Analysis
max time kernel: 143s
max time network: 147s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 10/11/2024, 03:04
Static task: static1
Behavioral task: behavioral1
Sample: 2eb2e5be66b4378daa5a1ae41aac3ccc1f5737f831ca6a8669c2b29c42536b9f.exe
Resource: win10v2004-20241007-en

General
Target: 2eb2e5be66b4378daa5a1ae41aac3ccc1f5737f831ca6a8669c2b29c42536b9f.exe
Size: 1.1MB
MD5: 26a3dd5ee685b4c830fa289a715e1ed5
SHA1: f9c62396d4d6cdd9c1f710936e60612d12d51171
SHA256: 2eb2e5be66b4378daa5a1ae41aac3ccc1f5737f831ca6a8669c2b29c42536b9f
SHA512: 3575d52be03c53e07831f32e383169ddb5983418bd721be74bf9e627ecee8c3520125dbbd32aeb07c585d3dbea2852d83cc2aacfdecd1507f2177e182bb63896
SSDEEP: 24576:iyea8rLRd1w6sUC//UDlwVt45C6vTVQ0cWb+QbnURdz:Jea8//1w6i/Up245/DbDURd

Malware Config
Extracted
Family: redline
Botnet: rumfa
C2: 193.233.20.24:4123
auth_value: 749d02a6b4ef1fa2ad908e44ec2296dc

Signatures

Detects Healer, an antivirus disabler dropper (2 IoCs)
resource | yara_rule
behavioral1/files/0x0059000000023ba6-32.dat | healer
behavioral1/memory/2284-35-0x0000000000430000-0x000000000043A000-memory.dmp | healer

Healer family

Modifies Windows Defender Real-time Protection settings
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | buna14wg02.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | buna14wg02.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | buna14wg02.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | buna14wg02.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | buna14wg02.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | buna14wg02.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.

RedLine payload (35 IoCs)

Redline family

Executes dropped EXE (6 IoCs)
pid | Process
4496 | plSp47nm46.exe
3600 | plnJ68vL16.exe
3024 | plvH72Gs88.exe
2184 | plWP38mG35.exe
2284 | buna14wg02.exe
4156 | caVK43IT57.exe

Windows security modification
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" | buna14wg02.exe

Adds Run key to start application (2 TTPs, 5 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" | plnJ68vL16.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" | plvH72Gs88.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\"" | plWP38mG35.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | 2eb2e5be66b4378daa5a1ae41aac3ccc1f5737f831ca6a8669c2b29c42536b9f.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | plSp47nm46.exe

System Location Discovery: System Language Discovery (1 TTPs, 6 IoCs)
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 2eb2e5be66b4378daa5a1ae41aac3ccc1f5737f831ca6a8669c2b29c42536b9f.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | plSp47nm46.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | plnJ68vL16.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | plvH72Gs88.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | plWP38mG35.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | caVK43IT57.exe

Suspicious behavior: EnumeratesProcesses (2 IoCs)
pid | Process
2284 | buna14wg02.exe
2284 | buna14wg02.exe

Suspicious use of AdjustPrivilegeToken (2 IoCs)
description | pid | Process
Token: SeDebugPrivilege | 2284 | buna14wg02.exe
Token: SeDebugPrivilege | 4156 | caVK43IT57.exe

Suspicious use of WriteProcessMemory (17 IoCs)
description | pid | Process | procid_target
PID 1684 wrote to memory of 4496 | 1684 | 2eb2e5be66b4378daa5a1ae41aac3ccc1f5737f831ca6a8669c2b29c42536b9f.exe | 83
PID 1684 wrote to memory of 4496 | 1684 | 2eb2e5be66b4378daa5a1ae41aac3ccc1f5737f831ca6a8669c2b29c42536b9f.exe | 83
PID 1684 wrote to memory of 4496 | 1684 | 2eb2e5be66b4378daa5a1ae41aac3ccc1f5737f831ca6a8669c2b29c42536b9f.exe | 83
PID 4496 wrote to memory of 3600 | 4496 | plSp47nm46.exe | 84
PID 4496 wrote to memory of 3600 | 4496 | plSp47nm46.exe | 84
PID 4496 wrote to memory of 3600 | 4496 | plSp47nm46.exe | 84
PID 3600 wrote to memory of 3024 | 3600 | plnJ68vL16.exe | 86
PID 3600 wrote to memory of 3024 | 3600 | plnJ68vL16.exe | 86
PID 3600 wrote to memory of 3024 | 3600 | plnJ68vL16.exe | 86
PID 3024 wrote to memory of 2184 | 3024 | plvH72Gs88.exe | 88
PID 3024 wrote to memory of 2184 | 3024 | plvH72Gs88.exe | 88
PID 3024 wrote to memory of 2184 | 3024 | plvH72Gs88.exe | 88
PID 2184 wrote to memory of 2284 | 2184 | plWP38mG35.exe | 89
PID 2184 wrote to memory of 2284 | 2184 | plWP38mG35.exe | 89
PID 2184 wrote to memory of 4156 | 2184 | plWP38mG35.exe | 98
PID 2184 wrote to memory of 4156 | 2184 | plWP38mG35.exe | 98
PID 2184 wrote to memory of 4156 | 2184 | plWP38mG35.exe | 98

Processes
C:\Users\Admin\AppData\Local\Temp\2eb2e5be66b4378daa5a1ae41aac3ccc1f5737f831ca6a8669c2b29c42536b9f.exe (PID 1684)
  Command line: "C:\Users\Admin\AppData\Local\Temp\2eb2e5be66b4378daa5a1ae41aac3ccc1f5737f831ca6a8669c2b29c42536b9f.exe"
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\plSp47nm46.exe (PID 4496)
    Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\plSp47nm46.exe
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\plnJ68vL16.exe (PID 3600)
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\plnJ68vL16.exe
      - Executes dropped EXE
      - Adds Run key to start application
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\plvH72Gs88.exe (PID 3024)
        Command line: C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\plvH72Gs88.exe
        - Executes dropped EXE
        - Adds Run key to start application
        - System Location Discovery: System Language Discovery
        - Suspicious use of WriteProcessMemory
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\plWP38mG35.exe (PID 2184)
          Command line: C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\plWP38mG35.exe
          - Executes dropped EXE
          - Adds Run key to start application
          - System Location Discovery: System Language Discovery
          - Suspicious use of WriteProcessMemory
          C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\buna14wg02.exe (PID 2284)
            Command line: C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\buna14wg02.exe
            - Modifies Windows Defender Real-time Protection settings
            - Executes dropped EXE
            - Windows security modification
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken
          C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\caVK43IT57.exe (PID 4156)
            Command line: C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\caVK43IT57.exe
            - Executes dropped EXE
            - System Location Discovery: System Language Discovery
            - Suspicious use of AdjustPrivilegeToken

Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (1): Windows Service (1)

Downloads