Analysis
-
max time kernel
144s -
max time network
151s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
09/11/2024, 19:18
Static task
static1
Behavioral task
behavioral1
Sample
a27fdee3bd82b6eaa17bbb0859dfdbe493689712037e58a931f0b0d6194a469e.exe
Resource
win10v2004-20241007-en
General
-
Target
a27fdee3bd82b6eaa17bbb0859dfdbe493689712037e58a931f0b0d6194a469e.exe
-
Size
525KB
-
MD5
8c7f97a864afd24ba6fd66b65b5db246
-
SHA1
5ee445b462b5e7f23afbd3dd681e779f076db43f
-
SHA256
a27fdee3bd82b6eaa17bbb0859dfdbe493689712037e58a931f0b0d6194a469e
-
SHA512
861ee6664b881821b0005d06b0d3f49078d53ec33a1029e90ae2ce8d687563db0e8e1f83964630e963b3f723d8c218305e5eeea30f86fc702de20d150701fc5f
-
SSDEEP
12288:bMr8y90oBHcZs2YIdEnm1nW/lcEzC82tiHG:7yzdIJLnteG
Malware Config
Extracted
redline
fud
193.233.20.27:4123
-
auth_value
cddc991efd6918ad5321d80dac884b40
Signatures
-
Detects Healer an antivirus disabler dropper 2 IoCs
resource yara_rule behavioral1/files/0x000b000000023b96-13.dat healer behavioral1/memory/2412-15-0x0000000000060000-0x000000000006A000-memory.dmp healer -
Healer family
-
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" sf28nL43eS86.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" sf28nL43eS86.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" sf28nL43eS86.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" sf28nL43eS86.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" sf28nL43eS86.exe Key created \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection sf28nL43eS86.exe -
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 35 IoCs
resource yara_rule behavioral1/memory/2704-22-0x0000000002790000-0x00000000027D6000-memory.dmp family_redline behavioral1/memory/2704-24-0x0000000004CB0000-0x0000000004CF4000-memory.dmp family_redline behavioral1/memory/2704-38-0x0000000004CB0000-0x0000000004CEE000-memory.dmp family_redline behavioral1/memory/2704-88-0x0000000004CB0000-0x0000000004CEE000-memory.dmp family_redline behavioral1/memory/2704-86-0x0000000004CB0000-0x0000000004CEE000-memory.dmp family_redline behavioral1/memory/2704-82-0x0000000004CB0000-0x0000000004CEE000-memory.dmp family_redline behavioral1/memory/2704-80-0x0000000004CB0000-0x0000000004CEE000-memory.dmp family_redline behavioral1/memory/2704-79-0x0000000004CB0000-0x0000000004CEE000-memory.dmp family_redline behavioral1/memory/2704-76-0x0000000004CB0000-0x0000000004CEE000-memory.dmp family_redline behavioral1/memory/2704-74-0x0000000004CB0000-0x0000000004CEE000-memory.dmp family_redline behavioral1/memory/2704-72-0x0000000004CB0000-0x0000000004CEE000-memory.dmp family_redline behavioral1/memory/2704-68-0x0000000004CB0000-0x0000000004CEE000-memory.dmp family_redline behavioral1/memory/2704-66-0x0000000004CB0000-0x0000000004CEE000-memory.dmp family_redline behavioral1/memory/2704-64-0x0000000004CB0000-0x0000000004CEE000-memory.dmp family_redline behavioral1/memory/2704-62-0x0000000004CB0000-0x0000000004CEE000-memory.dmp family_redline behavioral1/memory/2704-60-0x0000000004CB0000-0x0000000004CEE000-memory.dmp family_redline behavioral1/memory/2704-58-0x0000000004CB0000-0x0000000004CEE000-memory.dmp family_redline behavioral1/memory/2704-56-0x0000000004CB0000-0x0000000004CEE000-memory.dmp family_redline behavioral1/memory/2704-54-0x0000000004CB0000-0x0000000004CEE000-memory.dmp family_redline behavioral1/memory/2704-52-0x0000000004CB0000-0x0000000004CEE000-memory.dmp family_redline behavioral1/memory/2704-48-0x0000000004CB0000-0x0000000004CEE000-memory.dmp family_redline behavioral1/memory/2704-46-0x0000000004CB0000-0x0000000004CEE000-memory.dmp family_redline behavioral1/memory/2704-42-0x0000000004CB0000-0x0000000004CEE000-memory.dmp family_redline behavioral1/memory/2704-40-0x0000000004CB0000-0x0000000004CEE000-memory.dmp family_redline behavioral1/memory/2704-36-0x0000000004CB0000-0x0000000004CEE000-memory.dmp family_redline behavioral1/memory/2704-34-0x0000000004CB0000-0x0000000004CEE000-memory.dmp family_redline behavioral1/memory/2704-32-0x0000000004CB0000-0x0000000004CEE000-memory.dmp family_redline behavioral1/memory/2704-30-0x0000000004CB0000-0x0000000004CEE000-memory.dmp family_redline behavioral1/memory/2704-84-0x0000000004CB0000-0x0000000004CEE000-memory.dmp family_redline behavioral1/memory/2704-28-0x0000000004CB0000-0x0000000004CEE000-memory.dmp family_redline behavioral1/memory/2704-70-0x0000000004CB0000-0x0000000004CEE000-memory.dmp family_redline behavioral1/memory/2704-50-0x0000000004CB0000-0x0000000004CEE000-memory.dmp family_redline behavioral1/memory/2704-26-0x0000000004CB0000-0x0000000004CEE000-memory.dmp family_redline behavioral1/memory/2704-44-0x0000000004CB0000-0x0000000004CEE000-memory.dmp family_redline behavioral1/memory/2704-25-0x0000000004CB0000-0x0000000004CEE000-memory.dmp family_redline -
Redline family
-
Executes dropped EXE 3 IoCs
pid Process 852 vhGE5018ma.exe 2412 sf28nL43eS86.exe 2704 tf48gr78wj52.exe -
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" sf28nL43eS86.exe -
Adds Run key to start application 2 TTPs 2 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" a27fdee3bd82b6eaa17bbb0859dfdbe493689712037e58a931f0b0d6194a469e.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" vhGE5018ma.exe -
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language a27fdee3bd82b6eaa17bbb0859dfdbe493689712037e58a931f0b0d6194a469e.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vhGE5018ma.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tf48gr78wj52.exe -
Suspicious behavior: EnumeratesProcesses 2 IoCs
pid Process 2412 sf28nL43eS86.exe 2412 sf28nL43eS86.exe -
Suspicious use of AdjustPrivilegeToken 2 IoCs
description pid Process Token: SeDebugPrivilege 2412 sf28nL43eS86.exe Token: SeDebugPrivilege 2704 tf48gr78wj52.exe -
Suspicious use of WriteProcessMemory 8 IoCs
description pid Process procid_target PID 2168 wrote to memory of 852 2168 a27fdee3bd82b6eaa17bbb0859dfdbe493689712037e58a931f0b0d6194a469e.exe 83 PID 2168 wrote to memory of 852 2168 a27fdee3bd82b6eaa17bbb0859dfdbe493689712037e58a931f0b0d6194a469e.exe 83 PID 2168 wrote to memory of 852 2168 a27fdee3bd82b6eaa17bbb0859dfdbe493689712037e58a931f0b0d6194a469e.exe 83 PID 852 wrote to memory of 2412 852 vhGE5018ma.exe 84 PID 852 wrote to memory of 2412 852 vhGE5018ma.exe 84 PID 852 wrote to memory of 2704 852 vhGE5018ma.exe 92 PID 852 wrote to memory of 2704 852 vhGE5018ma.exe 92 PID 852 wrote to memory of 2704 852 vhGE5018ma.exe 92
Processes
-
C:\Users\Admin\AppData\Local\Temp\a27fdee3bd82b6eaa17bbb0859dfdbe493689712037e58a931f0b0d6194a469e.exe"C:\Users\Admin\AppData\Local\Temp\a27fdee3bd82b6eaa17bbb0859dfdbe493689712037e58a931f0b0d6194a469e.exe"1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2168 -
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vhGE5018ma.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vhGE5018ma.exe2⤵
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:852 -
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sf28nL43eS86.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sf28nL43eS86.exe3⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2412
-
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\tf48gr78wj52.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\tf48gr78wj52.exe3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:2704
-
-
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
380KB
MD502c864ce5b8c5eb2cf145f72fe73c5d0
SHA122d93ea9d58dd6cbb0ed406fc83eaee90f6c81f2
SHA2567c3205244e76cc80ffa3cad2e4138fefd314479e3ed59ff67e5477516aa4e40d
SHA51252b8787801f1d62b7a60265b1b54c028b04242bb03f4f27cbae7be0d3b360f49ca3943db0c227a77d37cd733fc73bd04d9cecbc10da199dd0faafc4cbd77e83f
-
Filesize
12KB
MD58a3793d6f2f25c9119382380dae46ba4
SHA12deee8af4e98b1849cde7ee9722a419d69a36a87
SHA256c9470a2786af60b9d763bb3ebe9513bff1a3151516803b8fe6105b999dd5d266
SHA512bd9f9a08cf7c97e77d8b980d2c07c351e7ce64b17ada5ea702bd62178abce3f3a87eec8b10dc3ec78c94ca8c336803ca123e3c176ee019ac8ad58df4f953bafa
-
Filesize
291KB
MD5249978248eadf5f91425671a026f54a0
SHA180596f205182dcbeb05b93e5cdb77a067c723cf1
SHA2560acc998717f3d96cb94c3160c2f07c54c5244d4d29df38db9ca0b5a71f219682
SHA512aadc502c62ada1e529b0a11a335694cba325cb4d3ae1b85fac8d110238314b4f2bb6f4cae21bb15183a0252835bbc02a0d094c5911d0d7f1c74c4a1ba1167a14