Analysis
max time kernel: 149s
max time network: 150s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 10-11-2024 00:36
Static task: static1
Behavioral task: behavioral1
Sample: 98fe1a2e295420e5dfde227cc59da55c7ca3ffb8368143e475cd1f50340c9307.exe
Resource: win10v2004-20241007-en
General
Target: 98fe1a2e295420e5dfde227cc59da55c7ca3ffb8368143e475cd1f50340c9307.exe
Size: 1.1MB
MD5: 347dd83722e3fd847b066e2222250328
SHA1: 761185740ba55f6e8349568a6311994b69adac55
SHA256: 98fe1a2e295420e5dfde227cc59da55c7ca3ffb8368143e475cd1f50340c9307
SHA512: e6ddbeac2bf1ceac0ed1748057400bfb39ea9aebf9c9194e48d9d478108f23d3e84ad8d7f691c8724ae481438ce5cb6026bc15cb6274378baa51220e857c3848
SSDEEP: 24576:WyF08Wi0cCuyVvMaVMt1ZTCNpCjJSfKBC+5Xt8h7c2Frpz:ly8Wi0nvMaerMNplSBC+598hlF
Malware Config
Extracted: redline
rumfa
193.233.20.24:4123
auth_value: 749d02a6b4ef1fa2ad908e44ec2296dc
Signatures
Detects Healer, an antivirus disabler dropper (2 IoCs)
resource | yara_rule
behavioral1/files/0x0008000000023cb2-33.dat | healer
behavioral1/memory/5020-35-0x0000000000970000-0x000000000097A000-memory.dmp | healer
Healer family
Modifies Windows Defender Real-time Protection settings
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | ibS66iA91.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | ibS66iA91.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | ibS66iA91.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | ibS66iA91.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | ibS66iA91.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | ibS66iA91.exe
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
RedLine payload (35 IoCs)
Redline family
Executes dropped EXE (6 IoCs)
pid | Process
968 | vmBl83lH35.exe
4396 | vmjq34UE74.exe
316 | vmBU92ux95.exe
3668 | vmtD07KD78.exe
5020 | ibS66iA91.exe
1464 | kIE36UB58.exe
Windows security modification
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" | ibS66iA91.exe
Adds Run key to start application (2 TTPs, 5 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\"" | vmtD07KD78.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | 98fe1a2e295420e5dfde227cc59da55c7ca3ffb8368143e475cd1f50340c9307.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | vmBl83lH35.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" | vmjq34UE74.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" | vmBU92ux95.exe
System Location Discovery: System Language Discovery (1 TTP, 6 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | vmjq34UE74.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | vmBU92ux95.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | vmtD07KD78.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | kIE36UB58.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 98fe1a2e295420e5dfde227cc59da55c7ca3ffb8368143e475cd1f50340c9307.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | vmBl83lH35.exe
Suspicious behavior: EnumeratesProcesses (2 IoCs)
pid | Process
5020 | ibS66iA91.exe
5020 | ibS66iA91.exe
Suspicious use of AdjustPrivilegeToken (2 IoCs)
description | pid | Process
Token: SeDebugPrivilege | 5020 | ibS66iA91.exe
Token: SeDebugPrivilege | 1464 | kIE36UB58.exe
Suspicious use of WriteProcessMemory (17 IoCs)
description | pid | Process | procid_target
PID 828 wrote to memory of 968 | 828 | 98fe1a2e295420e5dfde227cc59da55c7ca3ffb8368143e475cd1f50340c9307.exe | 83
PID 828 wrote to memory of 968 | 828 | 98fe1a2e295420e5dfde227cc59da55c7ca3ffb8368143e475cd1f50340c9307.exe | 83
PID 828 wrote to memory of 968 | 828 | 98fe1a2e295420e5dfde227cc59da55c7ca3ffb8368143e475cd1f50340c9307.exe | 83
PID 968 wrote to memory of 4396 | 968 | vmBl83lH35.exe | 85
PID 968 wrote to memory of 4396 | 968 | vmBl83lH35.exe | 85
PID 968 wrote to memory of 4396 | 968 | vmBl83lH35.exe | 85
PID 4396 wrote to memory of 316 | 4396 | vmjq34UE74.exe | 88
PID 4396 wrote to memory of 316 | 4396 | vmjq34UE74.exe | 88
PID 4396 wrote to memory of 316 | 4396 | vmjq34UE74.exe | 88
PID 316 wrote to memory of 3668 | 316 | vmBU92ux95.exe | 89
PID 316 wrote to memory of 3668 | 316 | vmBU92ux95.exe | 89
PID 316 wrote to memory of 3668 | 316 | vmBU92ux95.exe | 89
PID 3668 wrote to memory of 5020 | 3668 | vmtD07KD78.exe | 90
PID 3668 wrote to memory of 5020 | 3668 | vmtD07KD78.exe | 90
PID 3668 wrote to memory of 1464 | 3668 | vmtD07KD78.exe | 95
PID 3668 wrote to memory of 1464 | 3668 | vmtD07KD78.exe | 95
PID 3668 wrote to memory of 1464 | 3668 | vmtD07KD78.exe | 95
Processes
C:\Users\Admin\AppData\Local\Temp\98fe1a2e295420e5dfde227cc59da55c7ca3ffb8368143e475cd1f50340c9307.exe (PID 828)
  Command line: "C:\Users\Admin\AppData\Local\Temp\98fe1a2e295420e5dfde227cc59da55c7ca3ffb8368143e475cd1f50340c9307.exe"
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vmBl83lH35.exe (PID 968)
    Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vmBl83lH35.exe
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\vmjq34UE74.exe (PID 4396)
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\vmjq34UE74.exe
      - Executes dropped EXE
      - Adds Run key to start application
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\vmBU92ux95.exe (PID 316)
        Command line: C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\vmBU92ux95.exe
        - Executes dropped EXE
        - Adds Run key to start application
        - System Location Discovery: System Language Discovery
        - Suspicious use of WriteProcessMemory
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\vmtD07KD78.exe (PID 3668)
          Command line: C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\vmtD07KD78.exe
          - Executes dropped EXE
          - Adds Run key to start application
          - System Location Discovery: System Language Discovery
          - Suspicious use of WriteProcessMemory
          C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\ibS66iA91.exe (PID 5020)
            Command line: C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\ibS66iA91.exe
            - Modifies Windows Defender Real-time Protection settings
            - Executes dropped EXE
            - Windows security modification
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken
          C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\kIE36UB58.exe (PID 1464)
            Command line: C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\kIE36UB58.exe
            - Executes dropped EXE
            - System Location Discovery: System Language Discovery
            - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Persistence
  Boot or Logon Autostart Execution (1)
    Registry Run Keys / Startup Folder (1)
  Create or Modify System Process (1)
    Windows Service (1)
Downloads