Analysis
- max time kernel: 143s
- max time network: 147s
- platform: windows10-2004_x64
- resource: win10v2004-20241007-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 11/11/2024, 06:49

Static task: static1
Behavioral task: behavioral1
- Sample: 8ccb179fcd8faa6adea45558d2ce9f8137d717987b9b8db106d5607df732b460.exe
- Resource: win10v2004-20241007-en
General
- Target: 8ccb179fcd8faa6adea45558d2ce9f8137d717987b9b8db106d5607df732b460.exe
- Size: 1.2MB
- MD5: 5531f35e2226a6f67799a3205b6fc301
- SHA1: 211405312ee7bf331d7d33156b8fc49cc1b92cc0
- SHA256: 8ccb179fcd8faa6adea45558d2ce9f8137d717987b9b8db106d5607df732b460
- SHA512: a5c5c1137f8acef3f7de76c9c575e4a00813e0680a20fc639540461b9991abdc5d7e0485cb9bdf433cda8ffa1ded82ffb1f6973956ccb94cddbaa8ca37033b37
- SSDEEP: 24576:Ay/IQrDpDsccR4b3A3ViAPawAUm8YugM8+mEOKiPeukaaWvChZ:HbDOR4dAP/S88+FiP7mWah
Malware Config
Extracted
- Family: redline
- Botnet: rumfa
- C2: 193.233.20.24:4123
- auth_value: 749d02a6b4ef1fa2ad908e44ec2296dc
Signatures

Detects Healer an antivirus disabler dropper (2 IoCs)
- behavioral1/files/0x000b000000023b7f-33.dat (yara_rule: healer)
- behavioral1/memory/3992-35-0x0000000000730000-0x000000000073A000-memory.dmp (yara_rule: healer)

Healer family

Modifies Windows Defender Real-time Protection settings
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" (busB72HL15.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" (busB72HL15.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" (busB72HL15.exe)
- Key created: \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection (busB72HL15.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" (busB72HL15.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" (busB72HL15.exe)
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.

RedLine payload (35 IoCs)
Redline family
Executes dropped EXE (6 IoCs)
- PID 4288: plmi85NI84.exe
- PID 4340: plDD21Ve37.exe
- PID 1452: plic29Eo01.exe
- PID 3852: plpg88gB90.exe
- PID 3992: busB72HL15.exe
- PID 2580: caKs38YK50.exe

Windows security modification
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" (busB72HL15.exe)
Adds Run key to start application (2 TTPs, 5 IoCs)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" (plic29Eo01.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\"" (plpg88gB90.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" (8ccb179fcd8faa6adea45558d2ce9f8137d717987b9b8db106d5607df732b460.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" (plmi85NI84.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" (plDD21Ve37.exe)
System Location Discovery: System Language Discovery (1 TTPs, 6 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (8ccb179fcd8faa6adea45558d2ce9f8137d717987b9b8db106d5607df732b460.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (plmi85NI84.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (plDD21Ve37.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (plic29Eo01.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (plpg88gB90.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (caKs38YK50.exe)
Suspicious behavior: EnumeratesProcesses (2 IoCs)
- PID 3992: busB72HL15.exe
- PID 3992: busB72HL15.exe

Suspicious use of AdjustPrivilegeToken (2 IoCs)
- Token: SeDebugPrivilege, PID 3992 (busB72HL15.exe)
- Token: SeDebugPrivilege, PID 2580 (caKs38YK50.exe)

Suspicious use of WriteProcessMemory (17 IoCs)
- PID 4768 wrote to memory of 4288 (8ccb179fcd8faa6adea45558d2ce9f8137d717987b9b8db106d5607df732b460.exe, procid_target 83)
- PID 4768 wrote to memory of 4288 (8ccb179fcd8faa6adea45558d2ce9f8137d717987b9b8db106d5607df732b460.exe, procid_target 83)
- PID 4768 wrote to memory of 4288 (8ccb179fcd8faa6adea45558d2ce9f8137d717987b9b8db106d5607df732b460.exe, procid_target 83)
- PID 4288 wrote to memory of 4340 (plmi85NI84.exe, procid_target 84)
- PID 4288 wrote to memory of 4340 (plmi85NI84.exe, procid_target 84)
- PID 4288 wrote to memory of 4340 (plmi85NI84.exe, procid_target 84)
- PID 4340 wrote to memory of 1452 (plDD21Ve37.exe, procid_target 85)
- PID 4340 wrote to memory of 1452 (plDD21Ve37.exe, procid_target 85)
- PID 4340 wrote to memory of 1452 (plDD21Ve37.exe, procid_target 85)
- PID 1452 wrote to memory of 3852 (plic29Eo01.exe, procid_target 86)
- PID 1452 wrote to memory of 3852 (plic29Eo01.exe, procid_target 86)
- PID 1452 wrote to memory of 3852 (plic29Eo01.exe, procid_target 86)
- PID 3852 wrote to memory of 3992 (plpg88gB90.exe, procid_target 88)
- PID 3852 wrote to memory of 3992 (plpg88gB90.exe, procid_target 88)
- PID 3852 wrote to memory of 2580 (plpg88gB90.exe, procid_target 100)
- PID 3852 wrote to memory of 2580 (plpg88gB90.exe, procid_target 100)
- PID 3852 wrote to memory of 2580 (plpg88gB90.exe, procid_target 100)
Processes (indentation shows parent/child; the leading number is the depth in the process tree)

1. C:\Users\Admin\AppData\Local\Temp\8ccb179fcd8faa6adea45558d2ce9f8137d717987b9b8db106d5607df732b460.exe (PID 4768)
   Command line: "C:\Users\Admin\AppData\Local\Temp\8ccb179fcd8faa6adea45558d2ce9f8137d717987b9b8db106d5607df732b460.exe"
   Signatures: Adds Run key to start application; System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\plmi85NI84.exe (PID 4288)
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\plmi85NI84.exe
      Signatures: Executes dropped EXE; Adds Run key to start application; System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
      3. C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\plDD21Ve37.exe (PID 4340)
         Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\plDD21Ve37.exe
         Signatures: Executes dropped EXE; Adds Run key to start application; System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
         4. C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\plic29Eo01.exe (PID 1452)
            Command line: C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\plic29Eo01.exe
            Signatures: Executes dropped EXE; Adds Run key to start application; System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
            5. C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\plpg88gB90.exe (PID 3852)
               Command line: C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\plpg88gB90.exe
               Signatures: Executes dropped EXE; Adds Run key to start application; System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
               6. C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\busB72HL15.exe (PID 3992)
                  Command line: C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\busB72HL15.exe
                  Signatures: Modifies Windows Defender Real-time Protection settings; Executes dropped EXE; Windows security modification; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
               6. C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\caKs38YK50.exe (PID 2580)
                  Command line: C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\caKs38YK50.exe
                  Signatures: Executes dropped EXE; System Location Discovery: System Language Discovery; Suspicious use of AdjustPrivilegeToken
Network

MITRE ATT&CK Enterprise v15
- Persistence
  - Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
  - Create or Modify System Process (1): Windows Service (1)