Analysis
max time kernel: 143s
max time network: 147s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 11/11/2024, 06:52
Static task: static1
Behavioral task: behavioral1
Sample: a32b0d149c969cf5c2851ba4950a0784eba7cccd0300339a0462b94db2551219.exe
Resource: win10v2004-20241007-en
General
Target: a32b0d149c969cf5c2851ba4950a0784eba7cccd0300339a0462b94db2551219.exe
Size: 1.2MB
MD5: d276ff784f35306c615c20b4e8fe43cd
SHA1: 9a560c865db3ee6bb62ede76e6fe34d3c5fab7fb
SHA256: a32b0d149c969cf5c2851ba4950a0784eba7cccd0300339a0462b94db2551219
SHA512: bfe718aba795220f597732f500940da6b8b768152f7b73ecaf7fae1e3848ba6a3d7c889b3808f349db7c26ffd8f32dfe9e4f02db8e92a7e50461dba020499e8f
SSDEEP: 24576:yyo4LJMa/2VXTtFgC2X7N0MdlYT+tN1WyTTOOlAK:Zo4tFmXTtFvsrdmT+tNnOk
Malware Config
Extracted
Family: redline
Botnet: rouch
C2: 193.56.146.11:4162
auth_value: 1b1735bcfc122c708eae27ca352568de
Signatures
Detects Healer, an antivirus-disabler dropper 2 IoCs
resource | yara_rule
behavioral1/files/0x0008000000023c7e-32.dat | healer
behavioral1/memory/628-35-0x0000000000FA0000-0x0000000000FAA000-memory.dmp | healer

Healer family

Modifies Windows Defender Real-time Protection settings 6 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | bupD17GK38.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | bupD17GK38.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | bupD17GK38.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | bupD17GK38.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | bupD17GK38.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | bupD17GK38.exe
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
RedLine payload 35 IoCs
resource | yara_rule
behavioral1/memory/5056-41-0x0000000004CA0000-0x0000000004CE6000-memory.dmp | family_redline
behavioral1/memory/5056-43-0x00000000071C0000-0x0000000007204000-memory.dmp | family_redline
behavioral1/memory/5056-107-0x00000000071C0000-0x00000000071FE000-memory.dmp | family_redline
behavioral1/memory/5056-85-0x00000000071C0000-0x00000000071FE000-memory.dmp | family_redline
behavioral1/memory/5056-59-0x00000000071C0000-0x00000000071FE000-memory.dmp | family_redline
behavioral1/memory/5056-47-0x00000000071C0000-0x00000000071FE000-memory.dmp | family_redline
behavioral1/memory/5056-45-0x00000000071C0000-0x00000000071FE000-memory.dmp | family_redline
behavioral1/memory/5056-44-0x00000000071C0000-0x00000000071FE000-memory.dmp | family_redline
behavioral1/memory/5056-105-0x00000000071C0000-0x00000000071FE000-memory.dmp | family_redline
behavioral1/memory/5056-103-0x00000000071C0000-0x00000000071FE000-memory.dmp | family_redline
behavioral1/memory/5056-101-0x00000000071C0000-0x00000000071FE000-memory.dmp | family_redline
behavioral1/memory/5056-99-0x00000000071C0000-0x00000000071FE000-memory.dmp | family_redline
behavioral1/memory/5056-97-0x00000000071C0000-0x00000000071FE000-memory.dmp | family_redline
behavioral1/memory/5056-95-0x00000000071C0000-0x00000000071FE000-memory.dmp | family_redline
behavioral1/memory/5056-93-0x00000000071C0000-0x00000000071FE000-memory.dmp | family_redline
behavioral1/memory/5056-91-0x00000000071C0000-0x00000000071FE000-memory.dmp | family_redline
behavioral1/memory/5056-89-0x00000000071C0000-0x00000000071FE000-memory.dmp | family_redline
behavioral1/memory/5056-87-0x00000000071C0000-0x00000000071FE000-memory.dmp | family_redline
behavioral1/memory/5056-83-0x00000000071C0000-0x00000000071FE000-memory.dmp | family_redline
behavioral1/memory/5056-81-0x00000000071C0000-0x00000000071FE000-memory.dmp | family_redline
behavioral1/memory/5056-79-0x00000000071C0000-0x00000000071FE000-memory.dmp | family_redline
behavioral1/memory/5056-77-0x00000000071C0000-0x00000000071FE000-memory.dmp | family_redline
behavioral1/memory/5056-75-0x00000000071C0000-0x00000000071FE000-memory.dmp | family_redline
behavioral1/memory/5056-74-0x00000000071C0000-0x00000000071FE000-memory.dmp | family_redline
behavioral1/memory/5056-71-0x00000000071C0000-0x00000000071FE000-memory.dmp | family_redline
behavioral1/memory/5056-69-0x00000000071C0000-0x00000000071FE000-memory.dmp | family_redline
behavioral1/memory/5056-67-0x00000000071C0000-0x00000000071FE000-memory.dmp | family_redline
behavioral1/memory/5056-65-0x00000000071C0000-0x00000000071FE000-memory.dmp | family_redline
behavioral1/memory/5056-63-0x00000000071C0000-0x00000000071FE000-memory.dmp | family_redline
behavioral1/memory/5056-61-0x00000000071C0000-0x00000000071FE000-memory.dmp | family_redline
behavioral1/memory/5056-57-0x00000000071C0000-0x00000000071FE000-memory.dmp | family_redline
behavioral1/memory/5056-55-0x00000000071C0000-0x00000000071FE000-memory.dmp | family_redline
behavioral1/memory/5056-53-0x00000000071C0000-0x00000000071FE000-memory.dmp | family_redline
behavioral1/memory/5056-51-0x00000000071C0000-0x00000000071FE000-memory.dmp | family_redline
behavioral1/memory/5056-49-0x00000000071C0000-0x00000000071FE000-memory.dmp | family_redline
Redline family
Executes dropped EXE 6 IoCs
pid | Process
2576 | plGH94Iw82.exe
3284 | plfB14wT30.exe
1432 | plpu34PR48.exe
2616 | plub66qY66.exe
628 | bupD17GK38.exe
5056 | caIZ03ex15.exe

Windows security modification 1 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" | bupD17GK38.exe
Adds Run key to start application 2 TTPs 5 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" | plfB14wT30.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" | plpu34PR48.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\"" | plub66qY66.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | a32b0d149c969cf5c2851ba4950a0784eba7cccd0300339a0462b94db2551219.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | plGH94Iw82.exe
These RunOnce values are the stock cleanup stubs written by the Windows self-extractor (wextract, the IExpress runtime): each one deletes its IXP00n.TMP extraction directory at the next logon. They show that the sample is a chain of five nested self-extracting packages rather than persistence installed by the malware itself.
System Location Discovery: System Language Discovery 1 TTPs 6 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | plfB14wT30.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | plpu34PR48.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | plub66qY66.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | caIZ03ex15.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | a32b0d149c969cf5c2851ba4950a0784eba7cccd0300339a0462b94db2551219.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | plGH94Iw82.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs
pid | Process
628 | bupD17GK38.exe
628 | bupD17GK38.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs
description | pid | Process
Token: SeDebugPrivilege | 628 | bupD17GK38.exe
Token: SeDebugPrivilege | 5056 | caIZ03ex15.exe

Suspicious use of WriteProcessMemory 17 IoCs
description | pid | Process | procid_target
PID 436 wrote to memory of 2576 | 436 | a32b0d149c969cf5c2851ba4950a0784eba7cccd0300339a0462b94db2551219.exe | 85
PID 436 wrote to memory of 2576 | 436 | a32b0d149c969cf5c2851ba4950a0784eba7cccd0300339a0462b94db2551219.exe | 85
PID 436 wrote to memory of 2576 | 436 | a32b0d149c969cf5c2851ba4950a0784eba7cccd0300339a0462b94db2551219.exe | 85
PID 2576 wrote to memory of 3284 | 2576 | plGH94Iw82.exe | 86
PID 2576 wrote to memory of 3284 | 2576 | plGH94Iw82.exe | 86
PID 2576 wrote to memory of 3284 | 2576 | plGH94Iw82.exe | 86
PID 3284 wrote to memory of 1432 | 3284 | plfB14wT30.exe | 88
PID 3284 wrote to memory of 1432 | 3284 | plfB14wT30.exe | 88
PID 3284 wrote to memory of 1432 | 3284 | plfB14wT30.exe | 88
PID 1432 wrote to memory of 2616 | 1432 | plpu34PR48.exe | 89
PID 1432 wrote to memory of 2616 | 1432 | plpu34PR48.exe | 89
PID 1432 wrote to memory of 2616 | 1432 | plpu34PR48.exe | 89
PID 2616 wrote to memory of 628 | 2616 | plub66qY66.exe | 90
PID 2616 wrote to memory of 628 | 2616 | plub66qY66.exe | 90
PID 2616 wrote to memory of 5056 | 2616 | plub66qY66.exe | 96
PID 2616 wrote to memory of 5056 | 2616 | plub66qY66.exe | 96
PID 2616 wrote to memory of 5056 | 2616 | plub66qY66.exe | 96
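The following host-triage script is an added example; it is not part of the sandbox report and is not code from the malware or from any tool the report names. It looks for the artifacts the signatures above describe on a live Windows host: the Defender policy values Healer sets to 1 and the TamperProtection flag it sets to 0, the wextract_cleanup RunOnce stubs and IXP00n.TMP extraction directories left by the nested self-extractors, and a live connection to the RedLine C2 from the extracted config. The registry paths, value names and C2 endpoint are taken from the report; the variable names and the C:\Users\*\AppData\Local\Temp path pattern (the report shows only the Admin profile) are this example's own assumptions. Run it from an elevated PowerShell session.

```powershell
# Added host-triage example (not from the sandbox report). Assumes elevation;
# variable names and the C:\Users\* path pattern are this example's own.
$findings = [System.Collections.Generic.List[string]]::new()

# 1. Defender real-time protection policy values Healer (bupD17GK38.exe) sets to 1
$rtpKey    = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection'
$rtpValues = 'DisableRealtimeMonitoring', 'DisableScanOnRealtimeEnable',
             'DisableBehaviorMonitoring', 'DisableIOAVProtection', 'DisableOnAccessProtection'
if (Test-Path $rtpKey) {
    $props = Get-ItemProperty -Path $rtpKey
    foreach ($name in $rtpValues) {
        if ($props.PSObject.Properties[$name] -and $props.$name -eq 1) {
            $findings.Add("Defender policy $name = 1 under $rtpKey")
        }
    }
}

# 2. TamperProtection flag the same dropper sets to 0 (reported as "Windows security modification")
$featKey = 'HKLM:\SOFTWARE\Microsoft\Windows Defender\Features'
$tp = (Get-ItemProperty -Path $featKey -Name TamperProtection -ErrorAction SilentlyContinue).TamperProtection
if ($tp -eq 0) { $findings.Add("TamperProtection = 0 under $featKey") }

# 3. Effective state as Defender itself reports it; a mismatch with the registry
#    values above means Tamper Protection absorbed the change
$mp = Get-MpComputerStatus -ErrorAction SilentlyContinue
if ($mp) {
    if (-not $mp.IsTamperProtected)          { $findings.Add('Defender Tamper Protection is OFF') }
    if (-not $mp.RealTimeProtectionEnabled)  { $findings.Add('Defender real-time protection is OFF') }
    if (-not $mp.BehaviorMonitorEnabled)     { $findings.Add('Defender behavior monitoring is OFF') }
    if (-not $mp.IoavProtectionEnabled)      { $findings.Add('Defender IOAV protection is OFF') }
    if (-not $mp.OnAccessProtectionEnabled)  { $findings.Add('Defender on-access protection is OFF') }
}

# 4. wextract cleanup stubs: RunOnce\wextract_cleanupN values (the chain is 32-bit,
#    so the sandbox saw them under WOW6432Node) and leftover IXP00N.TMP directories
$runOnceKeys = 'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce',
               'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
foreach ($runOnce in $runOnceKeys) {
    if (Test-Path $runOnce) {
        (Get-ItemProperty -Path $runOnce).PSObject.Properties |
            Where-Object { $_.Name -like 'wextract_cleanup*' } |
            ForEach-Object { $findings.Add("$runOnce\$($_.Name) = $($_.Value)") }
    }
}
Get-Item -Path 'C:\Users\*\AppData\Local\Temp\IXP*.TMP' -ErrorAction SilentlyContinue |
    Where-Object { $_.PSIsContainer } |
    ForEach-Object { $findings.Add("Leftover extraction directory $($_.FullName)") }

# 5. Live connection to the RedLine C2 from the extracted config
$c2Ip = '193.56.146.11'; $c2Port = 4162
Get-NetTCPConnection -RemoteAddress $c2Ip -RemotePort $c2Port -ErrorAction SilentlyContinue |
    ForEach-Object { $findings.Add("PID $($_.OwningProcess) connected to ${c2Ip}:$c2Port ($($_.State))") }

if ($findings.Count) { $findings | ForEach-Object { "[!] $_" } } else { '[+] no artifacts from this chain found' }
```

The policy values under HKLM\SOFTWARE\Policies\Microsoft\Windows Defender take effect only when Tamper Protection is off, which is why the chain also writes TamperProtection = 0; on a host where Tamper Protection is on, Defender keeps the protections running regardless of what the registry says, so compare the registry findings against the Get-MpComputerStatus output rather than treating either alone as proof of disablement. The C2 check only catches a connection that is open at the moment the script runs; for historical contact, query proxy or firewall logs for 193.56.146.11:4162.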
Processes

C:\Users\Admin\AppData\Local\Temp\a32b0d149c969cf5c2851ba4950a0784eba7cccd0300339a0462b94db2551219.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\a32b0d149c969cf5c2851ba4950a0784eba7cccd0300339a0462b94db2551219.exe"
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID: 436

  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\plGH94Iw82.exe
    command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\plGH94Iw82.exe
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID: 2576

    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\plfB14wT30.exe
      command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\plfB14wT30.exe
      - Executes dropped EXE
      - Adds Run key to start application
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      PID: 3284

      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\plpu34PR48.exe
        command line: C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\plpu34PR48.exe
        - Executes dropped EXE
        - Adds Run key to start application
        - System Location Discovery: System Language Discovery
        - Suspicious use of WriteProcessMemory
        PID: 1432

        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\plub66qY66.exe
          command line: C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\plub66qY66.exe
          - Executes dropped EXE
          - Adds Run key to start application
          - System Location Discovery: System Language Discovery
          - Suspicious use of WriteProcessMemory
          PID: 2616

          C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\bupD17GK38.exe
            command line: C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\bupD17GK38.exe
            - Modifies Windows Defender Real-time Protection settings
            - Executes dropped EXE
            - Windows security modification
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken
            PID: 628

          C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\caIZ03ex15.exe
            command line: C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\caIZ03ex15.exe
            - Executes dropped EXE
            - System Location Discovery: System Language Discovery
            - Suspicious use of AdjustPrivilegeToken
            PID: 5056
MITRE ATT&CK Enterprise v15
Persistence
  Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
  Create or Modify System Process (1): Windows Service (1)
Downloads

Filesize: 1.0MB
MD5: 6b26dea5e48f18b0d8961866d33cf0d8
SHA1: ad2200771b613dcd42f9e3e3eceffcc7b7beda69
SHA256: 10d8a04ed97dd5bd3fcb08a1919c7e6ed3ca5f7e2a590b7485a59d0a8ee9e1aa
SHA512: 101f8e3121c9a89087d71cd2c174970bc2d15708ed339b8fee0d47efb7ffb3ee6a2fea0d0b1a01fd9599275e27dbe5753a8a9f0a796ddcef6807250fa1a92f6b

Filesize: 974KB
MD5: 1e5603fcee4409660bd62c9d64cb4186
SHA1: 03cc43ea6ebc62fcf000dc2a8cccab7f077ba30b
SHA256: 3d591d1bd9d7e544d84269fbdd5a8f9add21aa28acf95fba24b04868bdf33f35
SHA512: bcb6fbf01d023021705dc97526d109d245469e1862558e668857abc8bdce0ad471aa28dbadc2f7411a7b32be8a0fee16a8a9fe3758abd7ef877bdffff4b77b77

Filesize: 692KB
MD5: 38cbe723900d59aa753cc870e127a11d
SHA1: 6add57bcbd7d2fe555855058df7e8c9492fb6378
SHA256: 23724ec0e0cd8d384b7a82cd99085c963d7fd6dfee4e39e1789dcd301e7c777c
SHA512: b0a294e2c1ae6328e0223baf41f55f85b33adc7223c73f348744729ed743721ed3078373372086041c21e03f69a18d894fd9126111699c2144a980e5b1bf20c4

Filesize: 404KB
MD5: 40584ca476ac36edfee3d977d21c01f6
SHA1: eb4455335d7273b65f5438250e12a119d894f601
SHA256: b6ff83cbe5ecc27ba1162cc43a20cb660746faeb6ee722e3c46d6e2557ef8dd5
SHA512: c1bfd1264735e04f0a3f26d657d192f1476831bee9d2fb934ab43c5c436b8e1b18211c2d49d45c6889488591ce94d01deaa5c8cc2ffe6dddb72996d3806ffebc

Filesize: 12KB
MD5: 3af0ef8b7ecaaf53cd964b48f3974deb
SHA1: 1338a465c121496da656e0af915fdb3315a00a08
SHA256: 2060c541405bb9947bd61fb1a4b174fa3b00470c648accab963297fcda1e955b
SHA512: 8d81b46fa33238b5b09672e1cc6e0d3c13fa48f5789dd285c7c965c6b69835051dbc27bcf63f459e5d90a6bda2c3dd16901ec919d632120782e5a68b56449439

Filesize: 380KB
MD5: a3da8951bb23f305fd251958e8535aa4
SHA1: ef6115e81f6e8a5a7ed3428db8ff7e34619e7e54
SHA256: 786dcca370472e838015aaff2797f569f05b3fe168087a60e95294354ced715a
SHA512: be73e7708641e3d8d8f3f7b9136287bdf4de58798dd98ba5b03d1e486ff97aafcba07f428d135c87cb84098595e711a64d72b3ec43100375049d49d88618fe9d