Analysis
max time kernel: 143s
max time network: 148s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 11/11/2024, 01:25 UTC

Static task: static1
Behavioral task: behavioral1
Sample: b32311fc807236503d975253740d1267e4214f13f174a458b5007d249214fa3a.exe
Resource: win10v2004-20241007-en
General
Target: b32311fc807236503d975253740d1267e4214f13f174a458b5007d249214fa3a.exe
Size: 536KB
MD5: 16dcc638e74d1f4baebf61b2166d562d
SHA1: 073565b612683e3ee67325ffb03c24b27eeb8ce7
SHA256: b32311fc807236503d975253740d1267e4214f13f174a458b5007d249214fa3a
SHA512: 03466c966fa273cf9c92a54025e7b29f5936d7c27f4d7238bdeb85cb9f428f21ba1a1242af30b1b9e6d24eb76f2de44c9c6d976dbc9e2909f29ae94c3f45d595
SSDEEP: 12288:mMrgy900i5f4HibHN0QXCguFONSzs+t2LC7ebk/w:qyy5bN0+C0NSn2O75/w
Malware Config
Extracted
Family: redline
Botnet: rosn
C2: 176.113.115.145:4125
auth_value: 050a19e1db4d0024b0f23b37dcf961f4
Signatures

Detects Healer, an antivirus disabler dropper (2 IoCs)
resource | yara_rule
behavioral1/files/0x000b000000023ba9-12.dat | healer
behavioral1/memory/4612-15-0x0000000000D00000-0x0000000000D0A000-memory.dmp | healer

Healer family

Modifies Windows Defender Real-time Protection settings
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | jr039571.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | jr039571.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | jr039571.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | jr039571.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | jr039571.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | jr039571.exe
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.

RedLine payload (35 IoCs)
resource | yara_rule
behavioral1/memory/2464-22-0x00000000026B0000-0x00000000026F6000-memory.dmp | family_redline
behavioral1/memory/2464-24-0x0000000002AF0000-0x0000000002B34000-memory.dmp | family_redline
behavioral1/memory/2464-34-0x0000000002AF0000-0x0000000002B2F000-memory.dmp | family_redline
behavioral1/memory/2464-38-0x0000000002AF0000-0x0000000002B2F000-memory.dmp | family_redline
behavioral1/memory/2464-88-0x0000000002AF0000-0x0000000002B2F000-memory.dmp | family_redline
behavioral1/memory/2464-86-0x0000000002AF0000-0x0000000002B2F000-memory.dmp | family_redline
behavioral1/memory/2464-84-0x0000000002AF0000-0x0000000002B2F000-memory.dmp | family_redline
behavioral1/memory/2464-82-0x0000000002AF0000-0x0000000002B2F000-memory.dmp | family_redline
behavioral1/memory/2464-78-0x0000000002AF0000-0x0000000002B2F000-memory.dmp | family_redline
behavioral1/memory/2464-76-0x0000000002AF0000-0x0000000002B2F000-memory.dmp | family_redline
behavioral1/memory/2464-74-0x0000000002AF0000-0x0000000002B2F000-memory.dmp | family_redline
behavioral1/memory/2464-72-0x0000000002AF0000-0x0000000002B2F000-memory.dmp | family_redline
behavioral1/memory/2464-70-0x0000000002AF0000-0x0000000002B2F000-memory.dmp | family_redline
behavioral1/memory/2464-68-0x0000000002AF0000-0x0000000002B2F000-memory.dmp | family_redline
behavioral1/memory/2464-66-0x0000000002AF0000-0x0000000002B2F000-memory.dmp | family_redline
behavioral1/memory/2464-62-0x0000000002AF0000-0x0000000002B2F000-memory.dmp | family_redline
behavioral1/memory/2464-60-0x0000000002AF0000-0x0000000002B2F000-memory.dmp | family_redline
behavioral1/memory/2464-59-0x0000000002AF0000-0x0000000002B2F000-memory.dmp | family_redline
behavioral1/memory/2464-56-0x0000000002AF0000-0x0000000002B2F000-memory.dmp | family_redline
behavioral1/memory/2464-54-0x0000000002AF0000-0x0000000002B2F000-memory.dmp | family_redline
behavioral1/memory/2464-52-0x0000000002AF0000-0x0000000002B2F000-memory.dmp | family_redline
behavioral1/memory/2464-50-0x0000000002AF0000-0x0000000002B2F000-memory.dmp | family_redline
behavioral1/memory/2464-48-0x0000000002AF0000-0x0000000002B2F000-memory.dmp | family_redline
behavioral1/memory/2464-46-0x0000000002AF0000-0x0000000002B2F000-memory.dmp | family_redline
behavioral1/memory/2464-44-0x0000000002AF0000-0x0000000002B2F000-memory.dmp | family_redline
behavioral1/memory/2464-40-0x0000000002AF0000-0x0000000002B2F000-memory.dmp | family_redline
behavioral1/memory/2464-37-0x0000000002AF0000-0x0000000002B2F000-memory.dmp | family_redline
behavioral1/memory/2464-32-0x0000000002AF0000-0x0000000002B2F000-memory.dmp | family_redline
behavioral1/memory/2464-30-0x0000000002AF0000-0x0000000002B2F000-memory.dmp | family_redline
behavioral1/memory/2464-80-0x0000000002AF0000-0x0000000002B2F000-memory.dmp | family_redline
behavioral1/memory/2464-64-0x0000000002AF0000-0x0000000002B2F000-memory.dmp | family_redline
behavioral1/memory/2464-42-0x0000000002AF0000-0x0000000002B2F000-memory.dmp | family_redline
behavioral1/memory/2464-28-0x0000000002AF0000-0x0000000002B2F000-memory.dmp | family_redline
behavioral1/memory/2464-26-0x0000000002AF0000-0x0000000002B2F000-memory.dmp | family_redline
behavioral1/memory/2464-25-0x0000000002AF0000-0x0000000002B2F000-memory.dmp | family_redline

Redline family
Executes dropped EXE (3 IoCs)
pid | Process
4508 | ziYR2294.exe
4612 | jr039571.exe
2464 | ku138258.exe

Windows security modification
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" | jr039571.exe
Adds Run key to start application (2 TTPs, 2 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | b32311fc807236503d975253740d1267e4214f13f174a458b5007d249214fa3a.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | ziYR2294.exe
System Location Discovery: System Language Discovery (1 TTPs, 3 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | b32311fc807236503d975253740d1267e4214f13f174a458b5007d249214fa3a.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | ziYR2294.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | ku138258.exe
Suspicious behavior: EnumeratesProcesses (2 IoCs)
pid | Process
4612 | jr039571.exe
4612 | jr039571.exe

Suspicious use of AdjustPrivilegeToken (2 IoCs)
description | pid | Process
Token: SeDebugPrivilege | 4612 | jr039571.exe
Token: SeDebugPrivilege | 2464 | ku138258.exe

Suspicious use of WriteProcessMemory (8 IoCs)
description | pid | Process | procid_target
PID 3216 wrote to memory of 4508 | 3216 | b32311fc807236503d975253740d1267e4214f13f174a458b5007d249214fa3a.exe | 83
PID 3216 wrote to memory of 4508 | 3216 | b32311fc807236503d975253740d1267e4214f13f174a458b5007d249214fa3a.exe | 83
PID 3216 wrote to memory of 4508 | 3216 | b32311fc807236503d975253740d1267e4214f13f174a458b5007d249214fa3a.exe | 83
PID 4508 wrote to memory of 4612 | 4508 | ziYR2294.exe | 84
PID 4508 wrote to memory of 4612 | 4508 | ziYR2294.exe | 84
PID 4508 wrote to memory of 2464 | 4508 | ziYR2294.exe | 95
PID 4508 wrote to memory of 2464 | 4508 | ziYR2294.exe | 95
PID 4508 wrote to memory of 2464 | 4508 | ziYR2294.exe | 95
Processes

1. C:\Users\Admin\AppData\Local\Temp\b32311fc807236503d975253740d1267e4214f13f174a458b5007d249214fa3a.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\b32311fc807236503d975253740d1267e4214f13f174a458b5007d249214fa3a.exe"
   - Adds Run key to start application
   - System Location Discovery: System Language Discovery
   - Suspicious use of WriteProcessMemory
   PID: 3216

   2. C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziYR2294.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziYR2294.exe
      - Executes dropped EXE
      - Adds Run key to start application
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      PID: 4508

      3. C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr039571.exe
         Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr039571.exe
         - Modifies Windows Defender Real-time Protection settings
         - Executes dropped EXE
         - Windows security modification
         - Suspicious behavior: EnumeratesProcesses
         - Suspicious use of AdjustPrivilegeToken
         PID: 4612

      3. C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku138258.exe
         Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku138258.exe
         - Executes dropped EXE
         - System Location Discovery: System Language Discovery
         - Suspicious use of AdjustPrivilegeToken
         PID: 2464
Network

Remote address: 8.8.8.8:53
  Request: 8.8.8.8.in-addr.arpa IN PTR
  Response: 8.8.8.8.in-addr.arpa IN PTR dns.google

Remote address: 8.8.8.8:53
  Request: 13.86.106.20.in-addr.arpa IN PTR
  Response: (empty)

Remote address: 8.8.8.8:53
  Request: 140.32.126.40.in-addr.arpa IN PTR
  Response: (empty)

Remote address: 8.8.8.8:53
  Request: 83.210.23.2.in-addr.arpa IN PTR
  Response: 83.210.23.2.in-addr.arpa IN PTR a2-23-210-83.deploy.static.akamaitechnologies.com

Remote address: 8.8.8.8:53
  Request: 95.221.229.192.in-addr.arpa IN PTR
  Response: (empty)

Remote address: 8.8.8.8:53
  Request: 232.168.11.51.in-addr.arpa IN PTR
  Response: (empty)

Remote address: 8.8.8.8:53
  Request: 172.214.232.199.in-addr.arpa IN PTR
  Response: (empty)

Remote address: 8.8.8.8:53
  Request: 23.236.111.52.in-addr.arpa IN PTR
  Response: (empty)

Other flows (remote address column not recovered)
bytes | packets
260 B | 5
260 B | 5
260 B | 5
260 B | 5
260 B | 5
156 B | 3

DNS requests
sent | recv | pkts sent | pkts recv | DNS Request
66 B | 90 B | 1 | 1 | 8.8.8.8.in-addr.arpa
71 B | 157 B | 1 | 1 | 13.86.106.20.in-addr.arpa
72 B | 158 B | 1 | 1 | 140.32.126.40.in-addr.arpa
70 B | 133 B | 1 | 1 | 83.210.23.2.in-addr.arpa
73 B | 144 B | 1 | 1 | 95.221.229.192.in-addr.arpa
72 B | 158 B | 1 | 1 | 232.168.11.51.in-addr.arpa
74 B | 128 B | 1 | 1 | 172.214.232.199.in-addr.arpa
72 B | 158 B | 1 | 1 | 23.236.111.52.in-addr.arpa
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (1)
  - Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (1)
  - Windows Service (1)
Downloads

Filesize: 394KB
MD5: 0ecb404d22c9a553ec9d46ba77d82065
SHA1: 4206b25482b941ef1c135b2fbcb51fcff6cccb70
SHA256: 7b0ae6a4aa5211d01404a26a3519aef2a60ad5a45f7b5995d5c8f2eb269e71ea
SHA512: b12295a9783cd883189e2899370d0152e7de724c147446aefc6c86068958f54400b1a18c2b2105ff543f84b88f04f1dca18612517d5d7ad684d875cc1403dd1c

Filesize: 13KB
MD5: 1cae544cc6fd9799359bbd263ce70521
SHA1: b122272a668de00f35cd1f2bffdc00cac0d433b2
SHA256: e980eea6c4c53877af2553d66a4d376fdc78c3e22a8109e6ab3fa79bd5157368
SHA512: 144bddd3b51b90ee46908d9f9815be9034351ecb8e01fe9745fc3fe0c743f155d8c682d5cdd429d1e3373dd23f086515858713333b3356fccb637c5553141c10

Filesize: 353KB
MD5: 528699ea7d92880803561479145f50ea
SHA1: 0416d8c823d7bea34b6d35541018c063d7785fe1
SHA256: e0ad8709acff1be623434b9ea43c05ab7a542d8866782d08b9dfd5cb3fdbf3f0
SHA512: 5b94c6b8e217d0eee1172276e147f4480ebbaa0a6a7825785e7077fe870399bda7a37c4e3e57599b772e9db13346b43f4af71531435eeb427fff27ac7618b4e4