Analysis
- max time kernel: 149s
- max time network: 153s
- platform: windows10-2004_x64
- resource: win10v2004-20240426-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 10-05-2024 14:50
- task: behavioral24 (sample de9167b7720db28dc71aba69c32792f2bcfef4425545478b6b641677be8a0391.exe)
General
- Target: de9167b7720db28dc71aba69c32792f2bcfef4425545478b6b641677be8a0391.exe
- Size: 309KB
- MD5: fdf9a7c0cae94329d226d32d7d91f498
- SHA1: ac8b5a5a564bcd9aff895a5d98d1bda40679c691
- SHA256: de9167b7720db28dc71aba69c32792f2bcfef4425545478b6b641677be8a0391
- SHA512: 976121688ed988b8bf81d0499ae262a78b3d837318566044a8893285b09eb10f117f0de6535c05120379f108388a83205fb00c428ef69e0c8eb6a5030342de8d
- SSDEEP: 6144:Key+bnr+5p0yN90QEX5F5OYc1u31g4TByzCZJEXbeqEzaILim:aMr1y90Hxc1u31TTEzCZWXbBsv
Malware Config
Extracted
- Family: redline
- Botnet: mihan
- C2: 217.196.96.101:4132
- auth_value: 9a6a8fdae02ed7caa0a49a6ddc6d4520
Signatures
- Detects Healer an antivirus disabler dropper (17 IoCs)
  yara_rule healer matched the following memory dumps:
  - behavioral24/memory/4264-8-0x0000000002090000-0x00000000020AA000-memory.dmp
  - behavioral24/memory/4264-11-0x0000000002440000-0x0000000002458000-memory.dmp
  - behavioral24/memory/4264-16-0x0000000002440000-0x0000000002452000-memory.dmp
  - behavioral24/memory/4264-14-0x0000000002440000-0x0000000002452000-memory.dmp
  - behavioral24/memory/4264-40-0x0000000002440000-0x0000000002452000-memory.dmp
  - behavioral24/memory/4264-38-0x0000000002440000-0x0000000002452000-memory.dmp
  - behavioral24/memory/4264-36-0x0000000002440000-0x0000000002452000-memory.dmp
  - behavioral24/memory/4264-34-0x0000000002440000-0x0000000002452000-memory.dmp
  - behavioral24/memory/4264-32-0x0000000002440000-0x0000000002452000-memory.dmp
  - behavioral24/memory/4264-30-0x0000000002440000-0x0000000002452000-memory.dmp
  - behavioral24/memory/4264-28-0x0000000002440000-0x0000000002452000-memory.dmp
  - behavioral24/memory/4264-26-0x0000000002440000-0x0000000002452000-memory.dmp
  - behavioral24/memory/4264-24-0x0000000002440000-0x0000000002452000-memory.dmp
  - behavioral24/memory/4264-22-0x0000000002440000-0x0000000002452000-memory.dmp
  - behavioral24/memory/4264-20-0x0000000002440000-0x0000000002452000-memory.dmp
  - behavioral24/memory/4264-18-0x0000000002440000-0x0000000002452000-memory.dmp
  - behavioral24/memory/4264-13-0x0000000002440000-0x0000000002452000-memory.dmp
- Modifies Windows Defender Real-time Protection settings (6 IoCs), process a6930283.exe
  - Key created: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection
  - Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"
  - Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"
  - Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"
  - Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"
  - Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
- RedLine payload (2 IoCs), yara_rule family_redline:
  - behavioral24/files/0x0007000000023409-45.dat
  - behavioral24/memory/2812-47-0x0000000000010000-0x0000000000040000-memory.dmp
- Executes dropped EXE (2 IoCs)
  - PID 4264: a6930283.exe
  - PID 2812: b0660973.exe
- Windows security modification (2 IoCs), process a6930283.exe
  - Key created: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features
  - Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"
- Adds Run key to start application (2 TTPs, 1 IoC), process de9167b7720db28dc71aba69c32792f2bcfef4425545478b6b641677be8a0391.exe
  - Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  - PID 4264: a6930283.exe
  - PID 4264: a6930283.exe
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  - Token: SeDebugPrivilege, PID 4264: a6930283.exe
- Suspicious use of WriteProcessMemory (6 IoCs)
  - PID 2604 wrote to memory of 4264; process de9167b7720db28dc71aba69c32792f2bcfef4425545478b6b641677be8a0391.exe; procid_target 82
  - PID 2604 wrote to memory of 4264; process de9167b7720db28dc71aba69c32792f2bcfef4425545478b6b641677be8a0391.exe; procid_target 82
  - PID 2604 wrote to memory of 4264; process de9167b7720db28dc71aba69c32792f2bcfef4425545478b6b641677be8a0391.exe; procid_target 82
  - PID 2604 wrote to memory of 2812; process de9167b7720db28dc71aba69c32792f2bcfef4425545478b6b641677be8a0391.exe; procid_target 92
  - PID 2604 wrote to memory of 2812; process de9167b7720db28dc71aba69c32792f2bcfef4425545478b6b641677be8a0391.exe; procid_target 92
  - PID 2604 wrote to memory of 2812; process de9167b7720db28dc71aba69c32792f2bcfef4425545478b6b641677be8a0391.exe; procid_target 92
Processes
- C:\Users\Admin\AppData\Local\Temp\de9167b7720db28dc71aba69c32792f2bcfef4425545478b6b641677be8a0391.exe (PID 2604)
  command line: "C:\Users\Admin\AppData\Local\Temp\de9167b7720db28dc71aba69c32792f2bcfef4425545478b6b641677be8a0391.exe"
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  - child: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\a6930283.exe (PID 4264)
    command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\a6930283.exe
    - Modifies Windows Defender Real-time Protection settings
    - Executes dropped EXE
    - Windows security modification
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
  - child: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\b0660973.exe (PID 2812)
    command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\b0660973.exe
    - Executes dropped EXE
Network
MITRE ATT&CK Enterprise v15
- Persistence
  - Boot or Logon Autostart Execution (1)
    - Registry Run Keys / Startup Folder (1)
  - Create or Modify System Process (1)
    - Windows Service (1)
Downloads
- Download 1
  - Filesize: 180KB
  - MD5: 5faf60acaf9d026a04be6f2d095418ea
  - SHA1: edcac55197a6b08cd7de5cd56fc4fc6552874072
  - SHA256: 3ff91f4c98994b8fd625c709d2c6c281160c50b0922fc2cc19014effaa43a09b
  - SHA512: 9f586badfdddefc08ad24fa3bfcab1c49a81cd966c43a91bd9a1c940209062cf1eb0a57c1a46cbf81c85e6a3cae81ee5898a3d9412f896c7de904780c9da54e1
- Download 2
  - Filesize: 168KB
  - MD5: 1e1a6c8b5691a4f4a0bcf77ce52d4deb
  - SHA1: d544c9cd9fc2c7b68c8611d17ff0c2d812528b7e
  - SHA256: 5f4d6d5346c721c7e663fa0b77067ec7e0f1707faf9dced393fbe145193eff47
  - SHA512: c0c868bae4b50c6786b3e400f169c7665631b19b020698c5c55eefa3bd3207973b4992047ffd291482a8e07f206df04aaee79b01ab5997b9ad37d46fd65dc849