Analysis
-
max time kernel
143s -
max time network
148s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
04-11-2024 13:28
Static task
static1
Behavioral task
behavioral1
Sample
e56b831b3a8709fcfafb0436cf0659623a277cfc7901d3eb588225b67119ab62.exe
Resource
win10v2004-20241007-en
General
-
Target
e56b831b3a8709fcfafb0436cf0659623a277cfc7901d3eb588225b67119ab62.exe
-
Size
695KB
-
MD5
569cc46df2287d34db748c1e1692e889
-
SHA1
7e793077eee94fb696ce60a9a0896293b513acc2
-
SHA256
e56b831b3a8709fcfafb0436cf0659623a277cfc7901d3eb588225b67119ab62
-
SHA512
8bb63f615daefe491068191998b090dd087216ab52797cf382ae198a4a1fbc45b27a2573ce9d17cab048975b2fe1cbcc9781ff46566393b718357bccacfec264
-
SSDEEP
12288:iMrey907kf0Vk5KTvuHoVK2+ctig0wiyc/ED/0mQsc2zjsVr1gIeT:QyHMVk8T2HUb+ctigoy5YmDc2zi+IeT
Malware Config
Extracted
redline
mango
193.233.20.28:4125
-
auth_value
ecf79d7f5227d998a3501c972d915d23
Signatures
-
Detects Healer an antivirus disabler dropper 17 IoCs
resource yara_rule behavioral1/memory/2212-18-0x00000000026C0000-0x00000000026DA000-memory.dmp healer behavioral1/memory/2212-20-0x0000000004BB0000-0x0000000004BC8000-memory.dmp healer behavioral1/memory/2212-26-0x0000000004BB0000-0x0000000004BC2000-memory.dmp healer behavioral1/memory/2212-48-0x0000000004BB0000-0x0000000004BC2000-memory.dmp healer behavioral1/memory/2212-46-0x0000000004BB0000-0x0000000004BC2000-memory.dmp healer behavioral1/memory/2212-44-0x0000000004BB0000-0x0000000004BC2000-memory.dmp healer behavioral1/memory/2212-42-0x0000000004BB0000-0x0000000004BC2000-memory.dmp healer behavioral1/memory/2212-40-0x0000000004BB0000-0x0000000004BC2000-memory.dmp healer behavioral1/memory/2212-38-0x0000000004BB0000-0x0000000004BC2000-memory.dmp healer behavioral1/memory/2212-36-0x0000000004BB0000-0x0000000004BC2000-memory.dmp healer behavioral1/memory/2212-34-0x0000000004BB0000-0x0000000004BC2000-memory.dmp healer behavioral1/memory/2212-32-0x0000000004BB0000-0x0000000004BC2000-memory.dmp healer behavioral1/memory/2212-30-0x0000000004BB0000-0x0000000004BC2000-memory.dmp healer behavioral1/memory/2212-28-0x0000000004BB0000-0x0000000004BC2000-memory.dmp healer behavioral1/memory/2212-24-0x0000000004BB0000-0x0000000004BC2000-memory.dmp healer behavioral1/memory/2212-23-0x0000000004BB0000-0x0000000004BC2000-memory.dmp healer behavioral1/memory/2212-21-0x0000000004BB0000-0x0000000004BC2000-memory.dmp healer -
Healer family
-
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" b0673po.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" b0673po.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" b0673po.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" b0673po.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" b0673po.exe Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection b0673po.exe -
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 20 IoCs
resource yara_rule behavioral1/memory/3224-59-0x0000000004940000-0x0000000004986000-memory.dmp family_redline behavioral1/memory/3224-60-0x00000000049C0000-0x0000000004A04000-memory.dmp family_redline behavioral1/memory/3224-61-0x00000000049C0000-0x00000000049FE000-memory.dmp family_redline behavioral1/memory/3224-78-0x00000000049C0000-0x00000000049FE000-memory.dmp family_redline behavioral1/memory/3224-86-0x00000000049C0000-0x00000000049FE000-memory.dmp family_redline behavioral1/memory/3224-94-0x00000000049C0000-0x00000000049FE000-memory.dmp family_redline behavioral1/memory/3224-92-0x00000000049C0000-0x00000000049FE000-memory.dmp family_redline behavioral1/memory/3224-90-0x00000000049C0000-0x00000000049FE000-memory.dmp family_redline behavioral1/memory/3224-88-0x00000000049C0000-0x00000000049FE000-memory.dmp family_redline behavioral1/memory/3224-84-0x00000000049C0000-0x00000000049FE000-memory.dmp family_redline behavioral1/memory/3224-80-0x00000000049C0000-0x00000000049FE000-memory.dmp family_redline behavioral1/memory/3224-76-0x00000000049C0000-0x00000000049FE000-memory.dmp family_redline behavioral1/memory/3224-75-0x00000000049C0000-0x00000000049FE000-memory.dmp family_redline behavioral1/memory/3224-72-0x00000000049C0000-0x00000000049FE000-memory.dmp family_redline behavioral1/memory/3224-70-0x00000000049C0000-0x00000000049FE000-memory.dmp family_redline behavioral1/memory/3224-68-0x00000000049C0000-0x00000000049FE000-memory.dmp family_redline behavioral1/memory/3224-66-0x00000000049C0000-0x00000000049FE000-memory.dmp family_redline behavioral1/memory/3224-64-0x00000000049C0000-0x00000000049FE000-memory.dmp family_redline behavioral1/memory/3224-62-0x00000000049C0000-0x00000000049FE000-memory.dmp family_redline behavioral1/memory/3224-82-0x00000000049C0000-0x00000000049FE000-memory.dmp family_redline -
Redline family
-
Executes dropped EXE 3 IoCs
pid Process 2188 ntE7554az.exe 2212 b0673po.exe 3224 c18iN53.exe -
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features b0673po.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" b0673po.exe -
Adds Run key to start application 2 TTPs 2 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" ntE7554az.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" e56b831b3a8709fcfafb0436cf0659623a277cfc7901d3eb588225b67119ab62.exe -
System Location Discovery: System Language Discovery 1 TTPs 4 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ntE7554az.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language b0673po.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language c18iN53.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language e56b831b3a8709fcfafb0436cf0659623a277cfc7901d3eb588225b67119ab62.exe -
Suspicious behavior: EnumeratesProcesses 2 IoCs
pid Process 2212 b0673po.exe 2212 b0673po.exe -
Suspicious use of AdjustPrivilegeToken 2 IoCs
description pid Process Token: SeDebugPrivilege 2212 b0673po.exe Token: SeDebugPrivilege 3224 c18iN53.exe -
Suspicious use of WriteProcessMemory 9 IoCs
description pid Process procid_target PID 4900 wrote to memory of 2188 4900 e56b831b3a8709fcfafb0436cf0659623a277cfc7901d3eb588225b67119ab62.exe 84 PID 4900 wrote to memory of 2188 4900 e56b831b3a8709fcfafb0436cf0659623a277cfc7901d3eb588225b67119ab62.exe 84 PID 4900 wrote to memory of 2188 4900 e56b831b3a8709fcfafb0436cf0659623a277cfc7901d3eb588225b67119ab62.exe 84 PID 2188 wrote to memory of 2212 2188 ntE7554az.exe 85 PID 2188 wrote to memory of 2212 2188 ntE7554az.exe 85 PID 2188 wrote to memory of 2212 2188 ntE7554az.exe 85 PID 2188 wrote to memory of 3224 2188 ntE7554az.exe 93 PID 2188 wrote to memory of 3224 2188 ntE7554az.exe 93 PID 2188 wrote to memory of 3224 2188 ntE7554az.exe 93
Processes
-
C:\Users\Admin\AppData\Local\Temp\e56b831b3a8709fcfafb0436cf0659623a277cfc7901d3eb588225b67119ab62.exe"C:\Users\Admin\AppData\Local\Temp\e56b831b3a8709fcfafb0436cf0659623a277cfc7901d3eb588225b67119ab62.exe"1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4900 -
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ntE7554az.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ntE7554az.exe2⤵
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2188 -
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\b0673po.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\b0673po.exe3⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2212
-
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\c18iN53.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\c18iN53.exe3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:3224
-
-
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
550KB
MD58d8cff7f9ff25d4b0fbcb5b02ef6e07e
SHA1264460c42c1bc1855eae79be429bae5eb4944bbe
SHA256c91214269ca20b1d77f3634ededa7994749c5909cb502b0b2226b570fdfa92e1
SHA5127b1bec5662b59df78246cfe6b4642c6f68970b6f1952c5657a857a751e4274b440b0dc9021bc31d212b23f9e66cde648c28ecf99baff6063bbed2e115cabed47
-
Filesize
323KB
MD5ee43881ab62092621b2d2e22a0295878
SHA10339221e3f787602fea6a0541817565d751a293c
SHA2562764ed1001c0289c438398b43297206b64e883f65c34eec0418f809392bab22d
SHA512df6b636d896665a3ec9ee572dc8dcb79169c02316741d9a693d7c09be7ce419e373b1c4d0635c8ecda95e936313750820fb97ee31111a005b334f44ec6112f6c
-
Filesize
381KB
MD5b7fd6550e1ca3851916615fe813c75ae
SHA136291cf993af455c8d64d8c81e7f187e930d87ff
SHA2564329461f1afe5dde94f9e943f3a0d7f6230cad1afa14247b5f09612c96d63177
SHA51299fb8ff6f99d6c4670a0c948b4ae3fc0fdbd4bac446e0cb9168fb382929c23e9419fb628b038c2c7dc2db61a844984269e9fd002f3984d362914b882fc830f56