Analysis
max time kernel: 149s
max time network: 150s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 11/11/2024, 06:46
Static task: static1
Behavioral task: behavioral1
Sample: fb9e293be756bbcdbaa9affcaa6108114dc1593329c07d06806d287f6cd82719.exe
Resource: win10v2004-20241007-en
General
Target: fb9e293be756bbcdbaa9affcaa6108114dc1593329c07d06806d287f6cd82719.exe
Size: 1.2MB
MD5: 50bfcad72d29ea623304a5dd04e5484a
SHA1: fee6cb10bb79f1123a15e45b33ae3ada569a8b79
SHA256: fb9e293be756bbcdbaa9affcaa6108114dc1593329c07d06806d287f6cd82719
SHA512: 8ddc023abc38d50b85f399b553304dfc2fe0e87ace41927671d27bdbf4f7de9b9295fe83deee2fa8fc529d1b1f79c5c5a1babb0ae4ba8cf67e1745dd5294161d
SSDEEP: 12288:mMrty90THAM0KOYt7ooDKatQGRlffRJmBZu7eUJur93EIGImGRRahYL2Sxl6hnsI:Tyy7/Q6OUJJIl1YhYKeWA3/G4itiywg
Malware Config
Extracted
Family: redline
Botnet: rouch
C2: 193.56.146.11:4162
auth_value: 1b1735bcfc122c708eae27ca352568de
Signatures

Detects Healer, an antivirus disabler dropper 2 IoCs
resource | yara_rule
behavioral1/files/0x0008000000023cb9-33.dat | healer
behavioral1/memory/2356-35-0x0000000000FC0000-0x0000000000FCA000-memory.dmp | healer

Healer family

Modifies Windows Defender Real-time Protection settings 6 IoCs
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | buxz12Qp46.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | buxz12Qp46.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | buxz12Qp46.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | buxz12Qp46.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | buxz12Qp46.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | buxz12Qp46.exe
All six writes come from buxz12Qp46.exe (PID 2356), the same process whose memory matched the Healer rule above: the Healer stage runs first and switches off real-time scanning before the RedLine stage is started.
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 35 IoCs
resource | yara_rule
behavioral1/memory/212-41-0x00000000049F0000-0x0000000004A36000-memory.dmp | family_redline
behavioral1/memory/212-43-0x0000000004B40000-0x0000000004B84000-memory.dmp | family_redline
behavioral1/memory/212-N-0x0000000004B40000-0x0000000004B7E000-memory.dmp for N in 44, 45, 47, 49, 51, 53, 55, 57, 59, 61, 63, 65, 67, 69, 72, 73, 75, 77, 79, 81, 83, 85, 87, 89, 91, 93, 95, 97, 99, 101, 103, 105, 107 (33 dumps of the same region of PID 212) | family_redline
Redline family

Executes dropped EXE 6 IoCs
pid | Process
4120 | plKm15iQ00.exe
3696 | plpa03rq83.exe
2840 | plja71gS40.exe
4516 | plWN70gW84.exe
2356 | buxz12Qp46.exe
212 | cadz01Ca85.exe

Windows security modification 1 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" | buxz12Qp46.exe
This is an attempt to switch Tamper Protection off by writing its registry value directly; on a host where Tamper Protection is enabled that value is protected and the write does not take effect, so the attempt itself is the indicator.
Adds Run key to start application 2 TTPs 5 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | fb9e293be756bbcdbaa9affcaa6108114dc1593329c07d06806d287f6cd82719.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | plKm15iQ00.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" | plpa03rq83.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" | plja71gS40.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\"" | plWN70gW84.exe
Caveat: the wextract_cleanupN values are written by the IExpress/wextract self-extractor stub, not by attacker code. Each one asks advpack.dll's DelNodeRunDLL32 to delete the matching IXP00N.TMP extraction directory at next logon, so the five entries are evidence of five nested self-extracting layers (IXP000 through IXP004), one per dropper stage in the process tree. No other autostart entry appears in this report's signatures.
System Location Discovery: System Language Discovery 1 TTPs 6 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | fb9e293be756bbcdbaa9affcaa6108114dc1593329c07d06806d287f6cd82719.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | plKm15iQ00.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | plpa03rq83.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | plja71gS40.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | plWN70gW84.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cadz01Ca85.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs
pid | Process
2356 | buxz12Qp46.exe
2356 | buxz12Qp46.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs
description | pid | Process
Token: SeDebugPrivilege | 2356 | buxz12Qp46.exe
Token: SeDebugPrivilege | 212 | cadz01Ca85.exe

Suspicious use of WriteProcessMemory 17 IoCs
description | pid | Process | procid_target
PID 1104 wrote to memory of 4120 | 1104 | fb9e293be756bbcdbaa9affcaa6108114dc1593329c07d06806d287f6cd82719.exe | 83 (3 identical entries)
PID 4120 wrote to memory of 3696 | 4120 | plKm15iQ00.exe | 85 (3 identical entries)
PID 3696 wrote to memory of 2840 | 3696 | plpa03rq83.exe | 87 (3 identical entries)
PID 2840 wrote to memory of 4516 | 2840 | plja71gS40.exe | 88 (3 identical entries)
PID 4516 wrote to memory of 2356 | 4516 | plWN70gW84.exe | 90 (2 identical entries)
PID 4516 wrote to memory of 212 | 4516 | plWN70gW84.exe | 98 (3 identical entries)
Processes

C:\Users\Admin\AppData\Local\Temp\fb9e293be756bbcdbaa9affcaa6108114dc1593329c07d06806d287f6cd82719.exe (depth 1, PID 1104)
  Command line: "C:\Users\Admin\AppData\Local\Temp\fb9e293be756bbcdbaa9affcaa6108114dc1593329c07d06806d287f6cd82719.exe"
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\plKm15iQ00.exe (depth 2, PID 4120)
    Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\plKm15iQ00.exe
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\plpa03rq83.exe (depth 3, PID 3696)
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\plpa03rq83.exe
      - Executes dropped EXE
      - Adds Run key to start application
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\plja71gS40.exe (depth 4, PID 2840)
        Command line: C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\plja71gS40.exe
        - Executes dropped EXE
        - Adds Run key to start application
        - System Location Discovery: System Language Discovery
        - Suspicious use of WriteProcessMemory
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\plWN70gW84.exe (depth 5, PID 4516)
          Command line: C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\plWN70gW84.exe
          - Executes dropped EXE
          - Adds Run key to start application
          - System Location Discovery: System Language Discovery
          - Suspicious use of WriteProcessMemory
          C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\buxz12Qp46.exe (depth 6, PID 2356)
            Command line: C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\buxz12Qp46.exe
            - Modifies Windows Defender Real-time Protection settings
            - Executes dropped EXE
            - Windows security modification
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken
          C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\cadz01Ca85.exe (depth 6, PID 212)
            Command line: C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\cadz01Ca85.exe
            - Executes dropped EXE
            - System Location Discovery: System Language Discovery
            - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Persistence
  Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder (1)
  Create or Modify System Process: Windows Service (1)
Downloads
Dropped files available from the sandbox; the report does not map them to the process names above.

Filesize: 1.0MB
MD5: 11462e068f11faff85171d9873373f75
SHA1: 8ba525be5b75a11fb7f7dce9967136fd29a4e754
SHA256: 7ee1a8ac396b3cd754c42bdd957fa1e00b1ef575f4eb8ba4d19f31d6b97270b9
SHA512: 201fa9dcb54d139dd508a895b2235bd9ce73995aeaca2f686d98b52ceaf2204874b97efe89b519bc385d7cdb158deb0548fc73eb3753be8f9c2ecb15ca29a634

Filesize: 974KB
MD5: 6ee11fe378a08f269781165b66e3780d
SHA1: ba7927b981dca0dbce9ccd9d4fee3db2504da960
SHA256: a9a2f9e8fcbb643439c822131dbafc2613e9d111df0cfd1ed81df53b146bc19d
SHA512: eca830365adffece2c82e046dd6a0017a0f9a9452e987cc5f38f9b75fc29ec4b462fdc2fc31190d21b139c7c93f84790d788b813ff9f0c755f14ddeefcc27941

Filesize: 692KB
MD5: 3871f08e02bcab2e42b33397b9f72c07
SHA1: 9725fe4325783baa2ef9ff571244b983da71a420
SHA256: 0aa39174c4a31ba950861bf5c8362de5c8fb6db1ff699b29b2be44c12559df3e
SHA512: b598a8a1cbcf2c61b5ff2af08b276fec9f3984a187c75fe0e39b010441ab6201879511dd1c387a5c5982bb3d35b70747a4747a6472add6cc340db47d277c9de5

Filesize: 404KB
MD5: c57afb423d0f47dc19c0f7c517fb4b92
SHA1: a1d62492b4dc19e766e25fa11a9044dfd20da61c
SHA256: 0353b11cf93f02e9648278bebc88cc9e54fcf4932764b4aafdeb07e7d06467c7
SHA512: 2b60642662558030ee252442bd6f5fca2a7cce8ff7a4ba26a8294571b35ff509b574bf1dd6cdd4f704f552acd933c60724dfd77af137c589f304d0e6ca9b8019

Filesize: 12KB
MD5: 102966585816bcda269165e0785f39df
SHA1: 5a351f0bbe9a27b961b939aa639dd7c3e312b3fe
SHA256: c6babb3ca19027457fdce2f4afbf9a1d03226889ac4cdb199dcf3bfb3482ca13
SHA512: bf8a031209932d3e257b34b65685e94a0043de927078cedc0aa0d7fff3ff1cb3ea1132f3b5a55fe953f4a4e313c9e2983521417a6fa989e3ed3505cb3a6f5d40

Filesize: 380KB
MD5: a3da8951bb23f305fd251958e8535aa4
SHA1: ef6115e81f6e8a5a7ed3428db8ff7e34619e7e54
SHA256: 786dcca370472e838015aaff2797f569f05b3fe168087a60e95294354ced715a
SHA512: be73e7708641e3d8d8f3f7b9136287bdf4de58798dd98ba5b03d1e486ff97aafcba07f428d135c87cb84098595e711a64d72b3ec43100375049d49d88618fe9d