Analysis
max time kernel: 117s
max time network: 120s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 11/11/2024, 05:55
Static task: static1
Behavioral task: behavioral1
Sample: 18730b667a85a1a7cafa882414f27b66cd11e7c1315dc42722eb6a6f0a275b90.exe
Resource: win10v2004-20241007-en
General
Target: 18730b667a85a1a7cafa882414f27b66cd11e7c1315dc42722eb6a6f0a275b90.exe
Size: 679KB
MD5: 30f2bb7d149dc69d3cbd85e246c5a2b1
SHA1: 2f24e54039599a23780b99352393b1f4fe7f662d
SHA256: 18730b667a85a1a7cafa882414f27b66cd11e7c1315dc42722eb6a6f0a275b90
SHA512: 573e4199b12780230c48af14974fab52ce0ecebde40c89240e6f4a82212a46642c28a20e98f98d6be943af5a92548dd910c1d862903d18d0030e9431af5c82fa
SSDEEP: 12288:XMr3y90/S7ET2jucsysMv88n0qWyyR8573scLSVcNPk1XNEb8GPga3eb:ky2S7Eqm/qL8yyo7X2Ohk1qb8GPb3eb
Malware Config
Extracted
Family: redline
Botnet: rumfa
C2: 193.233.20.24:4123
auth_value: 749d02a6b4ef1fa2ad908e44ec2296dc
Signatures

Detects Healer, an antivirus disabler dropper (2 IoCs)
resource | yara_rule
behavioral1/files/0x000b000000023b7e-12.dat | healer
behavioral1/memory/3232-15-0x0000000000A50000-0x0000000000A5A000-memory.dmp | healer

Healer family

Modifies Windows Defender Real-time Protection settings
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | buMx71vV42.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | buMx71vV42.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | buMx71vV42.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | buMx71vV42.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | buMx71vV42.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | buMx71vV42.exe
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.

RedLine payload (35 IoCs)
resource | yara_rule
behavioral1/memory/788-21-0x0000000004CC0000-0x0000000004D06000-memory.dmp | family_redline
behavioral1/memory/788-23-0x00000000071A0000-0x00000000071E4000-memory.dmp | family_redline
behavioral1/memory/788-41-0x00000000071A0000-0x00000000071DE000-memory.dmp | family_redline
behavioral1/memory/788-47-0x00000000071A0000-0x00000000071DE000-memory.dmp | family_redline
behavioral1/memory/788-87-0x00000000071A0000-0x00000000071DE000-memory.dmp | family_redline
behavioral1/memory/788-85-0x00000000071A0000-0x00000000071DE000-memory.dmp | family_redline
behavioral1/memory/788-83-0x00000000071A0000-0x00000000071DE000-memory.dmp | family_redline
behavioral1/memory/788-81-0x00000000071A0000-0x00000000071DE000-memory.dmp | family_redline
behavioral1/memory/788-79-0x00000000071A0000-0x00000000071DE000-memory.dmp | family_redline
behavioral1/memory/788-77-0x00000000071A0000-0x00000000071DE000-memory.dmp | family_redline
behavioral1/memory/788-75-0x00000000071A0000-0x00000000071DE000-memory.dmp | family_redline
behavioral1/memory/788-73-0x00000000071A0000-0x00000000071DE000-memory.dmp | family_redline
behavioral1/memory/788-71-0x00000000071A0000-0x00000000071DE000-memory.dmp | family_redline
behavioral1/memory/788-67-0x00000000071A0000-0x00000000071DE000-memory.dmp | family_redline
behavioral1/memory/788-65-0x00000000071A0000-0x00000000071DE000-memory.dmp | family_redline
behavioral1/memory/788-63-0x00000000071A0000-0x00000000071DE000-memory.dmp | family_redline
behavioral1/memory/788-61-0x00000000071A0000-0x00000000071DE000-memory.dmp | family_redline
behavioral1/memory/788-59-0x00000000071A0000-0x00000000071DE000-memory.dmp | family_redline
behavioral1/memory/788-57-0x00000000071A0000-0x00000000071DE000-memory.dmp | family_redline
behavioral1/memory/788-55-0x00000000071A0000-0x00000000071DE000-memory.dmp | family_redline
behavioral1/memory/788-53-0x00000000071A0000-0x00000000071DE000-memory.dmp | family_redline
behavioral1/memory/788-51-0x00000000071A0000-0x00000000071DE000-memory.dmp | family_redline
behavioral1/memory/788-49-0x00000000071A0000-0x00000000071DE000-memory.dmp | family_redline
behavioral1/memory/788-45-0x00000000071A0000-0x00000000071DE000-memory.dmp | family_redline
behavioral1/memory/788-43-0x00000000071A0000-0x00000000071DE000-memory.dmp | family_redline
behavioral1/memory/788-39-0x00000000071A0000-0x00000000071DE000-memory.dmp | family_redline
behavioral1/memory/788-37-0x00000000071A0000-0x00000000071DE000-memory.dmp | family_redline
behavioral1/memory/788-35-0x00000000071A0000-0x00000000071DE000-memory.dmp | family_redline
behavioral1/memory/788-33-0x00000000071A0000-0x00000000071DE000-memory.dmp | family_redline
behavioral1/memory/788-31-0x00000000071A0000-0x00000000071DE000-memory.dmp | family_redline
behavioral1/memory/788-29-0x00000000071A0000-0x00000000071DE000-memory.dmp | family_redline
behavioral1/memory/788-27-0x00000000071A0000-0x00000000071DE000-memory.dmp | family_redline
behavioral1/memory/788-69-0x00000000071A0000-0x00000000071DE000-memory.dmp | family_redline
behavioral1/memory/788-25-0x00000000071A0000-0x00000000071DE000-memory.dmp | family_redline
behavioral1/memory/788-24-0x00000000071A0000-0x00000000071DE000-memory.dmp | family_redline

Redline family
Executes dropped EXE (3 IoCs)
pid | Process
2952 | plJk92CD02.exe
3232 | buMx71vV42.exe
788 | cacf81Gx35.exe

Windows security modification
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" | buMx71vV42.exe
Adds Run key to start application (2 TTPs, 2 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | 18730b667a85a1a7cafa882414f27b66cd11e7c1315dc42722eb6a6f0a275b90.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | plJk92CD02.exe
System Location Discovery: System Language Discovery (1 TTPs, 3 IoCs)
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 18730b667a85a1a7cafa882414f27b66cd11e7c1315dc42722eb6a6f0a275b90.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | plJk92CD02.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cacf81Gx35.exe
Suspicious behavior: EnumeratesProcesses (2 IoCs)
pid | Process
3232 | buMx71vV42.exe
3232 | buMx71vV42.exe

Suspicious use of AdjustPrivilegeToken (2 IoCs)
description | pid | Process
Token: SeDebugPrivilege | 3232 | buMx71vV42.exe
Token: SeDebugPrivilege | 788 | cacf81Gx35.exe

Suspicious use of WriteProcessMemory (8 IoCs)
description | pid | Process | procid_target
PID 1984 wrote to memory of 2952 | 1984 | 18730b667a85a1a7cafa882414f27b66cd11e7c1315dc42722eb6a6f0a275b90.exe | 85
PID 1984 wrote to memory of 2952 | 1984 | 18730b667a85a1a7cafa882414f27b66cd11e7c1315dc42722eb6a6f0a275b90.exe | 85
PID 1984 wrote to memory of 2952 | 1984 | 18730b667a85a1a7cafa882414f27b66cd11e7c1315dc42722eb6a6f0a275b90.exe | 85
PID 2952 wrote to memory of 3232 | 2952 | plJk92CD02.exe | 86
PID 2952 wrote to memory of 3232 | 2952 | plJk92CD02.exe | 86
PID 2952 wrote to memory of 788 | 2952 | plJk92CD02.exe | 95
PID 2952 wrote to memory of 788 | 2952 | plJk92CD02.exe | 95
PID 2952 wrote to memory of 788 | 2952 | plJk92CD02.exe | 95
Processes
C:\Users\Admin\AppData\Local\Temp\18730b667a85a1a7cafa882414f27b66cd11e7c1315dc42722eb6a6f0a275b90.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\18730b667a85a1a7cafa882414f27b66cd11e7c1315dc42722eb6a6f0a275b90.exe"
  PID: 1984
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\plJk92CD02.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\plJk92CD02.exe
    PID: 2952
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\buMx71vV42.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\buMx71vV42.exe
      PID: 3232
      - Modifies Windows Defender Real-time Protection settings
      - Executes dropped EXE
      - Windows security modification
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken

    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\cacf81Gx35.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\cacf81Gx35.exe
      PID: 788
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (1)
  - Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (1)
  - Windows Service (1)
Downloads

Filesize: 398KB
MD5: 3d4d0e2c8a25d58c76ca3d1e7221ab0b
SHA1: a56cbd29feb149ae1c033cd0041e7cfa7d75b711
SHA256: 1a442686485d2cad803f0cc908901d3bdce8956faf08587cd05e0b59ce8597c0
SHA512: cd1c0c4b5b1e9ebc558b9befaa9319b9eac551e1d1ef213d7c747402d806c1967c92572845cc0e272f3a607d310fc25e964eb632d5cf5cd6eba557b06a3f875a

Filesize: 14KB
MD5: c7b92d5450b8f885138e004cce13aef3
SHA1: 941b75883f31ce0d7056d014e8fb7c1ea4c84a2b
SHA256: bc469f902a6ac6f91a856f73d4a11322c2d8d17e5fb48d76a1caef1889712eaa
SHA512: d17fba880d09390c8f04055b87e000b530e9c254da5579a748b38b1657f18ae1232e1fe681a2f316997134d63c1798c077c0d13298f59340a982951422a8951b

Filesize: 367KB
MD5: 1d723ff94958004611f8d9036d32a484
SHA1: 494b2b1df04dd00bd4a6582ca026b45ed1e26f5e
SHA256: ce58c79e2d8396ebc000387ba86ec87273d28bd7dfa8310c49c59b22c7de42af
SHA512: 9738bf0e92ad9b1f526a48a4262410186a961e0aa9e04ef1ecc4769b29d92339f46e331a65810ce72b27df319260ac8aba0636742690e95bc34f6d59fbf2ff61