Analysis

max time kernel: 147s
max time network: 150s
platform: windows7_x64
resource: win7-20241010-en
resource tags: arch:x64, arch:x86, image:win7-20241010-en, locale:en-us, os:windows7-x64, system
submitted: 11/11/2024, 01:24 UTC
Static task: static1

Behavioral task: behavioral1
Sample: e8a10a7c507ee5bcad1209baa92c9334c35ea5bdb16a74a1e763bb939e9ccb2f.exe
Resource: win7-20241010-en

Behavioral task: behavioral2
Sample: e8a10a7c507ee5bcad1209baa92c9334c35ea5bdb16a74a1e763bb939e9ccb2f.exe
Resource: win10v2004-20241007-en
General

Target: e8a10a7c507ee5bcad1209baa92c9334c35ea5bdb16a74a1e763bb939e9ccb2f.exe
Size: 1.2MB
MD5: 1aa19e1709f5bf79aae55375110077b4
SHA1: 51d01e2308e868be50bd3af35bd8262f3636a442
SHA256: e8a10a7c507ee5bcad1209baa92c9334c35ea5bdb16a74a1e763bb939e9ccb2f
SHA512: dc2f69e88cfd42332fa2cd9a8e8d9ce06010d7b9da356b43dbfcb9f616cb23534d6534c7b715c3dab4b0ead4198e987d1cd205de90da7af19ee76ccaa502df51
SSDEEP: 24576:+pQsfGjoufGJCgl9KDJU4x3FZHlc0nQAI7Hu7ecHHMnnxPiH7S:+h+0ufGQgl9ybfH2qQ1LqHohiH
Malware Config

Extracted
Family: redline
Botnet: mango
C2: 193.233.20.28:4125
auth_value: ecf79d7f5227d998a3501c972d915d23
Signatures

Detects Healer, an antivirus disabler dropper 19 IoCs
resource | yara_rule
behavioral1/files/0x000600000001a049-38.dat | healer
behavioral1/memory/2016-42-0x0000000000A80000-0x0000000000A8A000-memory.dmp | healer
behavioral1/memory/2768-57-0x0000000002FB0000-0x0000000002FCA000-memory.dmp | healer
behavioral1/memory/2768-58-0x0000000003020000-0x0000000003038000-memory.dmp | healer
behavioral1/memory/2768-59-0x0000000003020000-0x0000000003032000-memory.dmp | healer
behavioral1/memory/2768-68-0x0000000003020000-0x0000000003032000-memory.dmp | healer
behavioral1/memory/2768-86-0x0000000003020000-0x0000000003032000-memory.dmp | healer
behavioral1/memory/2768-84-0x0000000003020000-0x0000000003032000-memory.dmp | healer
behavioral1/memory/2768-82-0x0000000003020000-0x0000000003032000-memory.dmp | healer
behavioral1/memory/2768-80-0x0000000003020000-0x0000000003032000-memory.dmp | healer
behavioral1/memory/2768-78-0x0000000003020000-0x0000000003032000-memory.dmp | healer
behavioral1/memory/2768-76-0x0000000003020000-0x0000000003032000-memory.dmp | healer
behavioral1/memory/2768-74-0x0000000003020000-0x0000000003032000-memory.dmp | healer
behavioral1/memory/2768-72-0x0000000003020000-0x0000000003032000-memory.dmp | healer
behavioral1/memory/2768-71-0x0000000003020000-0x0000000003032000-memory.dmp | healer
behavioral1/memory/2768-66-0x0000000003020000-0x0000000003032000-memory.dmp | healer
behavioral1/memory/2768-64-0x0000000003020000-0x0000000003032000-memory.dmp | healer
behavioral1/memory/2768-62-0x0000000003020000-0x0000000003032000-memory.dmp | healer
behavioral1/memory/2768-60-0x0000000003020000-0x0000000003032000-memory.dmp | healer
Healer family

Modifies Windows Defender Real-time Protection settings
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | bus1204.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | bus1204.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | bus1204.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | con9625.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | con9625.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | con9625.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | bus1204.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | bus1204.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | bus1204.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | con9625.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | con9625.exe
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
RedLine payload 18 IoCs
resource | yara_rule
behavioral1/memory/1136-101-0x00000000030C0000-0x0000000003104000-memory.dmp | family_redline
behavioral1/memory/1136-100-0x0000000003030000-0x0000000003076000-memory.dmp | family_redline
behavioral1/memory/1136-131-0x00000000030C0000-0x00000000030FE000-memory.dmp | family_redline
behavioral1/memory/1136-129-0x00000000030C0000-0x00000000030FE000-memory.dmp | family_redline
behavioral1/memory/1136-127-0x00000000030C0000-0x00000000030FE000-memory.dmp | family_redline
behavioral1/memory/1136-125-0x00000000030C0000-0x00000000030FE000-memory.dmp | family_redline
behavioral1/memory/1136-123-0x00000000030C0000-0x00000000030FE000-memory.dmp | family_redline
behavioral1/memory/1136-121-0x00000000030C0000-0x00000000030FE000-memory.dmp | family_redline
behavioral1/memory/1136-119-0x00000000030C0000-0x00000000030FE000-memory.dmp | family_redline
behavioral1/memory/1136-117-0x00000000030C0000-0x00000000030FE000-memory.dmp | family_redline
behavioral1/memory/1136-115-0x00000000030C0000-0x00000000030FE000-memory.dmp | family_redline
behavioral1/memory/1136-113-0x00000000030C0000-0x00000000030FE000-memory.dmp | family_redline
behavioral1/memory/1136-111-0x00000000030C0000-0x00000000030FE000-memory.dmp | family_redline
behavioral1/memory/1136-109-0x00000000030C0000-0x00000000030FE000-memory.dmp | family_redline
behavioral1/memory/1136-107-0x00000000030C0000-0x00000000030FE000-memory.dmp | family_redline
behavioral1/memory/1136-105-0x00000000030C0000-0x00000000030FE000-memory.dmp | family_redline
behavioral1/memory/1136-103-0x00000000030C0000-0x00000000030FE000-memory.dmp | family_redline
behavioral1/memory/1136-102-0x00000000030C0000-0x00000000030FE000-memory.dmp | family_redline
Redline family
Executes dropped EXE 6 IoCs
pid | Process
1888 | kino2271.exe
3056 | kino5947.exe
3068 | kino4046.exe
2016 | bus1204.exe
2768 | con9625.exe
1136 | dIP10s14.exe
Loads dropped DLL 13 IoCs
pid | Process
2380 | e8a10a7c507ee5bcad1209baa92c9334c35ea5bdb16a74a1e763bb939e9ccb2f.exe
1888 | kino2271.exe
1888 | kino2271.exe
3056 | kino5947.exe
3056 | kino5947.exe
3068 | kino4046.exe
3068 | kino4046.exe
3068 | kino4046.exe
3068 | kino4046.exe
2768 | con9625.exe
3056 | kino5947.exe
3056 | kino5947.exe
1136 | dIP10s14.exe

Windows security modification
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" | bus1204.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features | con9625.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" | con9625.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features | bus1204.exe
Adds Run key to start application 2 TTPs 4 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" | kino4046.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | e8a10a7c507ee5bcad1209baa92c9334c35ea5bdb16a74a1e763bb939e9ccb2f.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | kino2271.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" | kino5947.exe
System Location Discovery: System Language Discovery 1 TTPs 6 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | con9625.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | dIP10s14.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | e8a10a7c507ee5bcad1209baa92c9334c35ea5bdb16a74a1e763bb939e9ccb2f.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | kino2271.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | kino5947.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | kino4046.exe
Suspicious behavior: EnumeratesProcesses 4 IoCs
pid | Process
2016 | bus1204.exe
2016 | bus1204.exe
2768 | con9625.exe
2768 | con9625.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs
description | pid | Process
Token: SeDebugPrivilege | 2016 | bus1204.exe
Token: SeDebugPrivilege | 2768 | con9625.exe
Token: SeDebugPrivilege | 1136 | dIP10s14.exe
Suspicious use of WriteProcessMemory 42 IoCs
description | pid | Process | procid_target
PID 2380 wrote to memory of 1888 | 2380 | e8a10a7c507ee5bcad1209baa92c9334c35ea5bdb16a74a1e763bb939e9ccb2f.exe | 30
PID 2380 wrote to memory of 1888 | 2380 | e8a10a7c507ee5bcad1209baa92c9334c35ea5bdb16a74a1e763bb939e9ccb2f.exe | 30
PID 2380 wrote to memory of 1888 | 2380 | e8a10a7c507ee5bcad1209baa92c9334c35ea5bdb16a74a1e763bb939e9ccb2f.exe | 30
PID 2380 wrote to memory of 1888 | 2380 | e8a10a7c507ee5bcad1209baa92c9334c35ea5bdb16a74a1e763bb939e9ccb2f.exe | 30
PID 2380 wrote to memory of 1888 | 2380 | e8a10a7c507ee5bcad1209baa92c9334c35ea5bdb16a74a1e763bb939e9ccb2f.exe | 30
PID 2380 wrote to memory of 1888 | 2380 | e8a10a7c507ee5bcad1209baa92c9334c35ea5bdb16a74a1e763bb939e9ccb2f.exe | 30
PID 2380 wrote to memory of 1888 | 2380 | e8a10a7c507ee5bcad1209baa92c9334c35ea5bdb16a74a1e763bb939e9ccb2f.exe | 30
PID 1888 wrote to memory of 3056 | 1888 | kino2271.exe | 31
PID 1888 wrote to memory of 3056 | 1888 | kino2271.exe | 31
PID 1888 wrote to memory of 3056 | 1888 | kino2271.exe | 31
PID 1888 wrote to memory of 3056 | 1888 | kino2271.exe | 31
PID 1888 wrote to memory of 3056 | 1888 | kino2271.exe | 31
PID 1888 wrote to memory of 3056 | 1888 | kino2271.exe | 31
PID 1888 wrote to memory of 3056 | 1888 | kino2271.exe | 31
PID 3056 wrote to memory of 3068 | 3056 | kino5947.exe | 32
PID 3056 wrote to memory of 3068 | 3056 | kino5947.exe | 32
PID 3056 wrote to memory of 3068 | 3056 | kino5947.exe | 32
PID 3056 wrote to memory of 3068 | 3056 | kino5947.exe | 32
PID 3056 wrote to memory of 3068 | 3056 | kino5947.exe | 32
PID 3056 wrote to memory of 3068 | 3056 | kino5947.exe | 32
PID 3056 wrote to memory of 3068 | 3056 | kino5947.exe | 32
PID 3068 wrote to memory of 2016 | 3068 | kino4046.exe | 33
PID 3068 wrote to memory of 2016 | 3068 | kino4046.exe | 33
PID 3068 wrote to memory of 2016 | 3068 | kino4046.exe | 33
PID 3068 wrote to memory of 2016 | 3068 | kino4046.exe | 33
PID 3068 wrote to memory of 2016 | 3068 | kino4046.exe | 33
PID 3068 wrote to memory of 2016 | 3068 | kino4046.exe | 33
PID 3068 wrote to memory of 2016 | 3068 | kino4046.exe | 33
PID 3068 wrote to memory of 2768 | 3068 | kino4046.exe | 34
PID 3068 wrote to memory of 2768 | 3068 | kino4046.exe | 34
PID 3068 wrote to memory of 2768 | 3068 | kino4046.exe | 34
PID 3068 wrote to memory of 2768 | 3068 | kino4046.exe | 34
PID 3068 wrote to memory of 2768 | 3068 | kino4046.exe | 34
PID 3068 wrote to memory of 2768 | 3068 | kino4046.exe | 34
PID 3068 wrote to memory of 2768 | 3068 | kino4046.exe | 34
PID 3056 wrote to memory of 1136 | 3056 | kino5947.exe | 35
PID 3056 wrote to memory of 1136 | 3056 | kino5947.exe | 35
PID 3056 wrote to memory of 1136 | 3056 | kino5947.exe | 35
PID 3056 wrote to memory of 1136 | 3056 | kino5947.exe | 35
PID 3056 wrote to memory of 1136 | 3056 | kino5947.exe | 35
PID 3056 wrote to memory of 1136 | 3056 | kino5947.exe | 35
PID 3056 wrote to memory of 1136 | 3056 | kino5947.exe | 35
Processes

C:\Users\Admin\AppData\Local\Temp\e8a10a7c507ee5bcad1209baa92c9334c35ea5bdb16a74a1e763bb939e9ccb2f.exe (PID 2380, depth 1)
Command line: "C:\Users\Admin\AppData\Local\Temp\e8a10a7c507ee5bcad1209baa92c9334c35ea5bdb16a74a1e763bb939e9ccb2f.exe"
- Loads dropped DLL
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\kino2271.exe (PID 1888, depth 2)
  Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\kino2271.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kino5947.exe (PID 3056, depth 3)
    Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kino5947.exe
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory

      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\kino4046.exe (PID 3068, depth 4)
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\kino4046.exe
      - Executes dropped EXE
      - Loads dropped DLL
      - Adds Run key to start application
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory

        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bus1204.exe (PID 2016, depth 5)
        Command line: C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bus1204.exe
        - Modifies Windows Defender Real-time Protection settings
        - Executes dropped EXE
        - Windows security modification
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken

        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\con9625.exe (PID 2768, depth 5)
        Command line: C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\con9625.exe
        - Modifies Windows Defender Real-time Protection settings
        - Executes dropped EXE
        - Loads dropped DLL
        - Windows security modification
        - System Location Discovery: System Language Discovery
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken

      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\dIP10s14.exe (PID 1136, depth 4)
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\dIP10s14.exe
      - Executes dropped EXE
      - Loads dropped DLL
      - System Location Discovery: System Language Discovery
      - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15

Persistence
  Boot or Logon Autostart Execution (1)
    Registry Run Keys / Startup Folder (1)
  Create or Modify System Process (1)
    Windows Service (1)
Downloads

Filesize: 395KB
MD5: add94bdb084cb990c783fe9308cf96be
SHA1: 92ea51381a2708f9622cd3f1b1faa82a04a42ba4
SHA256: 5d42d00a9a37c12a5bfd971ea2b992d60afe6516db0dbeaf42eebbba2a6dd50a
SHA512: fefe9ee7c18cf7f13a5f11458c87728a6ddea2f176429bf3d0777b71f992c31c15822c84216d5bf88f194eedf9026928f0dbf102cf5f56c167ac05c6726aee6d

Filesize: 844KB
MD5: 564cc43b86db34b742137662602ab3ab
SHA1: 577bcbad1511c992a322274291bb1fb7385cd459
SHA256: ea98be9679e2163bd02d22bc4f8d7f9ad8f038dd7b18d6cd4b0eccf0e58ab392
SHA512: b9448c7668c71490b6fb7afe9c24953a5e3fc7dcd9fbb4b3a67d0227622a18e77edec3b82aad0facbaff868beafcab3d420c8a5b171ab011f3c25fa41d9005c4

Filesize: 702KB
MD5: c6c7fba7e091b12acd8bd5889e7b87ca
SHA1: 3308e2cd8e003f4fe878fe776aaf69c8a1bc6cd0
SHA256: 1cc5332927d935d02c498b5c946c7bbcfc5143df1b1b40d8f71d28905f795ac1
SHA512: 2133c986c3c6957df75446a91c5c9237936b3c418c4de2a8c4f16dfe900215d01c0a074e095212b86ff3bfcdea5a98b5ad608bb412222941f55edcff47408a17

Filesize: 348KB
MD5: 402ef217873c38e5e38493c29e50e18d
SHA1: ab52486519a30e1ef6dab13f17b1dfb32c2086be
SHA256: 9e894d8e8112da10fc0b5938b160c1d53de15300d6666b5738db5a180f87cd78
SHA512: 931d7e06aa0080c7ca4546750265b9552857ee69133f2d8ab996cb940b9a5e81f2600f20710721dd6f5d483df3fbeacb4849981a71809c5544e31281f68abf5a

Filesize: 11KB
MD5: 7e93bacbbc33e6652e147e7fe07572a0
SHA1: 421a7167da01c8da4dc4d5234ca3dd84e319e762
SHA256: 850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38
SHA512: 250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

Filesize: 337KB
MD5: 35a176e6918ad78a3991b165e430d3c3
SHA1: 71478f6ec1baa3d8a29c97520953b2c12c0192ab
SHA256: 8be527cc2dfd61ba40c49f16054efe1932c6f18cb56a948feb381b963e7401d9
SHA512: 19bde67ab088d999322ce06c4d3120ed22fbada9a352e988e77e6d98fa9eaafeffa5c65dd149e73e86743bd5a3ac30f9c2fbcac46a9d5c95e88c91e3aeb1ac44