3
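As an added example, not part of the report, the following Python rebuilds the stage chain from the flat WriteProcessMemory rows above. Each row names the writer PID, the target PID and the writer's image; images for PIDs that only ever appear as targets are taken from the report's "Executes dropped EXE" table. The data is copied from this page; the row regex, the tree walk and the level numbering (root = 1, matching the 1 to 6 stage numbers in the Processes section) are this example's own.

```python
import re
from collections import defaultdict

# Constructed sample input: "Suspicious use of WriteProcessMemory" rows copied
# from this report. The sandbox emits one row per write; duplicates are expected.
WPM_LINES = """\
PID 3444 wrote to memory of 1712 3444 ba292dd501459fcb6ec1713a73f84779bca0ab51d6e553d3eefda3521be34aba.exe 85
PID 3444 wrote to memory of 1712 3444 ba292dd501459fcb6ec1713a73f84779bca0ab51d6e553d3eefda3521be34aba.exe 85
PID 1712 wrote to memory of 1636 1712 plTD63tH43.exe 86
PID 1636 wrote to memory of 3488 1636 plWn52Tr46.exe 87
PID 3488 wrote to memory of 1684 3488 plxK22xd12.exe 89
PID 1684 wrote to memory of 1540 1684 plxs42Pr03.exe 90
PID 1684 wrote to memory of 4104 1684 plxs42Pr03.exe 98
"""

# pid -> image for processes that appear only as write targets, taken from the
# report's "Executes dropped EXE" table.
DROPPED = {
    1712: "plTD63tH43.exe", 1636: "plWn52Tr46.exe", 3488: "plxK22xd12.exe",
    1684: "plxs42Pr03.exe", 1540: "buPP88aU61.exe", 4104: "caiT63dU80.exe",
}

# Row layout (an assumption of this example):
# "PID <src> wrote to memory of <dst> <src> <image> <procid_target>"
WPM_RE = re.compile(
    r"^PID (?P<src>\d+) wrote to memory of (?P<dst>\d+) (?P=src) (?P<image>\S+) (?P<target>\d+)$"
)


def parse_edges(text):
    """Return (set of unique (writer, target) pid pairs, writer pid -> image)."""
    edges, images = set(), {}
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = WPM_RE.match(line)
        if not m:
            raise ValueError(f"unparsed row: {line!r}")
        src, dst = int(m["src"]), int(m["dst"])
        edges.add((src, dst))
        images[src] = m["image"]
    return edges, images


def build_tree(edges):
    """Children map plus the roots: writers that were never themselves written to."""
    children = defaultdict(set)
    targets = set()
    for src, dst in edges:
        children[src].add(dst)
        targets.add(dst)
    roots = {src for src, _ in edges} - targets
    return children, roots


def levels(children, roots):
    """Depth of every pid, root = 1, matching the report's stage numbering."""
    level = {}
    stack = [(r, 1) for r in roots]
    while stack:
        pid, lv = stack.pop()
        if pid in level:          # guard against a cyclic or duplicated edge
            continue
        level[pid] = lv
        stack.extend((c, lv + 1) for c in children.get(pid, ()))
    return level


def render(children, roots, images, names):
    """Indented text tree, one line per process, children in pid order."""
    out = []

    def walk(pid, lv):
        name = images.get(pid) or names.get(pid, "?")
        out.append(f"{'  ' * (lv - 1)}{lv}. {name} (PID {pid})")
        for child in sorted(children.get(pid, ())):
            walk(child, lv + 1)

    for root in sorted(roots):
        walk(root, 1)
    return out


def analyse(text=WPM_LINES, names=DROPPED):
    edges, images = parse_edges(text)
    children, roots = build_tree(edges)
    lv = levels(children, roots)
    leaves = {pid for pid in lv if not children.get(pid)}
    return {
        "edges": len(edges),
        "roots": roots,
        "levels": lv,
        "leaves": leaves,
        "tree": render(children, roots, images, names),
    }


if __name__ == "__main__":
    result = analyse()
    print("\n".join(result["tree"]))
    print(f"{result['edges']} unique parent->child writes, deepest stage "
          f"{max(result['levels'].values())}, leaves {sorted(result['leaves'])}")
```

Run stand-alone it prints the same six-level chain the Processes section draws by hand: a single root, four nested unpack stages, and a fork at plxs42Pr03.exe into the Healer dropper and the RedLine payload. The leaves (PIDs with no outgoing writes) are the two processes worth dumping first.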
Processes
1. C:\Users\Admin\AppData\Local\Temp\ba292dd501459fcb6ec1713a73f84779bca0ab51d6e553d3eefda3521be34aba.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\ba292dd501459fcb6ec1713a73f84779bca0ab51d6e553d3eefda3521be34aba.exe"
   PID: 3444
   - Adds Run key to start application
   - System Location Discovery: System Language Discovery
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\plTD63tH43.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\plTD63tH43.exe
      PID: 1712
      - Executes dropped EXE
      - Adds Run key to start application
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      3. C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\plWn52Tr46.exe
         Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\plWn52Tr46.exe
         PID: 1636
         - Executes dropped EXE
         - Adds Run key to start application
         - System Location Discovery: System Language Discovery
         - Suspicious use of WriteProcessMemory
         4. C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\plxK22xd12.exe
            Command line: C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\plxK22xd12.exe
            PID: 3488
            - Executes dropped EXE
            - Adds Run key to start application
            - System Location Discovery: System Language Discovery
            - Suspicious use of WriteProcessMemory
            5. C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\plxs42Pr03.exe
               Command line: C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\plxs42Pr03.exe
               PID: 1684
               - Executes dropped EXE
               - Adds Run key to start application
               - System Location Discovery: System Language Discovery
               - Suspicious use of WriteProcessMemory
               6. C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\buPP88aU61.exe
                  Command line: C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\buPP88aU61.exe
                  PID: 1540
                  - Modifies Windows Defender Real-time Protection settings
                  - Executes dropped EXE
                  - Windows security modification
                  - Suspicious behavior: EnumeratesProcesses
                  - Suspicious use of AdjustPrivilegeToken
               6. C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\caiT63dU80.exe
                  Command line: C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\caiT63dU80.exe
                  PID: 4104
                  - Executes dropped EXE
                  - System Location Discovery: System Language Discovery
                  - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (1)
  - Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (1)
  - Windows Service (1)
Downloads
-
Filesize 1.0MB
MD5 31e49c076c9f5f481049d21f5d7466a4
SHA1 f1c8c843f27c49dac45309e51c5da71ea80d0354
SHA256 4c59f0140a2a5bec54a47116ef8b46b009113e90e7cd837207eb82a73126dddd
SHA512 c29eba3c70c7c51a7b2c05e46eab0c63fb403c8471fda3705022b927522e8b1287b91bf69a4d14804b8af5fa1a620af543ad973dfdf8fe2d195993fc490894cb
-
Filesize 958KB
MD5 6f9db12e693f874756df86591469c811
SHA1 2ec5afc635c0f18d71ddecd7dbb6960ce7472f71
SHA256 9b019b3da9f6f051ff2c823ebdcc6df3744e31e381ae8a38d06a14d5cc283893
SHA512 2268d71baa74abc170851629bec6b484f9bc503a335dfd633c850350e06542ab5abb6750413ab1acd7c796c3681305e67b79af7e0090c81de67f6bfcc6882133
-
Filesize 683KB
MD5 211d334d1a60cda7626157e350d84ff6
SHA1 ecd805b6bf786afb6d54af9ed6994b054cf06d0b
SHA256 04eec6e8f16c21184164a6656e34f509af70643572d4abaa53547c9627db35d2
SHA512 58f3f9342ed2474f64296ed22d71cae29fa62d8947c884e823b0ee7459218309ce7d6402db7675dddd6e3b3424ff1a69efc2eb06cf3748865b4b6b9af151d75c
-
Filesize 398KB
MD5 b9699518cc3eb473f1e40fa602fdd5f5
SHA1 82f0aa154492521a3369cfbea9f433474e87ec80
SHA256 9a44e92d9f91f46c440147b6ac59e8c7cd4d60a7d3bb2adb441eabe4dbe2e348
SHA512 45c6fbb9a4e333583783ad01fa88415998ea1ab443f1e7e158b384981f71dc0e8f759ebdde7f72330652daf9a31faf3b3b6b0343cef483cdd0462216c07e31b1
-
Filesize 15KB
MD5 0230b8e0207c22f72ca5384d0dae0537
SHA1 c9d08bf47ef6e162c0cb7469a667af02ec6b2b75
SHA256 a8c034dd6336e263f91ed34e502adfeda4c77ad2d83a646d5ba0cbee1b8baa02
SHA512 f9ce412f9017b66e5b6f8c0c1f38dff9904941c4ab64b2461bd76fbf5101c7f350c5bfc314e943717493d1c552f28e51ccdf14766f671089e1e5332a701eb4fc
-
Filesize 305KB
MD5 463f0342eb5474bc19102d174e782a52
SHA1 b688ca055a9e17bcddb4795120d198771d7e1142
SHA256 c2cc1ff0910959f41320a8155bd4b8cc28a156c5ab9529f83ea0f741af1c432e
SHA512 63b3fb356d0f5bc7be1574990dd7de7c68e845e15356e4934cba291d8019a7dbfaedab28e9795f2d33af98982e715738ddf16ff96bfb2cbca7d05814a1d79dc3