Analysis
max time kernel: 144s
max time network: 148s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 09/11/2024, 05:13
Static task: static1
Behavioral task: behavioral1
Sample: 0bb21344db4901776a9180e959cc3cd5f6f4c63f3a2a58dbf437081c564a5c16.exe
Resource: win10v2004-20241007-en
General
Target: 0bb21344db4901776a9180e959cc3cd5f6f4c63f3a2a58dbf437081c564a5c16.exe
Size: 1.1MB
MD5: 9d7c89be2d6674bc2eb4d289558ceb86
SHA1: 75d0abf66783dc913b715b25c1266e31eb377ff9
SHA256: 0bb21344db4901776a9180e959cc3cd5f6f4c63f3a2a58dbf437081c564a5c16
SHA512: b29b2716672024b16b039b765cbae4853dae8de00f713ce5ecea5bc79e1326209f89305d8e603b6d734e1cda578189a9b1bcef10c73108e10bfd5e116a565473
SSDEEP: 24576:YyoX6Fb360vH7LpxxY2NMxZr3Vol5u0q8Oy2:foX6FbTLeWvlO
Malware Config
Extracted
Family: redline
Botnet: rumfa
C2: 193.233.20.24:4123
auth_value: 749d02a6b4ef1fa2ad908e44ec2296dc
Signatures
Detects Healer, an antivirus disabler dropper (2 IoCs)
resource | yara_rule
behavioral1/files/0x0013000000023ba7-32.dat | healer
behavioral1/memory/2180-35-0x0000000000090000-0x000000000009A000-memory.dmp | healer
Healer family
Modifies Windows Defender Real-time Protection settings
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | ibd76HK37.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | ibd76HK37.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | ibd76HK37.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | ibd76HK37.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | ibd76HK37.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | ibd76HK37.exe
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
RedLine payload (35 IoCs)
Redline family
Executes dropped EXE (6 IoCs)
pid | Process
3416 | vmqX40xf95.exe
1108 | vmVt47fs66.exe
4420 | vmNY35Qf32.exe
972 | vmux18GI80.exe
2180 | ibd76HK37.exe
1712 | kDu75BV14.exe
Windows security modification
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" | ibd76HK37.exe
Adds Run key to start application (2 TTPs, 5 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" | vmVt47fs66.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" | vmNY35Qf32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\"" | vmux18GI80.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | 0bb21344db4901776a9180e959cc3cd5f6f4c63f3a2a58dbf437081c564a5c16.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | vmqX40xf95.exe
Launches sc.exe (1 IoC)
Sc.exe is a Windows utility to control services on the system.
pid | Process
2116 | sc.exe
System Location Discovery: System Language Discovery (1 TTP, 6 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 0bb21344db4901776a9180e959cc3cd5f6f4c63f3a2a58dbf437081c564a5c16.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | vmqX40xf95.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | vmVt47fs66.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | vmNY35Qf32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | vmux18GI80.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | kDu75BV14.exe
Suspicious behavior: EnumeratesProcesses (2 IoCs)
pid | Process
2180 | ibd76HK37.exe
2180 | ibd76HK37.exe
Suspicious use of AdjustPrivilegeToken (2 IoCs)
description | pid | Process
Token: SeDebugPrivilege | 2180 | ibd76HK37.exe
Token: SeDebugPrivilege | 1712 | kDu75BV14.exe
Suspicious use of WriteProcessMemory (17 IoCs)
description | pid | Process | procid_target
PID 312 wrote to memory of 3416 | 312 | 0bb21344db4901776a9180e959cc3cd5f6f4c63f3a2a58dbf437081c564a5c16.exe | 86
PID 312 wrote to memory of 3416 | 312 | 0bb21344db4901776a9180e959cc3cd5f6f4c63f3a2a58dbf437081c564a5c16.exe | 86
PID 312 wrote to memory of 3416 | 312 | 0bb21344db4901776a9180e959cc3cd5f6f4c63f3a2a58dbf437081c564a5c16.exe | 86
PID 3416 wrote to memory of 1108 | 3416 | vmqX40xf95.exe | 87
PID 3416 wrote to memory of 1108 | 3416 | vmqX40xf95.exe | 87
PID 3416 wrote to memory of 1108 | 3416 | vmqX40xf95.exe | 87
PID 1108 wrote to memory of 4420 | 1108 | vmVt47fs66.exe | 88
PID 1108 wrote to memory of 4420 | 1108 | vmVt47fs66.exe | 88
PID 1108 wrote to memory of 4420 | 1108 | vmVt47fs66.exe | 88
PID 4420 wrote to memory of 972 | 4420 | vmNY35Qf32.exe | 89
PID 4420 wrote to memory of 972 | 4420 | vmNY35Qf32.exe | 89
PID 4420 wrote to memory of 972 | 4420 | vmNY35Qf32.exe | 89
PID 972 wrote to memory of 2180 | 972 | vmux18GI80.exe | 90
PID 972 wrote to memory of 2180 | 972 | vmux18GI80.exe | 90
PID 972 wrote to memory of 1712 | 972 | vmux18GI80.exe | 98
PID 972 wrote to memory of 1712 | 972 | vmux18GI80.exe | 98
PID 972 wrote to memory of 1712 | 972 | vmux18GI80.exe | 98
Processes
C:\Users\Admin\AppData\Local\Temp\0bb21344db4901776a9180e959cc3cd5f6f4c63f3a2a58dbf437081c564a5c16.exe (level 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\0bb21344db4901776a9180e959cc3cd5f6f4c63f3a2a58dbf437081c564a5c16.exe"
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID: 312
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vmqX40xf95.exe (level 2)
    Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vmqX40xf95.exe
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID: 3416
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\vmVt47fs66.exe (level 3)
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\vmVt47fs66.exe
      - Executes dropped EXE
      - Adds Run key to start application
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      PID: 1108
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\vmNY35Qf32.exe (level 4)
        Command line: C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\vmNY35Qf32.exe
        - Executes dropped EXE
        - Adds Run key to start application
        - System Location Discovery: System Language Discovery
        - Suspicious use of WriteProcessMemory
        PID: 4420
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\vmux18GI80.exe (level 5)
          Command line: C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\vmux18GI80.exe
          - Executes dropped EXE
          - Adds Run key to start application
          - System Location Discovery: System Language Discovery
          - Suspicious use of WriteProcessMemory
          PID: 972
          C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\ibd76HK37.exe (level 6)
            Command line: C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\ibd76HK37.exe
            - Modifies Windows Defender Real-time Protection settings
            - Executes dropped EXE
            - Windows security modification
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken
            PID: 2180
          C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\kDu75BV14.exe (level 6)
            Command line: C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\kDu75BV14.exe
            - Executes dropped EXE
            - System Location Discovery: System Language Discovery
            - Suspicious use of AdjustPrivilegeToken
            PID: 1712
C:\Windows\system32\sc.exe (level 1)
  Command line: C:\Windows\system32\sc.exe start wuauserv
  - Launches sc.exe
  PID: 2116
Network
MITRE ATT&CK Enterprise v15
Persistence
  Boot or Logon Autostart Execution (1)
    Registry Run Keys / Startup Folder (1)
  Create or Modify System Process (1)
    Windows Service (1)
Downloads
- Filesize: 988KB
  MD5: bfae7a87f2d47686bf522e13ead90343
  SHA1: 3c0ecf2cd82cb84484a571007a0219164148e790
  SHA256: a4405a3ed84f9624585fb577f2d11e8b3f38734a5ed17615262de6e388413f50
  SHA512: 5cab4584f1db595a6bc11143a95919a248a5628ea26df4f771b565b45d971957d2a899b6895c820b1568d9fa9be50785968e92b7ee5f13e07d52424fed0a918d
- Filesize: 885KB
  MD5: bef21e67fa4822fba440ab7ceddfce71
  SHA1: 94b3f00414695a88352ef59831acd1823610c550
  SHA256: 0223603d3f60333683e42dfd0412a23181ba48797543c9847cfab5141fd7a05f
  SHA512: eb6c61826e9fe2dd85ba1a6c66c64a7c56dbffbc7faab43aee00520b904beab4703107baae76fbc7d31d5545248e6580e7a4a4b9f906d2bc90caba7978e917c1
- Filesize: 661KB
  MD5: 973b4e17a631e057f9ed95a3e920708b
  SHA1: 6f990190fbe64c67c64f69e1a28cd1fc66d596c5
  SHA256: a1b564e3b17a6d91fb9a5a11358e2140e98dfd54be47c2d4ccd2f88a6979808d
  SHA512: 642ccf7a471b0da8a63322e25a2094fdc334f223de9364674e3bfb727adafeb694d7f6bcc8fff4abd934a1857d7e6923c4a8103e253590ab09b595c00d9e361d
- Filesize: 388KB
  MD5: 8484368cc64c3ceda617ef01d6096e2b
  SHA1: d3d482b9da9b147430cb3407bf916a18c87dc9eb
  SHA256: c6af6326c8cdaa5a6f211897f57af57b31781dd24691a938999a6cbfd35038b8
  SHA512: bd4ac59195d09e3e8579c2f0257f5ac9f89a443b7c0aea29c9f49624be0587812e5263e33d7a20bbb7dfbaa9b4c623159bbedd9da8c3787004cf7ecd647b424b
- Filesize: 11KB
  MD5: da24b2706a7e8dd8ffbacde3b39d72f9
  SHA1: 1476442694f0798b17310bad3bff3416ae133436
  SHA256: 887265dbcad5bcf84e4a8558ea5fe34ddffa581fd6a6e55544785aa1df22698a
  SHA512: 5c7d1071b4a9666350b8cefc8edde1e819a8b1fc98bc059eb940070f89eedb648aee7db12b2ad9213485880dcd74dadadabd25a05f9c6a61f05aba0c1ab0a3f2
- Filesize: 306KB
  MD5: 9792900c815b23017f946773359ebe08
  SHA1: 15629567cf9023b6a9a7a4b69a805e8314a6bb2d
  SHA256: edbe4131b7bd5f130c9650d2585d97337834a62073e58fcce4d3b6d2f95d3907
  SHA512: cf27fc151b7d74daebdad990da0e26bea2337d2b2b90b2d5586343c077e9540e3f1a0a94099b603ffe4eaf6263e864e009795ec4ff900063237d6b44b0ec7465