Analysis
max time kernel: 150s
max time network: 150s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 09/11/2024, 05:07
Static task: static1
Behavioral task: behavioral1
Sample: 150eaf9466d35379e2bd637b81fef72c01554cb69605f8e2fab0c653393a8238.exe
Resource: win10v2004-20241007-en
General
Target: 150eaf9466d35379e2bd637b81fef72c01554cb69605f8e2fab0c653393a8238.exe
Size: 1.2MB
MD5: c0a9dbbef699da8851a5ce0fd567c5af
SHA1: 9cf483565ac981545e78f4e992f2538b7ddd5083
SHA256: 150eaf9466d35379e2bd637b81fef72c01554cb69605f8e2fab0c653393a8238
SHA512: 6f6712d8faac5a064a3b5421b6ec107cacce3710e9afe349c4d4ffa6ca79863f1eb538a8ade7b69a922b07348852583a3b12999e2edb2cc92ce47ea80906f69d
SSDEEP: 24576:UypUmJM7/UtcNtv+jsQ7xMT8jJdYcoLGfhnMSzJHY:jpUm67OcNtv+4Q1MT8Ec/iSzJH
Malware Config
Extracted
Family: redline
Botnet: rumfa
C2: 193.233.20.24:4123
auth_value: 749d02a6b4ef1fa2ad908e44ec2296dc
Signatures

Detects Healer, an antivirus disabler dropper (2 IoCs)
resource  yara_rule
behavioral1/files/0x0008000000023cc5-33.dat  healer
behavioral1/memory/5100-35-0x0000000000CF0000-0x0000000000CFA000-memory.dmp  healer

Healer family

Modifies Windows Defender Real-time Protection settings (5 IoCs)
description  ioc  Process
Key created  \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection  buaJ79tT21.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"  buaJ79tT21.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"  buaJ79tT21.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"  buaJ79tT21.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"  buaJ79tT21.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"  buaJ79tT21.exe
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.

RedLine payload (35 IoCs)
resource  yara_rule
behavioral1/memory/2756-41-0x0000000004A00000-0x0000000004A46000-memory.dmp  family_redline
behavioral1/memory/2756-43-0x0000000004D80000-0x0000000004DC4000-memory.dmp  family_redline
behavioral1/memory/2756-59-0x0000000004D80000-0x0000000004DBE000-memory.dmp  family_redline
behavioral1/memory/2756-107-0x0000000004D80000-0x0000000004DBE000-memory.dmp  family_redline
behavioral1/memory/2756-105-0x0000000004D80000-0x0000000004DBE000-memory.dmp  family_redline
behavioral1/memory/2756-103-0x0000000004D80000-0x0000000004DBE000-memory.dmp  family_redline
behavioral1/memory/2756-101-0x0000000004D80000-0x0000000004DBE000-memory.dmp  family_redline
behavioral1/memory/2756-99-0x0000000004D80000-0x0000000004DBE000-memory.dmp  family_redline
behavioral1/memory/2756-93-0x0000000004D80000-0x0000000004DBE000-memory.dmp  family_redline
behavioral1/memory/2756-91-0x0000000004D80000-0x0000000004DBE000-memory.dmp  family_redline
behavioral1/memory/2756-89-0x0000000004D80000-0x0000000004DBE000-memory.dmp  family_redline
behavioral1/memory/2756-88-0x0000000004D80000-0x0000000004DBE000-memory.dmp  family_redline
behavioral1/memory/2756-85-0x0000000004D80000-0x0000000004DBE000-memory.dmp  family_redline
behavioral1/memory/2756-83-0x0000000004D80000-0x0000000004DBE000-memory.dmp  family_redline
behavioral1/memory/2756-82-0x0000000004D80000-0x0000000004DBE000-memory.dmp  family_redline
behavioral1/memory/2756-79-0x0000000004D80000-0x0000000004DBE000-memory.dmp  family_redline
behavioral1/memory/2756-77-0x0000000004D80000-0x0000000004DBE000-memory.dmp  family_redline
behavioral1/memory/2756-75-0x0000000004D80000-0x0000000004DBE000-memory.dmp  family_redline
behavioral1/memory/2756-73-0x0000000004D80000-0x0000000004DBE000-memory.dmp  family_redline
behavioral1/memory/2756-71-0x0000000004D80000-0x0000000004DBE000-memory.dmp  family_redline
behavioral1/memory/2756-69-0x0000000004D80000-0x0000000004DBE000-memory.dmp  family_redline
behavioral1/memory/2756-67-0x0000000004D80000-0x0000000004DBE000-memory.dmp  family_redline
behavioral1/memory/2756-65-0x0000000004D80000-0x0000000004DBE000-memory.dmp  family_redline
behavioral1/memory/2756-63-0x0000000004D80000-0x0000000004DBE000-memory.dmp  family_redline
behavioral1/memory/2756-61-0x0000000004D80000-0x0000000004DBE000-memory.dmp  family_redline
behavioral1/memory/2756-57-0x0000000004D80000-0x0000000004DBE000-memory.dmp  family_redline
behavioral1/memory/2756-55-0x0000000004D80000-0x0000000004DBE000-memory.dmp  family_redline
behavioral1/memory/2756-53-0x0000000004D80000-0x0000000004DBE000-memory.dmp  family_redline
behavioral1/memory/2756-51-0x0000000004D80000-0x0000000004DBE000-memory.dmp  family_redline
behavioral1/memory/2756-49-0x0000000004D80000-0x0000000004DBE000-memory.dmp  family_redline
behavioral1/memory/2756-97-0x0000000004D80000-0x0000000004DBE000-memory.dmp  family_redline
behavioral1/memory/2756-95-0x0000000004D80000-0x0000000004DBE000-memory.dmp  family_redline
behavioral1/memory/2756-47-0x0000000004D80000-0x0000000004DBE000-memory.dmp  family_redline
behavioral1/memory/2756-45-0x0000000004D80000-0x0000000004DBE000-memory.dmp  family_redline
behavioral1/memory/2756-44-0x0000000004D80000-0x0000000004DBE000-memory.dmp  family_redline

Redline family
Executes dropped EXE (6 IoCs)
pid  Process
2344  plIW39QJ44.exe
4132  plbi10NU96.exe
1440  plEI01Xn27.exe
1912  plRl69xi77.exe
5100  buaJ79tT21.exe
2756  caso25Qc87.exe

Windows security modification (1 IoC)
description  ioc  Process
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"  buaJ79tT21.exe
Adds Run key to start application (2 TTPs, 5 IoCs)
description  ioc  Process
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""  plIW39QJ44.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""  plbi10NU96.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""  plEI01Xn27.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\""  plRl69xi77.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""  150eaf9466d35379e2bd637b81fef72c01554cb69605f8e2fab0c653393a8238.exe
Note: the wextract_cleanupN RunOnce values (rundll32 advpack.dll,DelNodeRunDLL32 on an IXP00N.TMP directory) are the cleanup entries written by the Windows self-extracting archive stub (wextract) that each stage of this nested chain is packed with; they delete the extraction directory at next logon rather than relaunch a payload.
System Location Discovery: System Language Discovery (1 TTP, 6 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description  ioc  Process
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  plIW39QJ44.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  plbi10NU96.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  plEI01Xn27.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  plRl69xi77.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  caso25Qc87.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  150eaf9466d35379e2bd637b81fef72c01554cb69605f8e2fab0c653393a8238.exe
Suspicious behavior: EnumeratesProcesses (2 IoCs)
pid  Process
5100  buaJ79tT21.exe
5100  buaJ79tT21.exe

Suspicious use of AdjustPrivilegeToken (2 IoCs)
description  pid  Process
Token: SeDebugPrivilege  5100  buaJ79tT21.exe
Token: SeDebugPrivilege  2756  caso25Qc87.exe

Suspicious use of WriteProcessMemory (17 IoCs)
description  pid  Process  procid_target
PID 2012 wrote to memory of 2344  2012  150eaf9466d35379e2bd637b81fef72c01554cb69605f8e2fab0c653393a8238.exe  84
PID 2012 wrote to memory of 2344  2012  150eaf9466d35379e2bd637b81fef72c01554cb69605f8e2fab0c653393a8238.exe  84
PID 2012 wrote to memory of 2344  2012  150eaf9466d35379e2bd637b81fef72c01554cb69605f8e2fab0c653393a8238.exe  84
PID 2344 wrote to memory of 4132  2344  plIW39QJ44.exe  85
PID 2344 wrote to memory of 4132  2344  plIW39QJ44.exe  85
PID 2344 wrote to memory of 4132  2344  plIW39QJ44.exe  85
PID 4132 wrote to memory of 1440  4132  plbi10NU96.exe  88
PID 4132 wrote to memory of 1440  4132  plbi10NU96.exe  88
PID 4132 wrote to memory of 1440  4132  plbi10NU96.exe  88
PID 1440 wrote to memory of 1912  1440  plEI01Xn27.exe  89
PID 1440 wrote to memory of 1912  1440  plEI01Xn27.exe  89
PID 1440 wrote to memory of 1912  1440  plEI01Xn27.exe  89
PID 1912 wrote to memory of 5100  1912  plRl69xi77.exe  90
PID 1912 wrote to memory of 5100  1912  plRl69xi77.exe  90
PID 1912 wrote to memory of 2756  1912  plRl69xi77.exe  97
PID 1912 wrote to memory of 2756  1912  plRl69xi77.exe  97
PID 1912 wrote to memory of 2756  1912  plRl69xi77.exe  97
Processes
(child processes are indented under their parent)

C:\Users\Admin\AppData\Local\Temp\150eaf9466d35379e2bd637b81fef72c01554cb69605f8e2fab0c653393a8238.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\150eaf9466d35379e2bd637b81fef72c01554cb69605f8e2fab0c653393a8238.exe"
  PID: 2012
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\plIW39QJ44.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\plIW39QJ44.exe
    PID: 2344
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\plbi10NU96.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\plbi10NU96.exe
      PID: 4132
      - Executes dropped EXE
      - Adds Run key to start application
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory

      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\plEI01Xn27.exe
        Command line: C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\plEI01Xn27.exe
        PID: 1440
        - Executes dropped EXE
        - Adds Run key to start application
        - System Location Discovery: System Language Discovery
        - Suspicious use of WriteProcessMemory

        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\plRl69xi77.exe
          Command line: C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\plRl69xi77.exe
          PID: 1912
          - Executes dropped EXE
          - Adds Run key to start application
          - System Location Discovery: System Language Discovery
          - Suspicious use of WriteProcessMemory

          C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\buaJ79tT21.exe
            Command line: C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\buaJ79tT21.exe
            PID: 5100
            - Modifies Windows Defender Real-time Protection settings
            - Executes dropped EXE
            - Windows security modification
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken

          C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\caso25Qc87.exe
            Command line: C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\caso25Qc87.exe
            PID: 2756
            - Executes dropped EXE
            - System Location Discovery: System Language Discovery
            - Suspicious use of AdjustPrivilegeToken
Network

MITRE ATT&CK Enterprise v15
Persistence
  Boot or Logon Autostart Execution (1)
    Registry Run Keys / Startup Folder (1)
  Create or Modify System Process (1)
    Windows Service (1)
Downloads

Filesize: 1.0MB
MD5: 63006e779a1321af9fc63a4f5e08d1ff
SHA1: 7c4207fe719e32627fd1f863f77f0c2b24971f5c
SHA256: 01bc15a2a4eec2e8de037392ce4ca1f1416fee9a86c482c24fb6644293d65205
SHA512: b4dfb6dda517ec06280a97d7a00bb30c209db8cc2728e176dabd881aa2079c24859b48da939941ffcaf7a93a7f72e2a30278b15e8c369d96b7c28d72846a8063

Filesize: 959KB
MD5: 7801bb449714abdaf33bc82bf77eea7f
SHA1: aef687a3bf80ba07c64acd53d072263317bbd39b
SHA256: b66b400f860479d01b647e1ce479bf2355e3ea1d1666234942aa60214d4edb78
SHA512: 9c9b9666816c93e5e9f27866f826037e3d8e27f98102467f25d0ba2dabee22c0e787c457077a425dc453ad549e29fa22871b81de68469685ec42ce35b3a88442

Filesize: 682KB
MD5: d2f2658e42a8fa6249f5f49a4054f33c
SHA1: eeea2356f581cf1576b96d61cd7635f193ff8513
SHA256: 875624098547ae7e8210b5c345700e12196d06b66888fa41204efda37423011c
SHA512: 7ac142ca44c73a0805299d49e5611d4c8e1e2c989032de2016d7961fa113b4addd46ab4e3b3bab9c72acd38c7c30aa9ae8472df041f5366b1f4226e76de7b285

Filesize: 399KB
MD5: ec3aa3fc265d64c3372c94191d8fed99
SHA1: dea70c2a00754a52cfcada8528c26384950583fe
SHA256: 4e8295c6a816b69c0e74a96c706dcb373f740d3f47d4de63881f68843f921bf3
SHA512: a804a2e9cacfded79118b9e08ff22d737c53f424295b8bee52a8afb792bbb31258ad4aeba110fcc0aa8807ad222c88bb417f483c581d0e5b3e912a514289664a

Filesize: 14KB
MD5: 1d961f38462df3d93ce0a4773ba8275b
SHA1: 2ea2ce026296b7fc1988e9e962df91b23c62ace7
SHA256: d789a63d78a848dcb7770511716005b924a6502ec3ea6eead783ec270ef3a91f
SHA512: 8dcca398e0b6eff2c4b1671d522d4be49d24850a6146d7a8d67b72bc887ead80d80ae91fd3a18b867e1c2a68b29ca8f4638311f8e219a9844c1942ceb5e2e3a6

Filesize: 375KB
MD5: 8543cf3384382f56703a6ee451ac68f3
SHA1: 353211899c2c986e0d038a11f566e02e3113e113
SHA256: 2f1d315d7594bdb561cc82a3e1893703535688dff362e547d1e0ce98362c0acf
SHA512: 609055d116696778d46331609f81697e5b01e34bc70e3ddbd9a27a23f5024ed37902c38ee329e05c29e06422e9352ebb266e9f260cafad9e20f2b262248f4186