Analysis
max time kernel: 143s
max time network: 150s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 09/11/2024, 20:32
Static task: static1
Behavioral task: behavioral1
Sample: 6025eef877d4beaa2dc37d0e011929ccff1b8bcb3f93fb2e5cd7b1dcb00b4d4b.exe
Resource: win10v2004-20241007-en
General
Target: 6025eef877d4beaa2dc37d0e011929ccff1b8bcb3f93fb2e5cd7b1dcb00b4d4b.exe
Size: 836KB
MD5: 2eeef679dabce901807bb7d7af869e53
SHA1: de69cb1a0be0b3e3870d4ec370f8b72edb4b10dd
SHA256: 6025eef877d4beaa2dc37d0e011929ccff1b8bcb3f93fb2e5cd7b1dcb00b4d4b
SHA512: 3771fe75a608149841a2cab0f7889b3178278c2e4300d69d7bee41b1976694fd9115bcce6a31742fbcbfa6e417c80effe7fe01f834039d3fae8a7235b44b0661
SSDEEP: 12288:JMr5y90oBNUIEE48azJWzEOrQLSbqQ5Hd3ICLv+vYtDWvzIExWJqsf1/hKe5:EyxQ6YKEOPbqoHhICLvYYcsd3S+
Malware Config
Extracted
Family: redline
Botnet: gena
C2: 193.233.20.30:4125
auth_value: 93c20961cb6b06b2d5781c212db6201e
Signatures

Detects Healer, an antivirus disabler dropper (19 IoCs)
Healer family

Modifies Windows Defender Real-time Protection settings
f8328xP.exe:
- Key created: \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"
h44Ar04.exe:
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"
- Key created: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.

RedLine payload (20 IoCs)
Redline family

Executes dropped EXE (5 IoCs)
- PID 2076: niba4835.exe
- PID 4056: niba8925.exe
- PID 540: f8328xP.exe
- PID 1480: h44Ar04.exe
- PID 4160: iBGAA79.exe

Windows security modification
f8328xP.exe:
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"
h44Ar04.exe:
- Key created: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"

Adds Run key to start application (2 TTPs, 3 IoCs)
6025eef877d4beaa2dc37d0e011929ccff1b8bcb3f93fb2e5cd7b1dcb00b4d4b.exe:
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""
niba4835.exe:
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""
niba8925.exe:
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""

Program crash (1 IoC)
- pid 1220, pid_target 1480, Process WerFault.exe, procid_target 97
System Location Discovery: System Language Discovery (1 TTP, 5 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (6025eef877d4beaa2dc37d0e011929ccff1b8bcb3f93fb2e5cd7b1dcb00b4d4b.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (niba4835.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (niba8925.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (h44Ar04.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (iBGAA79.exe)
Suspicious behavior: EnumeratesProcesses (4 IoCs)
- PID 540: f8328xP.exe
- PID 540: f8328xP.exe
- PID 1480: h44Ar04.exe
- PID 1480: h44Ar04.exe

Suspicious use of AdjustPrivilegeToken (3 IoCs)
- Token: SeDebugPrivilege, PID 540, f8328xP.exe
- Token: SeDebugPrivilege, PID 1480, h44Ar04.exe
- Token: SeDebugPrivilege, PID 4160, iBGAA79.exe

Suspicious use of WriteProcessMemory (14 IoCs)
- PID 1280 wrote to memory of 2076 (6025eef877d4beaa2dc37d0e011929ccff1b8bcb3f93fb2e5cd7b1dcb00b4d4b.exe, procid_target 83)
- PID 1280 wrote to memory of 2076 (6025eef877d4beaa2dc37d0e011929ccff1b8bcb3f93fb2e5cd7b1dcb00b4d4b.exe, procid_target 83)
- PID 1280 wrote to memory of 2076 (6025eef877d4beaa2dc37d0e011929ccff1b8bcb3f93fb2e5cd7b1dcb00b4d4b.exe, procid_target 83)
- PID 2076 wrote to memory of 4056 (niba4835.exe, procid_target 85)
- PID 2076 wrote to memory of 4056 (niba4835.exe, procid_target 85)
- PID 2076 wrote to memory of 4056 (niba4835.exe, procid_target 85)
- PID 4056 wrote to memory of 540 (niba8925.exe, procid_target 86)
- PID 4056 wrote to memory of 540 (niba8925.exe, procid_target 86)
- PID 4056 wrote to memory of 1480 (niba8925.exe, procid_target 97)
- PID 4056 wrote to memory of 1480 (niba8925.exe, procid_target 97)
- PID 4056 wrote to memory of 1480 (niba8925.exe, procid_target 97)
- PID 2076 wrote to memory of 4160 (niba4835.exe, procid_target 102)
- PID 2076 wrote to memory of 4160 (niba4835.exe, procid_target 102)
- PID 2076 wrote to memory of 4160 (niba4835.exe, procid_target 102)
Processes

C:\Users\Admin\AppData\Local\Temp\6025eef877d4beaa2dc37d0e011929ccff1b8bcb3f93fb2e5cd7b1dcb00b4d4b.exe (level 1, PID 1280)
Command line: "C:\Users\Admin\AppData\Local\Temp\6025eef877d4beaa2dc37d0e011929ccff1b8bcb3f93fb2e5cd7b1dcb00b4d4b.exe"
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\niba4835.exe (level 2, PID 2076)
  Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\niba4835.exe
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\niba8925.exe (level 3, PID 4056)
    Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\niba8925.exe
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory

      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\f8328xP.exe (level 4, PID 540)
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\f8328xP.exe
      - Modifies Windows Defender Real-time Protection settings
      - Executes dropped EXE
      - Windows security modification
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken

      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\h44Ar04.exe (level 4, PID 1480)
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\h44Ar04.exe
      - Modifies Windows Defender Real-time Protection settings
      - Executes dropped EXE
      - Windows security modification
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken

        C:\Windows\SysWOW64\WerFault.exe (level 5, PID 1220)
        Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1480 -s 1064
        - Program crash

    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\iBGAA79.exe (level 3, PID 4160)
    Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\iBGAA79.exe
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken

C:\Windows\SysWOW64\WerFault.exe (level 1, PID 448)
Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 1480 -ip 1480
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (1)
  - Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (1)
  - Windows Service (1)
Downloads