Analysis
max time kernel: 144s
max time network: 148s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 11/11/2024, 05:53

Static task: static1
Behavioral task: behavioral1
Sample: d53b0c47296790e301ccc8bc3817ff5e1e1d56c75cc808a9dff24d95ed0bc78c.exe
Resource: win10v2004-20241007-en

General
Target: d53b0c47296790e301ccc8bc3817ff5e1e1d56c75cc808a9dff24d95ed0bc78c.exe
Size: 1.3MB
MD5: e63eabf1f2d035235619b3e8a2711b69
SHA1: 25e909756bcb3d55f8cc30959d2c2c3270855e0b
SHA256: d53b0c47296790e301ccc8bc3817ff5e1e1d56c75cc808a9dff24d95ed0bc78c
SHA512: 2a928c924261a0869a241d8cbd580d7c0acf07fb3a67d62a3c68350d59c113303437791c6fae232170df16326bdce9ab0b6c11da929e90c94fbb5c470af8f3a3
SSDEEP: 24576:XyagxHLC2ozxjtiO4EseuTPpvrt6HRwywlhD/n3d5CJt5:ihxQxrtseuVv6ipV3
Malware Config
Extracted
Family: redline
Botnet: rumfa
C2: 193.233.20.24:4123
auth_value: 749d02a6b4ef1fa2ad908e44ec2296dc
Signatures

Detects Healer, an antivirus disabler dropper (2 IoCs)
- behavioral1/files/0x0008000000023cab-39.dat: healer
- behavioral1/memory/2600-42-0x0000000000260000-0x000000000026A000-memory.dmp: healer

Healer family

Modifies Windows Defender Real-time Protection settings (6 IoCs)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" (ipE24Qc02.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" (ipE24Qc02.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" (ipE24Qc02.exe)
- Key created \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection (ipE24Qc02.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" (ipE24Qc02.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" (ipE24Qc02.exe)
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.

RedLine payload (35 IoCs)
Redline family

Executes dropped EXE (7 IoCs)
- PID 2212: vmbk86pr01.exe
- PID 2956: vmZD91di44.exe
- PID 3160: vmzr97DT74.exe
- PID 2964: vmdp51OZ43.exe
- PID 2424: vmcJ24Fb63.exe
- PID 2600: ipE24Qc02.exe
- PID 212: kBo90IF85.exe
Windows security modification (1 IoC)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" (ipE24Qc02.exe)
Adds Run key to start application (2 TTPs, 6 IoCs)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" (d53b0c47296790e301ccc8bc3817ff5e1e1d56c75cc808a9dff24d95ed0bc78c.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" (vmbk86pr01.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" (vmZD91di44.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" (vmzr97DT74.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\"" (vmdp51OZ43.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup5 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP005.TMP\\\"" (vmcJ24Fb63.exe)
System Location Discovery: System Language Discovery (1 TTPs, 7 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
- Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (d53b0c47296790e301ccc8bc3817ff5e1e1d56c75cc808a9dff24d95ed0bc78c.exe)
- Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (vmbk86pr01.exe)
- Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (vmZD91di44.exe)
- Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (vmzr97DT74.exe)
- Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (vmdp51OZ43.exe)
- Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (vmcJ24Fb63.exe)
- Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (kBo90IF85.exe)
Suspicious behavior: EnumeratesProcesses (2 IoCs)
- PID 2600: ipE24Qc02.exe
- PID 2600: ipE24Qc02.exe

Suspicious use of AdjustPrivilegeToken (2 IoCs)
- Token: SeDebugPrivilege, PID 2600 (ipE24Qc02.exe)
- Token: SeDebugPrivilege, PID 212 (kBo90IF85.exe)

Suspicious use of WriteProcessMemory (20 IoCs)
- PID 4908 (d53b0c47296790e301ccc8bc3817ff5e1e1d56c75cc808a9dff24d95ed0bc78c.exe) wrote to memory of 2212, procid_target 83
- PID 4908 (d53b0c47296790e301ccc8bc3817ff5e1e1d56c75cc808a9dff24d95ed0bc78c.exe) wrote to memory of 2212, procid_target 83
- PID 4908 (d53b0c47296790e301ccc8bc3817ff5e1e1d56c75cc808a9dff24d95ed0bc78c.exe) wrote to memory of 2212, procid_target 83
- PID 2212 (vmbk86pr01.exe) wrote to memory of 2956, procid_target 85
- PID 2212 (vmbk86pr01.exe) wrote to memory of 2956, procid_target 85
- PID 2212 (vmbk86pr01.exe) wrote to memory of 2956, procid_target 85
- PID 2956 (vmZD91di44.exe) wrote to memory of 3160, procid_target 87
- PID 2956 (vmZD91di44.exe) wrote to memory of 3160, procid_target 87
- PID 2956 (vmZD91di44.exe) wrote to memory of 3160, procid_target 87
- PID 3160 (vmzr97DT74.exe) wrote to memory of 2964, procid_target 89
- PID 3160 (vmzr97DT74.exe) wrote to memory of 2964, procid_target 89
- PID 3160 (vmzr97DT74.exe) wrote to memory of 2964, procid_target 89
- PID 2964 (vmdp51OZ43.exe) wrote to memory of 2424, procid_target 90
- PID 2964 (vmdp51OZ43.exe) wrote to memory of 2424, procid_target 90
- PID 2964 (vmdp51OZ43.exe) wrote to memory of 2424, procid_target 90
- PID 2424 (vmcJ24Fb63.exe) wrote to memory of 2600, procid_target 91
- PID 2424 (vmcJ24Fb63.exe) wrote to memory of 2600, procid_target 91
- PID 2424 (vmcJ24Fb63.exe) wrote to memory of 212, procid_target 99
- PID 2424 (vmcJ24Fb63.exe) wrote to memory of 212, procid_target 99
- PID 2424 (vmcJ24Fb63.exe) wrote to memory of 212, procid_target 99
Processes
(indentation shows the process tree depth; the number after PID is the depth level)

C:\Users\Admin\AppData\Local\Temp\d53b0c47296790e301ccc8bc3817ff5e1e1d56c75cc808a9dff24d95ed0bc78c.exe (PID 4908, level 1)
Command line: "C:\Users\Admin\AppData\Local\Temp\d53b0c47296790e301ccc8bc3817ff5e1e1d56c75cc808a9dff24d95ed0bc78c.exe"
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vmbk86pr01.exe (PID 2212, level 2)
  Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vmbk86pr01.exe
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\vmZD91di44.exe (PID 2956, level 3)
    Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\vmZD91di44.exe
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory

      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\vmzr97DT74.exe (PID 3160, level 4)
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\vmzr97DT74.exe
      - Executes dropped EXE
      - Adds Run key to start application
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory

        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\vmdp51OZ43.exe (PID 2964, level 5)
        Command line: C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\vmdp51OZ43.exe
        - Executes dropped EXE
        - Adds Run key to start application
        - System Location Discovery: System Language Discovery
        - Suspicious use of WriteProcessMemory

          C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\vmcJ24Fb63.exe (PID 2424, level 6)
          Command line: C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\vmcJ24Fb63.exe
          - Executes dropped EXE
          - Adds Run key to start application
          - System Location Discovery: System Language Discovery
          - Suspicious use of WriteProcessMemory

            C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\ipE24Qc02.exe (PID 2600, level 7)
            Command line: C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\ipE24Qc02.exe
            - Modifies Windows Defender Real-time Protection settings
            - Executes dropped EXE
            - Windows security modification
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken

            C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\kBo90IF85.exe (PID 212, level 7)
            Command line: C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\kBo90IF85.exe
            - Executes dropped EXE
            - System Location Discovery: System Language Discovery
            - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (1)
  - Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (1)
  - Windows Service (1)
Downloads