Analysis
-
max time kernel
142s -
max time network
146s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted
11/11/2024, 05:54
Static task
static1
Behavioral task
behavioral1
Sample
3b809e2cdc53dd38b6a46e60fc0b7d327e293787bd4bc1724bff96ffcbfad173.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
3b809e2cdc53dd38b6a46e60fc0b7d327e293787bd4bc1724bff96ffcbfad173.exe
Resource
win10v2004-20241007-en
General
-
Target
3b809e2cdc53dd38b6a46e60fc0b7d327e293787bd4bc1724bff96ffcbfad173.exe
-
Size
693KB
-
MD5
13e7465ea80d98db3c705f2d1514dc58
-
SHA1
0cceb60c32215991807f4eb1aab27119743159e7
-
SHA256
3b809e2cdc53dd38b6a46e60fc0b7d327e293787bd4bc1724bff96ffcbfad173
-
SHA512
2f89d36e8e5d1af7e0c4097ad57505715c9f5fc219881c438263724713beb1401ce8e8def80f905ec7c71762d317b0cd85f640722ac8c2c83e68074a45e259ec
-
SSDEEP
12288:kBVTbILUBFnob9ROF52dVW5iXygBfovnzMd6T0BplqHvnLM8d:WRAUBFo7V1XyiovzvIPlSvL5d
Malware Config
Extracted
Family: redline
Botnet: sony
C2: 193.233.20.33:4125
auth_value: 1d93d1744381eeb4fcfd7c23ffe0f0b4
Signatures
-
Detects Healer, an antivirus-disabler dropper (2 IoCs)
resource  yara_rule
behavioral1/files/0x0007000000019234-18.dat  healer
behavioral1/memory/2128-23-0x0000000001090000-0x000000000109A000-memory.dmp  healer
The memory match is PID 2128, jr053814.exe, which is also the process that writes the Windows Defender settings listed below.
Healer family
Modifies Windows Defender Real-time Protection settings (6 IoCs)
description  ioc  Process
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"  jr053814.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"  jr053814.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"  jr053814.exe
Key created  \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection  jr053814.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"  jr053814.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"  jr053814.exe
All six writes target the Defender policy key under HKLM\SOFTWARE\Policies, not Defender's own configuration: each Disable* value set to 1 switches the named protection off by policy, which is the Impair Defenses: Disable or Modify Tools technique (ATT&CK T1562.001).
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020. In this run it is the final stage, ku613286.exe (PID 2652): the family_redline rule matched its memory 34 times, and the RedLine configuration shown under Malware Config belongs to this stage.
-
RedLine payload (34 IoCs)
resource  yara_rule
behavioral1/memory/2652-38-0x0000000004DD0000-0x0000000004E16000-memory.dmp  family_redline
behavioral1/memory/2652-39-0x0000000004E10000-0x0000000004E54000-memory.dmp  family_redline
behavioral1/memory/2652-N-0x0000000004E10000-0x0000000004E4E000-memory.dmp  family_redline, for N in 40, 41, 43, 45, 47, 49, 51, 53, 55, 57, 59, 61, 63, 65, 67, 69, 71, 73, 75, 77, 79, 81, 83, 85, 87, 89, 91, 93, 95, 97, 99, 101 (32 successive dumps of the same region of PID 2652)
Redline family
-
Executes dropped EXE (3 IoCs)
pid   Process
2136  ziOc8233.exe
2128  jr053814.exe
2652  ku613286.exe

Loads dropped DLL (6 IoCs)
pid   Process
2132  3b809e2cdc53dd38b6a46e60fc0b7d327e293787bd4bc1724bff96ffcbfad173.exe
2136  ziOc8233.exe (4 rows)
2652  ku613286.exe
Windows security modification (2 IoCs)
description  ioc  Process
Key created  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features  jr053814.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"  jr053814.exe
This is the value Defender's Tamper Protection state is recorded under. Whether the write has any effect depends on the target: the Windows 7 image of behavioral1 has no Tamper Protection at all, and on Windows 10 builds where Tamper Protection is enabled the feature is designed to block exactly this kind of direct registry edit.
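As an added example (not part of the Triage report and not code from the Healer sample), the following Python turns the two registry tables above, the Real-Time Protection policy values and the TamperProtection flag, into a detection that runs over registry set-value rows. The rows are constructed here to match this report's IoCs; the value-name meanings are Microsoft's documented Defender policy semantics. It also carries the check a practitioner wants: a Disable* value written back to "0", or TamperProtection written to "1", is a restore and must not alert.

```python
import re
from dataclasses import dataclass

# Keys as the report prints them (Triage's \REGISTRY\MACHINE form of HKLM).
REALTIME_POLICY = r"\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection"
FEATURES_KEY = r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features"

# Policy values under Real-Time Protection; data "1" disables the named protection.
DISABLE_VALUES = {
    "DisableRealtimeMonitoring": "real-time scanning",
    "DisableOnAccessProtection": "on-access file scanning",
    "DisableScanOnRealtimeEnable": "the catch-up scan when real-time protection comes back",
    "DisableBehaviorMonitoring": "behavior monitoring",
    "DisableIOAVProtection": "scanning of downloaded files and attachments (IOAV)",
}

@dataclass(frozen=True)
class Finding:
    process: str
    value_name: str
    data: str
    reason: str

# One report row:  Set value (<type>) <key>\<name> = "<data>" <process>
ROW = re.compile(r'^Set value \((?P<type>\w+)\) (?P<target>\\REGISTRY\\.+?) = "(?P<data>[^"]*)" (?P<proc>\S+)$')

def parse_row(line):
    """Split a 'Set value' row into (key, value_name, data, process); None for any other row."""
    m = ROW.match(line.strip())
    if not m:
        return None
    key, _, name = m.group("target").rpartition("\\")
    return key, name, m.group("data"), m.group("proc")

def analyze(lines):
    """One Finding per row that weakens Defender; restores to the default value are ignored."""
    findings = []
    for line in lines:
        parsed = parse_row(line)
        if parsed is None:
            continue  # "Key created" rows and unrelated lines carry no value data
        key, name, data, proc = parsed
        if key.lower() == REALTIME_POLICY.lower() and name in DISABLE_VALUES and data == "1":
            findings.append(Finding(proc, name, data, f"disables {DISABLE_VALUES[name]} by policy"))
        elif key.lower() == FEATURES_KEY.lower() and name == "TamperProtection" and data == "0":
            findings.append(Finding(proc, name, data, "turns Tamper Protection off so the policy values stick"))
    return findings

# Constructed sample: the rows jr053814.exe produces in this report, plus two that must
# not alert (the 'Key created' row and an administrator re-enabling real-time scanning).
SAMPLE_EVENTS = [
    r'Key created \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection jr053814.exe',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" jr053814.exe',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" jr053814.exe',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" jr053814.exe',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" jr053814.exe',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" jr053814.exe',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" jr053814.exe',
    # constructed restore row, not from the report: gpupdate.exe is a hypothetical writer
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "0" gpupdate.exe',
]

if __name__ == "__main__":
    for f in analyze(SAMPLE_EVENTS):
        print(f"{f.process}: {f.value_name}={f.data} -> {f.reason}")
```

Run against the sample it reports the six rows written by jr053814.exe and nothing for the restore row; on a live host the same function can be fed Sysmon EventID 13 (RegistryEvent SetValue) details after mapping them into the same `Set value (...) <key>\<name> = "<data>" <image>` shape.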
Adds Run key to start application (2 TTPs, 2 IoCs)
description  ioc  Process
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""  3b809e2cdc53dd38b6a46e60fc0b7d327e293787bd4bc1724bff96ffcbfad173.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""  ziOc8233.exe
Both values are the standard clean-up entries written by wextract, the IExpress self-extractor stub: at the next logon rundll32 calls advpack.dll's DelNodeRunDLL32 to delete the IXP000.TMP and IXP001.TMP extraction directories. They run once, delete a folder and start nothing else, so they are not persistence for the stealer. They do matter for evidence handling: the dropped stage files in those two directories are gone after a reboot, so collect them first.
System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description  ioc  Process
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  3b809e2cdc53dd38b6a46e60fc0b7d327e293787bd4bc1724bff96ffcbfad173.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  ziOc8233.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  ku613286.exe
The check is made by the outer dropper, the inner dropper and the RedLine stage alike; the report does not show what each stage did with the result.
Suspicious behavior: EnumeratesProcesses (2 IoCs)
pid   Process
2128  jr053814.exe
2128  jr053814.exe

Suspicious use of AdjustPrivilegeToken (2 IoCs)
description  pid  Process
Token: SeDebugPrivilege  2128  jr053814.exe
Token: SeDebugPrivilege  2652  ku613286.exe

Suspicious use of WriteProcessMemory (21 IoCs)
description  pid  Process  procid_target
PID 2132 wrote to memory of 2136  2132  3b809e2cdc53dd38b6a46e60fc0b7d327e293787bd4bc1724bff96ffcbfad173.exe  30  (7 rows)
PID 2136 wrote to memory of 2128  2136  ziOc8233.exe  31  (7 rows)
PID 2136 wrote to memory of 2652  2136  ziOc8233.exe  33  (7 rows)
Each group is a parent writing into a child it has just started, which is how process creation appears through the sandbox's API hooks; the 21 rows are therefore the three parent-child edges of the process tree below and not code injection into an unrelated process. A child written to by two different processes would be the case worth a closer look.
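As an added example, not taken from the report, the Python below collapses the WriteProcessMemory rows above into the parent-child tree they encode and raises an error for the pattern that would actually deserve attention, a child written to by two different processes. The rows are copied from this report with each pair trimmed from seven repetitions to two; the pid-to-name map comes from the "Executes dropped EXE" table.

```python
import re

# One row of the report's table:  PID <src> wrote to memory of <dst> <src> <process> <procid_target>
ROW = re.compile(r"PID (?P<src>\d+) wrote to memory of (?P<dst>\d+) (?P=src) (?P<name>\S+) (?P<target>\d+)")
# One row of "Executes dropped EXE":  <pid> <process>
EXE_ROW = re.compile(r"(?P<pid>\d+) (?P<name>\S+\.exe)")

def parse_rows(text):
    """Yield (parent_pid, child_pid, parent_name, target_id) for every row, duplicates included."""
    for m in ROW.finditer(text):
        yield int(m.group("src")), int(m.group("dst")), m.group("name"), int(m.group("target"))

def build_tree(write_rows, exe_rows=""):
    """Collapse repeated writes into one parent -> child edge per pair.
    Returns (parent, children, names, roots)."""
    names = {int(m.group("pid")): m.group("name") for m in EXE_ROW.finditer(exe_rows)}
    parent, children = {}, {}
    for src, dst, name, _ in parse_rows(write_rows):
        names.setdefault(src, name)
        if parent.get(dst, src) != src:
            # Two different writers into one process is not process creation; flag it.
            raise ValueError(f"PID {dst} written by {parent[dst]} and {src}")
        parent[dst] = src
        kids = children.setdefault(src, [])
        if dst not in kids:
            kids.append(dst)
    roots = [p for p in children if p not in parent]
    return parent, children, names, roots

def render(write_rows, exe_rows=""):
    """Indented process tree, one line per process."""
    parent, children, names, roots = build_tree(write_rows, exe_rows)
    lines = []

    def walk(pid, depth):
        lines.append("  " * depth + f"{names.get(pid, '?')} (PID {pid})")
        for child in children.get(pid, []):
            walk(child, depth + 1)

    for r in roots:
        walk(r, 0)
    return "\n".join(lines)

# Rows copied from this report; each pair appears 7 times there, trimmed to 2 here.
WRITE_ROWS = (
    "PID 2132 wrote to memory of 2136 2132 3b809e2cdc53dd38b6a46e60fc0b7d327e293787bd4bc1724bff96ffcbfad173.exe 30 "
    "PID 2132 wrote to memory of 2136 2132 3b809e2cdc53dd38b6a46e60fc0b7d327e293787bd4bc1724bff96ffcbfad173.exe 30 "
    "PID 2136 wrote to memory of 2128 2136 ziOc8233.exe 31 "
    "PID 2136 wrote to memory of 2128 2136 ziOc8233.exe 31 "
    "PID 2136 wrote to memory of 2652 2136 ziOc8233.exe 33 "
    "PID 2136 wrote to memory of 2652 2136 ziOc8233.exe 33"
)
# The "Executes dropped EXE" table from this report.
EXE_ROWS = "2136 ziOc8233.exe 2128 jr053814.exe 2652 ku613286.exe"

if __name__ == "__main__":
    print(render(WRITE_ROWS, EXE_ROWS))
```

The rendered tree is the same four-process chain shown under Processes below; feeding it a constructed extra row in which PID 2128 writes into PID 2652 makes `build_tree` raise, which is the injection-shaped case the plain row count hides.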
Processes

1. C:\Users\Admin\AppData\Local\Temp\3b809e2cdc53dd38b6a46e60fc0b7d327e293787bd4bc1724bff96ffcbfad173.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\3b809e2cdc53dd38b6a46e60fc0b7d327e293787bd4bc1724bff96ffcbfad173.exe"
   PID: 2132
   - Loads dropped DLL
   - Adds Run key to start application
   - System Location Discovery: System Language Discovery
   - Suspicious use of WriteProcessMemory

   2. C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziOc8233.exe (child of PID 2132)
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziOc8233.exe
      PID: 2136
      - Executes dropped EXE
      - Loads dropped DLL
      - Adds Run key to start application
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory

      3. C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr053814.exe (child of PID 2136)
         Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr053814.exe
         PID: 2128
         - Modifies Windows Defender Real-time Protection settings
         - Executes dropped EXE
         - Windows security modification
         - Suspicious behavior: EnumeratesProcesses
         - Suspicious use of AdjustPrivilegeToken

      3. C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku613286.exe (child of PID 2136)
         Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku613286.exe
         PID: 2652
         - Executes dropped EXE
         - Loads dropped DLL
         - System Location Discovery: System Language Discovery
         - Suspicious use of AdjustPrivilegeToken

The chain is a nested self-extractor: the submitted file unpacks into IXP000.TMP and runs ziOc8233.exe, which unpacks into IXP001.TMP and runs the Healer component (jr053814.exe) to disable Defender, then the RedLine stage (ku613286.exe).
Network

MITRE ATT&CK Enterprise v15
Persistence
  Boot or Logon Autostart Execution (1)
    Registry Run Keys / Startup Folder (1)
  Create or Modify System Process (1)
    Windows Service (1)
Downloads

Filesize  406KB
MD5       fbb0766c66e33ee3a53e9ed2b827daa0
SHA1      8928d09d37a301d996657da261f2697ba3a647fd
SHA256    59b04f3e7728eb2f28ea01087a66a2c8ba6edcc36f43c81dbf61da5a5e99c7b1
SHA512    d973971cec47db5b79905c93853ed456d6dae1420992a668f74917d0d3eb7f2b7baebbba658b79289457ae1d032424db214a51ef7229ce77c7bdb74f42540494

Filesize  12KB
MD5       6e8f52ddef9bef053648d152ac59f057
SHA1      5c54bbcd7e25c9518c0f431357cc79ac64af1de8
SHA256    07a913a067031ab6c5b18b73b6026320586bea449bc6f9d183fa72553bb17d49
SHA512    7f740f706ebda245c4f3a0224b42f292fd3fb681f6ba4bad9a0b4c9469c4652a11bd1b8bb2f3b7cb5a82ccd06e22bef047fad1041b95538ef58b990fc4a9cd78

Filesize  379KB
MD5       746c4dd70fed84f4a332eb0472cd09b1
SHA1      009678bae4c4fe11393e8196f91d98122273e7df
SHA256    5f7919f529a13f35bd52dd31bae98948a6e130e29785b3dcc99e238d5bfdfc43
SHA512    82b2db294024f50e3394058361fe8582e43927040aa975995a14be143f22bf04ea98c17114c7cbd3d0e8a9fb275eb9e169aa84d74d6656247e77d8f369fe12a0