Analysis
- max time kernel: 144s
- max time network: 146s
- platform: windows7_x64
- resource: win7-20240903-en
- resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
- submitted: 11/11/2024, 06:53
Static task: static1

Behavioral task: behavioral1
- Sample: c28b71d62c7875261590da26e4271f0f682faaea6cfb83192f74cd4e0d50b3e5.exe
- Resource: win7-20240903-en

Behavioral task: behavioral2
- Sample: c28b71d62c7875261590da26e4271f0f682faaea6cfb83192f74cd4e0d50b3e5.exe
- Resource: win10v2004-20241007-en
General
- Target: c28b71d62c7875261590da26e4271f0f682faaea6cfb83192f74cd4e0d50b3e5.exe
- Size: 721KB
- MD5: cb33d2aafdeaeca45715c8042989ec57
- SHA1: ed79954fabd7995e33ce200f272a651055bef695
- SHA256: c28b71d62c7875261590da26e4271f0f682faaea6cfb83192f74cd4e0d50b3e5
- SHA512: 70252ef4d8e3bc040d05265d033d98251adaa4ade99059cc7c89066f57294184923836a0f7023abec97a6280ee8e46b00b98c72978700c3f11c90c6ac1213bda
- SSDEEP: 12288:jE3ieHoOpxJokeOBsPjWw+1CJBEWQuaG6vRIo3EUz3yzXF8cs9rZu:36oOfJomiZ+1tTfZP3EiizORrk
Malware Config
Extracted
- Family: redline
- Botnet: boris
- C2: 193.233.20.32:4125
- auth_value: 766b5bdf6dbefcf7ca223351952fc38f
Signatures

Detects Healer, an antivirus disabler dropper (2 IoCs)
Resource | YARA rule
behavioral1/files/0x000800000001922c-18.dat | healer
behavioral1/memory/2320-22-0x0000000000CA0000-0x0000000000CAA000-memory.dmp | healer

Healer family

Modifies Windows Defender Real-time Protection settings (6 IoCs)
Description | IoC | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | jr395234.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | jr395234.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | jr395234.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | jr395234.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | jr395234.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | jr395234.exe
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
RedLine payload (34 IoCs)
Redline family
Executes dropped EXE (3 IoCs)
PID | Process
1992 | zihW1524.exe
2320 | jr395234.exe
2960 | ku679542.exe

Loads dropped DLL (6 IoCs)
PID | Process
2472 | c28b71d62c7875261590da26e4271f0f682faaea6cfb83192f74cd4e0d50b3e5.exe
1992 | zihW1524.exe
1992 | zihW1524.exe
1992 | zihW1524.exe
1992 | zihW1524.exe
2960 | ku679542.exe
Windows security modification (2 IoCs)
Description | IoC | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features | jr395234.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" | jr395234.exe
Adds Run key to start application (2 TTPs, 2 IoCs)
Description | IoC | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | c28b71d62c7875261590da26e4271f0f682faaea6cfb83192f74cd4e0d50b3e5.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | zihW1524.exe
System Location Discovery: System Language Discovery (1 TTPs, 3 IoCs)
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
Description | IoC | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | ku679542.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | c28b71d62c7875261590da26e4271f0f682faaea6cfb83192f74cd4e0d50b3e5.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | zihW1524.exe
Suspicious behavior: EnumeratesProcesses (2 IoCs)
PID | Process
2320 | jr395234.exe
2320 | jr395234.exe

Suspicious use of AdjustPrivilegeToken (2 IoCs)
Description | PID | Process
Token: SeDebugPrivilege | 2320 | jr395234.exe
Token: SeDebugPrivilege | 2960 | ku679542.exe

Suspicious use of WriteProcessMemory (21 IoCs)
Processes
- C:\Users\Admin\AppData\Local\Temp\c28b71d62c7875261590da26e4271f0f682faaea6cfb83192f74cd4e0d50b3e5.exe (PID 2472)
  Command line: "C:\Users\Admin\AppData\Local\Temp\c28b71d62c7875261590da26e4271f0f682faaea6cfb83192f74cd4e0d50b3e5.exe"
  - Loads dropped DLL
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zihW1524.exe (PID 1992)
    Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zihW1524.exe
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr395234.exe (PID 2320)
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr395234.exe
      - Modifies Windows Defender Real-time Protection settings
      - Executes dropped EXE
      - Windows security modification
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
    - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku679542.exe (PID 2960)
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku679542.exe
      - Executes dropped EXE
      - Loads dropped DLL
      - System Location Discovery: System Language Discovery
      - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (1)
  - Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (1)
  - Windows Service (1)
Downloads

File 1
- Filesize: 411KB
- MD5: c31bfc218dc4b4bc62d8deffd5ee697b
- SHA1: 56985a2622bfdf6d05f069e05593fe75dfb53c2f
- SHA256: 2f6bbe6ecc31cdb88d3bf571e99f3d04bf1e1fcb1ce8173c06259e8acd70c002
- SHA512: fdea666d04f6a95393ab7da59440fe7a9680d996d8cf72ec84d8e5942c691634634ef0fa47382b791755e69f64627c31ae2a784734756aad25afcf1def76a059

File 2
- Filesize: 11KB
- MD5: ef81976e2567c13c535b6fbb9c7d0449
- SHA1: 686f13926bd592e6e2e3299d2289a7a91aab4016
- SHA256: 007180bcbbb47134203165b2d135856a2a8d5797b1b1b8517d5a72ae5ae49a79
- SHA512: d055f442afb631863b82f358c4923608c5e83959a03ae41ab5dabd55036259b41bdde31e0985935cca1fb75e645b7ff92340c795421e54c1b2f65539ebe5cba0

File 3
- Filesize: 383KB
- MD5: dc6982d18197b20cf779fe63bbb3d121
- SHA1: 45fd57ac612df4cf75c9c7c2c5d6cac54375d91a
- SHA256: 10a0c4a7dc771f95230157b49db44efa4ed4086bc0555eb8a2fd0c7f8ad989d6
- SHA512: b60efef987a10ea3b72ee66a97e51cf2169375607a331997a8dabca6d2134391e9c8e20984ecc517ac03a2d5d04cb0de2514ad411522c5114825197c81a45e52