Analysis
max time kernel: 144s
max time network: 148s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 09/11/2024, 19:11
Static task: static1
Behavioral task: behavioral1
Sample: e6f5010727a4edd699176a490dae773081d425d2336ee46e9d3eb8ed132fc88e.exe
Resource: win10v2004-20241007-en
General
Target: e6f5010727a4edd699176a490dae773081d425d2336ee46e9d3eb8ed132fc88e.exe
Size: 522KB
MD5: e8eca111f79cb9d2642e5ed6007f33f4
SHA1: 8621c70183ec54fb8970cfa46a1d69c01ee061fd
SHA256: e6f5010727a4edd699176a490dae773081d425d2336ee46e9d3eb8ed132fc88e
SHA512: 414b0933445e18a4c3c851125232aa99c00f4ba97e6ab958174788855aa305a71fbda255f6f69f97a2b84362eb4aa3eeec78e602d49204a3756a9b915220251f
SSDEEP: 12288:3MrWy90M2O/TPPuUU9KDsB5ArMLDbygSQA7l/CvKXt1nGJ3:Nyh2O7mKc5TL3yNDRK8t1nGZ
Malware Config
Extracted
Family: redline
Botnet: rosn
C2: 176.113.115.145:4125
auth_value: 050a19e1db4d0024b0f23b37dcf961f4
Signatures

Detects Healer, an antivirus disabler dropper (2 IoCs)
resource | yara_rule
behavioral1/files/0x0008000000023c85-12.dat | healer
behavioral1/memory/1376-15-0x0000000000DF0000-0x0000000000DFA000-memory.dmp | healer

Healer family

Modifies Windows Defender Real-time Protection settings (6 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | jr124673.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | jr124673.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | jr124673.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | jr124673.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | jr124673.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | jr124673.exe
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.

RedLine payload (35 IoCs)
All 35 matches are in the memory of PID 2760 (ku482805.exe), which, together with the extracted C2 configuration, identifies that dropped file as the RedLine component; the Healer matches above belong to jr124673.exe (PID 1376).
resource | yara_rule
behavioral1/memory/2760-21-0x0000000004A50000-0x0000000004A96000-memory.dmp | family_redline
behavioral1/memory/2760-23-0x0000000004AD0000-0x0000000004B14000-memory.dmp | family_redline
behavioral1/memory/2760-37-0x0000000004AD0000-0x0000000004B0F000-memory.dmp | family_redline
behavioral1/memory/2760-87-0x0000000004AD0000-0x0000000004B0F000-memory.dmp | family_redline
behavioral1/memory/2760-85-0x0000000004AD0000-0x0000000004B0F000-memory.dmp | family_redline
behavioral1/memory/2760-77-0x0000000004AD0000-0x0000000004B0F000-memory.dmp | family_redline
behavioral1/memory/2760-83-0x0000000004AD0000-0x0000000004B0F000-memory.dmp | family_redline
behavioral1/memory/2760-81-0x0000000004AD0000-0x0000000004B0F000-memory.dmp | family_redline
behavioral1/memory/2760-79-0x0000000004AD0000-0x0000000004B0F000-memory.dmp | family_redline
behavioral1/memory/2760-75-0x0000000004AD0000-0x0000000004B0F000-memory.dmp | family_redline
behavioral1/memory/2760-71-0x0000000004AD0000-0x0000000004B0F000-memory.dmp | family_redline
behavioral1/memory/2760-69-0x0000000004AD0000-0x0000000004B0F000-memory.dmp | family_redline
behavioral1/memory/2760-67-0x0000000004AD0000-0x0000000004B0F000-memory.dmp | family_redline
behavioral1/memory/2760-65-0x0000000004AD0000-0x0000000004B0F000-memory.dmp | family_redline
behavioral1/memory/2760-63-0x0000000004AD0000-0x0000000004B0F000-memory.dmp | family_redline
behavioral1/memory/2760-61-0x0000000004AD0000-0x0000000004B0F000-memory.dmp | family_redline
behavioral1/memory/2760-59-0x0000000004AD0000-0x0000000004B0F000-memory.dmp | family_redline
behavioral1/memory/2760-57-0x0000000004AD0000-0x0000000004B0F000-memory.dmp | family_redline
behavioral1/memory/2760-55-0x0000000004AD0000-0x0000000004B0F000-memory.dmp | family_redline
behavioral1/memory/2760-53-0x0000000004AD0000-0x0000000004B0F000-memory.dmp | family_redline
behavioral1/memory/2760-51-0x0000000004AD0000-0x0000000004B0F000-memory.dmp | family_redline
behavioral1/memory/2760-49-0x0000000004AD0000-0x0000000004B0F000-memory.dmp | family_redline
behavioral1/memory/2760-47-0x0000000004AD0000-0x0000000004B0F000-memory.dmp | family_redline
behavioral1/memory/2760-45-0x0000000004AD0000-0x0000000004B0F000-memory.dmp | family_redline
behavioral1/memory/2760-43-0x0000000004AD0000-0x0000000004B0F000-memory.dmp | family_redline
behavioral1/memory/2760-41-0x0000000004AD0000-0x0000000004B0F000-memory.dmp | family_redline
behavioral1/memory/2760-39-0x0000000004AD0000-0x0000000004B0F000-memory.dmp | family_redline
behavioral1/memory/2760-35-0x0000000004AD0000-0x0000000004B0F000-memory.dmp | family_redline
behavioral1/memory/2760-33-0x0000000004AD0000-0x0000000004B0F000-memory.dmp | family_redline
behavioral1/memory/2760-31-0x0000000004AD0000-0x0000000004B0F000-memory.dmp | family_redline
behavioral1/memory/2760-73-0x0000000004AD0000-0x0000000004B0F000-memory.dmp | family_redline
behavioral1/memory/2760-29-0x0000000004AD0000-0x0000000004B0F000-memory.dmp | family_redline
behavioral1/memory/2760-27-0x0000000004AD0000-0x0000000004B0F000-memory.dmp | family_redline
behavioral1/memory/2760-25-0x0000000004AD0000-0x0000000004B0F000-memory.dmp | family_redline
behavioral1/memory/2760-24-0x0000000004AD0000-0x0000000004B0F000-memory.dmp | family_redline

Redline family
Executes dropped EXE (3 IoCs)
pid | Process
804 | ziPg9265.exe
1376 | jr124673.exe
2760 | ku482805.exe

Windows security modification (1 IoC)
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" | jr124673.exe
Adds Run key to start application (2 TTPs, 2 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = rundll32.exe C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\" | e6f5010727a4edd699176a490dae773081d425d2336ee46e9d3eb8ed132fc88e.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = rundll32.exe C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\" | ziPg9265.exe
Both entries are the standard cleanup records written by the Windows self-extractor stub (wextract.exe, as produced by IExpress): at the next logon RunOnce calls DelNodeRunDLL32 in advpack.dll to delete the IXP000.TMP and IXP001.TMP extraction directories. They show that the submitted sample and ziPg9265.exe are two nested SFX layers, not that the payloads install an autostart entry for themselves; no other Run or RunOnce write appears in this report.
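The registry writes in the three signatures above (the Defender policy values set to 1, TamperProtection set to 0, and the wextract_cleanup RunOnce entries) are the kind of events a detection rule has to tell apart. The following Python is an added example and is not part of the sandbox report or of any vendor tooling: it classifies registry value-set events modelled on Sysmon Event ID 13, flags the Healer pattern, and labels the self-extractor's own cleanup entry as informational so it is not reported as persistence. The event field names (image, target, details) and the last three sample events are assumptions made for the example.

```python
"""Triage registry writes like the ones this report attributes to jr124673.exe and the droppers.

Added example, not part of the sandbox report or of any vendor tooling.
Events are constructed below in the style of Sysmon Event ID 13
(RegistryEvent: value set); the field names 'image', 'target' and
'details' are an assumption about how such events were normalised.
"""
import re
from dataclasses import dataclass
from typing import Optional

# Policy key whose five Disable* values the report shows being set to 1.
DEFENDER_RTP_POLICY = (r"\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft"
                       r"\Windows Defender\Real-Time Protection")
DEFENDER_DISABLE_VALUES = {
    "DisableBehaviorMonitoring", "DisableIOAVProtection",
    "DisableOnAccessProtection", "DisableRealtimeMonitoring",
    "DisableScanOnRealtimeEnable",
}
# Value the report shows being set to 0 ("Windows security modification").
TAMPER_PROTECTION = (r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender"
                     r"\Features\TamperProtection")
# Any Run/RunOnce value under CurrentVersion, native or WOW6432Node view.
RUN_KEY = re.compile(
    r"\\Microsoft\\Windows\\CurrentVersion\\(?:Run|RunOnce)\\(?P<name>[^\\]+)$",
    re.IGNORECASE)
# Command wextract.exe (IExpress SFX stub) registers so its temp dir is deleted at next logon.
WEXTRACT_CLEANUP = re.compile(
    r'^rundll32\.exe\s+(?:C:\\Windows\\system32\\)?advpack\.dll,DelNodeRunDLL32'
    r'\s+"(?P<dir>[^"]+)"$', re.IGNORECASE)
IXP_TEMP_DIR = re.compile(r"\\Temp\\IXP\d{3}\.TMP\\?$", re.IGNORECASE)


@dataclass
class Finding:
    severity: str  # "high", "medium" or "info"
    process: str
    target: str
    note: str


def _as_int(details: str) -> Optional[int]:
    """Sysmon renders DWORDs as 'DWORD (0x00000001)'; the report renders them as "1"."""
    m = re.fullmatch(r"(?:DWORD|QWORD) \(0x([0-9A-Fa-f]+)\)", details.strip())
    if m:
        return int(m.group(1), 16)
    try:
        return int(details.strip())
    except ValueError:
        return None


def classify(event: dict) -> Optional[Finding]:
    target, details, proc = event["target"], event["details"], event["image"]
    key, _, name = target.rpartition("\\")
    # 1. Real-time protection switched off through policy values (the Healer pattern).
    if key.lower() == DEFENDER_RTP_POLICY.lower() and name in DEFENDER_DISABLE_VALUES:
        if _as_int(details) == 1:
            return Finding("high", proc, target, "Defender real-time protection disabled by policy")
        return None  # the same value written back to 0 is a restore, not a disable
    # 2. Tamper Protection is the feature that normally blocks such policy changes.
    if target.lower() == TAMPER_PROTECTION.lower() and _as_int(details) == 0:
        return Finding("high", proc, target, "Defender TamperProtection switched off")
    # 3. Autostart entries: separate the self-extractor's cleanup from real persistence.
    m = RUN_KEY.search(target)
    if m:
        c = WEXTRACT_CLEANUP.match(details)
        if (c and m.group("name").lower().startswith("wextract_cleanup")
                and IXP_TEMP_DIR.search(c.group("dir"))):
            return Finding("info", proc, target,
                           f"wextract/IExpress SFX cleanup of {c.group('dir')}; not persistence")
        return Finding("medium", proc, target, f"autostart entry -> {details}")
    return None


def triage(events) -> list:
    """Findings in event order; events that match nothing are dropped."""
    return [f for f in map(classify, events) if f is not None]


# Constructed sample events: the first four mirror IoCs from this report,
# the last three are hypothetical and exercise the edge cases.
_RUNONCE_WOW = r"\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce"
SAMPLE_EVENTS = [
    {"image": "jr124673.exe", "target": DEFENDER_RTP_POLICY + r"\DisableRealtimeMonitoring",
     "details": "DWORD (0x00000001)"},
    {"image": "jr124673.exe", "target": DEFENDER_RTP_POLICY + r"\DisableBehaviorMonitoring",
     "details": "1"},
    {"image": "jr124673.exe", "target": TAMPER_PROTECTION, "details": "DWORD (0x00000000)"},
    {"image": "e6f5010727a4edd699176a490dae773081d425d2336ee46e9d3eb8ed132fc88e.exe",
     "target": _RUNONCE_WOW + r"\wextract_cleanup0",
     "details": r'rundll32.exe C:\Windows\system32\advpack.dll,DelNodeRunDLL32 '
                r'"C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\"'},
    # hypothetical: a genuine autostart entry
    {"image": "updater.exe",
     "target": r"\REGISTRY\USER\S-1-5-21-1-1-1-1001\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Updater",
     "details": r"C:\Users\Admin\AppData\Roaming\updater.exe"},
    # hypothetical: cleanup-looking name, but the directory is not an IXP temp dir
    {"image": "updater.exe", "target": _RUNONCE_WOW + r"\wextract_cleanup9",
     "details": r'rundll32.exe advpack.dll,DelNodeRunDLL32 "C:\ProgramData\cache\"'},
    # hypothetical: the policy value written back to 0 (a restore)
    {"image": "admin_tool.exe", "target": DEFENDER_RTP_POLICY + r"\DisableRealtimeMonitoring",
     "details": "DWORD (0x00000000)"},
]

if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS):
        print(f"[{f.severity:<6}] {f.process}: {f.note}")
```

Run against the sample list it reports three high findings for jr124673.exe, one informational wextract cleanup for the outer SFX, and two medium autostart entries for the hypothetical ones; the restore event produces nothing. The wextract match is deliberately narrow (value name, advpack export and an IXP temp directory all have to agree), so a malicious RunOnce that merely borrows the wextract_cleanup name is still surfaced.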
System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
Attempts to gather information about the system language of the victim host in order to infer its geographical location.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | e6f5010727a4edd699176a490dae773081d425d2336ee46e9d3eb8ed132fc88e.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | ziPg9265.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | ku482805.exe
Suspicious behavior: EnumeratesProcesses (2 IoCs)
pid | Process
1376 | jr124673.exe
1376 | jr124673.exe

Suspicious use of AdjustPrivilegeToken (2 IoCs)
description | pid | Process
Token: SeDebugPrivilege | 1376 | jr124673.exe
Token: SeDebugPrivilege | 2760 | ku482805.exe

Suspicious use of WriteProcessMemory (8 IoCs)
description | pid | Process | procid_target
PID 4732 wrote to memory of 804 | 4732 | e6f5010727a4edd699176a490dae773081d425d2336ee46e9d3eb8ed132fc88e.exe | 83
PID 4732 wrote to memory of 804 | 4732 | e6f5010727a4edd699176a490dae773081d425d2336ee46e9d3eb8ed132fc88e.exe | 83
PID 4732 wrote to memory of 804 | 4732 | e6f5010727a4edd699176a490dae773081d425d2336ee46e9d3eb8ed132fc88e.exe | 83
PID 804 wrote to memory of 1376 | 804 | ziPg9265.exe | 85
PID 804 wrote to memory of 1376 | 804 | ziPg9265.exe | 85
PID 804 wrote to memory of 2760 | 804 | ziPg9265.exe | 92
PID 804 wrote to memory of 2760 | 804 | ziPg9265.exe | 92
PID 804 wrote to memory of 2760 | 804 | ziPg9265.exe | 92
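The eight rows above collapse to three parent-to-child edges: every target is a process the writer has just spawned, which is consistent with ordinary process creation (the parent writes the child's startup parameters into the new address space) rather than with injection into a foreign process. The Python below is an added example, not part of the report: it parses rows in the report's own format, de-duplicates the repeated writes and renders the tree that the Processes section shows. The rows and the child PID-to-image map are copied from this report; nothing else is assumed.

```python
"""Rebuild the process tree from 'wrote to memory of' IoC rows.

Added example, not part of the sandbox report. The rows below are the
report's own eight WriteProcessMemory IoCs (parent PID, child PID,
parent PID again, parent image, target process index); the child
PID -> image map comes from the 'Executes dropped EXE' signature.
Process creation writes into the new child's address space more than
once, so each parent->child edge appears several times and is
collapsed to one.
"""
import re
from collections import defaultdict

IOC_ROWS = """\
PID 4732 wrote to memory of 804 4732 e6f5010727a4edd699176a490dae773081d425d2336ee46e9d3eb8ed132fc88e.exe 83
PID 4732 wrote to memory of 804 4732 e6f5010727a4edd699176a490dae773081d425d2336ee46e9d3eb8ed132fc88e.exe 83
PID 4732 wrote to memory of 804 4732 e6f5010727a4edd699176a490dae773081d425d2336ee46e9d3eb8ed132fc88e.exe 83
PID 804 wrote to memory of 1376 804 ziPg9265.exe 85
PID 804 wrote to memory of 1376 804 ziPg9265.exe 85
PID 804 wrote to memory of 2760 804 ziPg9265.exe 92
PID 804 wrote to memory of 2760 804 ziPg9265.exe 92
PID 804 wrote to memory of 2760 804 ziPg9265.exe 92
"""
DROPPED_EXES = {804: "ziPg9265.exe", 1376: "jr124673.exe", 2760: "ku482805.exe"}

ROW = re.compile(r"^PID (\d+) wrote to memory of (\d+) (\d+) (\S+) (\d+)$")


def parse_edges(rows: str):
    """Return (parent_pid, child_pid, parent_image) edges, first occurrence only."""
    edges, seen = [], set()
    for line in rows.splitlines():
        m = ROW.match(line.strip())
        if not m:
            raise ValueError(f"unrecognised row: {line!r}")
        parent, child, parent_again, image, _target_idx = m.groups()
        if parent != parent_again:
            raise ValueError(f"pid columns disagree: {line!r}")
        if (parent, child) not in seen:
            seen.add((parent, child))
            edges.append((int(parent), int(child), image))
    return edges


def build_tree(edges, child_images):
    """Map every PID to an image name and every parent to its children, in order."""
    images = dict(child_images)
    children = defaultdict(list)
    for parent, child, parent_image in edges:
        images.setdefault(parent, parent_image)
        children[parent].append(child)
    is_child = {child for _, child, _ in edges}
    roots = [pid for pid in images if pid not in is_child]
    return roots, children, images


def render_tree(rows: str = IOC_ROWS, child_images=DROPPED_EXES):
    """Indented lines, one per process, in the shape of the Processes section."""
    roots, children, images = build_tree(parse_edges(rows), child_images)
    out = []

    def walk(pid, depth):
        out.append("  " * depth + f"{images.get(pid, '<unknown>')} (PID {pid})")
        for child in children[pid]:
            walk(child, depth + 1)

    for root in roots:
        walk(root, 0)
    return out


if __name__ == "__main__":
    print("\n".join(render_tree()))
```

A PID that appears only as a writer and never as a target is a root; here that is 4732 alone, which is why the rendered tree matches the Processes section exactly. A real injection would show up as an edge whose child is not in the dropped-EXE map and is not otherwise a child of the writer.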
Processes

C:\Users\Admin\AppData\Local\Temp\e6f5010727a4edd699176a490dae773081d425d2336ee46e9d3eb8ed132fc88e.exe (PID 4732)
  command line: "C:\Users\Admin\AppData\Local\Temp\e6f5010727a4edd699176a490dae773081d425d2336ee46e9d3eb8ed132fc88e.exe"
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziPg9265.exe (PID 804)
    command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziPg9265.exe
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr124673.exe (PID 1376)
      command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr124673.exe
      - Modifies Windows Defender Real-time Protection settings
      - Executes dropped EXE
      - Windows security modification
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku482805.exe (PID 2760)
      command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku482805.exe
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Persistence
  Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder (1)
  Create or Modify System Process: Windows Service (1)
Downloads

Filesize: 379KB
MD5: 4a99fbb3ed374dc9b1c4d4a47e348bab
SHA1: ea862d969475b64a2c065036c65fc4ff37758c98
SHA256: 6e09fafa1afca7d57cd5917c69bed0778f2924e6ac328f7fb297ce79609c0001
SHA512: 31ba21037d7a25b5de41449f664174158821800bbb163a730ef874784c3a7fc276493064f60fcbddacf41841e651e10153fea893e699295d1ee7f4aacbbc76d3

Filesize: 15KB
MD5: 82c749fa6625d8c6e48c420f5c2565b1
SHA1: eff963bc29076776689c1990bed0e3b0321ec337
SHA256: e664a7bbd65f77b24bb7ab344c2cbee17bc65adca1d8dbc9c51abd5edf4af477
SHA512: 5884175c453db14cf5d7c59da42bbf95c46d3208a3bb49f0421f859930aa4eebf28d32895dc52c518283dbf8e2cb9aa3fea1e068e461009416e9a80a53d7d4de

Filesize: 294KB
MD5: ade81ab1cf1d6c5ee90f40cf8780f88a
SHA1: 35ebfeca8199fe13f1ab89fcdf01ec0dbd1f05d3
SHA256: 056c951c72290de0123a806fe72eb981153d9911380cfcafbc6c003a3b224674
SHA512: b8152e753d4faef97c681ebd02b6fe377af06d34e6f3b24e7702c5aa67ad025697b9403b3e628b286ae42158dd980b85f7350a6bf6e5d42ae1d3b6a57da81d9b