Analysis
max time kernel: 144s
max time network: 149s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 09/11/2024, 03:59
Static task: static1
Behavioral task: behavioral1
Sample: c57e5ca36e3302bcab0bf907a5716e4dac2e1f0573e7e23302d57f2ac0ea631b.exe
Resource: win10v2004-20241007-en
General
Target: c57e5ca36e3302bcab0bf907a5716e4dac2e1f0573e7e23302d57f2ac0ea631b.exe
Size: 1.1MB
MD5: 4cc1f39895ae6f006d0d509d1028a8d2
SHA1: d6c658970ada62988dd637d0d80cfb7b78cad90b
SHA256: c57e5ca36e3302bcab0bf907a5716e4dac2e1f0573e7e23302d57f2ac0ea631b
SHA512: 1a1f490b585a9ccc1294596bb951d74b970c071667698330bcfe96e97ce4c5ad264b63cc24b5a68f0523d2b5863bd3efa96ff146e0069cfe172a62fe56525c98
SSDEEP: 24576:nyZhV7pDMVJoIsRqrz2e7u5k7lmXTi0rGcGKimC2/VnEtjR3yXNjpV:yZhVqVWIHv7uAlsi+Gjzm7/etVib
Malware Config
Extracted
Family: redline
Botnet: rumfa
C2: 193.233.20.24:4123
auth_value: 749d02a6b4ef1fa2ad908e44ec2296dc
Signatures
Detects Healer, an antivirus disabler dropper (2 IoCs)
resource | yara_rule
behavioral1/files/0x0008000000023cba-32.dat | healer
behavioral1/memory/800-35-0x0000000000B60000-0x0000000000B6A000-memory.dmp | healer
Healer family
Modifies Windows Defender Real-time Protection settings
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | buVB27Oe75.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | buVB27Oe75.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | buVB27Oe75.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | buVB27Oe75.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | buVB27Oe75.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | buVB27Oe75.exe
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
RedLine payload (35 IoCs)
Redline family
Executes dropped EXE (6 IoCs)
pid | Process
2520 | plMS91Qg62.exe
4944 | plPh24aA08.exe
1768 | plSL95fF89.exe
1764 | plJA80QM86.exe
800 | buVB27Oe75.exe
388 | caFV21gN19.exe
Windows security modification
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" | buVB27Oe75.exe
Adds Run key to start application (2 TTPs, 5 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | c57e5ca36e3302bcab0bf907a5716e4dac2e1f0573e7e23302d57f2ac0ea631b.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | plMS91Qg62.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" | plPh24aA08.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" | plSL95fF89.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\"" | plJA80QM86.exe
System Location Discovery: System Language Discovery (1 TTPs, 6 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | plJA80QM86.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | caFV21gN19.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | c57e5ca36e3302bcab0bf907a5716e4dac2e1f0573e7e23302d57f2ac0ea631b.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | plMS91Qg62.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | plPh24aA08.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | plSL95fF89.exe
Suspicious behavior: EnumeratesProcesses (2 IoCs)
pid | Process
800 | buVB27Oe75.exe
800 | buVB27Oe75.exe
Suspicious use of AdjustPrivilegeToken (2 IoCs)
description | pid | Process
Token: SeDebugPrivilege | 800 | buVB27Oe75.exe
Token: SeDebugPrivilege | 388 | caFV21gN19.exe
Suspicious use of WriteProcessMemory (17 IoCs)
description | pid | Process | procid_target
PID 4844 wrote to memory of 2520 | 4844 | c57e5ca36e3302bcab0bf907a5716e4dac2e1f0573e7e23302d57f2ac0ea631b.exe | 83
PID 4844 wrote to memory of 2520 | 4844 | c57e5ca36e3302bcab0bf907a5716e4dac2e1f0573e7e23302d57f2ac0ea631b.exe | 83
PID 4844 wrote to memory of 2520 | 4844 | c57e5ca36e3302bcab0bf907a5716e4dac2e1f0573e7e23302d57f2ac0ea631b.exe | 83
PID 2520 wrote to memory of 4944 | 2520 | plMS91Qg62.exe | 84
PID 2520 wrote to memory of 4944 | 2520 | plMS91Qg62.exe | 84
PID 2520 wrote to memory of 4944 | 2520 | plMS91Qg62.exe | 84
PID 4944 wrote to memory of 1768 | 4944 | plPh24aA08.exe | 86
PID 4944 wrote to memory of 1768 | 4944 | plPh24aA08.exe | 86
PID 4944 wrote to memory of 1768 | 4944 | plPh24aA08.exe | 86
PID 1768 wrote to memory of 1764 | 1768 | plSL95fF89.exe | 88
PID 1768 wrote to memory of 1764 | 1768 | plSL95fF89.exe | 88
PID 1768 wrote to memory of 1764 | 1768 | plSL95fF89.exe | 88
PID 1764 wrote to memory of 800 | 1764 | plJA80QM86.exe | 90
PID 1764 wrote to memory of 800 | 1764 | plJA80QM86.exe | 90
PID 1764 wrote to memory of 388 | 1764 | plJA80QM86.exe | 93
PID 1764 wrote to memory of 388 | 1764 | plJA80QM86.exe | 93
PID 1764 wrote to memory of 388 | 1764 | plJA80QM86.exe | 93
Processes
[depth 1] C:\Users\Admin\AppData\Local\Temp\c57e5ca36e3302bcab0bf907a5716e4dac2e1f0573e7e23302d57f2ac0ea631b.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\c57e5ca36e3302bcab0bf907a5716e4dac2e1f0573e7e23302d57f2ac0ea631b.exe"
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID: 4844
  [depth 2] C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\plMS91Qg62.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\plMS91Qg62.exe
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID: 2520
    [depth 3] C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\plPh24aA08.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\plPh24aA08.exe
      - Executes dropped EXE
      - Adds Run key to start application
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      PID: 4944
      [depth 4] C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\plSL95fF89.exe
        Command line: C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\plSL95fF89.exe
        - Executes dropped EXE
        - Adds Run key to start application
        - System Location Discovery: System Language Discovery
        - Suspicious use of WriteProcessMemory
        PID: 1768
        [depth 5] C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\plJA80QM86.exe
          Command line: C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\plJA80QM86.exe
          - Executes dropped EXE
          - Adds Run key to start application
          - System Location Discovery: System Language Discovery
          - Suspicious use of WriteProcessMemory
          PID: 1764
          [depth 6] C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\buVB27Oe75.exe
            Command line: C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\buVB27Oe75.exe
            - Modifies Windows Defender Real-time Protection settings
            - Executes dropped EXE
            - Windows security modification
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken
            PID: 800
          [depth 6] C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\caFV21gN19.exe
            Command line: C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\caFV21gN19.exe
            - Executes dropped EXE
            - System Location Discovery: System Language Discovery
            - Suspicious use of AdjustPrivilegeToken
            PID: 388
Network
MITRE ATT&CK Enterprise v15
Persistence
  Boot or Logon Autostart Execution (1)
    Registry Run Keys / Startup Folder (1)
  Create or Modify System Process (1)
    Windows Service (1)
Downloads