Analysis
max time kernel: 145s
max time network: 148s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 11-11-2024 01:37
Static task: static1
Behavioral task: behavioral1
Sample: f9488f043e25c8bd21e1bec0c58d42e3b36f1207e00cb5104e14eec7a0db7e23.exe
Resource: win10v2004-20241007-en
General
Target: f9488f043e25c8bd21e1bec0c58d42e3b36f1207e00cb5104e14eec7a0db7e23.exe
Size: 544KB
MD5: c01d2c69083281f035af1109142c3850
SHA1: 558db6c2f93cb0cc13c5c7dd7e43d29aadcf5dde
SHA256: f9488f043e25c8bd21e1bec0c58d42e3b36f1207e00cb5104e14eec7a0db7e23
SHA512: a39336942613484af06f34e4d02b43f7f13ff9253ee0942b94ad46eae308ab7b405a49c2c1f5bcfb1e1ed2359c4efd4cc799ecfb2b33ce660289c28ab7b4e5c7
SSDEEP: 12288:sMrAy90n6M1EsBVf96wkbQv/s0L6D6rKgcOQVSTLBdWZ8dicZ:cyvM1XBVF9koXBhce3jCqx
Malware Config
Extracted
Family: redline
Botnet: rumfa
C2: 193.233.20.24:4123
auth_value: 749d02a6b4ef1fa2ad908e44ec2296dc
Signatures
Detects Healer, an antivirus disabler dropper (2 IoCs)
resource / yara_rule
behavioral1/files/0x000b000000023b92-12.dat  healer
behavioral1/memory/2832-15-0x0000000000540000-0x000000000054A000-memory.dmp  healer
Healer family
Modifies Windows Defender Real-time Protection settings
description / ioc / Process
Key created: \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection  (sw77xl54jU65.exe)
Set value (int): \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"  (sw77xl54jU65.exe)
Set value (int): \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"  (sw77xl54jU65.exe)
Set value (int): \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"  (sw77xl54jU65.exe)
Set value (int): \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"  (sw77xl54jU65.exe)
Set value (int): \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"  (sw77xl54jU65.exe)
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
RedLine payload (35 IoCs)
Redline family
Executes dropped EXE (3 IoCs)
pid / Process
1580  vel8244dp.exe
2832  sw77xl54jU65.exe
4064  taf90GQ14.exe
Windows security modification
description / ioc / Process
Set value (int): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"  (sw77xl54jU65.exe)
Adds Run key to start application (2 TTPs, 2 IoCs)
description / ioc / Process
Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""  (f9488f043e25c8bd21e1bec0c58d42e3b36f1207e00cb5104e14eec7a0db7e23.exe)
Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""  (vel8244dp.exe)
Launches sc.exe (1 IoC)
Sc.exe is a Windows utility to control services on the system.
pid / Process
1520  sc.exe
System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
description / ioc / Process
Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  (vel8244dp.exe)
Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  (taf90GQ14.exe)
Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  (f9488f043e25c8bd21e1bec0c58d42e3b36f1207e00cb5104e14eec7a0db7e23.exe)
Suspicious behavior: EnumeratesProcesses (2 IoCs)
pid / Process
2832  sw77xl54jU65.exe
2832  sw77xl54jU65.exe
Suspicious use of AdjustPrivilegeToken (2 IoCs)
description / pid / Process
Token: SeDebugPrivilege  2832  sw77xl54jU65.exe
Token: SeDebugPrivilege  4064  taf90GQ14.exe
Suspicious use of WriteProcessMemory (8 IoCs)
description / pid / Process / procid_target
PID 3664 wrote to memory of 1580  3664  f9488f043e25c8bd21e1bec0c58d42e3b36f1207e00cb5104e14eec7a0db7e23.exe  83
PID 3664 wrote to memory of 1580  3664  f9488f043e25c8bd21e1bec0c58d42e3b36f1207e00cb5104e14eec7a0db7e23.exe  83
PID 3664 wrote to memory of 1580  3664  f9488f043e25c8bd21e1bec0c58d42e3b36f1207e00cb5104e14eec7a0db7e23.exe  83
PID 1580 wrote to memory of 2832  1580  vel8244dp.exe  84
PID 1580 wrote to memory of 2832  1580  vel8244dp.exe  84
PID 1580 wrote to memory of 4064  1580  vel8244dp.exe  93
PID 1580 wrote to memory of 4064  1580  vel8244dp.exe  93
PID 1580 wrote to memory of 4064  1580  vel8244dp.exe  93
Processes
Process tree (indentation shows parent/child depth):

C:\Users\Admin\AppData\Local\Temp\f9488f043e25c8bd21e1bec0c58d42e3b36f1207e00cb5104e14eec7a0db7e23.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\f9488f043e25c8bd21e1bec0c58d42e3b36f1207e00cb5104e14eec7a0db7e23.exe"
  PID: 3664
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vel8244dp.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vel8244dp.exe
      PID: 1580
      - Executes dropped EXE
      - Adds Run key to start application
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory

        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sw77xl54jU65.exe
          Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sw77xl54jU65.exe
          PID: 2832
          - Modifies Windows Defender Real-time Protection settings
          - Executes dropped EXE
          - Windows security modification
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken

        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\taf90GQ14.exe
          Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\taf90GQ14.exe
          PID: 4064
          - Executes dropped EXE
          - System Location Discovery: System Language Discovery
          - Suspicious use of AdjustPrivilegeToken

C:\Windows\system32\sc.exe
  Command line: C:\Windows\system32\sc.exe start wuauserv
  PID: 1520
  - Launches sc.exe
Network
DNS requests (remote address 8.8.8.8:53, query type IN PTR; sent / received bytes, packets sent / received):
154.239.44.20.in-addr.arpa      72 B / 158 B   1 / 1
172.214.232.199.in-addr.arpa    74 B / 128 B   1 / 1
22.160.190.20.in-addr.arpa      72 B / 158 B   1 / 1
95.221.229.192.in-addr.arpa     73 B / 144 B   1 / 1
13.86.106.20.in-addr.arpa       71 B / 157 B   1 / 1

Other flows with no recorded response (bytes sent / packets; remote address not recorded in this export):
260 B / 5
260 B / 5
260 B / 5
260 B / 5
260 B / 5
156 B / 3
MITRE ATT&CK Enterprise v15
Persistence
  Boot or Logon Autostart Execution (1)
    Registry Run Keys / Startup Folder (1)
  Create or Modify System Process (1)
    Windows Service (1)
Downloads
File 1
Filesize: 399KB
MD5: a7194b2f6a7fff6baca783bc33080528
SHA1: be2dd55a08aa2c92eed9b8b1b55531485e1cb8d9
SHA256: 9e426d346ef4176318b6d5328c58e4855b4b1bce6ce4c76cfe99481148d1f242
SHA512: 209f814667e3829e44e1d4b70efb88c871bf5f91402c07324ad265eafe1aa75056006d10e15e56afa6d2e11ab2d4502cea5f15739d210fa46584805e6d2ae5fd

File 2
Filesize: 14KB
MD5: 0947d1f45062a7e26202fcec187b8b27
SHA1: 4aeca0d41f3fa7d719d963eec0545d7ed3d4a96d
SHA256: 2bd2fbf9b98195742e5df28f1e0719d6436a6b55b132b05a73b815722c64ecb8
SHA512: 23bb3b3c36615dc0fd2848dee2b69ed3451e5c0f63e43432d7c432b9660da63cb2500001bddb57059d0a787e586c37fd39a6590d53be0895585080ad635147d8

File 3
Filesize: 375KB
MD5: 47b1a20db297f70b1d9db60ea51d14d9
SHA1: b55664710122138d23e0e295dcade2b9aea41120
SHA256: 80aab4a4c16d1ab74369c2914ab0348c3ab3b600ee7d40eda315a18bda1cd287
SHA512: e9924f8f89b8268c2d88d427727cacecffee75358583934131150fd73a1372ca65e0159cb221f718a19f2386cfa2905f46d58cd19a4ed63b5f98f073c3753288