Analysis

- max time kernel: 143s
- max time network: 146s
- platform: windows10-2004_x64
- resource: win10v2004-20241007-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 09/11/2024, 03:50

Static task: static1

Behavioral task: behavioral1
- Sample: 17ffc304b5f3da31439c363234b56a98ef1831eb70bd62a0abf5712feedc2f5e.exe
- Resource: win10v2004-20241007-en
General

- Target: 17ffc304b5f3da31439c363234b56a98ef1831eb70bd62a0abf5712feedc2f5e.exe
- Size: 1.2MB
- MD5: 44f1dde35b2a9d60c8bfeae3df16d2b1
- SHA1: ce5c36f118aeb79070cfbb264b955b01a8c09944
- SHA256: 17ffc304b5f3da31439c363234b56a98ef1831eb70bd62a0abf5712feedc2f5e
- SHA512: b057ed288cd92d8d096e7258fc5f828f099898c1e071f8677d314850580b4f5161bd10ffcadbf5627ece489e03107248d9addc3caa096dd7fdca13e063989364
- SSDEEP: 24576:ayqvTDf5z5l+hCjRr56fh8Y+THrFDvx11TOw6oqldL1KsMdXbxQINcmW:hURFACV+h8Y+Rb1TOw6ohXbxfc
Malware Config

Extracted
- Family: redline
- Botnet: rumfa
- C2: 193.233.20.24:4123
- auth_value: 749d02a6b4ef1fa2ad908e44ec2296dc
Signatures

Detects Healer, an antivirus disabler dropper (2 IoCs)

| resource | yara_rule |
|---|---|
| behavioral1/files/0x0008000000023ca9-32.dat | healer |
| behavioral1/memory/2112-35-0x0000000000320000-0x000000000032A000-memory.dmp | healer |

Healer family

Modifies Windows Defender Real-time Protection settings

| description | ioc | Process |
|---|---|---|
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | bujV50Fl81.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | bujV50Fl81.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | bujV50Fl81.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | bujV50Fl81.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | bujV50Fl81.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | bujV50Fl81.exe |
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
RedLine payload (35 IoCs)

| resource | yara_rule |
|---|---|
| behavioral1/memory/2320-41-0x0000000004DA0000-0x0000000004DE6000-memory.dmp | family_redline |
| behavioral1/memory/2320-43-0x0000000007330000-0x0000000007374000-memory.dmp | family_redline |
| behavioral1/memory/2320-53-0x0000000007330000-0x000000000736E000-memory.dmp | family_redline |
| behavioral1/memory/2320-57-0x0000000007330000-0x000000000736E000-memory.dmp | family_redline |
| behavioral1/memory/2320-55-0x0000000007330000-0x000000000736E000-memory.dmp | family_redline |
| behavioral1/memory/2320-105-0x0000000007330000-0x000000000736E000-memory.dmp | family_redline |
| behavioral1/memory/2320-91-0x0000000007330000-0x000000000736E000-memory.dmp | family_redline |
| behavioral1/memory/2320-69-0x0000000007330000-0x000000000736E000-memory.dmp | family_redline |
| behavioral1/memory/2320-51-0x0000000007330000-0x000000000736E000-memory.dmp | family_redline |
| behavioral1/memory/2320-49-0x0000000007330000-0x000000000736E000-memory.dmp | family_redline |
| behavioral1/memory/2320-47-0x0000000007330000-0x000000000736E000-memory.dmp | family_redline |
| behavioral1/memory/2320-45-0x0000000007330000-0x000000000736E000-memory.dmp | family_redline |
| behavioral1/memory/2320-44-0x0000000007330000-0x000000000736E000-memory.dmp | family_redline |
| behavioral1/memory/2320-107-0x0000000007330000-0x000000000736E000-memory.dmp | family_redline |
| behavioral1/memory/2320-103-0x0000000007330000-0x000000000736E000-memory.dmp | family_redline |
| behavioral1/memory/2320-101-0x0000000007330000-0x000000000736E000-memory.dmp | family_redline |
| behavioral1/memory/2320-99-0x0000000007330000-0x000000000736E000-memory.dmp | family_redline |
| behavioral1/memory/2320-97-0x0000000007330000-0x000000000736E000-memory.dmp | family_redline |
| behavioral1/memory/2320-95-0x0000000007330000-0x000000000736E000-memory.dmp | family_redline |
| behavioral1/memory/2320-93-0x0000000007330000-0x000000000736E000-memory.dmp | family_redline |
| behavioral1/memory/2320-89-0x0000000007330000-0x000000000736E000-memory.dmp | family_redline |
| behavioral1/memory/2320-87-0x0000000007330000-0x000000000736E000-memory.dmp | family_redline |
| behavioral1/memory/2320-86-0x0000000007330000-0x000000000736E000-memory.dmp | family_redline |
| behavioral1/memory/2320-83-0x0000000007330000-0x000000000736E000-memory.dmp | family_redline |
| behavioral1/memory/2320-81-0x0000000007330000-0x000000000736E000-memory.dmp | family_redline |
| behavioral1/memory/2320-79-0x0000000007330000-0x000000000736E000-memory.dmp | family_redline |
| behavioral1/memory/2320-77-0x0000000007330000-0x000000000736E000-memory.dmp | family_redline |
| behavioral1/memory/2320-75-0x0000000007330000-0x000000000736E000-memory.dmp | family_redline |
| behavioral1/memory/2320-74-0x0000000007330000-0x000000000736E000-memory.dmp | family_redline |
| behavioral1/memory/2320-71-0x0000000007330000-0x000000000736E000-memory.dmp | family_redline |
| behavioral1/memory/2320-67-0x0000000007330000-0x000000000736E000-memory.dmp | family_redline |
| behavioral1/memory/2320-65-0x0000000007330000-0x000000000736E000-memory.dmp | family_redline |
| behavioral1/memory/2320-63-0x0000000007330000-0x000000000736E000-memory.dmp | family_redline |
| behavioral1/memory/2320-61-0x0000000007330000-0x000000000736E000-memory.dmp | family_redline |
| behavioral1/memory/2320-59-0x0000000007330000-0x000000000736E000-memory.dmp | family_redline |

Redline family

Executes dropped EXE (6 IoCs)

| pid | Process |
|---|---|
| 412 | pleL99nn28.exe |
| 2488 | plDl45ND52.exe |
| 1592 | plVd46Vj18.exe |
| 3580 | pleu04Lr28.exe |
| 2112 | bujV50Fl81.exe |
| 2320 | caug83Ec77.exe |
Windows security modification

| description | ioc | Process |
|---|---|---|
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" | bujV50Fl81.exe |
Adds Run key to start application (2 TTPs, 5 IoCs)

| description | ioc | Process |
|---|---|---|
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\"" | pleu04Lr28.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | 17ffc304b5f3da31439c363234b56a98ef1831eb70bd62a0abf5712feedc2f5e.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | pleL99nn28.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" | plDl45ND52.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" | plVd46Vj18.exe |
System Location Discovery: System Language Discovery (1 TTPs, 6 IoCs)

Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

| description | ioc | Process |
|---|---|---|
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | caug83Ec77.exe |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 17ffc304b5f3da31439c363234b56a98ef1831eb70bd62a0abf5712feedc2f5e.exe |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | pleL99nn28.exe |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | plDl45ND52.exe |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | plVd46Vj18.exe |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | pleu04Lr28.exe |
Suspicious behavior: EnumeratesProcesses (2 IoCs)

| pid | Process |
|---|---|
| 2112 | bujV50Fl81.exe |
| 2112 | bujV50Fl81.exe |

Suspicious use of AdjustPrivilegeToken (2 IoCs)

| description | pid | Process |
|---|---|---|
| Token: SeDebugPrivilege | 2112 | bujV50Fl81.exe |
| Token: SeDebugPrivilege | 2320 | caug83Ec77.exe |

Suspicious use of WriteProcessMemory (17 IoCs)

| description | pid | Process | procid_target |
|---|---|---|---|
| PID 1508 wrote to memory of 412 | 1508 | 17ffc304b5f3da31439c363234b56a98ef1831eb70bd62a0abf5712feedc2f5e.exe | 84 |
| PID 1508 wrote to memory of 412 | 1508 | 17ffc304b5f3da31439c363234b56a98ef1831eb70bd62a0abf5712feedc2f5e.exe | 84 |
| PID 1508 wrote to memory of 412 | 1508 | 17ffc304b5f3da31439c363234b56a98ef1831eb70bd62a0abf5712feedc2f5e.exe | 84 |
| PID 412 wrote to memory of 2488 | 412 | pleL99nn28.exe | 85 |
| PID 412 wrote to memory of 2488 | 412 | pleL99nn28.exe | 85 |
| PID 412 wrote to memory of 2488 | 412 | pleL99nn28.exe | 85 |
| PID 2488 wrote to memory of 1592 | 2488 | plDl45ND52.exe | 86 |
| PID 2488 wrote to memory of 1592 | 2488 | plDl45ND52.exe | 86 |
| PID 2488 wrote to memory of 1592 | 2488 | plDl45ND52.exe | 86 |
| PID 1592 wrote to memory of 3580 | 1592 | plVd46Vj18.exe | 88 |
| PID 1592 wrote to memory of 3580 | 1592 | plVd46Vj18.exe | 88 |
| PID 1592 wrote to memory of 3580 | 1592 | plVd46Vj18.exe | 88 |
| PID 3580 wrote to memory of 2112 | 3580 | pleu04Lr28.exe | 89 |
| PID 3580 wrote to memory of 2112 | 3580 | pleu04Lr28.exe | 89 |
| PID 3580 wrote to memory of 2320 | 3580 | pleu04Lr28.exe | 102 |
| PID 3580 wrote to memory of 2320 | 3580 | pleu04Lr28.exe | 102 |
| PID 3580 wrote to memory of 2320 | 3580 | pleu04Lr28.exe | 102 |
Processes

- Level 1: C:\Users\Admin\AppData\Local\Temp\17ffc304b5f3da31439c363234b56a98ef1831eb70bd62a0abf5712feedc2f5e.exe (command line: "C:\Users\Admin\AppData\Local\Temp\17ffc304b5f3da31439c363234b56a98ef1831eb70bd62a0abf5712feedc2f5e.exe"), PID 1508
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  - Level 2: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\pleL99nn28.exe (command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\pleL99nn28.exe), PID 412
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    - Level 3: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\plDl45ND52.exe (command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\plDl45ND52.exe), PID 2488
      - Executes dropped EXE
      - Adds Run key to start application
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      - Level 4: C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\plVd46Vj18.exe (command line: C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\plVd46Vj18.exe), PID 1592
        - Executes dropped EXE
        - Adds Run key to start application
        - System Location Discovery: System Language Discovery
        - Suspicious use of WriteProcessMemory
        - Level 5: C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\pleu04Lr28.exe (command line: C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\pleu04Lr28.exe), PID 3580
          - Executes dropped EXE
          - Adds Run key to start application
          - System Location Discovery: System Language Discovery
          - Suspicious use of WriteProcessMemory
          - Level 6: C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\bujV50Fl81.exe (command line: C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\bujV50Fl81.exe), PID 2112
            - Modifies Windows Defender Real-time Protection settings
            - Executes dropped EXE
            - Windows security modification
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken
          - Level 6: C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\caug83Ec77.exe (command line: C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\caug83Ec77.exe), PID 2320
            - Executes dropped EXE
            - System Location Discovery: System Language Discovery
            - Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK Enterprise v15

Persistence
- Boot or Logon Autostart Execution: 1
  - Registry Run Keys / Startup Folder: 1
- Create or Modify System Process: 1
  - Windows Service: 1
Downloads

- Filesize: 1.0MB
  - MD5: c7098553823432a5c3e8d0a461b4a4e1
  - SHA1: 95f1bf97e4df44193fc801f9ad1e91c5dcabb40c
  - SHA256: 8ee2a719375f9b3838d558c920db3c259162b47b0ee3b138fcd9fc0f5a172b72
  - SHA512: 59614c97ca74f603d411c8f782148adf2c5805b3738add1027bf0e2ef24799d9337fef14655698981bf948e58a625927680eb648f6bf6076e34de7e010ea0ece

- Filesize: 955KB
  - MD5: 52664557e228fea1a7844e0f715b9014
  - SHA1: 4c5af52798717bb8ea29135672cdede351b2bc70
  - SHA256: 6de52cfb77f38aa05c5aafcb28263c7c8808665fdd070f3a0748a32ab5de5ac8
  - SHA512: ec7aadeb879ba47788a9e48445cc85465658d8c68effbae6149bdfc6955c4699117c62542c04ef86031af804f05e4b32356f08d1c3ca0e79bd22f225528892c0

- Filesize: 679KB
  - MD5: 1cec0cdf8c42886caf70371848a65c76
  - SHA1: 5bc366f5d482ccd833f7a687e51c64ca42b6b991
  - SHA256: b4390b911fb2ea64ec3e4fc71c8c9fac57b6492ae335640f1899dc67f55b63dd
  - SHA512: 4ae0d9bd9139bbb90e89618af899955383c9c53dbca92b385341ff26f6f98832f0e64674c8ddd7df0d293a18830e8e5a45c31d0d1db099d202cdbf64fdb5535b

- Filesize: 398KB
  - MD5: 7aae823c3d1b12921512300c80ff5b7e
  - SHA1: f57e70d87dfb022b0131007681dd81e08077234b
  - SHA256: 9beb9127902764612e2efc362bfa007699207dc04198d9558c4e8b78c59afac7
  - SHA512: 866245a65b19fdc8524ad419f7ade719a4595f49f644ce2a2124f61a27a02650056d527265bf3cc9b05ca66b8891f2ea832dca37a3eb706aaee03a61eb9cd051

- Filesize: 14KB
  - MD5: 509a96bd5b27da3dcf442c2246180c51
  - SHA1: 154df3491ef51b02fd184962beef12f197de92d8
  - SHA256: 5c91d854616493e23cb631e93ed1b3d93a3c69619120954318d5ff1c4be47168
  - SHA512: 61df5230a0df77b6ba05aa8063b25d09a16fa7e0292f1522fbcf17e40706bd95fb3186508872eae76ee2e4514a6b332bbe8a3fa1ed18bf4b41d0c7efb6beb77d

- Filesize: 367KB
  - MD5: 1d723ff94958004611f8d9036d32a484
  - SHA1: 494b2b1df04dd00bd4a6582ca026b45ed1e26f5e
  - SHA256: ce58c79e2d8396ebc000387ba86ec87273d28bd7dfa8310c49c59b22c7de42af
  - SHA512: 9738bf0e92ad9b1f526a48a4262410186a961e0aa9e04ef1ecc4769b29d92339f46e331a65810ce72b27df319260ac8aba0636742690e95bc34f6d59fbf2ff61