Analysis
- max time kernel: 148s
- max time network: 151s
- platform: windows10-2004_x64
- resource: win10v2004-20241007-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 09/11/2024, 19:12

Static task: static1
Behavioral task: behavioral1
- Sample: 6c311ee8d9090705e269d671db66cacccd41cc0c5bf2331b5774f210ce59f931.exe
- Resource: win10v2004-20241007-en
General
- Target: 6c311ee8d9090705e269d671db66cacccd41cc0c5bf2331b5774f210ce59f931.exe
- Size: 1000KB
- MD5: 994fcc05197111cc1d065135b940bdd3
- SHA1: 959f9a1085948ecb758c635dee6a4610438ea06d
- SHA256: 6c311ee8d9090705e269d671db66cacccd41cc0c5bf2331b5774f210ce59f931
- SHA512: 8f8194b3b2fd1731ce23e0d3d68e5c303451ff16fb7c8368e72e9eb943c0700903e0150e84461b7570dfe631fe226cd4913fb77e28e45f4ca0fb92638f2f8d1a
- SSDEEP: 24576:6y31BAXIik6BNeIcvAVkmRBcTEotSmuEjag:BFBAXIivBNeIcvKkz39N
Malware Config
Extracted
- Family: redline
- Botnet: rosn
- C2: 176.113.115.145:4125
- auth_value: 050a19e1db4d0024b0f23b37dcf961f4
Signatures

Detects Healer an antivirus disabler dropper (19 IoCs)
resource | yara_rule
behavioral1/files/0x0009000000023c58-26.dat | healer
behavioral1/memory/4536-28-0x0000000000880000-0x000000000088A000-memory.dmp | healer
behavioral1/memory/4576-34-0x0000000002470000-0x000000000248A000-memory.dmp | healer
behavioral1/memory/4576-36-0x00000000025F0000-0x0000000002608000-memory.dmp | healer
behavioral1/memory/4576-37-0x00000000025F0000-0x0000000002602000-memory.dmp | healer
behavioral1/memory/4576-44-0x00000000025F0000-0x0000000002602000-memory.dmp | healer
behavioral1/memory/4576-64-0x00000000025F0000-0x0000000002602000-memory.dmp | healer
behavioral1/memory/4576-63-0x00000000025F0000-0x0000000002602000-memory.dmp | healer
behavioral1/memory/4576-60-0x00000000025F0000-0x0000000002602000-memory.dmp | healer
behavioral1/memory/4576-58-0x00000000025F0000-0x0000000002602000-memory.dmp | healer
behavioral1/memory/4576-56-0x00000000025F0000-0x0000000002602000-memory.dmp | healer
behavioral1/memory/4576-54-0x00000000025F0000-0x0000000002602000-memory.dmp | healer
behavioral1/memory/4576-52-0x00000000025F0000-0x0000000002602000-memory.dmp | healer
behavioral1/memory/4576-50-0x00000000025F0000-0x0000000002602000-memory.dmp | healer
behavioral1/memory/4576-48-0x00000000025F0000-0x0000000002602000-memory.dmp | healer
behavioral1/memory/4576-46-0x00000000025F0000-0x0000000002602000-memory.dmp | healer
behavioral1/memory/4576-42-0x00000000025F0000-0x0000000002602000-memory.dmp | healer
behavioral1/memory/4576-40-0x00000000025F0000-0x0000000002602000-memory.dmp | healer
behavioral1/memory/4576-38-0x00000000025F0000-0x0000000002602000-memory.dmp | healer

Healer family

Modifies Windows Defender Real-time Protection settings
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | tz1125.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | tz1125.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | tz1125.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | v7496by.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | v7496by.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | v7496by.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | v7496by.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | tz1125.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | tz1125.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection | v7496by.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | v7496by.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | tz1125.exe
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.

RedLine payload (20 IoCs)
resource | yara_rule
behavioral1/memory/4348-72-0x0000000002530000-0x0000000002576000-memory.dmp | family_redline
behavioral1/memory/4348-73-0x00000000051C0000-0x0000000005204000-memory.dmp | family_redline
behavioral1/memory/4348-83-0x00000000051C0000-0x00000000051FF000-memory.dmp | family_redline
behavioral1/memory/4348-85-0x00000000051C0000-0x00000000051FF000-memory.dmp | family_redline
behavioral1/memory/4348-103-0x00000000051C0000-0x00000000051FF000-memory.dmp | family_redline
behavioral1/memory/4348-99-0x00000000051C0000-0x00000000051FF000-memory.dmp | family_redline
behavioral1/memory/4348-91-0x00000000051C0000-0x00000000051FF000-memory.dmp | family_redline
behavioral1/memory/4348-87-0x00000000051C0000-0x00000000051FF000-memory.dmp | family_redline
behavioral1/memory/4348-81-0x00000000051C0000-0x00000000051FF000-memory.dmp | family_redline
behavioral1/memory/4348-79-0x00000000051C0000-0x00000000051FF000-memory.dmp | family_redline
behavioral1/memory/4348-77-0x00000000051C0000-0x00000000051FF000-memory.dmp | family_redline
behavioral1/memory/4348-75-0x00000000051C0000-0x00000000051FF000-memory.dmp | family_redline
behavioral1/memory/4348-74-0x00000000051C0000-0x00000000051FF000-memory.dmp | family_redline
behavioral1/memory/4348-107-0x00000000051C0000-0x00000000051FF000-memory.dmp | family_redline
behavioral1/memory/4348-105-0x00000000051C0000-0x00000000051FF000-memory.dmp | family_redline
behavioral1/memory/4348-101-0x00000000051C0000-0x00000000051FF000-memory.dmp | family_redline
behavioral1/memory/4348-97-0x00000000051C0000-0x00000000051FF000-memory.dmp | family_redline
behavioral1/memory/4348-95-0x00000000051C0000-0x00000000051FF000-memory.dmp | family_redline
behavioral1/memory/4348-93-0x00000000051C0000-0x00000000051FF000-memory.dmp | family_redline
behavioral1/memory/4348-89-0x00000000051C0000-0x00000000051FF000-memory.dmp | family_redline
Redline family

Executes dropped EXE (6 IoCs)
pid | Process
5024 | zap7875.exe
2132 | zap6451.exe
4020 | zap0008.exe
4536 | tz1125.exe
4576 | v7496by.exe
4348 | w41EM73.exe

Windows security modification
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features | v7496by.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" | v7496by.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" | tz1125.exe
Adds Run key to start application (2 TTPs, 4 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | 6c311ee8d9090705e269d671db66cacccd41cc0c5bf2331b5774f210ce59f931.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | zap7875.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" | zap6451.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" | zap0008.exe
Program crash (1 IoC)
pid | pid_target | Process | procid_target
4184 | 4576 | WerFault.exe | 97
System Location Discovery: System Language Discovery (1 TTP, 6 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | zap7875.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | zap6451.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | zap0008.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | v7496by.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | w41EM73.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 6c311ee8d9090705e269d671db66cacccd41cc0c5bf2331b5774f210ce59f931.exe
Suspicious behavior: EnumeratesProcesses (4 IoCs)
pid | Process
4536 | tz1125.exe
4536 | tz1125.exe
4576 | v7496by.exe
4576 | v7496by.exe

Suspicious use of AdjustPrivilegeToken (3 IoCs)
description | pid | Process
Token: SeDebugPrivilege | 4536 | tz1125.exe
Token: SeDebugPrivilege | 4576 | v7496by.exe
Token: SeDebugPrivilege | 4348 | w41EM73.exe

Suspicious use of WriteProcessMemory (17 IoCs)
description | pid | Process | procid_target
PID 2500 wrote to memory of 5024 | 2500 | 6c311ee8d9090705e269d671db66cacccd41cc0c5bf2331b5774f210ce59f931.exe | 83
PID 2500 wrote to memory of 5024 | 2500 | 6c311ee8d9090705e269d671db66cacccd41cc0c5bf2331b5774f210ce59f931.exe | 83
PID 2500 wrote to memory of 5024 | 2500 | 6c311ee8d9090705e269d671db66cacccd41cc0c5bf2331b5774f210ce59f931.exe | 83
PID 5024 wrote to memory of 2132 | 5024 | zap7875.exe | 85
PID 5024 wrote to memory of 2132 | 5024 | zap7875.exe | 85
PID 5024 wrote to memory of 2132 | 5024 | zap7875.exe | 85
PID 2132 wrote to memory of 4020 | 2132 | zap6451.exe | 86
PID 2132 wrote to memory of 4020 | 2132 | zap6451.exe | 86
PID 2132 wrote to memory of 4020 | 2132 | zap6451.exe | 86
PID 4020 wrote to memory of 4536 | 4020 | zap0008.exe | 87
PID 4020 wrote to memory of 4536 | 4020 | zap0008.exe | 87
PID 4020 wrote to memory of 4576 | 4020 | zap0008.exe | 97
PID 4020 wrote to memory of 4576 | 4020 | zap0008.exe | 97
PID 4020 wrote to memory of 4576 | 4020 | zap0008.exe | 97
PID 2132 wrote to memory of 4348 | 2132 | zap6451.exe | 102
PID 2132 wrote to memory of 4348 | 2132 | zap6451.exe | 102
PID 2132 wrote to memory of 4348 | 2132 | zap6451.exe | 102
Processes (tree depth shown by indentation)

C:\Users\Admin\AppData\Local\Temp\6c311ee8d9090705e269d671db66cacccd41cc0c5bf2331b5774f210ce59f931.exe (PID 2500)
  Command line: "C:\Users\Admin\AppData\Local\Temp\6c311ee8d9090705e269d671db66cacccd41cc0c5bf2331b5774f210ce59f931.exe"
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zap7875.exe (PID 5024)
    Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zap7875.exe
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\zap6451.exe (PID 2132)
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\zap6451.exe
      - Executes dropped EXE
      - Adds Run key to start application
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\zap0008.exe (PID 4020)
        Command line: C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\zap0008.exe
        - Executes dropped EXE
        - Adds Run key to start application
        - System Location Discovery: System Language Discovery
        - Suspicious use of WriteProcessMemory
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\tz1125.exe (PID 4536)
          Command line: C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\tz1125.exe
          - Modifies Windows Defender Real-time Protection settings
          - Executes dropped EXE
          - Windows security modification
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v7496by.exe (PID 4576)
          Command line: C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v7496by.exe
          - Modifies Windows Defender Real-time Protection settings
          - Executes dropped EXE
          - Windows security modification
          - System Location Discovery: System Language Discovery
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
          C:\Windows\SysWOW64\WerFault.exe (PID 4184)
            Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4576 -s 1088
            - Program crash
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\w41EM73.exe (PID 4348)
        Command line: C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\w41EM73.exe
        - Executes dropped EXE
        - System Location Discovery: System Language Discovery
        - Suspicious use of AdjustPrivilegeToken

C:\Windows\SysWOW64\WerFault.exe (PID 1548)
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 4576 -ip 4576
Network
MITRE ATT&CK Enterprise v15
- Persistence
  - Boot or Logon Autostart Execution (1)
    - Registry Run Keys / Startup Folder (1)
  - Create or Modify System Process (1)
    - Windows Service (1)
Downloads
- Filesize: 816KB
  MD5: 9cbe97a4323a0f711bd0aef80717f654
  SHA1: 9fa9f19adb47e8245927aea26badc87a534b3ca0
  SHA256: ab33284be2c834b9c919a3b3e4417e4240a312b08c110220612cddfa9783c081
  SHA512: 29b5760114b5ee85236c191c987af9c5f5a4ad904c6bde7f77181829589cd2fe19762c94010577bdadf39726525e3e9016e8e464dd27be21254dd883c014c5fd
- Filesize: 674KB
  MD5: 071d1ef64bb408fcb7a4aad84d5d7cfa
  SHA1: 3b8312c312da230ab9eb0fa8245b2911e8db73b1
  SHA256: 2d37b1782647ee508214bc811206a75f7a23b174a38118364f5db1d5005400e1
  SHA512: 7ce3c51d16bd2acc8534530462d6241991d63ad0a115801992db1c188a65d45157431a17e80d2fd872bb47e1e6b523446d921517d7113b7a36168cbcf256a918
- Filesize: 318KB
  MD5: ae2c22778cb46572908c704839bca3b5
  SHA1: 52287c688d1a78296c867ec6df8c74bece57f7f6
  SHA256: 6f17e144630fd502b2b242314260d54bde26998b1704642576df3c9b1971fb52
  SHA512: 1efb657d88e6f23acf039eae67b8bf9b9e2c81e853212fc7e7784244e5a18c1ee92d0cc0b232f5a8aacb67cf9e8f6a593e759543acee1d1da871269b4f90e6b5
- Filesize: 333KB
  MD5: 4320deab9a016451bce0beffffc76851
  SHA1: c1cc15d32b72e3e721148393ef5bfb1456a16ded
  SHA256: 56dd94936f824e80c056d602c638c992665f4612886f246061d564eb4b6127f7
  SHA512: fdc8b81d52d4b72f974513d444173565f0782c809d94f7f63a668302710fca73011159cd93ef3ac14cdcde1b9f6ed9b99372e32b0e8a7fdd010bff55447b6c13
- Filesize: 11KB
  MD5: 14b593dca325ed32557bdc85e8218951
  SHA1: c342788e42717760f9a714e9910449fffd0d5293
  SHA256: 93efed1225541d50d7a2732a029efd839a8d447c54333a686c35f0604826885f
  SHA512: 754a141b7ad8b9265183bfea80ab4389745404f7391122c2f7fb29fe9eba4808f7ac18b2b7d7231a72e581513be37b9fc590474d8976bdfbc3faf0823319196a
- Filesize: 259KB
  MD5: 3311bb8fb350fba9fc14f84e1dc6cc15
  SHA1: 389d1a38e4dfad363f5d572c6c3cada58695e4dd
  SHA256: 69a0a8e1432709971a55ba3283595c657bf17bf8102354c54f5c9c0d0677dd8c
  SHA512: 7d11684b32518922a24a43034d315312d61c7f385806f441c540b30ab5f7757d999beb1a9505a0975c67289497f3de6b1e201239827dc84a8183ae951a575008