Analysis
max time kernel: 143s
max time network: 147s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 10-11-2024 02:05
Static task: static1
Behavioral task: behavioral1
Sample: db47aacaa2dffb98debd4cd8f6f3331d99518d109d15ad9797ff78e93a59e1bf.exe
Resource: win10v2004-20241007-en
General
Target: db47aacaa2dffb98debd4cd8f6f3331d99518d109d15ad9797ff78e93a59e1bf.exe
Size: 1.1MB
MD5: 234cdb36f6668fd84fda8ac440c8eb00
SHA1: d1db34ac6b04c21bb289a445b9875986dab0147a
SHA256: db47aacaa2dffb98debd4cd8f6f3331d99518d109d15ad9797ff78e93a59e1bf
SHA512: d31aeaf144e5ac374ff849859650bc7f84a9cac76b34db310ca41dd6e5913b5125f3b5926cb8cf90418c666bb5433b774c6f10bcbac530f1744cb98b1f07706c
SSDEEP: 24576:Ly6sYyDf8rvk4vn0gXZ9aEf+N5nmeHGFPzXif6RTk3rEgiSI:+6sY4f8IYzp9BemTFPzSCRTkbEg5
Malware Config
Extracted
redline
rumfa
193.233.20.24:4123
auth_value: 749d02a6b4ef1fa2ad908e44ec2296dc
Signatures

Detects Healer, an antivirus disabler dropper (2 IoCs)
resource | yara_rule
behavioral1/files/0x0008000000023ca0-32.dat | healer
behavioral1/memory/3864-35-0x0000000000E00000-0x0000000000E0A000-memory.dmp | healer
Healer family

Modifies Windows Defender Real-time Protection settings
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | buIg74Pc18.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | buIg74Pc18.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | buIg74Pc18.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | buIg74Pc18.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | buIg74Pc18.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | buIg74Pc18.exe
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.

RedLine payload (35 IoCs)
resource | yara_rule
behavioral1/memory/4748-41-0x00000000025E0000-0x0000000002626000-memory.dmp | family_redline
behavioral1/memory/4748-43-0x0000000004CC0000-0x0000000004D04000-memory.dmp | family_redline
behavioral1/memory/4748-53-0x0000000004CC0000-0x0000000004CFE000-memory.dmp | family_redline
behavioral1/memory/4748-59-0x0000000004CC0000-0x0000000004CFE000-memory.dmp | family_redline
behavioral1/memory/4748-107-0x0000000004CC0000-0x0000000004CFE000-memory.dmp | family_redline
behavioral1/memory/4748-105-0x0000000004CC0000-0x0000000004CFE000-memory.dmp | family_redline
behavioral1/memory/4748-103-0x0000000004CC0000-0x0000000004CFE000-memory.dmp | family_redline
behavioral1/memory/4748-101-0x0000000004CC0000-0x0000000004CFE000-memory.dmp | family_redline
behavioral1/memory/4748-97-0x0000000004CC0000-0x0000000004CFE000-memory.dmp | family_redline
behavioral1/memory/4748-95-0x0000000004CC0000-0x0000000004CFE000-memory.dmp | family_redline
behavioral1/memory/4748-93-0x0000000004CC0000-0x0000000004CFE000-memory.dmp | family_redline
behavioral1/memory/4748-91-0x0000000004CC0000-0x0000000004CFE000-memory.dmp | family_redline
behavioral1/memory/4748-89-0x0000000004CC0000-0x0000000004CFE000-memory.dmp | family_redline
behavioral1/memory/4748-87-0x0000000004CC0000-0x0000000004CFE000-memory.dmp | family_redline
behavioral1/memory/4748-85-0x0000000004CC0000-0x0000000004CFE000-memory.dmp | family_redline
behavioral1/memory/4748-83-0x0000000004CC0000-0x0000000004CFE000-memory.dmp | family_redline
behavioral1/memory/4748-81-0x0000000004CC0000-0x0000000004CFE000-memory.dmp | family_redline
behavioral1/memory/4748-79-0x0000000004CC0000-0x0000000004CFE000-memory.dmp | family_redline
behavioral1/memory/4748-77-0x0000000004CC0000-0x0000000004CFE000-memory.dmp | family_redline
behavioral1/memory/4748-73-0x0000000004CC0000-0x0000000004CFE000-memory.dmp | family_redline
behavioral1/memory/4748-71-0x0000000004CC0000-0x0000000004CFE000-memory.dmp | family_redline
behavioral1/memory/4748-69-0x0000000004CC0000-0x0000000004CFE000-memory.dmp | family_redline
behavioral1/memory/4748-67-0x0000000004CC0000-0x0000000004CFE000-memory.dmp | family_redline
behavioral1/memory/4748-65-0x0000000004CC0000-0x0000000004CFE000-memory.dmp | family_redline
behavioral1/memory/4748-63-0x0000000004CC0000-0x0000000004CFE000-memory.dmp | family_redline
behavioral1/memory/4748-61-0x0000000004CC0000-0x0000000004CFE000-memory.dmp | family_redline
behavioral1/memory/4748-57-0x0000000004CC0000-0x0000000004CFE000-memory.dmp | family_redline
behavioral1/memory/4748-55-0x0000000004CC0000-0x0000000004CFE000-memory.dmp | family_redline
behavioral1/memory/4748-51-0x0000000004CC0000-0x0000000004CFE000-memory.dmp | family_redline
behavioral1/memory/4748-49-0x0000000004CC0000-0x0000000004CFE000-memory.dmp | family_redline
behavioral1/memory/4748-99-0x0000000004CC0000-0x0000000004CFE000-memory.dmp | family_redline
behavioral1/memory/4748-75-0x0000000004CC0000-0x0000000004CFE000-memory.dmp | family_redline
behavioral1/memory/4748-47-0x0000000004CC0000-0x0000000004CFE000-memory.dmp | family_redline
behavioral1/memory/4748-45-0x0000000004CC0000-0x0000000004CFE000-memory.dmp | family_redline
behavioral1/memory/4748-44-0x0000000004CC0000-0x0000000004CFE000-memory.dmp | family_redline
Redline family

Executes dropped EXE (6 IoCs)
pid | Process
4176 | pljs10DG68.exe
1760 | plwh48kj31.exe
4152 | plBP82lh84.exe
464 | plQG17AJ34.exe
3864 | buIg74Pc18.exe
4748 | catm67qR21.exe
Windows security modification
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" | buIg74Pc18.exe
Adds Run key to start application (2 TTPs, 5 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" | plwh48kj31.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" | plBP82lh84.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\"" | plQG17AJ34.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | db47aacaa2dffb98debd4cd8f6f3331d99518d109d15ad9797ff78e93a59e1bf.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | pljs10DG68.exe
System Location Discovery: System Language Discovery (1 TTP, 6 IoCs)
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | db47aacaa2dffb98debd4cd8f6f3331d99518d109d15ad9797ff78e93a59e1bf.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | pljs10DG68.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | plwh48kj31.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | plBP82lh84.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | plQG17AJ34.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | catm67qR21.exe
Suspicious behavior: EnumeratesProcesses (2 IoCs)
pid | Process
3864 | buIg74Pc18.exe
3864 | buIg74Pc18.exe
Suspicious use of AdjustPrivilegeToken (2 IoCs)
description | pid | Process
Token: SeDebugPrivilege | 3864 | buIg74Pc18.exe
Token: SeDebugPrivilege | 4748 | catm67qR21.exe
Suspicious use of WriteProcessMemory (17 IoCs)
description | pid | Process | procid_target
PID 4332 wrote to memory of 4176 | 4332 | db47aacaa2dffb98debd4cd8f6f3331d99518d109d15ad9797ff78e93a59e1bf.exe | 83
PID 4332 wrote to memory of 4176 | 4332 | db47aacaa2dffb98debd4cd8f6f3331d99518d109d15ad9797ff78e93a59e1bf.exe | 83
PID 4332 wrote to memory of 4176 | 4332 | db47aacaa2dffb98debd4cd8f6f3331d99518d109d15ad9797ff78e93a59e1bf.exe | 83
PID 4176 wrote to memory of 1760 | 4176 | pljs10DG68.exe | 84
PID 4176 wrote to memory of 1760 | 4176 | pljs10DG68.exe | 84
PID 4176 wrote to memory of 1760 | 4176 | pljs10DG68.exe | 84
PID 1760 wrote to memory of 4152 | 1760 | plwh48kj31.exe | 85
PID 1760 wrote to memory of 4152 | 1760 | plwh48kj31.exe | 85
PID 1760 wrote to memory of 4152 | 1760 | plwh48kj31.exe | 85
PID 4152 wrote to memory of 464 | 4152 | plBP82lh84.exe | 88
PID 4152 wrote to memory of 464 | 4152 | plBP82lh84.exe | 88
PID 4152 wrote to memory of 464 | 4152 | plBP82lh84.exe | 88
PID 464 wrote to memory of 3864 | 464 | plQG17AJ34.exe | 89
PID 464 wrote to memory of 3864 | 464 | plQG17AJ34.exe | 89
PID 464 wrote to memory of 4748 | 464 | plQG17AJ34.exe | 102
PID 464 wrote to memory of 4748 | 464 | plQG17AJ34.exe | 102
PID 464 wrote to memory of 4748 | 464 | plQG17AJ34.exe | 102
Processes
C:\Users\Admin\AppData\Local\Temp\db47aacaa2dffb98debd4cd8f6f3331d99518d109d15ad9797ff78e93a59e1bf.exe
  "C:\Users\Admin\AppData\Local\Temp\db47aacaa2dffb98debd4cd8f6f3331d99518d109d15ad9797ff78e93a59e1bf.exe"
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4332
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\pljs10DG68.exe
    C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\pljs10DG68.exe
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:4176
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\plwh48kj31.exe
      C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\plwh48kj31.exe
      - Executes dropped EXE
      - Adds Run key to start application
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      PID:1760
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\plBP82lh84.exe
        C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\plBP82lh84.exe
        - Executes dropped EXE
        - Adds Run key to start application
        - System Location Discovery: System Language Discovery
        - Suspicious use of WriteProcessMemory
        PID:4152
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\plQG17AJ34.exe
          C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\plQG17AJ34.exe
          - Executes dropped EXE
          - Adds Run key to start application
          - System Location Discovery: System Language Discovery
          - Suspicious use of WriteProcessMemory
          PID:464
          C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\buIg74Pc18.exe
            C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\buIg74Pc18.exe
            - Modifies Windows Defender Real-time Protection settings
            - Executes dropped EXE
            - Windows security modification
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken
            PID:3864
          C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\catm67qR21.exe
            C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\catm67qR21.exe
            - Executes dropped EXE
            - System Location Discovery: System Language Discovery
            - Suspicious use of AdjustPrivilegeToken
            PID:4748
Network
MITRE ATT&CK Enterprise v15
Persistence
  Boot or Logon Autostart Execution (1)
    Registry Run Keys / Startup Folder (1)
  Create or Modify System Process (1)
    Windows Service (1)
Downloads

Filesize: 991KB
MD5: 7aded1c022a43bad8625d698a475cd8b
SHA1: 1a6034812f7f821b3aeb96e8c707c298a50e4056
SHA256: d8c972665f74b393b00e5954bdd6a93b97e2e1c1961fd720799f7aa7d0eeb0af
SHA512: 451a0bdc63aeb8101432bf5982bcb57b53fafb8121b90956f08c6b96d036b8fcb436aa15ef077f689accc09282f9a6bbbb1b7e1d6398f8c9f4d5615951fc71f2

Filesize: 888KB
MD5: 1f0859bff43178a3944fc65a7bc650b1
SHA1: 3182cacfea5e78fe3ca28e7909bff6df3a4bd496
SHA256: 881d390c4adf70a2e6a65eb8aeb17e09a122be81a19f1a2b0df3323972318ef8
SHA512: 9c0ada8e4b7d06feea26ee302522c16f38dfd7934db94cb337e678840cf3bd605a03d69f1ac14e16c8c0cd435a09001b76f147a5fbc5282af14ebbaec2ac54c7

Filesize: 665KB
MD5: 0940b34bbe65654d3ef38d7c2281f2e8
SHA1: 58e581ef1a43bc17487fbc9aee782abd92c58293
SHA256: 4aa6206477eaf68a519ca764bf4aa284493b1912320d32b64e3ccde7058bfd14
SHA512: 831b0ffbe96895ee9485ca8f606f6cc289fd60b0996d6cf20de9aeb0ca04b94da9e62ceedb29272df11be23a241f039b6dc53543ea0658354d060f78159ddf8b

Filesize: 386KB
MD5: 0a9839478c6a174137b5f8a12b31c7f2
SHA1: 84ebd01e7579758655f4f603c053d2c10b69833c
SHA256: f4b9cfbd0fdc91379c01a9e2ba0f3b01c61b60b7a31ef2cd36c997665ff9233b
SHA512: e0eceffaee14c73c3df783957f3373a882cfbb3ef06542d1f914e12a952dc7c61cbb3b310ab6e31a318a20641c755d4e5206a164b9d904481141f433d37ac02b

Filesize: 11KB
MD5: 7ea3fe27a839c3010203aec97adbd0d1
SHA1: 0e76413df2faf132b2f52a9d9d53d7c5d758efe4
SHA256: 1cf68fa80ce65f5d24517fdb7ec130c86ff0bfaccc353c51eb11f16fc0984a74
SHA512: 6b8326f4109d29c204d72438922a11348305f0dbb158db1f39c0caba2674d830f3b3152c5ccf2ee93b4c746eb0aef27be05cd5d3955eb8f1dd23a0afc7a30bb6

Filesize: 300KB
MD5: bc06501e2cbbcfd5b533d51c6a5ef3fb
SHA1: 7caa42a1b56383b958098d71bdffbe0b69b1ba93
SHA256: 1ea5e787e9d231e9e5c0ebc4a058e587a9b37057469fc949d6458acef78a6c16
SHA512: 98da782c0b87b2b6dca516a98a86a0bd90966be55b40ed55cb61975277efbb366d3fb7d3ef8fbbb841cf62d2c39c842db8180013667193caff98285dd3769970