Analysis
- max time kernel: 143s
- max time network: 147s
- platform: windows10-2004_x64
- resource: win10v2004-20241007-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 11/11/2024, 05:55

Static task: static1
Behavioral task: behavioral1
Sample: 21873ff139457de3499d5a4dee71530636bc23ac91a4d5b0ba54a2467ce67384.exe
Resource: win10v2004-20241007-en
General
- Target: 21873ff139457de3499d5a4dee71530636bc23ac91a4d5b0ba54a2467ce67384.exe
- Size: 532KB
- MD5: d8993aa75f18a510cb0417b628471c6e
- SHA1: 0db16e20aeeec0e1b4d7b9813e0ae958a236e992
- SHA256: 21873ff139457de3499d5a4dee71530636bc23ac91a4d5b0ba54a2467ce67384
- SHA512: f2e5582c590e79b7901978d609ab8589a5831a1837696510ab142e23d14cd62d62ce1b5f654c085ba65a74216bd52b1fd3fe1d909becd20ae5cc82dd34d55954
- SSDEEP: 12288:yMrGy90qPpu0E7mH7w/vxreFFXGGm7XVU5r:wyPu0fwXeLm7XVar
Malware Config
Extracted
- Family: redline
- Botnet: rumfa
- C2: 193.233.20.24:4123
- auth_value: 749d02a6b4ef1fa2ad908e44ec2296dc
Signatures

Detects Healer an antivirus disabler dropper (2 IoCs)
resource | yara_rule
- behavioral1/files/0x000b000000023b8a-12.dat | healer
- behavioral1/memory/3260-15-0x0000000000310000-0x000000000031A000-memory.dmp | healer

Healer family

Modifies Windows Defender Real-time Protection settings
description | ioc | Process
- Key created | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | sw08zi41zb07.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | sw08zi41zb07.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | sw08zi41zb07.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | sw08zi41zb07.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | sw08zi41zb07.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | sw08zi41zb07.exe
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.

RedLine payload (35 IoCs)
Redline family

Executes dropped EXE (3 IoCs)
pid | Process
- 1136 | vID7664zM.exe
- 3260 | sw08zi41zb07.exe
- 1100 | tQP00OK23.exe

Windows security modification
description | ioc | Process
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" | sw08zi41zb07.exe

Adds Run key to start application (2 TTPs, 2 IoCs)
description | ioc | Process
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | 21873ff139457de3499d5a4dee71530636bc23ac91a4d5b0ba54a2467ce67384.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | vID7664zM.exe

System Location Discovery: System Language Discovery (1 TTPs, 3 IoCs)
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
- Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 21873ff139457de3499d5a4dee71530636bc23ac91a4d5b0ba54a2467ce67384.exe
- Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | vID7664zM.exe
- Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | tQP00OK23.exe

Suspicious behavior: EnumeratesProcesses (2 IoCs)
pid | Process
- 3260 | sw08zi41zb07.exe
- 3260 | sw08zi41zb07.exe

Suspicious use of AdjustPrivilegeToken (2 IoCs)
description | pid | Process
- Token: SeDebugPrivilege | 3260 | sw08zi41zb07.exe
- Token: SeDebugPrivilege | 1100 | tQP00OK23.exe

Suspicious use of WriteProcessMemory (8 IoCs)
description | pid | Process | procid_target
- PID 3816 wrote to memory of 1136 | 3816 | 21873ff139457de3499d5a4dee71530636bc23ac91a4d5b0ba54a2467ce67384.exe | 83
- PID 3816 wrote to memory of 1136 | 3816 | 21873ff139457de3499d5a4dee71530636bc23ac91a4d5b0ba54a2467ce67384.exe | 83
- PID 3816 wrote to memory of 1136 | 3816 | 21873ff139457de3499d5a4dee71530636bc23ac91a4d5b0ba54a2467ce67384.exe | 83
- PID 1136 wrote to memory of 3260 | 1136 | vID7664zM.exe | 85
- PID 1136 wrote to memory of 3260 | 1136 | vID7664zM.exe | 85
- PID 1136 wrote to memory of 1100 | 1136 | vID7664zM.exe | 93
- PID 1136 wrote to memory of 1100 | 1136 | vID7664zM.exe | 93
- PID 1136 wrote to memory of 1100 | 1136 | vID7664zM.exe | 93
Processes

C:\Users\Admin\AppData\Local\Temp\21873ff139457de3499d5a4dee71530636bc23ac91a4d5b0ba54a2467ce67384.exe (PID 3816)
  Command line: "C:\Users\Admin\AppData\Local\Temp\21873ff139457de3499d5a4dee71530636bc23ac91a4d5b0ba54a2467ce67384.exe"
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vID7664zM.exe (PID 1136)
    Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vID7664zM.exe
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sw08zi41zb07.exe (PID 3260)
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sw08zi41zb07.exe
      - Modifies Windows Defender Real-time Protection settings
      - Executes dropped EXE
      - Windows security modification
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken

    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\tQP00OK23.exe (PID 1100)
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\tQP00OK23.exe
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious use of AdjustPrivilegeToken
Network

MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (1)
  - Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (1)
  - Windows Service (1)
Downloads

- Filesize: 387KB
  MD5: 3962d03a05b515ae3f939e16d47b0aae
  SHA1: e3fc0a6f5eb139319ce9885bb17ad3a3b687eab4
  SHA256: 37bf7c8d53fda05cc721ad9bab5694abe4abd10b839a1b1f256e3eb8bdbc08b8
  SHA512: 49818c2e6dd36e47f842eeb80375c32c016509afb9d9854c69b043ae64893c27ebd703754f241e3eff8458b4edc0c00393d252bf8d0231e7843c18a63b6122d8

- Filesize: 11KB
  MD5: 71a0f2ad74e9f1e6b4d97d37b332421b
  SHA1: 9beac6ca08d9049647cc8c16a465f615766d5971
  SHA256: b03dc861feaef3aae851e0adc086fd19afaaf51255217652319d9abd77cb6662
  SHA512: b183496eb9402d08ba9a8a5913b6e1d24275acae041d7260472839f120c6bc8d13a1e53a4f8dceacf9288b608acc3e35b138c90ef9e34ecc91598dfd71d75ff1

- Filesize: 303KB
  MD5: a1f3354a99b35edf172a95b90afbc9b1
  SHA1: 8b02f77b82ec8b005aacb5bd87f50f6ceee0052f
  SHA256: 2565aca55567f1c548f5135c387bdc75999836cb072d0896c040947bef8e852a
  SHA512: f189af079f9f9de1861b03a2e15c9dac741929cdb115937973270e9ffbf65e64b2a19ebc277f1f9aa10a42e4f83abed0a5c9bb4bfc86c66102c09575771ef40e