Analysis

max time kernel: 149s
max time network: 152s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 04-11-2024 14:01 (4 November 2024; the analysis image is the 2024-10-07 build)
Static task: static1
Behavioral task: behavioral1
Sample: 433fab2c541ba204345b97c0525fede80f7c474db84acdacda18e09a89847819.exe
Resource: win10v2004-20241007-en
General

Target: 433fab2c541ba204345b97c0525fede80f7c474db84acdacda18e09a89847819.exe
Size: 481KB
MD5: 55488a9607fe2a057142faea5ba825f6
SHA1: d2651f9a67b60ace7bde408c380f2ba242d56b0f
SHA256: 433fab2c541ba204345b97c0525fede80f7c474db84acdacda18e09a89847819
SHA512: fd617b7114fc786115fa17a91c800ce624e00db8aedd6fe4f197be07b72bb04183356553272bf1f7d3933154623a04d021db2001b71b0624016fa38ea891058a
SSDEEP: 12288:sMrwy90l5JQeLP7Rpt4YhEklRu9DP/JYFO:Myc55PpZCklR2LH
Malware Config

Extracted family: redline
Botnet (campaign ID): mihan
C2: 217.196.96.101:4132
auth_value: 9a6a8fdae02ed7caa0a49a6ddc6d4520
Signatures

Detects Healer, an antivirus disabler dropper (17 IoCs)
All 17 YARA hits are memory dumps of PID 3440 (a9335692.exe): the rule matches the unpacked code in memory, and no file on disk matched it during the run.
resource  yara_rule
behavioral1/memory/3440-15-0x0000000000810000-0x000000000082A000-memory.dmp  healer
behavioral1/memory/3440-19-0x0000000002540000-0x0000000002558000-memory.dmp  healer
behavioral1/memory/3440-46-0x0000000002540000-0x0000000002552000-memory.dmp  healer
behavioral1/memory/3440-44-0x0000000002540000-0x0000000002552000-memory.dmp  healer
behavioral1/memory/3440-42-0x0000000002540000-0x0000000002552000-memory.dmp  healer
behavioral1/memory/3440-40-0x0000000002540000-0x0000000002552000-memory.dmp  healer
behavioral1/memory/3440-38-0x0000000002540000-0x0000000002552000-memory.dmp  healer
behavioral1/memory/3440-36-0x0000000002540000-0x0000000002552000-memory.dmp  healer
behavioral1/memory/3440-34-0x0000000002540000-0x0000000002552000-memory.dmp  healer
behavioral1/memory/3440-32-0x0000000002540000-0x0000000002552000-memory.dmp  healer
behavioral1/memory/3440-30-0x0000000002540000-0x0000000002552000-memory.dmp  healer
behavioral1/memory/3440-28-0x0000000002540000-0x0000000002552000-memory.dmp  healer
behavioral1/memory/3440-26-0x0000000002540000-0x0000000002552000-memory.dmp  healer
behavioral1/memory/3440-24-0x0000000002540000-0x0000000002552000-memory.dmp  healer
behavioral1/memory/3440-22-0x0000000002540000-0x0000000002552000-memory.dmp  healer
behavioral1/memory/3440-21-0x0000000002540000-0x0000000002552000-memory.dmp  healer
behavioral1/memory/3440-48-0x0000000002540000-0x0000000002552000-memory.dmp  healer
Healer family

Modifies Windows Defender Real-time Protection settings (6 IoCs)
All six writes come from a9335692.exe, the Healer stage. The path sits under WOW6432Node, the 32-bit view of the hive, which shows the writer is a 32-bit process. On a host with Tamper Protection enabled Defender refuses these policy changes; the sandbox run only shows that the writes were attempted and accepted on this image.
description  ioc  Process
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"  a9335692.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"  a9335692.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"  a9335692.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"  a9335692.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"  a9335692.exe
Key created  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection  a9335692.exe
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.

RedLine payload (2 IoCs)
Both the dropped file and the memory of PID 4868 (b9293449.exe) match family_redline, so b9293449.exe is the stealer payload and a9335692.exe is the Healer component that runs before it.
resource  yara_rule
behavioral1/files/0x0007000000023cae-54.dat  family_redline
behavioral1/memory/4868-56-0x00000000003A0000-0x00000000003D0000-memory.dmp  family_redline

Redline family
Executes dropped EXE (3 IoCs)
pid  Process
3132  v2480339.exe
3440  a9335692.exe
4868  b9293449.exe

Windows security modification (2 IoCs)
The Healer stage also writes TamperProtection = 0 under the Defender Features key. Where Tamper Protection is actually on, that value is protected and a non-Defender process cannot change it, so this write is an indicator of intent rather than proof that protection was switched off.
description  ioc  Process
Key created  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features  a9335692.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"  a9335692.exe
Adds Run key to start application (2 TTPs, 2 IoCs)
Both RunOnce entries are the clean-up records a wextract (IExpress) self-extractor registers for itself: at next logon rundll32 calls advpack.dll,DelNodeRunDLL32 to delete the IXP00n.TMP extraction directory. They remove the dropped stages rather than relaunch them, so this signature reflects the packer, not malware persistence. The two directories (IXP000.TMP created by the sample, IXP001.TMP created by v2480339.exe) show two nested self-extractor layers.
description  ioc  Process
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""  433fab2c541ba204345b97c0525fede80f7c474db84acdacda18e09a89847819.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""  v2480339.exe
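As an added example (not part of the sandbox report, and not code from the sandbox or from the malware), the following Python turns the three registry signatures above (the Real-Time Protection policy writes, the TamperProtection write and the RunOnce entries) into detection logic a SOC could run over registry telemetry. The input records are constructed inline to mirror the report's IoCs in the shape of Sysmon Event ID 12/13 fields (EventType, Image, TargetObject, Details); the field names are Sysmon's, while the finding labels, the verdict thresholds and the extra setup_other.exe record used for contrast are assumptions of this example.

```python
import re
from collections import defaultdict

# Defender Real-Time Protection policy values the Healer stage sets to 1 (from the report).
RTP_DISABLE_VALUES = {
    "DisableBehaviorMonitoring", "DisableIOAVProtection", "DisableOnAccessProtection",
    "DisableRealtimeMonitoring", "DisableScanOnRealtimeEnable",
}
RTP_POLICY_KEY = r"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection"
FEATURES_KEY = r"HKLM\SOFTWARE\Microsoft\Windows Defender\Features"
RUNONCE_KEY = r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce"

# Clean-up entry a wextract (IExpress) self-extractor registers for itself: it deletes the
# IXP###.TMP extraction directory at next logon. Packer behaviour, not persistence.
WEXTRACT_CLEANUP = re.compile(
    r'^rundll32\.exe C:\\Windows\\system32\\advpack\.dll,DelNodeRunDLL32 '
    r'"C:\\Users\\[^\\]+\\AppData\\Local\\Temp\\IXP\d{3}\.TMP\\"$',
    re.IGNORECASE,
)
DWORD = re.compile(r"^DWORD \(0x([0-9A-Fa-f]{8})\)$")  # Sysmon's rendering of a REG_DWORD


def normalize_target(target, event_type):
    """Return (key, value_name) for a Sysmon TargetObject.

    Folds the kernel-style \\REGISTRY\\MACHINE prefix to HKLM and strips the WOW6432Node
    redirection a 32-bit writer such as a9335692.exe lands in, so one rule matches both
    the native and the redirected path.
    """
    t = re.sub(r"^\\REGISTRY\\MACHINE", "HKLM", target, flags=re.IGNORECASE)
    t = re.sub(r"^HKLM\\SOFTWARE\\WOW6432Node\\", r"HKLM\\SOFTWARE\\", t, flags=re.IGNORECASE)
    if event_type == "CreateKey":
        return t, None
    key, _, value = t.rpartition("\\")
    return key, value


def classify(event):
    """Map one registry event to a finding label, or None if it is not of interest."""
    key, value = normalize_target(event["TargetObject"], event["EventType"])
    details = event.get("Details", "")
    m = DWORD.match(details)
    dword = int(m.group(1), 16) if m else None
    k = key.lower()
    if k == RTP_POLICY_KEY.lower():
        if event["EventType"] == "CreateKey":
            return "defender_rtp_policy_key_created"
        if value in RTP_DISABLE_VALUES and dword == 1:
            return "defender_rtp_policy_disable:" + value
    elif k == FEATURES_KEY.lower():
        # Caveat: with Tamper Protection enabled Defender rejects this write; a sandbox hit
        # only proves the attempt, not that it would succeed on a hardened host.
        if value == "TamperProtection" and dword == 0:
            return "defender_tamper_protection_off"
    elif k == RUNONCE_KEY.lower() and event["EventType"] == "SetValue":
        return "runonce_sfx_cleanup" if WEXTRACT_CLEANUP.match(details) else "runonce_persistence"
    return None


def analyze(events):
    """Group findings per writing process and assign a verdict per process (thresholds are mine)."""
    per_image = defaultdict(list)
    for ev in events:
        label = classify(ev)
        if label:
            per_image[ev["Image"]].append(label)
    report = {}
    for image, findings in per_image.items():
        disables = sum(f.startswith("defender_rtp_policy_disable:") for f in findings)
        tamper_off = "defender_tamper_protection_off" in findings
        if disables >= 3 or (disables and tamper_off):
            verdict = "healer-like AV disabler"
        elif "runonce_persistence" in findings:
            verdict = "review persistence"
        else:
            verdict = "informational"
        report[image] = {"findings": findings, "verdict": verdict}
    return report


def sample_events():
    """Constructed records mirroring the report's registry IoCs, plus one made-up RunOnce
    entry from a hypothetical setup_other.exe to exercise the non-packer branch."""
    rtp = r"\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection"
    events = [{"Image": "a9335692.exe", "EventType": "CreateKey", "TargetObject": rtp}]
    for name in sorted(RTP_DISABLE_VALUES):
        events.append({"Image": "a9335692.exe", "EventType": "SetValue",
                       "TargetObject": rtp + "\\" + name, "Details": "DWORD (0x00000001)"})
    events.append({"Image": "a9335692.exe", "EventType": "SetValue",
                   "TargetObject": r"\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection",
                   "Details": "DWORD (0x00000000)"})
    runonce = r"\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce"
    cleanup = r'rundll32.exe C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\Admin\AppData\Local\Temp\IXP00%d.TMP\"'
    for n, image in ((0, "433fab2c541ba204345b97c0525fede80f7c474db84acdacda18e09a89847819.exe"), (1, "v2480339.exe")):
        events.append({"Image": image, "EventType": "SetValue",
                       "TargetObject": runonce + r"\wextract_cleanup%d" % n, "Details": cleanup % n})
    events.append({"Image": "setup_other.exe", "EventType": "SetValue",  # constructed contrast case
                   "TargetObject": runonce + r"\Updater", "Details": r"C:\Users\Admin\AppData\Roaming\upd.exe"})
    return events


if __name__ == "__main__":
    for image, result in analyze(sample_events()).items():
        print(f"{image}: {result['verdict']}")
        for finding in result["findings"]:
            print("    " + finding)
```

The WOW6432Node fold is what keeps the rule from missing a 32-bit writer, and the wextract pattern is deliberately anchored to the full rundll32/advpack command so that any other RunOnce value, including one that merely mentions an IXP directory, still surfaces for review.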
System Location Discovery: System Language Discovery (1 TTP, 4 IoCs)
Attempts to gather information about the system language of the victim in order to infer the geographical location of that host. All four stages read the same key.
description  ioc  Process
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  433fab2c541ba204345b97c0525fede80f7c474db84acdacda18e09a89847819.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  v2480339.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  a9335692.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  b9293449.exe
Suspicious behavior: EnumeratesProcesses (2 IoCs)
pid  Process
3440  a9335692.exe
3440  a9335692.exe

Suspicious use of AdjustPrivilegeToken (1 IoC)
Both behaviours belong to the Healer stage (PID 3440).
description  pid  Process
Token: SeDebugPrivilege  3440  a9335692.exe
Suspicious use of WriteProcessMemory (9 IoCs)
Each child receives exactly three writes from its parent at the moment it is started, matching the parent/child chain in the process tree below; no writes into a process outside that chain were recorded, so these entries reflect process creation rather than later code injection.
description  pid  Process  procid_target
PID 3908 wrote to memory of 3132  3908  433fab2c541ba204345b97c0525fede80f7c474db84acdacda18e09a89847819.exe  84
PID 3908 wrote to memory of 3132  3908  433fab2c541ba204345b97c0525fede80f7c474db84acdacda18e09a89847819.exe  84
PID 3908 wrote to memory of 3132  3908  433fab2c541ba204345b97c0525fede80f7c474db84acdacda18e09a89847819.exe  84
PID 3132 wrote to memory of 3440  3132  v2480339.exe  85
PID 3132 wrote to memory of 3440  3132  v2480339.exe  85
PID 3132 wrote to memory of 3440  3132  v2480339.exe  85
PID 3132 wrote to memory of 4868  3132  v2480339.exe  93
PID 3132 wrote to memory of 4868  3132  v2480339.exe  93
PID 3132 wrote to memory of 4868  3132  v2480339.exe  93
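As an added example (not part of the report and not tooling from the sandbox), the Python below rebuilds the process lineage from the WriteProcessMemory table above and attaches the YARA memory hits by PID, which is how an analyst would recover the staging order from an exported report. The nine table lines, the dropped-EXE names and the YARA hits are copied from this page and embedded inline; the "three writes per spawned child means a normal start, anything else gets a CHECK tag" rule is a heuristic of this example, not a property the sandbox documents.

```python
import re
from collections import Counter, defaultdict

# The nine lines of the report's "Suspicious use of WriteProcessMemory" table, embedded here
# as constructed input (writer PID, target PID, writer PID again, writer image, target index).
WRITE_EVENTS = """\
PID 3908 wrote to memory of 3132 3908 433fab2c541ba204345b97c0525fede80f7c474db84acdacda18e09a89847819.exe 84
PID 3908 wrote to memory of 3132 3908 433fab2c541ba204345b97c0525fede80f7c474db84acdacda18e09a89847819.exe 84
PID 3908 wrote to memory of 3132 3908 433fab2c541ba204345b97c0525fede80f7c474db84acdacda18e09a89847819.exe 84
PID 3132 wrote to memory of 3440 3132 v2480339.exe 85
PID 3132 wrote to memory of 3440 3132 v2480339.exe 85
PID 3132 wrote to memory of 3440 3132 v2480339.exe 85
PID 3132 wrote to memory of 4868 3132 v2480339.exe 93
PID 3132 wrote to memory of 4868 3132 v2480339.exe 93
PID 3132 wrote to memory of 4868 3132 v2480339.exe 93
"""
# From the "Executes dropped EXE" table and the two YARA tables: names and memory hits per PID.
DROPPED = {3132: "v2480339.exe", 3440: "a9335692.exe", 4868: "b9293449.exe"}
YARA_BY_PID = {3440: "healer", 4868: "family_redline"}

WRITE_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+) \1 (\S+) \d+$")


def parse_writes(text):
    """Return ({(writer_pid, target_pid): write_count}, {writer_pid: image})."""
    writes, names = Counter(), {}
    for line in text.splitlines():
        m = WRITE_RE.match(line)
        if not m:
            raise ValueError("unrecognised line: " + line)
        writer, target, image = int(m.group(1)), int(m.group(2)), m.group(3)
        writes[(writer, target)] += 1
        names[writer] = image
    return writes, names


def build_tree(writes, names, dropped, yara):
    """Render the writer->target pairs as an indented lineage, one line per process.

    Heuristic (this example's, not the sandbox's): a target that is a known dropped child
    and received exactly the three writes the report shows per spawned child is labelled
    'spawn'; any other write is marked CHECK as a possible cross-process write.
    """
    children = defaultdict(list)
    for writer, target in writes:
        children[writer].append(target)
    all_names = {**dropped, **names}
    targets = {t for _, t in writes}
    lines = []

    def walk(pid, depth, parent):
        tag = ""
        if parent is not None:
            n = writes[(parent, pid)]
            kind = "spawn" if pid in dropped and n == 3 else "CHECK"
            tag = "  [%s, %d writes]" % (kind, n)
        if pid in yara:
            tag += "  yara:" + yara[pid]
        lines.append("  " * depth + "%d %s%s" % (pid, all_names.get(pid, "?"), tag))
        for child in sorted(children[pid]):
            walk(child, depth + 1, pid)

    for root in sorted(p for p in all_names if p not in targets):
        walk(root, 0, None)
    return lines


if __name__ == "__main__":
    print("\n".join(build_tree(*parse_writes(WRITE_EVENTS), DROPPED, YARA_BY_PID)))
```

Run as-is it prints the four-process chain with the Healer and RedLine stages tagged by their YARA hits; feeding it a report where a stage writes into a process that is not its own child produces a CHECK line at that point.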
Processes

Level 1: C:\Users\Admin\AppData\Local\Temp\433fab2c541ba204345b97c0525fede80f7c474db84acdacda18e09a89847819.exe  (PID 3908)
  Command line: "C:\Users\Admin\AppData\Local\Temp\433fab2c541ba204345b97c0525fede80f7c474db84acdacda18e09a89847819.exe"
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory

  Level 2: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v2480339.exe  (PID 3132)
    Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v2480339.exe
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory

    Level 3: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a9335692.exe  (PID 3440)
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a9335692.exe
      - Modifies Windows Defender Real-time Protection settings
      - Executes dropped EXE
      - Windows security modification
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken

    Level 3: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\b9293449.exe  (PID 4868)
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\b9293449.exe
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
Network
MITRE ATT&CK Enterprise v15

Persistence
  Boot or Logon Autostart Execution (1)
    Registry Run Keys / Startup Folder (1)
  Create or Modify System Process (1)
    Windows Service (1)
Downloads

File 1
Filesize: 309KB
MD5: 8af2fdfac62450c5e99c07f680f052c7
SHA1: abbe4abcbcfe3b17c03eff734b96ab27a9c3c5b0
SHA256: 4fb53dcd873e4afc5be798bbcf23157d20e82bb1405216ed047a31e6fc331342
SHA512: 9250a8fc4b03c5cd81cda3df82b510516cf2b6000d22e81d04543c991b8eee00338463c3505fbbd8d8ae240fb17de2b867ae81db821ffd7e264a103837453ece

File 2
Filesize: 180KB
MD5: c40f3b77df31778ae92519c21b8ee215
SHA1: ac9692045c8e5148fd6d0c53a13aeec16805b71a
SHA256: 65872028a1e3df02884f36d1537f8cf59ec1a5eda724933bbab07028671a527e
SHA512: 7d47ceae63bc8b86b881f6849d1bbd8e373cc0e05553a09ec5dba705c92ff87f8d0a0658d67ed7a17bec39bc000885db0ef791d14356d294f7b1137b92e27940

File 3
Filesize: 168KB
MD5: 95b35a21492ae23f982d74c976ec5ae6
SHA1: 1554c56d8d238f905eac15ce368af5bcc48b89bf
SHA256: dba988a528fa1a139efceb537c6ffe212197795a6b91fbba60d87217b6b23ddd
SHA512: 929e8465e7d5bddb0af97e711f9a659769b7ff79268ebc85203cf7d802d27b4410db6b60143b15442dc01907db3679c8fd8f1c61d84223b3248bff45f76c8396