Analysis
max time kernel: 150s
max time network: 150s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system
submitted: 09/11/2024, 05:13
Static task
static1
Behavioral task
behavioral1
Sample
f106a7bc94889c0ed0338db096ed43b39d3b6609549fe969933d776b99b4661b.exe
Resource
win10v2004-20241007-en
General
Target: f106a7bc94889c0ed0338db096ed43b39d3b6609549fe969933d776b99b4661b.exe
Size: 1.0MB
MD5: 0654fc5ebee6c050d85ec8e18383b504
SHA1: 2abb530dba301167625940336f350b0bd9e85bed
SHA256: f106a7bc94889c0ed0338db096ed43b39d3b6609549fe969933d776b99b4661b
SHA512: c8e73efe122021f1b8c7435d283a0c1b7620cf8e4be8d81df9fadd0996f879b137f77640edaf7c2e7e910efaa7aa51f3ae5d1e692c8f4c9f6f57e5b4504e1100
SSDEEP: 24576:nyrBxjdRl1G/wYwIvJMUziMl0vph5diu8NjjCj:yrBxh1GoHIvuUl0tL8Nj
Malware Config
Extracted
Family: redline
Botnet: ramon
C2: 193.233.20.23:4123
auth_value: 3197576965d9513f115338c233015b40
Signatures
Detects Healer, an antivirus disabler dropper 2 IoCs
resource yara_rule
behavioral1/files/0x000b000000023b83-26.dat healer
behavioral1/memory/4356-28-0x0000000000B10000-0x0000000000B1A000-memory.dmp healer
Healer family
Modifies Windows Defender Real-time Protection settings
description ioc Process
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" iIN12xv99.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" iIN12xv99.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" iIN12xv99.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection iIN12xv99.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" iIN12xv99.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" iIN12xv99.exe
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
RedLine payload 35 IoCs
Redline family
Executes dropped EXE 5 IoCs
pid Process
4744 sfg66hd65.exe
1660 szl97ZW44.exe
3940 sTC30aE50.exe
4356 iIN12xv99.exe
3536 kbn57pY84.exe
Windows security modification
description ioc Process
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" iIN12xv99.exe
Adds Run key to start application 2 TTPs 4 IoCs
description ioc Process
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" f106a7bc94889c0ed0338db096ed43b39d3b6609549fe969933d776b99b4661b.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" sfg66hd65.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" szl97ZW44.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" sTC30aE50.exe
Launches sc.exe 1 IoCs
sc.exe is a Windows utility to control services on the system.
pid Process
5840 sc.exe
System Location Discovery: System Language Discovery 1 TTPs 5 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language f106a7bc94889c0ed0338db096ed43b39d3b6609549fe969933d776b99b4661b.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language sfg66hd65.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language szl97ZW44.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language sTC30aE50.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language kbn57pY84.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs
pid Process
4356 iIN12xv99.exe
4356 iIN12xv99.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs
description pid Process
Token: SeDebugPrivilege 4356 iIN12xv99.exe
Token: SeDebugPrivilege 3536 kbn57pY84.exe
Suspicious use of WriteProcessMemory 14 IoCs
description pid Process procid_target
PID 768 wrote to memory of 4744 768 f106a7bc94889c0ed0338db096ed43b39d3b6609549fe969933d776b99b4661b.exe 83
PID 768 wrote to memory of 4744 768 f106a7bc94889c0ed0338db096ed43b39d3b6609549fe969933d776b99b4661b.exe 83
PID 768 wrote to memory of 4744 768 f106a7bc94889c0ed0338db096ed43b39d3b6609549fe969933d776b99b4661b.exe 83
PID 4744 wrote to memory of 1660 4744 sfg66hd65.exe 84
PID 4744 wrote to memory of 1660 4744 sfg66hd65.exe 84
PID 4744 wrote to memory of 1660 4744 sfg66hd65.exe 84
PID 1660 wrote to memory of 3940 1660 szl97ZW44.exe 86
PID 1660 wrote to memory of 3940 1660 szl97ZW44.exe 86
PID 1660 wrote to memory of 3940 1660 szl97ZW44.exe 86
PID 3940 wrote to memory of 4356 3940 sTC30aE50.exe 87
PID 3940 wrote to memory of 4356 3940 sTC30aE50.exe 87
PID 3940 wrote to memory of 3536 3940 sTC30aE50.exe 98
PID 3940 wrote to memory of 3536 3940 sTC30aE50.exe 98
PID 3940 wrote to memory of 3536 3940 sTC30aE50.exe 98
Processes
[1] C:\Users\Admin\AppData\Local\Temp\f106a7bc94889c0ed0338db096ed43b39d3b6609549fe969933d776b99b4661b.exe
    "C:\Users\Admin\AppData\Local\Temp\f106a7bc94889c0ed0338db096ed43b39d3b6609549fe969933d776b99b4661b.exe"
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID: 768
  [2] C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\sfg66hd65.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\sfg66hd65.exe
      - Executes dropped EXE
      - Adds Run key to start application
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      PID: 4744
    [3] C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\szl97ZW44.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\szl97ZW44.exe
        - Executes dropped EXE
        - Adds Run key to start application
        - System Location Discovery: System Language Discovery
        - Suspicious use of WriteProcessMemory
        PID: 1660
      [4] C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\sTC30aE50.exe
          C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\sTC30aE50.exe
          - Executes dropped EXE
          - Adds Run key to start application
          - System Location Discovery: System Language Discovery
          - Suspicious use of WriteProcessMemory
          PID: 3940
        [5] C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\iIN12xv99.exe
            C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\iIN12xv99.exe
            - Modifies Windows Defender Real-time Protection settings
            - Executes dropped EXE
            - Windows security modification
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken
            PID: 4356
        [5] C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\kbn57pY84.exe
            C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\kbn57pY84.exe
            - Executes dropped EXE
            - System Location Discovery: System Language Discovery
            - Suspicious use of AdjustPrivilegeToken
            PID: 3536
[1] C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe start wuauserv
    - Launches sc.exe
    PID: 5840
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution: 1
Registry Run Keys / Startup Folder: 1
Create or Modify System Process: 1
Windows Service: 1
Downloads