Analysis
max time kernel: 149s
max time network: 152s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 29-10-2024 14:14
Static task: static1
Behavioral task: behavioral1
Sample: f31de66c283f9ce1563c6c8b40cc7451c8e243fd57db5dab3cafc840c53a2f6d.exe
Resource: win10v2004-20241007-en
General
Target: f31de66c283f9ce1563c6c8b40cc7451c8e243fd57db5dab3cafc840c53a2f6d.exe
Size: 686KB
MD5: a925d14ef2216023e3faf4ce91596d7e
SHA1: 0f2b8a1dcdabb480a9612e9e8d00a7f20e93ff24
SHA256: f31de66c283f9ce1563c6c8b40cc7451c8e243fd57db5dab3cafc840c53a2f6d
SHA512: 131e7847793251095e36e4cb26a908e68d7bcdb427276a9ba9d6a317cfd2f668db8054d16fcfacebaf27a9e1925f4ce5e87d7693589fd4e77d273ca6785de3a2
SSDEEP: 12288:6Mray90QRQWUwc9P3yJXBJTIOJ/+/kLKjPZrALZYuFJM10N4R2fOmeg:EydQOKyFBJr+8LcZrAtY4+meg
Malware Config
Extracted
Family: redline
Botnet: boris
C2: 193.233.20.32:4125
auth_value: 766b5bdf6dbefcf7ca223351952fc38f
Signatures

Detects Healer, an antivirus disabler dropper (17 IoCs)
resource                                                                    yara_rule
behavioral1/memory/1892-18-0x0000000004B00000-0x0000000004B1A000-memory.dmp  healer
behavioral1/memory/1892-20-0x0000000004BC0000-0x0000000004BD8000-memory.dmp  healer
behavioral1/memory/1892-28-0x0000000004BC0000-0x0000000004BD2000-memory.dmp  healer
behavioral1/memory/1892-48-0x0000000004BC0000-0x0000000004BD2000-memory.dmp  healer
behavioral1/memory/1892-46-0x0000000004BC0000-0x0000000004BD2000-memory.dmp  healer
behavioral1/memory/1892-44-0x0000000004BC0000-0x0000000004BD2000-memory.dmp  healer
behavioral1/memory/1892-42-0x0000000004BC0000-0x0000000004BD2000-memory.dmp  healer
behavioral1/memory/1892-40-0x0000000004BC0000-0x0000000004BD2000-memory.dmp  healer
behavioral1/memory/1892-39-0x0000000004BC0000-0x0000000004BD2000-memory.dmp  healer
behavioral1/memory/1892-37-0x0000000004BC0000-0x0000000004BD2000-memory.dmp  healer
behavioral1/memory/1892-34-0x0000000004BC0000-0x0000000004BD2000-memory.dmp  healer
behavioral1/memory/1892-32-0x0000000004BC0000-0x0000000004BD2000-memory.dmp  healer
behavioral1/memory/1892-30-0x0000000004BC0000-0x0000000004BD2000-memory.dmp  healer
behavioral1/memory/1892-26-0x0000000004BC0000-0x0000000004BD2000-memory.dmp  healer
behavioral1/memory/1892-24-0x0000000004BC0000-0x0000000004BD2000-memory.dmp  healer
behavioral1/memory/1892-23-0x0000000004BC0000-0x0000000004BD2000-memory.dmp  healer
behavioral1/memory/1892-21-0x0000000004BC0000-0x0000000004BD2000-memory.dmp  healer
Healer family

Modifies Windows Defender Real-time Protection settings
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | pro8591.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | pro8591.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | pro8591.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | pro8591.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | pro8591.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection | pro8591.exe
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.

RedLine payload (20 IoCs)
resource                                                                    yara_rule
behavioral1/memory/3096-60-0x00000000070F0000-0x0000000007136000-memory.dmp  family_redline
behavioral1/memory/3096-61-0x0000000007770000-0x00000000077B4000-memory.dmp  family_redline
behavioral1/memory/3096-62-0x0000000007770000-0x00000000077AF000-memory.dmp  family_redline
behavioral1/memory/3096-95-0x0000000007770000-0x00000000077AF000-memory.dmp  family_redline
behavioral1/memory/3096-93-0x0000000007770000-0x00000000077AF000-memory.dmp  family_redline
behavioral1/memory/3096-92-0x0000000007770000-0x00000000077AF000-memory.dmp  family_redline
behavioral1/memory/3096-89-0x0000000007770000-0x00000000077AF000-memory.dmp  family_redline
behavioral1/memory/3096-88-0x0000000007770000-0x00000000077AF000-memory.dmp  family_redline
behavioral1/memory/3096-85-0x0000000007770000-0x00000000077AF000-memory.dmp  family_redline
behavioral1/memory/3096-83-0x0000000007770000-0x00000000077AF000-memory.dmp  family_redline
behavioral1/memory/3096-81-0x0000000007770000-0x00000000077AF000-memory.dmp  family_redline
behavioral1/memory/3096-79-0x0000000007770000-0x00000000077AF000-memory.dmp  family_redline
behavioral1/memory/3096-78-0x0000000007770000-0x00000000077AF000-memory.dmp  family_redline
behavioral1/memory/3096-75-0x0000000007770000-0x00000000077AF000-memory.dmp  family_redline
behavioral1/memory/3096-73-0x0000000007770000-0x00000000077AF000-memory.dmp  family_redline
behavioral1/memory/3096-71-0x0000000007770000-0x00000000077AF000-memory.dmp  family_redline
behavioral1/memory/3096-69-0x0000000007770000-0x00000000077AF000-memory.dmp  family_redline
behavioral1/memory/3096-67-0x0000000007770000-0x00000000077AF000-memory.dmp  family_redline
behavioral1/memory/3096-65-0x0000000007770000-0x00000000077AF000-memory.dmp  family_redline
behavioral1/memory/3096-63-0x0000000007770000-0x00000000077AF000-memory.dmp  family_redline
Redline family

Executes dropped EXE (3 IoCs)
pid   Process
3148  un431221.exe
1892  pro8591.exe
3096  qu5056.exe

Windows security modification
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" | pro8591.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features | pro8591.exe
Adds Run key to start application (2 TTPs, 2 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | un431221.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | f31de66c283f9ce1563c6c8b40cc7451c8e243fd57db5dab3cafc840c53a2f6d.exe
System Location Discovery: System Language Discovery (1 TTPs, 4 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | pro8591.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | qu5056.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | f31de66c283f9ce1563c6c8b40cc7451c8e243fd57db5dab3cafc840c53a2f6d.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | un431221.exe
Suspicious behavior: EnumeratesProcesses (2 IoCs)
pid   Process
1892  pro8591.exe
1892  pro8591.exe

Suspicious use of AdjustPrivilegeToken (2 IoCs)
description | pid | Process
Token: SeDebugPrivilege | 1892 | pro8591.exe
Token: SeDebugPrivilege | 3096 | qu5056.exe

Suspicious use of WriteProcessMemory (9 IoCs)
description | pid | Process | procid_target
PID 1548 wrote to memory of 3148 | 1548 | f31de66c283f9ce1563c6c8b40cc7451c8e243fd57db5dab3cafc840c53a2f6d.exe | 84
PID 1548 wrote to memory of 3148 | 1548 | f31de66c283f9ce1563c6c8b40cc7451c8e243fd57db5dab3cafc840c53a2f6d.exe | 84
PID 1548 wrote to memory of 3148 | 1548 | f31de66c283f9ce1563c6c8b40cc7451c8e243fd57db5dab3cafc840c53a2f6d.exe | 84
PID 3148 wrote to memory of 1892 | 3148 | un431221.exe | 85
PID 3148 wrote to memory of 1892 | 3148 | un431221.exe | 85
PID 3148 wrote to memory of 1892 | 3148 | un431221.exe | 85
PID 3148 wrote to memory of 3096 | 3148 | un431221.exe | 94
PID 3148 wrote to memory of 3096 | 3148 | un431221.exe | 94
PID 3148 wrote to memory of 3096 | 3148 | un431221.exe | 94
Processes

C:\Users\Admin\AppData\Local\Temp\f31de66c283f9ce1563c6c8b40cc7451c8e243fd57db5dab3cafc840c53a2f6d.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\f31de66c283f9ce1563c6c8b40cc7451c8e243fd57db5dab3cafc840c53a2f6d.exe"
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID: 1548

  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un431221.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un431221.exe
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID: 3148

    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro8591.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro8591.exe
      - Modifies Windows Defender Real-time Protection settings
      - Executes dropped EXE
      - Windows security modification
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      PID: 1892

    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu5056.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu5056.exe
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious use of AdjustPrivilegeToken
      PID: 3096
Network
MITRE ATT&CK Enterprise v15
Persistence
  Boot or Logon Autostart Execution (1)
    Registry Run Keys / Startup Folder (1)
  Create or Modify System Process (1)
    Windows Service (1)
Downloads

Filesize: 544KB
MD5: 4fb4ce135b275bbf47fe428857eefa54
SHA1: 434ee9e8047308d7f025e172bd6ab1f00d3269fb
SHA256: ca3f3abd67a0b5d52cdcd46bb6085e40266c0d69fba8b3b52a27fc3d85f0cf8c
SHA512: 14551aa0e00eefd8a6ec2f62b7cb1778f14b55c06870bffd246ab1679826122fee21de167b812cae5dbbc55547de5f80d7e45249d2a6e05915b7dff7de958d77

Filesize: 325KB
MD5: 84606ffbe2d3230d6201b6b233fcfb6e
SHA1: 9129fabf03b8fe23e06b393543d9fcc3008d847a
SHA256: 9dbb716f43c1f8fd46b0a989972a9d084e2b476e958dec4621b5ca651893c5fb
SHA512: 8ec37340107ff225f589d83ebe8554fe9a572325b0fb9c733d46ddda4640dd642026bcaa0e8f14d4e84c709d47cf2234f491c3f725c344708d4a6141a91adeb7

Filesize: 384KB
MD5: 27f1c2f3fbe5752157f65d036255b07f
SHA1: 15962dc4167143cbe9d01b1824faab20f7d3864f
SHA256: 2fb8b4574659a7aa2ed21461852de45de668e68b3ff407e8143142b2efe38a3f
SHA512: 57722b6424dab0454a44749c7b3355481244a54e59f7f8eeec2c8dc7081095ad73cfceec50fdb08f015693d6dbc0751f30a909bc965b11f7330783cee3d188d8