Overview

overview

10

Static

static

3

d5f9c0858d...82.exe

windows7-x64

10

d5f9c0858d...82.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    129s
  • max time network
    144s
  • platform
    windows7_x64
  • resource
    win7-20230703-en
  • resource tags

    arch:x64arch:x86image:win7-20230703-enlocale:en-usos:windows7-x64system
  • submitted
    07/07/2023, 22:31

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    d5f9c0858dfcb190fc6a26b1b5c36c82.exe

  • Size

    529KB

  • MD5

    d5f9c0858dfcb190fc6a26b1b5c36c82

  • SHA1

    849b17af4883a072de31d9b9f163e7976bd15c91

  • SHA256

    71bab99ff11e56a35ef3a95123b14f96822594d625ea6508e36c1a774a6878f4

  • SHA512

    bbfe21836255414d953ef2d4972da64844d8126b1421f45f5301b5e479d14dba546234654f4f17032ee76fd956d44a7a1a58a08c07c2de6bc01c25fe9b1feb8f

  • SSDEEP

    12288:Y+FGfvMaRdnQgM3faB6H0ZAFj1UpiyQj9PI2b:Y+FcvM82gM3i0UZkhwiyQ9R

Score
10/10
healerredlinefuroddropperevasioninfostealerpersistencetrojan

Malware Config

Extracted

Family

redline

Botnet

furod

C2

77.91.68.70:19073

Attributes
  • auth_value

    d2386245fe11799b28b4521492a5879d

Signatures

  • Detects Healer an antivirus disabler dropper 1 IoCs
  • Healer

    Healer an antivirus disabler dropper.

    dropperhealer
  • Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
    evasiontrojan
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 8 IoCs
  • Windows security modification 2 TTPs 2 IoCs
    evasiontrojan
  • Adds Run key to start application 2 TTPs 4 IoCs
    persistence
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 21 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\d5f9c0858dfcb190fc6a26b1b5c36c82.exe
    "C:\Users\Admin\AppData\Local\Temp\d5f9c0858dfcb190fc6a26b1b5c36c82.exe"
    1⤵
    • Loads dropped DLL
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:2232
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y9524744.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y9524744.exe
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:2320
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k9537288.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k9537288.exe
        3⤵
        • Modifies Windows Defender Real-time Protection settings
        • Executes dropped EXE
        • Loads dropped DLL
        • Windows security modification
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:656
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\l5574002.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\l5574002.exe
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        PID:580

Network

        MITRE ATT&CK Enterprise v6

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y9524744.exe
          Filesize

          260KB

          MD5

          05391c2b4897c92fcdd89480a1a61ff0

          SHA1

          e02f29e4a91ff3506d12f163685a2c80b5b8e645

          SHA256

          33497c0330d746bc6e38a74ea3b4f63fa33b58a5cb9cb94c947a6b5d25e6a5a1

          SHA512

          ef342d360e3eb73f03aa6705f3180543c7ee695030bd7888dea1e4d214933257533b1baf4c7c0bf03866813089785ccf6f4c23f2f7cb8a75a3a6c08e38ac1414

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y9524744.exe
          Filesize

          260KB

          MD5

          05391c2b4897c92fcdd89480a1a61ff0

          SHA1

          e02f29e4a91ff3506d12f163685a2c80b5b8e645

          SHA256

          33497c0330d746bc6e38a74ea3b4f63fa33b58a5cb9cb94c947a6b5d25e6a5a1

          SHA512

          ef342d360e3eb73f03aa6705f3180543c7ee695030bd7888dea1e4d214933257533b1baf4c7c0bf03866813089785ccf6f4c23f2f7cb8a75a3a6c08e38ac1414

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k9537288.exe
          Filesize

          96KB

          MD5

          6dd43c641739208db67ce75fd95c5a6b

          SHA1

          5e34a8eb6c07b9d0e5a7831038978a17b0f4299f

          SHA256

          cad21fb19e08849de3be8a83b0d5bfdf57dff9470fcf780fbc83863eb93bcc0b

          SHA512

          400969416513d87b0ac55d4e6636f56a83f512bef2b202d77e96745f6892eeb3963344441e6e0870a96c730d502480c749286c72c15335c254f1c4dc1f58cbf1

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k9537288.exe
          Filesize

          96KB

          MD5

          6dd43c641739208db67ce75fd95c5a6b

          SHA1

          5e34a8eb6c07b9d0e5a7831038978a17b0f4299f

          SHA256

          cad21fb19e08849de3be8a83b0d5bfdf57dff9470fcf780fbc83863eb93bcc0b

          SHA512

          400969416513d87b0ac55d4e6636f56a83f512bef2b202d77e96745f6892eeb3963344441e6e0870a96c730d502480c749286c72c15335c254f1c4dc1f58cbf1

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k9537288.exe
          Filesize

          96KB

          MD5

          6dd43c641739208db67ce75fd95c5a6b

          SHA1

          5e34a8eb6c07b9d0e5a7831038978a17b0f4299f

          SHA256

          cad21fb19e08849de3be8a83b0d5bfdf57dff9470fcf780fbc83863eb93bcc0b

          SHA512

          400969416513d87b0ac55d4e6636f56a83f512bef2b202d77e96745f6892eeb3963344441e6e0870a96c730d502480c749286c72c15335c254f1c4dc1f58cbf1

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\l5574002.exe
          Filesize

          257KB

          MD5

          244c09aa8ba50d70e49d727b0918f837

          SHA1

          662e88794e0cff9d607a3a22b11f712b6d7d207c

          SHA256

          43949b9c1b167eab895db869cac266f34dc661e9182e6d1ad37634706d099e73

          SHA512

          167acc0b4d33b84d1661cbfae3c164c359b9863f894af2419829d0d9eb62929d3a5907e065ba45cabbe9db407a1e32ec99ac63e5e235491b3d8b159f15b90eab

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\l5574002.exe
          Filesize

          257KB

          MD5

          244c09aa8ba50d70e49d727b0918f837

          SHA1

          662e88794e0cff9d607a3a22b11f712b6d7d207c

          SHA256

          43949b9c1b167eab895db869cac266f34dc661e9182e6d1ad37634706d099e73

          SHA512

          167acc0b4d33b84d1661cbfae3c164c359b9863f894af2419829d0d9eb62929d3a5907e065ba45cabbe9db407a1e32ec99ac63e5e235491b3d8b159f15b90eab

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\l5574002.exe
          Filesize

          257KB

          MD5

          244c09aa8ba50d70e49d727b0918f837

          SHA1

          662e88794e0cff9d607a3a22b11f712b6d7d207c

          SHA256

          43949b9c1b167eab895db869cac266f34dc661e9182e6d1ad37634706d099e73

          SHA512

          167acc0b4d33b84d1661cbfae3c164c359b9863f894af2419829d0d9eb62929d3a5907e065ba45cabbe9db407a1e32ec99ac63e5e235491b3d8b159f15b90eab

          Download Submit

        • \Users\Admin\AppData\Local\Temp\IXP000.TMP\y9524744.exe
          Filesize

          260KB

          MD5

          05391c2b4897c92fcdd89480a1a61ff0

          SHA1

          e02f29e4a91ff3506d12f163685a2c80b5b8e645

          SHA256

          33497c0330d746bc6e38a74ea3b4f63fa33b58a5cb9cb94c947a6b5d25e6a5a1

          SHA512

          ef342d360e3eb73f03aa6705f3180543c7ee695030bd7888dea1e4d214933257533b1baf4c7c0bf03866813089785ccf6f4c23f2f7cb8a75a3a6c08e38ac1414

          Download Submit

        • \Users\Admin\AppData\Local\Temp\IXP000.TMP\y9524744.exe
          Filesize

          260KB

          MD5

          05391c2b4897c92fcdd89480a1a61ff0

          SHA1

          e02f29e4a91ff3506d12f163685a2c80b5b8e645

          SHA256

          33497c0330d746bc6e38a74ea3b4f63fa33b58a5cb9cb94c947a6b5d25e6a5a1

          SHA512

          ef342d360e3eb73f03aa6705f3180543c7ee695030bd7888dea1e4d214933257533b1baf4c7c0bf03866813089785ccf6f4c23f2f7cb8a75a3a6c08e38ac1414

          Download Submit

        • \Users\Admin\AppData\Local\Temp\IXP001.TMP\k9537288.exe
          Filesize

          96KB

          MD5

          6dd43c641739208db67ce75fd95c5a6b

          SHA1

          5e34a8eb6c07b9d0e5a7831038978a17b0f4299f

          SHA256

          cad21fb19e08849de3be8a83b0d5bfdf57dff9470fcf780fbc83863eb93bcc0b

          SHA512

          400969416513d87b0ac55d4e6636f56a83f512bef2b202d77e96745f6892eeb3963344441e6e0870a96c730d502480c749286c72c15335c254f1c4dc1f58cbf1

          Download Submit

        • \Users\Admin\AppData\Local\Temp\IXP001.TMP\k9537288.exe
          Filesize

          96KB

          MD5

          6dd43c641739208db67ce75fd95c5a6b

          SHA1

          5e34a8eb6c07b9d0e5a7831038978a17b0f4299f

          SHA256

          cad21fb19e08849de3be8a83b0d5bfdf57dff9470fcf780fbc83863eb93bcc0b

          SHA512

          400969416513d87b0ac55d4e6636f56a83f512bef2b202d77e96745f6892eeb3963344441e6e0870a96c730d502480c749286c72c15335c254f1c4dc1f58cbf1

          Download Submit

        • \Users\Admin\AppData\Local\Temp\IXP001.TMP\k9537288.exe
          Filesize

          96KB

          MD5

          6dd43c641739208db67ce75fd95c5a6b

          SHA1

          5e34a8eb6c07b9d0e5a7831038978a17b0f4299f

          SHA256

          cad21fb19e08849de3be8a83b0d5bfdf57dff9470fcf780fbc83863eb93bcc0b

          SHA512

          400969416513d87b0ac55d4e6636f56a83f512bef2b202d77e96745f6892eeb3963344441e6e0870a96c730d502480c749286c72c15335c254f1c4dc1f58cbf1

          Download Submit

        • \Users\Admin\AppData\Local\Temp\IXP001.TMP\l5574002.exe
          Filesize

          257KB

          MD5

          244c09aa8ba50d70e49d727b0918f837

          SHA1

          662e88794e0cff9d607a3a22b11f712b6d7d207c

          SHA256

          43949b9c1b167eab895db869cac266f34dc661e9182e6d1ad37634706d099e73

          SHA512

          167acc0b4d33b84d1661cbfae3c164c359b9863f894af2419829d0d9eb62929d3a5907e065ba45cabbe9db407a1e32ec99ac63e5e235491b3d8b159f15b90eab

          Download Submit

        • \Users\Admin\AppData\Local\Temp\IXP001.TMP\l5574002.exe
          Filesize

          257KB

          MD5

          244c09aa8ba50d70e49d727b0918f837

          SHA1

          662e88794e0cff9d607a3a22b11f712b6d7d207c

          SHA256

          43949b9c1b167eab895db869cac266f34dc661e9182e6d1ad37634706d099e73

          SHA512

          167acc0b4d33b84d1661cbfae3c164c359b9863f894af2419829d0d9eb62929d3a5907e065ba45cabbe9db407a1e32ec99ac63e5e235491b3d8b159f15b90eab

          Download Submit

        • \Users\Admin\AppData\Local\Temp\IXP001.TMP\l5574002.exe
          Filesize

          257KB

          MD5

          244c09aa8ba50d70e49d727b0918f837

          SHA1

          662e88794e0cff9d607a3a22b11f712b6d7d207c

          SHA256

          43949b9c1b167eab895db869cac266f34dc661e9182e6d1ad37634706d099e73

          SHA512

          167acc0b4d33b84d1661cbfae3c164c359b9863f894af2419829d0d9eb62929d3a5907e065ba45cabbe9db407a1e32ec99ac63e5e235491b3d8b159f15b90eab

          Download Submit

        • memory/580-97-0x0000000000340000-0x0000000000370000-memory.dmp

          Filesize

          192KB

          Download

        • memory/580-101-0x0000000002290000-0x0000000002296000-memory.dmp

          Filesize

          24KB

          Download

        • memory/580-102-0x00000000022A0000-0x00000000022E0000-memory.dmp

          Filesize

          256KB

          Download

        • memory/580-103-0x00000000022A0000-0x00000000022E0000-memory.dmp

          Filesize

          256KB

          Download

        • memory/656-83-0x0000000000020000-0x000000000002A000-memory.dmp

          Filesize

          40KB

          Download

        • memory/2232-54-0x0000000000310000-0x0000000000384000-memory.dmp

          Filesize

          464KB

          Download