Analysis
max time kernel: 143s
max time network: 149s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 09/11/2024, 05:05
Static task: static1
Behavioral task: behavioral1
Sample: e6fd1a2c57c0aab37e7f78d3ecd170574e8f330fadd15d1341489ea9172d085a.exe
Resource: win10v2004-20241007-en
General
Target: e6fd1a2c57c0aab37e7f78d3ecd170574e8f330fadd15d1341489ea9172d085a.exe
Size: 1.2MB
MD5: eb3ecaa37c0afb37dd77b0a846c45ff1
SHA1: 3e9210d8f6c32a945f2e8b3239236526eb89bf77
SHA256: e6fd1a2c57c0aab37e7f78d3ecd170574e8f330fadd15d1341489ea9172d085a
SHA512: f1842f715c26090836f122e6fded53e73a16e5e9a5541781a6ea263fcba37fad2a2f32da46ed22db89f94a9dc4849506888dea26b45c24b9b85df0487a00b33f
SSDEEP: 24576:XyeWBwzaIcoCdUEdGPwZY5jlB0cI6xHwsQ4iDSdgRq:ieiIcox1RjLDvxvvw
Malware Config
Extracted
Family: redline
Botnet: rumfa
C2: 193.233.20.24:4123
auth_value: 749d02a6b4ef1fa2ad908e44ec2296dc
Signatures

Detects Healer, an antivirus-disabler dropper (2 IoCs)
resource | yara_rule
behavioral1/files/0x0008000000023cc6-32.dat | healer
behavioral1/memory/1648-35-0x0000000000CA0000-0x0000000000CAA000-memory.dmp | healer
Healer family

Modifies Windows Defender Real-time Protection settings
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | buUJ94MY88.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | buUJ94MY88.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | buUJ94MY88.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | buUJ94MY88.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | buUJ94MY88.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | buUJ94MY88.exe
These are the Group Policy-backed Defender settings: a value of 1 under the Real-Time Protection policy key switches the named component off. Written directly by a freshly dropped executable rather than delivered through policy, the five writes amount to turning off Defender's real-time engine (ATT&CK T1562.001, Impair Defenses: Disable or Modify Tools).
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.

RedLine payload (35 IoCs)
resource | yara_rule
behavioral1/memory/3124-41-0x0000000002620000-0x0000000002666000-memory.dmp | family_redline
behavioral1/memory/3124-43-0x00000000026D0000-0x0000000002714000-memory.dmp | family_redline
behavioral1/memory/3124-{44,45,47,49,51,53,55,57,59,61,63,65,67,69,71,73,75,77,79,81,83,85,87,89,91,93,95,97,99,101,103,105,107}-0x00000000026D0000-0x000000000270E000-memory.dmp | family_redline (33 dumps of the same region)
All 35 hits are in the memory of PID 3124 (cahf55XI63.exe), so that process is the RedLine payload; the Healer hit above is in PID 1648 (buUJ94MY88.exe).
Redline family
Executes dropped EXE (6 IoCs)
pid | Process
3892 | plCv68eB71.exe
1816 | plEP12wO85.exe
2204 | plJQ68rT08.exe
3444 | pljJ04mF60.exe
1648 | buUJ94MY88.exe
3124 | cahf55XI63.exe

Windows security modification
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" | buUJ94MY88.exe
The report records the registry write itself; whether it took effect depends on whether Tamper Protection was enforcing on the analysis VM, which the report does not show.
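Detection logic for the two tables above, as an added example (not part of the sandbox report or its vendor's tooling): it parses "Set value" rows in the shape this report uses, normalises the key path, and flags the Real-Time Protection policy values set to 1 and the TamperProtection flag set to 0. The sample lines are constructed from the report's own rows; the gpupdate.exe and explorer.exe control lines, and the HKLM-prefixed variant, are hypothetical additions to show that re-enabling writes and unrelated writes do not fire.

```python
"""Flag Windows Defender real-time protection tampering in registry write events.

Added example; not part of the sandbox report or its vendor's tooling.
The sample lines are constructed from the report's 'Set value' rows; the
gpupdate.exe and explorer.exe control lines are hypothetical.
"""
import re

# Normalised (lower-case, \registry\machine form) key paths that matter.
RTP_POLICY_KEY = r"\registry\machine\software\policies\microsoft\windows defender\real-time protection"
FEATURES_KEY = r"\registry\machine\software\microsoft\windows defender\features"

# Policy values that switch a protection component off when set to 1.
DISABLED_WHEN_ONE = {
    "disablebehaviormonitoring",
    "disableioavprotection",
    "disableonaccessprotection",
    "disablerealtimemonitoring",
    "disablescanonrealtimeenable",
}

# Row shape used by the report: Set value (type) <key>\<name> = "<value>" <process>
EVENT_RE = re.compile(
    r'^Set value \((?P<type>int|str)\) '
    r'(?P<key>.+)\\(?P<name>[^\\]+) = "(?P<value>.*)" (?P<proc>\S+)$'
)

SAMPLE_EVENTS = [
    # Constructed from the report's Real-Time Protection and TamperProtection rows.
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" buUJ94MY88.exe',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" buUJ94MY88.exe',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" buUJ94MY88.exe',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" buUJ94MY88.exe',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" buUJ94MY88.exe',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" buUJ94MY88.exe',
    # Constructed from the report's RunOnce row: a str write that must parse but not fire.
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" plCv68eB71.exe',
    # Hypothetical controls: the same value being re-enabled (HKLM spelling), and an unrelated write.
    r'Set value (int) HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "0" gpupdate.exe',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden = "1" explorer.exe',
]


def normalize_key(key):
    """Lower-case the key and map HKLM spellings onto the \\registry\\machine form."""
    k = key.strip().lower()
    for prefix in ("hkey_local_machine\\", "hklm\\"):
        if k.startswith(prefix):
            k = "\\registry\\machine\\" + k[len(prefix):]
    return k


def parse_event(line):
    """Return a dict for one 'Set value' row, or None if the line is not one."""
    m = EVENT_RE.match(line.strip())
    if not m:
        return None
    return {
        "key": normalize_key(m["key"]),
        "name": m["name"].lower(),
        "value": m["value"],
        "process": m["proc"],
    }


def classify(event):
    """Return a reason string if this write weakens Defender, else None."""
    if (event["key"] == RTP_POLICY_KEY and event["name"] in DISABLED_WHEN_ONE
            and event["value"] == "1"):
        return "real-time protection component disabled via policy key (T1562.001)"
    if (event["key"] == FEATURES_KEY and event["name"] == "tamperprotection"
            and event["value"] == "0"):
        return "Tamper Protection flag cleared (T1562.001)"
    return None


def assess(lines):
    """Parse every line and keep only the writes that weaken Defender."""
    findings = []
    for line in lines:
        ev = parse_event(line)
        if ev is None:
            continue
        reason = classify(ev)
        if reason:
            findings.append({**ev, "reason": reason})
    return findings


def offenders(findings):
    """Process name -> sorted list of value names it tampered with."""
    out = {}
    for f in findings:
        out.setdefault(f["process"], set()).add(f["name"])
    return {p: sorted(v) for p, v in out.items()}


if __name__ == "__main__":
    for f in assess(SAMPLE_EVENTS):
        print(f'{f["process"]}: {f["name"]}={f["value"]}  ({f["reason"]})')
```

The same `assess` function works on any event source that can be rendered into the report's row shape; in a live environment the equivalent telemetry is Sysmon Event ID 13 (RegistryEvent, value set) on these two key paths.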
Adds Run key to start application (2 TTPs, 5 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | e6fd1a2c57c0aab37e7f78d3ecd170574e8f330fadd15d1341489ea9172d085a.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | plCv68eB71.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" | plEP12wO85.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" | plJQ68rT08.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\"" | pljJ04mF60.exe
A wextract_cleanupN RunOnce value calling advpack.dll,DelNodeRunDLL32 on an IXP00N.TMP folder is the standard cleanup that a Windows self-extracting (IExpress/WEXTRACT) package registers to delete its extraction folder at the next logon. It does not relaunch any payload, so these five entries are evidence of five nested self-extracting layers rather than a deliberate persistence mechanism; each layer's children live in the IXP00N.TMP folder its parent registered for deletion.
System Location Discovery: System Language Discovery (1 TTP, 6 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | plCv68eB71.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | plEP12wO85.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | plJQ68rT08.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | pljJ04mF60.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cahf55XI63.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | e6fd1a2c57c0aab37e7f78d3ecd170574e8f330fadd15d1341489ea9172d085a.exe
Suspicious behavior: EnumeratesProcesses (2 IoCs)
pid | Process
1648 | buUJ94MY88.exe
1648 | buUJ94MY88.exe

Suspicious use of AdjustPrivilegeToken (2 IoCs)
description | pid | Process
Token: SeDebugPrivilege | 1648 | buUJ94MY88.exe
Token: SeDebugPrivilege | 3124 | cahf55XI63.exe

Suspicious use of WriteProcessMemory (17 IoCs)
description | pid | Process | procid_target
PID 2080 wrote to memory of 3892 | 2080 | e6fd1a2c57c0aab37e7f78d3ecd170574e8f330fadd15d1341489ea9172d085a.exe | 84 (3 events)
PID 3892 wrote to memory of 1816 | 3892 | plCv68eB71.exe | 86 (3 events)
PID 1816 wrote to memory of 2204 | 1816 | plEP12wO85.exe | 87 (3 events)
PID 2204 wrote to memory of 3444 | 2204 | plJQ68rT08.exe | 89 (3 events)
PID 3444 wrote to memory of 1648 | 3444 | pljJ04mF60.exe | 90 (2 events)
PID 3444 wrote to memory of 3124 | 3444 | pljJ04mF60.exe | 95 (3 events)
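The WriteProcessMemory, Executes dropped EXE and RunOnce tables together describe one linear chain, with the last extractor fanning out to Healer and RedLine. The following added example (not part of the sandbox report or its vendor's tooling) rebuilds that chain from lines in the report's own row formats: it deduplicates repeated writes into parent-child edges, fills in leaf process names from the dropped-EXE list, recovers each layer's IXP00N.TMP folder from the wextract_cleanup RunOnce values, and renders the tree with its depth. The input lines are constructed from the report; the one assumption is that the folder a process registers for cleanup is the folder it extracted its children into, which the process tree below bears out.

```python
"""Rebuild the nested-dropper chain from sandbox process and RunOnce events.

Added example; not part of the sandbox report or its vendor's tooling. The
input lines are constructed from the report's WriteProcessMemory, Executes
dropped EXE and RunOnce tables (repeated writes kept to show deduplication).
Assumption: the IXP00n.TMP folder a process registers for cleanup is the
folder it extracted its children into, as the report's process tree shows.
"""
import re
from collections import defaultdict

SAMPLE = "e6fd1a2c57c0aab37e7f78d3ecd170574e8f330fadd15d1341489ea9172d085a.exe"

# Row shapes used by the report.
WRITE_RE = re.compile(r"^PID (?P<src>\d+) wrote to memory of (?P<dst>\d+) \d+ (?P<src_name>\S+) \d+$")
EXEC_RE = re.compile(r"(?P<pid>\d+) (?P<name>\S+\.exe)")
CLEANUP_RE = re.compile(r"wextract_cleanup(?P<n>\d+) = .*?(?P<dir>IXP\d{3}\.TMP).* (?P<proc>\S+)$")

# Constructed subset of the report's WriteProcessMemory rows, repeats included.
WRITE_EVENTS = [
    f"PID 2080 wrote to memory of 3892 2080 {SAMPLE} 84",
    f"PID 2080 wrote to memory of 3892 2080 {SAMPLE} 84",
    "PID 3892 wrote to memory of 1816 3892 plCv68eB71.exe 86",
    "PID 1816 wrote to memory of 2204 1816 plEP12wO85.exe 87",
    "PID 2204 wrote to memory of 3444 2204 plJQ68rT08.exe 89",
    "PID 3444 wrote to memory of 1648 3444 pljJ04mF60.exe 90",
    "PID 3444 wrote to memory of 1648 3444 pljJ04mF60.exe 90",
    "PID 3444 wrote to memory of 3124 3444 pljJ04mF60.exe 95",
]
# The report's "Executes dropped EXE" row, verbatim.
EXEC_EVENTS = ("pid Process 3892 plCv68eB71.exe 1816 plEP12wO85.exe 2204 plJQ68rT08.exe "
               "3444 pljJ04mF60.exe 1648 buUJ94MY88.exe 3124 cahf55XI63.exe")
# The report's five RunOnce rows.
RUNONCE_PREFIX = r"Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup"
CLEANUP_EVENTS = [
    RUNONCE_PREFIX + r'0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" ' + SAMPLE,
    RUNONCE_PREFIX + r'1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" plCv68eB71.exe',
    RUNONCE_PREFIX + r'2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" plEP12wO85.exe',
    RUNONCE_PREFIX + r'3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" plJQ68rT08.exe',
    RUNONCE_PREFIX + r'4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\"" pljJ04mF60.exe',
]


def parse_writes(lines):
    """Deduplicate writer->target rows into a parent->children map plus writer names."""
    children, names = defaultdict(set), {}
    for line in lines:
        m = WRITE_RE.match(line)
        if m:
            src, dst = int(m["src"]), int(m["dst"])
            children[src].add(dst)
            names[src] = m["src_name"]
    return dict(children), names


def parse_exec(row):
    """pid -> image name from the 'Executes dropped EXE' row (covers leaf processes)."""
    return {int(pid): name for pid, name in EXEC_RE.findall(row)}


def parse_cleanup(lines):
    """Registering process -> IXP00n.TMP folder it scheduled for deletion."""
    return {m["proc"]: m["dir"] for m in map(CLEANUP_RE.search, lines) if m}


def roots(children):
    return sorted(set(children) - set().union(*children.values()))


def leaves(children):
    return sorted(set().union(*children.values()) - set(children))


def max_depth(children, pid):
    """Number of edges from pid down to its deepest descendant."""
    return 1 + max(max_depth(children, c) for c in children[pid]) if pid in children else 0


def render_chain(children, names, cleanup, pid, depth=0):
    """Indented one-line-per-process view; extractors show the folder they unpacked into."""
    name = names.get(pid, "?")
    note = f" -> extracts next layer into {cleanup[name]}" if name in cleanup else ""
    lines = [f"{'  ' * depth}[{depth}] {pid} {name}{note}"]
    for child in sorted(children.get(pid, ())):
        lines.extend(render_chain(children, names, cleanup, child, depth + 1))
    return lines


def load_sample():
    children, names = parse_writes(WRITE_EVENTS)
    names.update(parse_exec(EXEC_EVENTS))
    return children, names, parse_cleanup(CLEANUP_EVENTS)


if __name__ == "__main__":
    children, names, cleanup = load_sample()
    for root in roots(children):
        print("\n".join(render_chain(children, names, cleanup, root)))
        print(f"depth: {max_depth(children, root)} layers; leaves: {leaves(children)}")
```

Run stand-alone, the block prints the chain from PID 2080 down to the two leaves, PID 1648 (Healer) and PID 3124 (RedLine), five layers below the submitted sample, with each extractor annotated by the IXP00N.TMP folder it unpacked into.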
Processes
C:\Users\Admin\AppData\Local\Temp\e6fd1a2c57c0aab37e7f78d3ecd170574e8f330fadd15d1341489ea9172d085a.exe  (PID 2080, depth 1)
  command line: "C:\Users\Admin\AppData\Local\Temp\e6fd1a2c57c0aab37e7f78d3ecd170574e8f330fadd15d1341489ea9172d085a.exe"
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\plCv68eB71.exe  (PID 3892, depth 2)
    command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\plCv68eB71.exe
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\plEP12wO85.exe  (PID 1816, depth 3)
      command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\plEP12wO85.exe
      - Executes dropped EXE
      - Adds Run key to start application
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\plJQ68rT08.exe  (PID 2204, depth 4)
        command line: C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\plJQ68rT08.exe
        - Executes dropped EXE
        - Adds Run key to start application
        - System Location Discovery: System Language Discovery
        - Suspicious use of WriteProcessMemory
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\pljJ04mF60.exe  (PID 3444, depth 5)
          command line: C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\pljJ04mF60.exe
          - Executes dropped EXE
          - Adds Run key to start application
          - System Location Discovery: System Language Discovery
          - Suspicious use of WriteProcessMemory
          C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\buUJ94MY88.exe  (PID 1648, depth 6)
            command line: C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\buUJ94MY88.exe
            - Modifies Windows Defender Real-time Protection settings
            - Executes dropped EXE
            - Windows security modification
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken
          C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\cahf55XI63.exe  (PID 3124, depth 6)
            command line: C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\cahf55XI63.exe
            - Executes dropped EXE
            - System Location Discovery: System Language Discovery
            - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Persistence
  Boot or Logon Autostart Execution (1)
    Registry Run Keys / Startup Folder (1)
  Create or Modify System Process (1)
    Windows Service (1)
This is the sandbox's own mapping. The only autostart evidence on this page is the wextract_cleanup RunOnce entries, and no service-related IoC appears in the signature list above, so the Windows Service entry is not corroborated by the listed behaviour.
Downloads
Six dropped files, matching the six entries under "Executes dropped EXE"; the report does not pair these hashes with file names.

Filesize: 1.0MB
MD5: 403590acef7ccdf70f55fdf7496c0994
SHA1: 2e762b9032c13228cc0235c1a50ad539fbeb1230
SHA256: e1050f700dd79de16c20265e4046fb99b0da169ccc1eec81ffb419bd43df56a6
SHA512: edbbdc7cfdd72de22e0fa0c020b9a45fdf214f54fa95cea8026b3fcc480a372e8ef25176369c17ceded0a8187966a1486e1d54c5d8490353ffe153b7b608302d

Filesize: 957KB
MD5: 978055ba83c978c57484b6f1e219400d
SHA1: 099d49cb2542c08a904267e8f9caea8a76de2e9f
SHA256: 3cc4f8d96fa25df91a332179bea01a5626c4904aba8282ed354c32a29f726b70
SHA512: 28343b649d6fb4a6b6797dcac796b5d4b828562b13bcf1c204adf6ac83d1388709f357a8541c7f96d3749153c15b24272adc391fb33a375d120a6c527e102219

Filesize: 681KB
MD5: 2f308bf390af28ed2b6662502058d1e2
SHA1: de1bc67e7f32cfa421abd7524f4ebf5e81df93b2
SHA256: 493a79bb4f628ba88f24cbe8525041d4b1c30af5d7c30a1d09696b48be69f535
SHA512: 30ba7c0cd6865059588011485e194edfc7ca07f0b41aefe985c62f717c8dcc7618eb50049a5b210095b3d30dd5617479c03fc2f060ea4db5003fb8a419735040

Filesize: 398KB
MD5: 87244a37a676c01e0a2958d73a793bcb
SHA1: 847568bf3eea5bcbd85f6c1cfd602a17288af018
SHA256: d09ee75ffc43cf4f09800f5908cbb0f66632076de6227778dda592ef4381120a
SHA512: a8ee046a93300fd853f6a335d0f0f64a68a3fc543b43a5df275457050556e2288d415cb764005114d5c7c88296efcde4cc6740f47cdaaa8741dca304aff4898b

Filesize: 13KB
MD5: faa8c750a0754306ebba1de6a09713d4
SHA1: 651b60e1738cdb8a7e673db124a11937a2861119
SHA256: ec581e5d4065bbe617ead07b47dc40a771ccafa3995dde739bb58f1e4739df9a
SHA512: 82d57b3858d2a90708fcf45a329d05e86e38141381742b758608e0536d7b382fa35540744b451efad008de78a51eb1e52ad09605a856618ddef70dd7adb6da67

Filesize: 311KB
MD5: df8b658ff430e07a3083de9d55e38d9f
SHA1: a1c69254ba895096f75660ca5c9c09f46486e65f
SHA256: 885045b17ae6220ea794be50c2290b1c771323b5ff3680879e7d2bd8d1576a74
SHA512: ce534ec18d6e3f3f30a21c0749818ae89895281164262fe118610f4609d98d78f3164659cc8114d2d4767eff56cb446a118b72488982989c0e722fff8bcdae8a