Analysis
- max time kernel: 142s
- max time network: 151s
- platform: windows10-2004_x64
- resource: win10v2004-20241007-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 11/11/2024, 05:53
- Static task: static1
- Behavioral task: behavioral1
- Sample: 2e91f153c8cb771ed52dc1ad721658cb5ab364caf96b6064a695bcef31719a95N.exe
- Resource: win10v2004-20241007-en
General
- Target: 2e91f153c8cb771ed52dc1ad721658cb5ab364caf96b6064a695bcef31719a95N.exe
- Size: 958KB
- MD5: 2dd38df498d246e5aad1c8c02c3b31e0
- SHA1: 7f5ae63fc7f85388bbb72b0e8bdf66553fd09838
- SHA256: 2e91f153c8cb771ed52dc1ad721658cb5ab364caf96b6064a695bcef31719a95
- SHA512: eabb475e72e51e22009ff1e391ebd21cb140703d4944b8552a4c4dd119fe060d74ac947f7f22f80c01e90634a2760497f5c1cd5e32686836cb5ace755a337683
- SSDEEP: 24576:ty+3gfkfdVswHWqnFlCAyBvXv6sp0kzScsThMKdQDxW:I+QfkfRFEjJl0kzhsTp
Malware Config

Extracted
- Family: redline
- Botnet: rumfa
- C2: 193.233.20.24:4123
- auth_value: 749d02a6b4ef1fa2ad908e44ec2296dc
Signatures

Detects Healer, an antivirus disabler dropper (2 IoCs)

| resource | yara_rule |
|---|---|
| behavioral1/files/0x0009000000023bac-19.dat | healer |
| behavioral1/memory/764-22-0x0000000000F60000-0x0000000000F6A000-memory.dmp | healer |
Healer family

Modifies Windows Defender Real-time Protection settings (6 IoCs)

| description | ioc | Process |
|---|---|---|
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | buIQ20re10.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | buIQ20re10.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | buIQ20re10.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | buIQ20re10.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | buIQ20re10.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | buIQ20re10.exe |
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.

RedLine payload (35 IoCs)

| resource | yara_rule |
|---|---|
| behavioral1/memory/4828-29-0x0000000004A10000-0x0000000004A56000-memory.dmp | family_redline |
| behavioral1/memory/4828-31-0x00000000071D0000-0x0000000007214000-memory.dmp | family_redline |
| behavioral1/memory/4828-47-0x00000000071D0000-0x000000000720E000-memory.dmp | family_redline |
| behavioral1/memory/4828-45-0x00000000071D0000-0x000000000720E000-memory.dmp | family_redline |
| behavioral1/memory/4828-95-0x00000000071D0000-0x000000000720E000-memory.dmp | family_redline |
| behavioral1/memory/4828-93-0x00000000071D0000-0x000000000720E000-memory.dmp | family_redline |
| behavioral1/memory/4828-91-0x00000000071D0000-0x000000000720E000-memory.dmp | family_redline |
| behavioral1/memory/4828-89-0x00000000071D0000-0x000000000720E000-memory.dmp | family_redline |
| behavioral1/memory/4828-87-0x00000000071D0000-0x000000000720E000-memory.dmp | family_redline |
| behavioral1/memory/4828-83-0x00000000071D0000-0x000000000720E000-memory.dmp | family_redline |
| behavioral1/memory/4828-81-0x00000000071D0000-0x000000000720E000-memory.dmp | family_redline |
| behavioral1/memory/4828-79-0x00000000071D0000-0x000000000720E000-memory.dmp | family_redline |
| behavioral1/memory/4828-77-0x00000000071D0000-0x000000000720E000-memory.dmp | family_redline |
| behavioral1/memory/4828-75-0x00000000071D0000-0x000000000720E000-memory.dmp | family_redline |
| behavioral1/memory/4828-71-0x00000000071D0000-0x000000000720E000-memory.dmp | family_redline |
| behavioral1/memory/4828-69-0x00000000071D0000-0x000000000720E000-memory.dmp | family_redline |
| behavioral1/memory/4828-67-0x00000000071D0000-0x000000000720E000-memory.dmp | family_redline |
| behavioral1/memory/4828-65-0x00000000071D0000-0x000000000720E000-memory.dmp | family_redline |
| behavioral1/memory/4828-63-0x00000000071D0000-0x000000000720E000-memory.dmp | family_redline |
| behavioral1/memory/4828-61-0x00000000071D0000-0x000000000720E000-memory.dmp | family_redline |
| behavioral1/memory/4828-57-0x00000000071D0000-0x000000000720E000-memory.dmp | family_redline |
| behavioral1/memory/4828-55-0x00000000071D0000-0x000000000720E000-memory.dmp | family_redline |
| behavioral1/memory/4828-53-0x00000000071D0000-0x000000000720E000-memory.dmp | family_redline |
| behavioral1/memory/4828-51-0x00000000071D0000-0x000000000720E000-memory.dmp | family_redline |
| behavioral1/memory/4828-49-0x00000000071D0000-0x000000000720E000-memory.dmp | family_redline |
| behavioral1/memory/4828-43-0x00000000071D0000-0x000000000720E000-memory.dmp | family_redline |
| behavioral1/memory/4828-41-0x00000000071D0000-0x000000000720E000-memory.dmp | family_redline |
| behavioral1/memory/4828-40-0x00000000071D0000-0x000000000720E000-memory.dmp | family_redline |
| behavioral1/memory/4828-38-0x00000000071D0000-0x000000000720E000-memory.dmp | family_redline |
| behavioral1/memory/4828-85-0x00000000071D0000-0x000000000720E000-memory.dmp | family_redline |
| behavioral1/memory/4828-73-0x00000000071D0000-0x000000000720E000-memory.dmp | family_redline |
| behavioral1/memory/4828-59-0x00000000071D0000-0x000000000720E000-memory.dmp | family_redline |
| behavioral1/memory/4828-35-0x00000000071D0000-0x000000000720E000-memory.dmp | family_redline |
| behavioral1/memory/4828-33-0x00000000071D0000-0x000000000720E000-memory.dmp | family_redline |
| behavioral1/memory/4828-32-0x00000000071D0000-0x000000000720E000-memory.dmp | family_redline |

Redline family
Executes dropped EXE (4 IoCs)

| pid | Process |
|---|---|
| 2204 | pldC82om58.exe |
| 2836 | plWS05BD42.exe |
| 764 | buIQ20re10.exe |
| 4828 | caEj05Je95.exe |
Windows security modification (1 IoC)

| description | ioc | Process |
|---|---|---|
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" | buIQ20re10.exe |
Adds Run key to start application (2 TTPs, 3 IoCs)

| description | ioc | Process |
|---|---|---|
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | 2e91f153c8cb771ed52dc1ad721658cb5ab364caf96b6064a695bcef31719a95N.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | pldC82om58.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" | plWS05BD42.exe |
System Location Discovery: System Language Discovery (1 TTP, 4 IoCs)

Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

| description | ioc | Process |
|---|---|---|
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 2e91f153c8cb771ed52dc1ad721658cb5ab364caf96b6064a695bcef31719a95N.exe |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | pldC82om58.exe |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | plWS05BD42.exe |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | caEj05Je95.exe |
Suspicious behavior: EnumeratesProcesses (2 IoCs)

| pid | Process |
|---|---|
| 764 | buIQ20re10.exe |
| 764 | buIQ20re10.exe |

Suspicious use of AdjustPrivilegeToken (2 IoCs)

| description | pid | Process |
|---|---|---|
| Token: SeDebugPrivilege | 764 | buIQ20re10.exe |
| Token: SeDebugPrivilege | 4828 | caEj05Je95.exe |

Suspicious use of WriteProcessMemory (11 IoCs)

| description | pid | Process | procid_target |
|---|---|---|---|
| PID 3544 wrote to memory of 2204 | 3544 | 2e91f153c8cb771ed52dc1ad721658cb5ab364caf96b6064a695bcef31719a95N.exe | 85 |
| PID 3544 wrote to memory of 2204 | 3544 | 2e91f153c8cb771ed52dc1ad721658cb5ab364caf96b6064a695bcef31719a95N.exe | 85 |
| PID 3544 wrote to memory of 2204 | 3544 | 2e91f153c8cb771ed52dc1ad721658cb5ab364caf96b6064a695bcef31719a95N.exe | 85 |
| PID 2204 wrote to memory of 2836 | 2204 | pldC82om58.exe | 86 |
| PID 2204 wrote to memory of 2836 | 2204 | pldC82om58.exe | 86 |
| PID 2204 wrote to memory of 2836 | 2204 | pldC82om58.exe | 86 |
| PID 2836 wrote to memory of 764 | 2836 | plWS05BD42.exe | 88 |
| PID 2836 wrote to memory of 764 | 2836 | plWS05BD42.exe | 88 |
| PID 2836 wrote to memory of 4828 | 2836 | plWS05BD42.exe | 98 |
| PID 2836 wrote to memory of 4828 | 2836 | plWS05BD42.exe | 98 |
| PID 2836 wrote to memory of 4828 | 2836 | plWS05BD42.exe | 98 |
Processes

- C:\Users\Admin\AppData\Local\Temp\2e91f153c8cb771ed52dc1ad721658cb5ab364caf96b6064a695bcef31719a95N.exe (depth 1, PID 3544)
  Command line: "C:\Users\Admin\AppData\Local\Temp\2e91f153c8cb771ed52dc1ad721658cb5ab364caf96b6064a695bcef31719a95N.exe"
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\pldC82om58.exe (depth 2, PID 2204)
    Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\pldC82om58.exe
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\plWS05BD42.exe (depth 3, PID 2836)
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\plWS05BD42.exe
      - Executes dropped EXE
      - Adds Run key to start application
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\buIQ20re10.exe (depth 4, PID 764)
        Command line: C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\buIQ20re10.exe
        - Modifies Windows Defender Real-time Protection settings
        - Executes dropped EXE
        - Windows security modification
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
      - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\caEj05Je95.exe (depth 4, PID 4828)
        Command line: C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\caEj05Je95.exe
        - Executes dropped EXE
        - System Location Discovery: System Language Discovery
        - Suspicious use of AdjustPrivilegeToken

Network
MITRE ATT&CK Enterprise v15
- Persistence
  - Boot or Logon Autostart Execution (1)
    - Registry Run Keys / Startup Folder (1)
  - Create or Modify System Process (1)
    - Windows Service (1)
Downloads

| Filesize | MD5 | SHA1 | SHA256 | SHA512 |
|---|---|---|---|---|
| 681KB | 154b755ed8b39e209b21102819a53c69 | 40cf66e793d4321766fe1946c8a26276e9ce159d | 93a76a6ba05223c90c8e56f659962b5faceaa6d80793eb4f74be69873685a37e | fc2ada576d455e3906b15ae0b8ff1ca34b14d3ac3c3ad251c7a534b37cce7993757b24f7eb73fcfc0674a747c84b7cb844fde435db2cbf19d1ceb515b3885982 |
| 399KB | 8fbd7bb022b564856a8c878af221b119 | 1b29df15d831b2659a8b5a93cb2287c3698dda04 | 24234c78ad8fa53dc5800a8da9d00aff435cf521ec02104ded757d413daf33d3 | bad0ea94a84d32d64573de8b54e4d3cb5e092d07a683d4527d6efdba26a4a1505048c435fbe2b60c20752e0332bd9a91fe08972210d5ea0cf6d11d0c275042ed |
| 13KB | d83a07b6f1e657e333f9cec7f6b82600 | 628186840068d99e54dc9147a951b5d1a1ab48a8 | 3ed120337dc52133093f34e4faa0a6ad23c688669f9b82ec4cb78f45a6a4346f | 7ceb69f448dacdafc620d64ddaefeacda0a3af8316dc98262366bf8b583b8d7bb3710c22c6338a3e4b92f3062b6b9f1628d5aa461729cf5d7e84447ab8f2dbc8 |
| 374KB | 049b7e9c3b3777fd130ad01127cd8268 | 7f56ea5b4e7029a2da226d899ddfce99ff960e0f | aff2553c6b6d9a7f84838eb4a2b47cbb3891e122ba04e305c020e68b27847b68 | d89cdb1b58ceb4d9b83ab498fc69e5c423b9f44ea2eb24a07b860a6594462899cb1d08e5427dd57473fa2b15d233744f7f7e9fd5f7ae082387a0072c278e0aa1 |