Analysis
-
max time kernel
290s -
max time network
305s -
platform
windows7_x64 -
resource
win7-20230831-en -
resource tags
arch:x64arch:x86image:win7-20230831-enlocale:en-usos:windows7-x64system -
submitted
19-09-2023 06:52
Static task
static1
Behavioral task
behavioral1
Sample
x0152493.exe
Resource
win7-20230831-en
Behavioral task
behavioral2
Sample
x0152493.exe
Resource
win10-20230915-en
General
-
Target
x0152493.exe
-
Size
776KB
-
MD5
e5ed98e8c559c2b4fa39ac65df23acbc
-
SHA1
ac40f951df6670db14fc5b995d0837df900f53a2
-
SHA256
84d57ba5b907bee85896dd7e76ca5d0f1fc4ac8998062b0b97ea4d4e7b4e5ca9
-
SHA512
e8eb3c240e4f515582e8723b1d0d0046307876318f29388df163bb50f9f6f227da3ea29707d813b4b1dfa7ab6da1ef42c11088492a46cd74a344f69028111c00
-
SSDEEP
12288:mMr4y90Efv9ot3T+XRgplf4YR+LKRYQt4vXwqU0h7h6qnUfe/kRjvJYv+:iy+igplf1TZ+Y8VoqUfe/ejR
Malware Config
Extracted
redline
vasha
77.91.124.82:19071
-
auth_value
42fc61786274daca54d589b85a2c1954
Signatures
-
Detects Healer an antivirus disabler dropper 5 IoCs
Processes:
resource yara_rule behavioral1/memory/2760-35-0x0000000000400000-0x000000000040A000-memory.dmp healer behavioral1/memory/2760-36-0x0000000000400000-0x000000000040A000-memory.dmp healer behavioral1/memory/2760-38-0x0000000000400000-0x000000000040A000-memory.dmp healer behavioral1/memory/2760-40-0x0000000000400000-0x000000000040A000-memory.dmp healer behavioral1/memory/2760-42-0x0000000000400000-0x000000000040A000-memory.dmp healer -
Processes:
AppLaunch.exedescription ioc process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" AppLaunch.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" AppLaunch.exe Key created \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection AppLaunch.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" AppLaunch.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" AppLaunch.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" AppLaunch.exe -
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
Executes dropped EXE 4 IoCs
Processes:
x6103409.exex3716465.exeg4780743.exeh2391710.exepid process 2232 x6103409.exe 2580 x3716465.exe 3044 g4780743.exe 2868 h2391710.exe -
Loads dropped DLL 9 IoCs
Processes:
x0152493.exex6103409.exex3716465.exeg4780743.exeh2391710.exepid process 2980 x0152493.exe 2232 x6103409.exe 2232 x6103409.exe 2580 x3716465.exe 2580 x3716465.exe 2580 x3716465.exe 3044 g4780743.exe 2580 x3716465.exe 2868 h2391710.exe -
Adds Run key to start application 2 TTPs 3 IoCs
Processes:
x3716465.exex0152493.exex6103409.exedescription ioc process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" x3716465.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" x0152493.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" x6103409.exe -
Suspicious use of SetThreadContext 1 IoCs
Processes:
g4780743.exedescription pid process target process PID 3044 set thread context of 2760 3044 g4780743.exe AppLaunch.exe -
Suspicious behavior: EnumeratesProcesses 2 IoCs
Processes:
AppLaunch.exepid process 2760 AppLaunch.exe 2760 AppLaunch.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
AppLaunch.exedescription pid process Token: SeDebugPrivilege 2760 AppLaunch.exe -
Suspicious use of WriteProcessMemory 40 IoCs
Processes:
x0152493.exex6103409.exex3716465.exeg4780743.exedescription pid process target process PID 2980 wrote to memory of 2232 2980 x0152493.exe x6103409.exe PID 2980 wrote to memory of 2232 2980 x0152493.exe x6103409.exe PID 2980 wrote to memory of 2232 2980 x0152493.exe x6103409.exe PID 2980 wrote to memory of 2232 2980 x0152493.exe x6103409.exe PID 2980 wrote to memory of 2232 2980 x0152493.exe x6103409.exe PID 2980 wrote to memory of 2232 2980 x0152493.exe x6103409.exe PID 2980 wrote to memory of 2232 2980 x0152493.exe x6103409.exe PID 2232 wrote to memory of 2580 2232 x6103409.exe x3716465.exe PID 2232 wrote to memory of 2580 2232 x6103409.exe x3716465.exe PID 2232 wrote to memory of 2580 2232 x6103409.exe x3716465.exe PID 2232 wrote to memory of 2580 2232 x6103409.exe x3716465.exe PID 2232 wrote to memory of 2580 2232 x6103409.exe x3716465.exe PID 2232 wrote to memory of 2580 2232 x6103409.exe x3716465.exe PID 2232 wrote to memory of 2580 2232 x6103409.exe x3716465.exe PID 2580 wrote to memory of 3044 2580 x3716465.exe g4780743.exe PID 2580 wrote to memory of 3044 2580 x3716465.exe g4780743.exe PID 2580 wrote to memory of 3044 2580 x3716465.exe g4780743.exe PID 2580 wrote to memory of 3044 2580 x3716465.exe g4780743.exe PID 2580 wrote to memory of 3044 2580 x3716465.exe g4780743.exe PID 2580 wrote to memory of 3044 2580 x3716465.exe g4780743.exe PID 2580 wrote to memory of 3044 2580 x3716465.exe g4780743.exe PID 3044 wrote to memory of 2760 3044 g4780743.exe AppLaunch.exe PID 3044 wrote to memory of 2760 3044 g4780743.exe AppLaunch.exe PID 3044 wrote to memory of 2760 3044 g4780743.exe AppLaunch.exe PID 3044 wrote to memory of 2760 3044 g4780743.exe AppLaunch.exe PID 3044 wrote to memory of 2760 3044 g4780743.exe AppLaunch.exe PID 3044 wrote to memory of 2760 3044 g4780743.exe AppLaunch.exe PID 3044 wrote to memory of 2760 3044 g4780743.exe AppLaunch.exe PID 3044 wrote to memory of 2760 3044 g4780743.exe AppLaunch.exe PID 3044 wrote to memory of 2760 3044 g4780743.exe AppLaunch.exe PID 3044 wrote to memory of 2760 3044 g4780743.exe AppLaunch.exe PID 3044 wrote to memory of 2760 3044 g4780743.exe AppLaunch.exe PID 3044 wrote to memory of 2760 3044 g4780743.exe AppLaunch.exe PID 2580 wrote to memory of 2868 2580 x3716465.exe h2391710.exe PID 2580 wrote to memory of 2868 2580 x3716465.exe h2391710.exe PID 2580 wrote to memory of 2868 2580 x3716465.exe h2391710.exe PID 2580 wrote to memory of 2868 2580 x3716465.exe h2391710.exe PID 2580 wrote to memory of 2868 2580 x3716465.exe h2391710.exe PID 2580 wrote to memory of 2868 2580 x3716465.exe h2391710.exe PID 2580 wrote to memory of 2868 2580 x3716465.exe h2391710.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\x0152493.exe"C:\Users\Admin\AppData\Local\Temp\x0152493.exe"1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2980 -
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x6103409.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x6103409.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2232 -
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x3716465.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x3716465.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2580 -
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\g4780743.exeC:\Users\Admin\AppData\Local\Temp\IXP002.TMP\g4780743.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3044 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"5⤵
- Modifies Windows Defender Real-time Protection settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2760 -
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\h2391710.exeC:\Users\Admin\AppData\Local\Temp\IXP002.TMP\h2391710.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2868
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
506KB
MD50161d5878fc9f3e1441c6d07fa80d8b6
SHA1aafaee6eb2797c94d5b62a3a671f9bfe4b683022
SHA256a637ad2cf121eafebf568f99bbe320aafe238f05fa722bd8d47f16b25d229696
SHA5122547bf0a2f0f49de2ec04d075e8d8783663bfe8477cea2e494a8be1d113f94951679156e1661e0ac9c76f0c55ed65acb79a735a65e953a47354e73a2f539e71e
-
Filesize
506KB
MD50161d5878fc9f3e1441c6d07fa80d8b6
SHA1aafaee6eb2797c94d5b62a3a671f9bfe4b683022
SHA256a637ad2cf121eafebf568f99bbe320aafe238f05fa722bd8d47f16b25d229696
SHA5122547bf0a2f0f49de2ec04d075e8d8783663bfe8477cea2e494a8be1d113f94951679156e1661e0ac9c76f0c55ed65acb79a735a65e953a47354e73a2f539e71e
-
Filesize
320KB
MD5bd8aac74df67f6fde61f5f9a924ed6d4
SHA1836e6a69bbef277e18383abe776abc058b9c5341
SHA2564e82ae18daf05be90f7731212b8b696a52e48d1a771d434e99c7705bf6e5486b
SHA512da1c41e43d9ef43eb78b39cd7a1aa1d443181d189385065e8380c188d981436cac43cc33d3d72c251739ce2719472c4bb5706d44adda540e2b50213c2722c727
-
Filesize
320KB
MD5bd8aac74df67f6fde61f5f9a924ed6d4
SHA1836e6a69bbef277e18383abe776abc058b9c5341
SHA2564e82ae18daf05be90f7731212b8b696a52e48d1a771d434e99c7705bf6e5486b
SHA512da1c41e43d9ef43eb78b39cd7a1aa1d443181d189385065e8380c188d981436cac43cc33d3d72c251739ce2719472c4bb5706d44adda540e2b50213c2722c727
-
Filesize
236KB
MD535e9af813fed242aacb760b30ef4bc9b
SHA1463fedc2556f79351422a4f35d5504ed05738f59
SHA25627884f346de6e135ffc7559cc22ad9075e643996665dde4f6ad9b85d3bf049c7
SHA5124c8538e180830b57e500f32e5d4416c4e5ae4c6442389c3578c60341a11df0bf61ef6499f0a9a473210f338c72101a285fa2c6b79b7c999944d26b970c3f7523
-
Filesize
236KB
MD535e9af813fed242aacb760b30ef4bc9b
SHA1463fedc2556f79351422a4f35d5504ed05738f59
SHA25627884f346de6e135ffc7559cc22ad9075e643996665dde4f6ad9b85d3bf049c7
SHA5124c8538e180830b57e500f32e5d4416c4e5ae4c6442389c3578c60341a11df0bf61ef6499f0a9a473210f338c72101a285fa2c6b79b7c999944d26b970c3f7523
-
Filesize
236KB
MD535e9af813fed242aacb760b30ef4bc9b
SHA1463fedc2556f79351422a4f35d5504ed05738f59
SHA25627884f346de6e135ffc7559cc22ad9075e643996665dde4f6ad9b85d3bf049c7
SHA5124c8538e180830b57e500f32e5d4416c4e5ae4c6442389c3578c60341a11df0bf61ef6499f0a9a473210f338c72101a285fa2c6b79b7c999944d26b970c3f7523
-
Filesize
174KB
MD52f1b9cdf5437829d0b5dfc330aa68a46
SHA12b7e1d147bc90dc655275566f77343006e5aed83
SHA25646e347c5529f632394301cfa26bca532887f4e375d1e16438366ab9afed77015
SHA512ce9f8b5bf205734915b538f1a0d0c39e34e85e33694fbb255274fe990dbf7c9238b1a87f2407f31c02f0ddbef20fe152cbd6017fbbc4dbbfb677b11afa84df9a
-
Filesize
174KB
MD52f1b9cdf5437829d0b5dfc330aa68a46
SHA12b7e1d147bc90dc655275566f77343006e5aed83
SHA25646e347c5529f632394301cfa26bca532887f4e375d1e16438366ab9afed77015
SHA512ce9f8b5bf205734915b538f1a0d0c39e34e85e33694fbb255274fe990dbf7c9238b1a87f2407f31c02f0ddbef20fe152cbd6017fbbc4dbbfb677b11afa84df9a
-
Filesize
506KB
MD50161d5878fc9f3e1441c6d07fa80d8b6
SHA1aafaee6eb2797c94d5b62a3a671f9bfe4b683022
SHA256a637ad2cf121eafebf568f99bbe320aafe238f05fa722bd8d47f16b25d229696
SHA5122547bf0a2f0f49de2ec04d075e8d8783663bfe8477cea2e494a8be1d113f94951679156e1661e0ac9c76f0c55ed65acb79a735a65e953a47354e73a2f539e71e
-
Filesize
506KB
MD50161d5878fc9f3e1441c6d07fa80d8b6
SHA1aafaee6eb2797c94d5b62a3a671f9bfe4b683022
SHA256a637ad2cf121eafebf568f99bbe320aafe238f05fa722bd8d47f16b25d229696
SHA5122547bf0a2f0f49de2ec04d075e8d8783663bfe8477cea2e494a8be1d113f94951679156e1661e0ac9c76f0c55ed65acb79a735a65e953a47354e73a2f539e71e
-
Filesize
320KB
MD5bd8aac74df67f6fde61f5f9a924ed6d4
SHA1836e6a69bbef277e18383abe776abc058b9c5341
SHA2564e82ae18daf05be90f7731212b8b696a52e48d1a771d434e99c7705bf6e5486b
SHA512da1c41e43d9ef43eb78b39cd7a1aa1d443181d189385065e8380c188d981436cac43cc33d3d72c251739ce2719472c4bb5706d44adda540e2b50213c2722c727
-
Filesize
320KB
MD5bd8aac74df67f6fde61f5f9a924ed6d4
SHA1836e6a69bbef277e18383abe776abc058b9c5341
SHA2564e82ae18daf05be90f7731212b8b696a52e48d1a771d434e99c7705bf6e5486b
SHA512da1c41e43d9ef43eb78b39cd7a1aa1d443181d189385065e8380c188d981436cac43cc33d3d72c251739ce2719472c4bb5706d44adda540e2b50213c2722c727
-
Filesize
236KB
MD535e9af813fed242aacb760b30ef4bc9b
SHA1463fedc2556f79351422a4f35d5504ed05738f59
SHA25627884f346de6e135ffc7559cc22ad9075e643996665dde4f6ad9b85d3bf049c7
SHA5124c8538e180830b57e500f32e5d4416c4e5ae4c6442389c3578c60341a11df0bf61ef6499f0a9a473210f338c72101a285fa2c6b79b7c999944d26b970c3f7523
-
Filesize
236KB
MD535e9af813fed242aacb760b30ef4bc9b
SHA1463fedc2556f79351422a4f35d5504ed05738f59
SHA25627884f346de6e135ffc7559cc22ad9075e643996665dde4f6ad9b85d3bf049c7
SHA5124c8538e180830b57e500f32e5d4416c4e5ae4c6442389c3578c60341a11df0bf61ef6499f0a9a473210f338c72101a285fa2c6b79b7c999944d26b970c3f7523
-
Filesize
236KB
MD535e9af813fed242aacb760b30ef4bc9b
SHA1463fedc2556f79351422a4f35d5504ed05738f59
SHA25627884f346de6e135ffc7559cc22ad9075e643996665dde4f6ad9b85d3bf049c7
SHA5124c8538e180830b57e500f32e5d4416c4e5ae4c6442389c3578c60341a11df0bf61ef6499f0a9a473210f338c72101a285fa2c6b79b7c999944d26b970c3f7523
-
Filesize
174KB
MD52f1b9cdf5437829d0b5dfc330aa68a46
SHA12b7e1d147bc90dc655275566f77343006e5aed83
SHA25646e347c5529f632394301cfa26bca532887f4e375d1e16438366ab9afed77015
SHA512ce9f8b5bf205734915b538f1a0d0c39e34e85e33694fbb255274fe990dbf7c9238b1a87f2407f31c02f0ddbef20fe152cbd6017fbbc4dbbfb677b11afa84df9a
-
Filesize
174KB
MD52f1b9cdf5437829d0b5dfc330aa68a46
SHA12b7e1d147bc90dc655275566f77343006e5aed83
SHA25646e347c5529f632394301cfa26bca532887f4e375d1e16438366ab9afed77015
SHA512ce9f8b5bf205734915b538f1a0d0c39e34e85e33694fbb255274fe990dbf7c9238b1a87f2407f31c02f0ddbef20fe152cbd6017fbbc4dbbfb677b11afa84df9a