Analysis
max time kernel: 149s
max time network: 153s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 09/11/2024, 20:30
Static task: static1
Behavioral task: behavioral1
Sample: 3f763f0ef211e1c738c42828ddd96c4290e096c60535984cc22b010d276bceab.exe
Resource: win10v2004-20241007-en
General
Target: 3f763f0ef211e1c738c42828ddd96c4290e096c60535984cc22b010d276bceab.exe
Size: 1.2MB
MD5: d05eddc50a845520379bfb27d289ed35
SHA1: 1d92c56f1311f665fdd88e4c2a114927bacd14b3
SHA256: 3f763f0ef211e1c738c42828ddd96c4290e096c60535984cc22b010d276bceab
SHA512: 9e9472f114c4e45420385b2b37f7af408551d14768dfee37dc1aab810fb024016872b746e4a9595edd12991df9644fe3ec8880c7b872d6938bab70b76ba62dc1
SSDEEP: 24576:My6qT/6eOolf4G4zqfryqIzeQpdupTGnBp+cr4DghZh:76q7Oo54G48ymGupKjPr2C
Malware Config
Extracted
Family: redline
Botnet: rumfa
C2: 193.233.20.24:4123
auth_value: 749d02a6b4ef1fa2ad908e44ec2296dc
Signatures

Detects Healer, an antivirus disabler dropper 2 IoCs
resource / yara_rule:
- behavioral1/files/0x0008000000023c9a-32.dat healer
- behavioral1/memory/2916-35-0x0000000000CE0000-0x0000000000CEA000-memory.dmp healer
Healer family

Modifies Windows Defender Real-time Protection settings 6 IoCs
description / ioc / Process (all by buAR21yH66.exe, under the Group Policy hive HKLM\SOFTWARE\Policies rather than the per-machine preferences key):
- Key created \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 34 IoCs
resource / yara_rule: every hit is family_redline on a memory dump of PID 3844 (caKw13th10.exe):
- behavioral1/memory/3844-44-0x0000000007160000-0x00000000071A6000-memory.dmp
- behavioral1/memory/3844-46-0x00000000071E0000-0x0000000007224000-memory.dmp
- behavioral1/memory/3844-47 and 3844-48, then every even dump index from 3844-50 through 3844-108 (32 dumps), each covering 0x00000000071E0000-0x000000000721E000-memory.dmp

Redline family
Executes dropped EXE 6 IoCs
pid / Process:
- 4768 plkb49sV13.exe
- 2780 plSX28AB69.exe
- 4896 plWA19ET88.exe
- 4496 plsb34EQ73.exe
- 2916 buAR21yH66.exe
- 3844 caKw13th10.exe
Windows security modification 1 IoC
description / ioc / Process:
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" buAR21yH66.exe
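The policy values and the TamperProtection write above are what a log-based check should key on. The Python below is an added example for this report, not code from the sandbox vendor or from the Healer sample: it classifies registry value-set events laid out like Sysmon Event ID 13 (RegistryEvent, Value Set) records and flags exactly the two things buAR21yH66.exe does, a 1 written to one of the Disable* values under the Real-Time Protection policy key and a 0 written to TamperProtection under the Features key. The sample events are constructed by hand; the "DWORD (0x...)" rendering of the Details field is assumed to follow Sysmon's format, and the hive handling accepts both Sysmon's HKLM\ spelling and the report's \REGISTRY\MACHINE\ spelling so the same rule serves both sources.

```python
"""Flag Windows Defender tampering in registry value-set events.

Added example for this report, not vendor code. SAMPLE_EVENTS are
constructed in the shape of Sysmon Event ID 13 fields; the
'DWORD (0x00000001)' rendering of Details is assumed from that format.
"""
import re
from typing import Iterable, Optional

# Keys from the report, without the hive prefix (Sysmon logs HKLM\...,
# the sandbox report logs \REGISTRY\MACHINE\...; both are normalised).
RTP_POLICY_KEY = r"SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection"
FEATURES_KEY = r"SOFTWARE\Microsoft\Windows Defender\Features"

# Real-time protection values the report shows being set to 1 (lower-cased,
# registry value names are case-insensitive).
RTP_DISABLE_VALUES = {
    "disablerealtimemonitoring",
    "disablescanonrealtimeenable",
    "disablebehaviormonitoring",
    "disableioavprotection",
    "disableonaccessprotection",
}

_HIVE_PREFIXES = ("HKLM\\", "\\REGISTRY\\MACHINE\\")
_DWORD_RE = re.compile(r"DWORD \(0x([0-9A-Fa-f]{1,8})\)")


def strip_hive(target: str) -> str:
    """Remove the hive prefix so both spellings of the same key compare equal."""
    upper = target.upper()
    for prefix in _HIVE_PREFIXES:
        if upper.startswith(prefix.upper()):
            return target[len(prefix):]
    return target


def dword_value(details: str) -> Optional[int]:
    """Parse the 'DWORD (0x00000001)' rendering; None for non-DWORD data."""
    m = _DWORD_RE.fullmatch(details.strip())
    return int(m.group(1), 16) if m else None


def classify(event: dict) -> Optional[str]:
    """Return a finding label for one registry event, or None if benign."""
    if event.get("EventType") != "SetValue":
        return None  # CreateKey / DeleteValue carry no data to judge
    key, _, value_name = strip_hive(event["TargetObject"]).rpartition("\\")
    data = dword_value(event.get("Details", ""))
    if data is None:
        return None
    key_l, name_l = key.lower(), value_name.lower()
    # Policy path: a 1 here switches that protection component off.
    if key_l == RTP_POLICY_KEY.lower() and name_l in RTP_DISABLE_VALUES and data == 1:
        return f"defender_rtp_disabled:{value_name}"
    # Only the 0 the report shows being written is flagged; other values of
    # this DWORD are deliberately not interpreted here.
    if key_l == FEATURES_KEY.lower() and name_l == "tamperprotection" and data == 0:
        return "defender_tamper_protection_off"
    return None


def scan(events: Iterable[dict]) -> list:
    """Run classify() over an event stream and collect hits in order."""
    findings = []
    for ev in events:
        label = classify(ev)
        if label:
            findings.append({"pid": ev.get("ProcessId"),
                             "image": ev.get("Image"), "finding": label})
    return findings


# Constructed sample events (not taken from the report's raw log).
_HEALER = r"C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\buAR21yH66.exe"
SAMPLE_EVENTS = [
    {"EventType": "SetValue", "ProcessId": 2916, "Image": _HEALER,
     "TargetObject": "HKLM\\" + RTP_POLICY_KEY + r"\DisableRealtimeMonitoring",
     "Details": "DWORD (0x00000001)"},
    {"EventType": "SetValue", "ProcessId": 2916, "Image": _HEALER,
     "TargetObject": "\\REGISTRY\\MACHINE\\" + RTP_POLICY_KEY + r"\DisableBehaviorMonitoring",
     "Details": "DWORD (0x00000001)"},
    {"EventType": "SetValue", "ProcessId": 2916, "Image": _HEALER,
     "TargetObject": "HKLM\\" + FEATURES_KEY + r"\TamperProtection",
     "Details": "DWORD (0x00000000)"},
    # Re-enabling real-time protection (value 0) is not a finding.
    {"EventType": "SetValue", "ProcessId": 1100, "Image": r"C:\Windows\System32\svchost.exe",
     "TargetObject": "HKLM\\" + RTP_POLICY_KEY + r"\DisableRealtimeMonitoring",
     "Details": "DWORD (0x00000000)"},
    # Key creation carries no value; unrelated string data is ignored.
    {"EventType": "CreateKey", "ProcessId": 2916, "Image": _HEALER,
     "TargetObject": "HKLM\\" + RTP_POLICY_KEY},
    {"EventType": "SetValue", "ProcessId": 1200, "Image": r"C:\Windows\explorer.exe",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Updater",
     "Details": r"C:\Program Files\Updater\updater.exe"},
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_EVENTS):
        print(f"pid {hit['pid']:>5}  {hit['finding']:<45} {hit['image']}")
```

On a live host the end state is visible without log parsing: Get-MpComputerStatus reports RealTimeProtectionEnabled and IsTamperProtected, and a 1 under the policy key shows up as a policy-managed setting. The event-based check is still worth keeping because it names the writing process, which the status cmdlet cannot.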
Adds Run key to start application 2 TTPs 5 IoCs
Each stage registers the standard WExtract/IExpress cleanup hook: a RunOnce value that runs rundll32.exe advpack.dll,DelNodeRunDLL32 to delete that stage's IXP00n.TMP extraction directory at the next logon. The values point at the temp directories, not at a payload, so they are the trace of five nested self-extracting packages rather than persistence for RedLine or Healer themselves.
description / ioc / Process:
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" 3f763f0ef211e1c738c42828ddd96c4290e096c60535984cc22b010d276bceab.exe
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" plkb49sV13.exe
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" plSX28AB69.exe
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" plWA19ET88.exe
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\"" plsb34EQ73.exe
System Location Discovery: System Language Discovery 1 TTPs 6 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description / ioc / Process:
- Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3f763f0ef211e1c738c42828ddd96c4290e096c60535984cc22b010d276bceab.exe
- Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language plkb49sV13.exe
- Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language plSX28AB69.exe
- Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language plWA19ET88.exe
- Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language plsb34EQ73.exe
- Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language caKw13th10.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs
pid / Process:
- 2916 buAR21yH66.exe (2 events)
Suspicious use of AdjustPrivilegeToken 2 IoCs
description / pid / Process:
- Token: SeDebugPrivilege 2916 buAR21yH66.exe
- Token: SeDebugPrivilege 3844 caKw13th10.exe
Suspicious use of WriteProcessMemory 17 IoCs
description / pid / Process / procid_target (identical rows collapsed, count given per edge):
- PID 396 wrote to memory of 4768 (3f763f0ef211e1c738c42828ddd96c4290e096c60535984cc22b010d276bceab.exe, procid_target 84), 3 events
- PID 4768 wrote to memory of 2780 (plkb49sV13.exe, procid_target 86), 3 events
- PID 2780 wrote to memory of 4896 (plSX28AB69.exe, procid_target 87), 3 events
- PID 4896 wrote to memory of 4496 (plWA19ET88.exe, procid_target 89), 3 events
- PID 4496 wrote to memory of 2916 (plsb34EQ73.exe, procid_target 90), 2 events
- PID 4496 wrote to memory of 3844 (plsb34EQ73.exe, procid_target 96), 3 events
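The WriteProcessMemory rows, together with the "Executes dropped EXE" pid list, are enough to rebuild the whole dropper chain without the rendered process tree. The Python below is an added example for this report, not code from the sandbox vendor: it parses rows in the flattened "PID <pid> wrote to memory of <target> <pid> <Process> <procid_target>" layout seen on this page (the layout is read off the page, not from any published schema), counts the repeated writes per parent/child edge, finds the root, and prints every root-to-leaf chain with image names. ROWS and PID_NAMES are transcribed from the two tables above.

```python
"""Rebuild the dropper chain from the report's flattened process tables.

Added example for this report, not vendor code. ROWS and PID_NAMES are
transcribed from the page's 'Suspicious use of WriteProcessMemory' and
'Executes dropped EXE' tables.
"""
import re
from collections import Counter, defaultdict
from typing import Dict, List, Tuple

SAMPLE = "3f763f0ef211e1c738c42828ddd96c4290e096c60535984cc22b010d276bceab.exe"

# pid -> image, from 'Executes dropped EXE' plus the submitted sample.
PID_NAMES: Dict[int, str] = {
    396: SAMPLE, 4768: "plkb49sV13.exe", 2780: "plSX28AB69.exe",
    4896: "plWA19ET88.exe", 4496: "plsb34EQ73.exe",
    2916: "buAR21yH66.exe", 3844: "caKw13th10.exe",
}

# The 17 rows exactly as the report lists them.
ROWS = f"""
PID 396 wrote to memory of 4768 396 {SAMPLE} 84
PID 396 wrote to memory of 4768 396 {SAMPLE} 84
PID 396 wrote to memory of 4768 396 {SAMPLE} 84
PID 4768 wrote to memory of 2780 4768 plkb49sV13.exe 86
PID 4768 wrote to memory of 2780 4768 plkb49sV13.exe 86
PID 4768 wrote to memory of 2780 4768 plkb49sV13.exe 86
PID 2780 wrote to memory of 4896 2780 plSX28AB69.exe 87
PID 2780 wrote to memory of 4896 2780 plSX28AB69.exe 87
PID 2780 wrote to memory of 4896 2780 plSX28AB69.exe 87
PID 4896 wrote to memory of 4496 4896 plWA19ET88.exe 89
PID 4896 wrote to memory of 4496 4896 plWA19ET88.exe 89
PID 4896 wrote to memory of 4496 4896 plWA19ET88.exe 89
PID 4496 wrote to memory of 2916 4496 plsb34EQ73.exe 90
PID 4496 wrote to memory of 2916 4496 plsb34EQ73.exe 90
PID 4496 wrote to memory of 3844 4496 plsb34EQ73.exe 96
PID 4496 wrote to memory of 3844 4496 plsb34EQ73.exe 96
PID 4496 wrote to memory of 3844 4496 plsb34EQ73.exe 96
"""

# The second pid column repeats the writer's pid, hence the \1 back-reference.
ROW_RE = re.compile(r"PID (\d+) wrote to memory of (\d+) \1 (\S+) (\d+)")

Edge = Tuple[int, int]


def parse_rows(text: str) -> Counter:
    """Count write events per (writer_pid, target_pid) edge, in table order."""
    edges: Counter = Counter()
    for line in text.splitlines():
        m = ROW_RE.search(line)
        if m:
            edges[(int(m.group(1)), int(m.group(2)))] += 1
    return edges


def build_children(edges: Counter) -> Dict[int, List[int]]:
    """Adjacency list writer -> [targets], preserving first-seen order."""
    children: Dict[int, List[int]] = defaultdict(list)
    for parent, child in edges:
        children[parent].append(child)
    return children


def roots(edges: Counter) -> List[int]:
    """Pids that write to others but are never written to themselves."""
    writers = {p for p, _ in edges}
    targets = {c for _, c in edges}
    return sorted(writers - targets)


def chains(children: Dict[int, List[int]], pid: int,
           path: Tuple[int, ...] = ()) -> List[List[int]]:
    """Every root-to-leaf pid path below `pid`."""
    path = path + (pid,)
    if pid not in children:
        return [list(path)]
    out: List[List[int]] = []
    for child in children[pid]:
        out.extend(chains(children, child, path))
    return out


def render(edges: Counter, names: Dict[int, str]) -> List[str]:
    """One line per chain: 'pid name -(n writes)-> pid name ...'."""
    children = build_children(edges)
    lines = []
    for root in roots(edges):
        for chain in chains(children, root):
            parts = [f"{chain[0]} {names.get(chain[0], '?')}"]
            for parent, child in zip(chain, chain[1:]):
                parts.append(f"-({edges[(parent, child)]} writes)-> "
                             f"{child} {names.get(child, '?')}")
            lines.append(" ".join(parts))
    return lines


if __name__ == "__main__":
    for line in render(parse_rows(ROWS), PID_NAMES):
        print(line)
```

Both chains come out six processes deep and fork only at plsb34EQ73.exe, which is where the two real payloads (the Healer disabler and the RedLine stealer) are launched side by side; everything above that fork is unpacking.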
Processes
C:\Users\Admin\AppData\Local\Temp\3f763f0ef211e1c738c42828ddd96c4290e096c60535984cc22b010d276bceab.exe (depth 1, PID 396)
Command line: "C:\Users\Admin\AppData\Local\Temp\3f763f0ef211e1c738c42828ddd96c4290e096c60535984cc22b010d276bceab.exe"
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\plkb49sV13.exe (depth 2, PID 4768)
  Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\plkb49sV13.exe
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\plSX28AB69.exe (depth 3, PID 2780)
    Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\plSX28AB69.exe
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory

      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\plWA19ET88.exe (depth 4, PID 4896)
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\plWA19ET88.exe
      - Executes dropped EXE
      - Adds Run key to start application
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory

        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\plsb34EQ73.exe (depth 5, PID 4496)
        Command line: C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\plsb34EQ73.exe
        - Executes dropped EXE
        - Adds Run key to start application
        - System Location Discovery: System Language Discovery
        - Suspicious use of WriteProcessMemory

          C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\buAR21yH66.exe (depth 6, PID 2916)
          Command line: C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\buAR21yH66.exe
          - Modifies Windows Defender Real-time Protection settings
          - Executes dropped EXE
          - Windows security modification
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken

          C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\caKw13th10.exe (depth 6, PID 3844)
          Command line: C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\caKw13th10.exe
          - Executes dropped EXE
          - System Location Discovery: System Language Discovery
          - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (1)
  - Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (1)
  - Windows Service (1)
Downloads

Filesize: 1.0MB
MD5: 846752d9776cf9797e42e0f24951f202
SHA1: 3d36f315a3cbcd3a3e83ed0495ba6abaf82b1a8b
SHA256: 999e01b1e7997f754dc679e4290528b6fb761ea4b33e48045032c2fc767f957a
SHA512: 9bdd1ecffffec360730bbd3a31c777d77f7e218569e5a906f8bf571fe29afab0f6c1b5e72fbae06386540d41617c2a5da3d52d0cd2dc2cd09e66a84c422de649

Filesize: 970KB
MD5: 2f5aa6b05006f4355d685630dbaad0d0
SHA1: 03c08e1615b3737c2fb07429b153d363482b43fd
SHA256: 5b0b782a07d4785eafbb61e2235664ee4aceed418bcb485f7993b3e827c3395e
SHA512: 4949b26d1f5bb87ada568449ff4ce0addc90fa77acc799435d7c5bf6c1d8f5e8c4ce404cf68ac3685e391e5618f86e7113a9710dd82ccd61e3bbfb265ad97c0e

Filesize: 690KB
MD5: 411e492d8d3e18009daad37ea576e95f
SHA1: 907096d8686ccaefde158a621320846c9b43176a
SHA256: 7863a83b3508ef96c4007b40f61e2147caad3304e447e48ee895352ccc00dbea
SHA512: 80190904e93865128511ab6ba9b6aa9da634596a9279fe382aaffa22ec5de5bc5d7f474258edddfb8d368e7dac2ed2cbfbd28936a6a9ecd88f858dc9d98c8516

Filesize: 403KB
MD5: 46d6c2a9d674d2babeb0ec0d9006e507
SHA1: b7c0e4a85b14dfaf77d617d45492f56a86729a41
SHA256: 0c13b74ffda55b31fe7dc88e8ba38682e2d019eaf54bf6787092a1ffad00b4fa
SHA512: bbad193ec6cc1ab80ca4fa68ce335e9cefc9e29fc85e16633451089f97f854b2ca95e4b825530de40e4b70582795a00504e97ac337cb7431333373eb4393aa70

Filesize: 15KB
MD5: 290f8fba79c89a814e1d0189af17ad64
SHA1: a7db61b58650fe394c019eeb96912e847ead8948
SHA256: 08bdde22915a2b6cc2466570ba5495a70ac356f9344b739b8f005ed230f1e213
SHA512: a9adf32ab3f003530dc56ad518bc5d42025cf7d73af9ba3dcd0127204301fabe894ac94370295bfb1f617a3d8cb32b85150c2a69792618987dfadff23e99f9e5

Filesize: 377KB
MD5: 8240ae7f59fb434977686a2040ea62e9
SHA1: c0fe02012d46dc9e12c388dd75cab32643708a18
SHA256: 230a7452b0db2ecd65ee767d852990ff9cb94f65c485e3a68faa4bcb11b52605
SHA512: 78c782edce8e3cdb57624f3be1bc69976691e1a1938b46214bde842b9cc02966be80872c7ae4093d8154c62fe9de20e2cfdf532feae5dfe647ba0d748777c96b