Analysis
-
max time kernel
143s -
max time network
147s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
10/11/2024, 03:25
Static task
static1
Behavioral task
behavioral1
Sample
c6233181b20fcf23057144de45231deb58c24bcb503fda3b8d8e34d4a50ff314.exe
Resource
win10v2004-20241007-en
General
-
Target
c6233181b20fcf23057144de45231deb58c24bcb503fda3b8d8e34d4a50ff314.exe
-
Size
1.1MB
-
MD5
9b586dd3bef41e4ad44a148bcb56ea5d
-
SHA1
e9dd586bcc563b6a7596656b7370e746aa9c901f
-
SHA256
c6233181b20fcf23057144de45231deb58c24bcb503fda3b8d8e34d4a50ff314
-
SHA512
de4e06242d12d095e1012d1467d5ed28d936409688c5068bc19f4c8a6c4fe721bbffcb81884b668ea37bc339acf3d0a78c4e1c46ac622819802a75f2885e9ea6
-
SSDEEP
24576:7ymjVbt65DdJYjXD9SKQhjjzU6tC2gCtX5QKsC+nfB4o:umjP4bQXD9ohj3U6zQKf+Z
Malware Config
Extracted
redline
rouch
193.56.146.11:4162
-
auth_value
1b1735bcfc122c708eae27ca352568de
Signatures
-
Detects Healer an antivirus disabler dropper 2 IoCs
resource yara_rule behavioral1/files/0x0008000000023caa-32.dat healer behavioral1/memory/1148-35-0x00000000000E0000-0x00000000000EA000-memory.dmp healer -
Healer family
-
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection buVf39Df34.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" buVf39Df34.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" buVf39Df34.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" buVf39Df34.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" buVf39Df34.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" buVf39Df34.exe -
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 35 IoCs
resource yara_rule behavioral1/memory/2004-41-0x0000000004C20000-0x0000000004C66000-memory.dmp family_redline behavioral1/memory/2004-43-0x0000000007780000-0x00000000077C4000-memory.dmp family_redline behavioral1/memory/2004-51-0x0000000007780000-0x00000000077BE000-memory.dmp family_redline behavioral1/memory/2004-65-0x0000000007780000-0x00000000077BE000-memory.dmp family_redline behavioral1/memory/2004-107-0x0000000007780000-0x00000000077BE000-memory.dmp family_redline behavioral1/memory/2004-103-0x0000000007780000-0x00000000077BE000-memory.dmp family_redline behavioral1/memory/2004-101-0x0000000007780000-0x00000000077BE000-memory.dmp family_redline behavioral1/memory/2004-99-0x0000000007780000-0x00000000077BE000-memory.dmp family_redline behavioral1/memory/2004-97-0x0000000007780000-0x00000000077BE000-memory.dmp family_redline behavioral1/memory/2004-93-0x0000000007780000-0x00000000077BE000-memory.dmp family_redline behavioral1/memory/2004-91-0x0000000007780000-0x00000000077BE000-memory.dmp family_redline behavioral1/memory/2004-89-0x0000000007780000-0x00000000077BE000-memory.dmp family_redline behavioral1/memory/2004-87-0x0000000007780000-0x00000000077BE000-memory.dmp family_redline behavioral1/memory/2004-85-0x0000000007780000-0x00000000077BE000-memory.dmp family_redline behavioral1/memory/2004-81-0x0000000007780000-0x00000000077BE000-memory.dmp family_redline behavioral1/memory/2004-79-0x0000000007780000-0x00000000077BE000-memory.dmp family_redline behavioral1/memory/2004-77-0x0000000007780000-0x00000000077BE000-memory.dmp family_redline behavioral1/memory/2004-75-0x0000000007780000-0x00000000077BE000-memory.dmp family_redline behavioral1/memory/2004-73-0x0000000007780000-0x00000000077BE000-memory.dmp family_redline behavioral1/memory/2004-71-0x0000000007780000-0x00000000077BE000-memory.dmp family_redline behavioral1/memory/2004-69-0x0000000007780000-0x00000000077BE000-memory.dmp family_redline behavioral1/memory/2004-67-0x0000000007780000-0x00000000077BE000-memory.dmp family_redline behavioral1/memory/2004-63-0x0000000007780000-0x00000000077BE000-memory.dmp family_redline behavioral1/memory/2004-61-0x0000000007780000-0x00000000077BE000-memory.dmp family_redline behavioral1/memory/2004-59-0x0000000007780000-0x00000000077BE000-memory.dmp family_redline behavioral1/memory/2004-57-0x0000000007780000-0x00000000077BE000-memory.dmp family_redline behavioral1/memory/2004-55-0x0000000007780000-0x00000000077BE000-memory.dmp family_redline behavioral1/memory/2004-53-0x0000000007780000-0x00000000077BE000-memory.dmp family_redline behavioral1/memory/2004-49-0x0000000007780000-0x00000000077BE000-memory.dmp family_redline behavioral1/memory/2004-106-0x0000000007780000-0x00000000077BE000-memory.dmp family_redline behavioral1/memory/2004-95-0x0000000007780000-0x00000000077BE000-memory.dmp family_redline behavioral1/memory/2004-83-0x0000000007780000-0x00000000077BE000-memory.dmp family_redline behavioral1/memory/2004-47-0x0000000007780000-0x00000000077BE000-memory.dmp family_redline behavioral1/memory/2004-45-0x0000000007780000-0x00000000077BE000-memory.dmp family_redline behavioral1/memory/2004-44-0x0000000007780000-0x00000000077BE000-memory.dmp family_redline -
Redline family
-
Executes dropped EXE 6 IoCs
pid Process 4948 pljw31LG71.exe 4444 plxd97bI62.exe 640 plBd81sr51.exe 3052 plcI56xG63.exe 1148 buVf39Df34.exe 2004 caGS19pj86.exe -
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" buVf39Df34.exe -
Adds Run key to start application 2 TTPs 5 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" pljw31LG71.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" plxd97bI62.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" plBd81sr51.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\"" plcI56xG63.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" c6233181b20fcf23057144de45231deb58c24bcb503fda3b8d8e34d4a50ff314.exe -
System Location Discovery: System Language Discovery 1 TTPs 6 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language c6233181b20fcf23057144de45231deb58c24bcb503fda3b8d8e34d4a50ff314.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pljw31LG71.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language plxd97bI62.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language plBd81sr51.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language plcI56xG63.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language caGS19pj86.exe -
Suspicious behavior: EnumeratesProcesses 2 IoCs
pid Process 1148 buVf39Df34.exe 1148 buVf39Df34.exe -
Suspicious use of AdjustPrivilegeToken 2 IoCs
description pid Process Token: SeDebugPrivilege 1148 buVf39Df34.exe Token: SeDebugPrivilege 2004 caGS19pj86.exe -
Suspicious use of WriteProcessMemory 17 IoCs
description pid Process procid_target PID 1536 wrote to memory of 4948 1536 c6233181b20fcf23057144de45231deb58c24bcb503fda3b8d8e34d4a50ff314.exe 84 PID 1536 wrote to memory of 4948 1536 c6233181b20fcf23057144de45231deb58c24bcb503fda3b8d8e34d4a50ff314.exe 84 PID 1536 wrote to memory of 4948 1536 c6233181b20fcf23057144de45231deb58c24bcb503fda3b8d8e34d4a50ff314.exe 84 PID 4948 wrote to memory of 4444 4948 pljw31LG71.exe 86 PID 4948 wrote to memory of 4444 4948 pljw31LG71.exe 86 PID 4948 wrote to memory of 4444 4948 pljw31LG71.exe 86 PID 4444 wrote to memory of 640 4444 plxd97bI62.exe 87 PID 4444 wrote to memory of 640 4444 plxd97bI62.exe 87 PID 4444 wrote to memory of 640 4444 plxd97bI62.exe 87 PID 640 wrote to memory of 3052 640 plBd81sr51.exe 88 PID 640 wrote to memory of 3052 640 plBd81sr51.exe 88 PID 640 wrote to memory of 3052 640 plBd81sr51.exe 88 PID 3052 wrote to memory of 1148 3052 plcI56xG63.exe 90 PID 3052 wrote to memory of 1148 3052 plcI56xG63.exe 90 PID 3052 wrote to memory of 2004 3052 plcI56xG63.exe 98 PID 3052 wrote to memory of 2004 3052 plcI56xG63.exe 98 PID 3052 wrote to memory of 2004 3052 plcI56xG63.exe 98
Processes
-
C:\Users\Admin\AppData\Local\Temp\c6233181b20fcf23057144de45231deb58c24bcb503fda3b8d8e34d4a50ff314.exe"C:\Users\Admin\AppData\Local\Temp\c6233181b20fcf23057144de45231deb58c24bcb503fda3b8d8e34d4a50ff314.exe"1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1536 -
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\pljw31LG71.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\pljw31LG71.exe2⤵
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4948 -
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\plxd97bI62.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\plxd97bI62.exe3⤵
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4444 -
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\plBd81sr51.exeC:\Users\Admin\AppData\Local\Temp\IXP002.TMP\plBd81sr51.exe4⤵
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:640 -
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\plcI56xG63.exeC:\Users\Admin\AppData\Local\Temp\IXP003.TMP\plcI56xG63.exe5⤵
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3052 -
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\buVf39Df34.exeC:\Users\Admin\AppData\Local\Temp\IXP004.TMP\buVf39Df34.exe6⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1148
-
-
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\caGS19pj86.exeC:\Users\Admin\AppData\Local\Temp\IXP004.TMP\caGS19pj86.exe6⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:2004
-
-
-
-
-
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1022KB
MD5e171d9b0426d2e7ae0b8a009af0d5b3b
SHA1c210ba65a018b49d445b94d5387cad33c980314a
SHA25688937f0d4f1c18d0ab41039e560e594cf9845a1d806a60bdec9856c3a5af1185
SHA5122c7aaf58f16b804585e61caa3da2e4013ab27759c9ee6a46f9cb8f0fce7d13458668d71bc2834b9189e2b906018dc9df2943776c91aaa4c078f6caaaab400ffe
-
Filesize
919KB
MD5095ea059e0107fccf798d8b232c0a478
SHA12634296747b15d9984a15ded6a3e0d696c3387b1
SHA256e7b0a04e7d99d719cffc1ae61278222e03830e56564bc0e405db2f8327a245ae
SHA512ee162b0a7a71b42e240ea935d89d6aeb500f0abd812ab196ad2980315a159a7bf7c3894f2ab94261987fc36f158cfdf68da2c13aeabacfe40ef764029645ff75
-
Filesize
692KB
MD5b488f9aa186d5ebcb4300ed26036e249
SHA1eb92e8fee9a59df1bfa438dc428834fa6925f53b
SHA2563be5bb8b8ffe6d99ad05a23e0f97d8c3961b3898fa1e563b014679ea31592862
SHA5121cc987e5a67773c718f23654716f54e34353a2ecb68c4cf2721a160b461b156a3401ab00ea02f704297362e0ed1ad113e73a046ac209ec8152d5f97d9e3708f4
-
Filesize
404KB
MD5636111ffc679028ef4b395b5c0fb5e11
SHA1b7af1be3ad476d6a551e997ea58d0eb40ba4e93c
SHA25615c569d673c0d15d2df894a25ea3f1dde3679418756a3b3f9071efb60e6a6bb5
SHA5123db813fdb1b462192ab0f387c3e5f087e499b4f8f006109ff0099bcc5ef4d6cb7f2859aef4f7de74fab244f04bd114ec77bc3a9665f448bc91dda8578eaa4c50
-
Filesize
12KB
MD5c3b47a80a28cc450754a883d9fdaf65b
SHA1870df201d57239320785b315f654efab12dc6a6a
SHA256901855ba1e6be580ef17e205d406292ad7e2292513234a7e1754b26e815e5e01
SHA5128659d725eaf314c62451bbd6ad1a549190f8000a05c56c2e87002861bc1855839c5206f3befdee36989f8d62b1f27d7b2f86c4110c6a2ac265bfde9dfe35da15
-
Filesize
381KB
MD557b4e73c1d36751cb60a4d2e68594087
SHA10e371eaad20ebbb81735876f0f1703adee193117
SHA25639f6bf6cf9f7bfba26380635a4b052c5de0e1688c92bacc10411dad74886dd25
SHA512e5e81ce16ccd679b95cde5e1db79b62fe878d8c5e27d217bf0605433f47626261756b6b7da870333233023b1e8ea30af07af395b9078a7dd1c72834c254e279c