Analysis
max time kernel: 144s
max time network: 146s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 09/11/2024, 05:16
Static task: static1
Behavioral task: behavioral1
Sample: 165ab18e04a1a7b9c01dee599e4a278499e2dde92d1e75e3f8fe6dcd01cf07a0.exe
Resource: win10v2004-20241007-en
General
Target: 165ab18e04a1a7b9c01dee599e4a278499e2dde92d1e75e3f8fe6dcd01cf07a0.exe
Size: 688KB
MD5: 06ef43028d863cb80499a8e79c43fcf6
SHA1: 7158045e2fac1df01d13bdf9d4cbea48583fdafe
SHA256: 165ab18e04a1a7b9c01dee599e4a278499e2dde92d1e75e3f8fe6dcd01cf07a0
SHA512: 54564989557057ea3f91de2dc396a485598d7e0f36fc395a5e2222268ae5d164ab95ad7759800ee51730e0506874c4eaf3190e3e142a3f56a8cd490f9f3a2301
SSDEEP: 12288:1Mroy907T3VKh+tMTJaLJv2Ximw4IfVVmyJJs43xEYMTKbYS4lvewEIeeZX:Fy63VBtMdaLJuSmwVmgu4hbM+lDws8X
Malware Config
Extracted
redline
boris
193.233.20.32:4125
auth_value: 766b5bdf6dbefcf7ca223351952fc38f
Signatures

Detects Healer, an antivirus disabler dropper (17 IoCs)
resource | yara_rule
behavioral1/memory/2496-17-0x00000000047A0000-0x00000000047BA000-memory.dmp | healer
behavioral1/memory/2496-20-0x0000000004BC0000-0x0000000004BD8000-memory.dmp | healer
behavioral1/memory/2496-48-0x0000000004BC0000-0x0000000004BD2000-memory.dmp | healer
behavioral1/memory/2496-46-0x0000000004BC0000-0x0000000004BD2000-memory.dmp | healer
behavioral1/memory/2496-44-0x0000000004BC0000-0x0000000004BD2000-memory.dmp | healer
behavioral1/memory/2496-43-0x0000000004BC0000-0x0000000004BD2000-memory.dmp | healer
behavioral1/memory/2496-40-0x0000000004BC0000-0x0000000004BD2000-memory.dmp | healer
behavioral1/memory/2496-38-0x0000000004BC0000-0x0000000004BD2000-memory.dmp | healer
behavioral1/memory/2496-36-0x0000000004BC0000-0x0000000004BD2000-memory.dmp | healer
behavioral1/memory/2496-34-0x0000000004BC0000-0x0000000004BD2000-memory.dmp | healer
behavioral1/memory/2496-32-0x0000000004BC0000-0x0000000004BD2000-memory.dmp | healer
behavioral1/memory/2496-30-0x0000000004BC0000-0x0000000004BD2000-memory.dmp | healer
behavioral1/memory/2496-28-0x0000000004BC0000-0x0000000004BD2000-memory.dmp | healer
behavioral1/memory/2496-26-0x0000000004BC0000-0x0000000004BD2000-memory.dmp | healer
behavioral1/memory/2496-24-0x0000000004BC0000-0x0000000004BD2000-memory.dmp | healer
behavioral1/memory/2496-22-0x0000000004BC0000-0x0000000004BD2000-memory.dmp | healer
behavioral1/memory/2496-21-0x0000000004BC0000-0x0000000004BD2000-memory.dmp | healer

Healer family

Modifies Windows Defender Real-time Protection settings
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | pro3823.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | pro3823.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | pro3823.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection | pro3823.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | pro3823.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | pro3823.exe
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.

RedLine payload (20 IoCs)
resource | yara_rule
behavioral1/memory/4560-59-0x00000000049C0000-0x0000000004A06000-memory.dmp | family_redline
behavioral1/memory/4560-60-0x0000000007190000-0x00000000071D4000-memory.dmp | family_redline
behavioral1/memory/4560-74-0x0000000007190000-0x00000000071CF000-memory.dmp | family_redline
behavioral1/memory/4560-76-0x0000000007190000-0x00000000071CF000-memory.dmp | family_redline
behavioral1/memory/4560-94-0x0000000007190000-0x00000000071CF000-memory.dmp | family_redline
behavioral1/memory/4560-92-0x0000000007190000-0x00000000071CF000-memory.dmp | family_redline
behavioral1/memory/4560-88-0x0000000007190000-0x00000000071CF000-memory.dmp | family_redline
behavioral1/memory/4560-86-0x0000000007190000-0x00000000071CF000-memory.dmp | family_redline
behavioral1/memory/4560-84-0x0000000007190000-0x00000000071CF000-memory.dmp | family_redline
behavioral1/memory/4560-82-0x0000000007190000-0x00000000071CF000-memory.dmp | family_redline
behavioral1/memory/4560-80-0x0000000007190000-0x00000000071CF000-memory.dmp | family_redline
behavioral1/memory/4560-78-0x0000000007190000-0x00000000071CF000-memory.dmp | family_redline
behavioral1/memory/4560-72-0x0000000007190000-0x00000000071CF000-memory.dmp | family_redline
behavioral1/memory/4560-70-0x0000000007190000-0x00000000071CF000-memory.dmp | family_redline
behavioral1/memory/4560-68-0x0000000007190000-0x00000000071CF000-memory.dmp | family_redline
behavioral1/memory/4560-66-0x0000000007190000-0x00000000071CF000-memory.dmp | family_redline
behavioral1/memory/4560-90-0x0000000007190000-0x00000000071CF000-memory.dmp | family_redline
behavioral1/memory/4560-64-0x0000000007190000-0x00000000071CF000-memory.dmp | family_redline
behavioral1/memory/4560-62-0x0000000007190000-0x00000000071CF000-memory.dmp | family_redline
behavioral1/memory/4560-61-0x0000000007190000-0x00000000071CF000-memory.dmp | family_redline

Redline family

Executes dropped EXE (3 IoCs)
pid | Process
2864 | unio9683.exe
2496 | pro3823.exe
4560 | qu9038.exe

Windows security modification
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features | pro3823.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" | pro3823.exe

Adds Run key to start application (2 TTPs, 2 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | unio9683.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | 165ab18e04a1a7b9c01dee599e4a278499e2dde92d1e75e3f8fe6dcd01cf07a0.exe

Program crash (1 IoC)
pid | pid_target | Process | procid_target
2432 | 2496 | WerFault.exe | 86

System Location Discovery: System Language Discovery (1 TTP, 4 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 165ab18e04a1a7b9c01dee599e4a278499e2dde92d1e75e3f8fe6dcd01cf07a0.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | unio9683.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | pro3823.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | qu9038.exe

Suspicious behavior: EnumeratesProcesses (2 IoCs)
pid | Process
2496 | pro3823.exe
2496 | pro3823.exe

Suspicious use of AdjustPrivilegeToken (2 IoCs)
description | pid | Process
Token: SeDebugPrivilege | 2496 | pro3823.exe
Token: SeDebugPrivilege | 4560 | qu9038.exe

Suspicious use of WriteProcessMemory (9 IoCs)
description | pid | Process | procid_target
PID 540 wrote to memory of 2864 | 540 | 165ab18e04a1a7b9c01dee599e4a278499e2dde92d1e75e3f8fe6dcd01cf07a0.exe | 85
PID 540 wrote to memory of 2864 | 540 | 165ab18e04a1a7b9c01dee599e4a278499e2dde92d1e75e3f8fe6dcd01cf07a0.exe | 85
PID 540 wrote to memory of 2864 | 540 | 165ab18e04a1a7b9c01dee599e4a278499e2dde92d1e75e3f8fe6dcd01cf07a0.exe | 85
PID 2864 wrote to memory of 2496 | 2864 | unio9683.exe | 86
PID 2864 wrote to memory of 2496 | 2864 | unio9683.exe | 86
PID 2864 wrote to memory of 2496 | 2864 | unio9683.exe | 86
PID 2864 wrote to memory of 4560 | 2864 | unio9683.exe | 99
PID 2864 wrote to memory of 4560 | 2864 | unio9683.exe | 99
PID 2864 wrote to memory of 4560 | 2864 | unio9683.exe | 99
Processes

C:\Users\Admin\AppData\Local\Temp\165ab18e04a1a7b9c01dee599e4a278499e2dde92d1e75e3f8fe6dcd01cf07a0.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\165ab18e04a1a7b9c01dee599e4a278499e2dde92d1e75e3f8fe6dcd01cf07a0.exe"
  PID: 540
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\unio9683.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\unio9683.exe
    PID: 2864
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro3823.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro3823.exe
      PID: 2496
      - Modifies Windows Defender Real-time Protection settings
      - Executes dropped EXE
      - Windows security modification
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken

      C:\Windows\SysWOW64\WerFault.exe
        Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2496 -s 1084
        PID: 2432
        - Program crash

    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu9038.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu9038.exe
      PID: 4560
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious use of AdjustPrivilegeToken

C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 2496 -ip 2496
  PID: 3540
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (1)
  - Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (1)
  - Windows Service (1)
Downloads

Filesize: 546KB
MD5: ef5da1ca2526b2d8e55a5d1b9cd69ebb
SHA1: 4efd2ac20eecbdded550d349638d48c6cef5427c
SHA256: ecee916cc6881c456c1265690403d0d4416dcc8ca9fbddb99e9f9c9812032909
SHA512: 67ea457a87006bdb5bf8b338d994acc399bb1468cee95644853c7e1e214febd7245c65bc4c7d4da25428de11197a33bd6a58d02ce00966e2756d46231c47c724

Filesize: 329KB
MD5: 28490b24ab7f785169631ea5090ba3e0
SHA1: 38442694df884f045471277d1a7e6bf44188198e
SHA256: 91aa2d825003fa24ddcb3312f86909d8d861c00e1d49bfb62b0085991dc1598e
SHA512: d03a7f8a83d2ee5a20fbca5890537902b6c170204ae6d8165f2d78bdb0aff701a32660c349f9a4c123051bb5d310383bcfac8cb04c5cf292a0b4fb5cc80076c7

Filesize: 386KB
MD5: 9fd1b960c717ebcd155d8b725d120d0c
SHA1: df2136c8013bd1182620ad49a9ec07fc0231a1c8
SHA256: 102f0aa9e64c32a5f3509ee7b5bbc08c09ffd2506cd0ff46d93bd7b696e1591c
SHA512: a48bf4772d1645c5bfe6f2cad927428fcd9d283eb5075efa1db049aad99d0d96159145ae3b116174d4cdc0a123a04b1626f374affbda5ad9db3b379238f16e83