Overview

overview

10

Static

static

3

018db4a20d...d5.exe

windows7-x64

10

018db4a20d...d5.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    146s
  • max time network
    155s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230703-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
  • submitted
    07-07-2023 10:29

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    018db4a20da672d3d610be2ba1d01ad5.exe

  • Size

    529KB

  • MD5

    018db4a20da672d3d610be2ba1d01ad5

  • SHA1

    7d4a5d699bc5c0f01882f06a858642f0bc17748a

  • SHA256

    976e1a7f53ef603d28c7c09dfe79131eb39db99d146b9f9bfb745c0fda784f0e

  • SHA512

    a8867578326961727253b621bed60cd4524f77aa686ff73bba88cc9fba16c7a2315500c4a2190f79ddd465e66b63341b9964cfab2c373d63b0c35bfedae33407

  • SSDEEP

    12288:UJO1NfvwaRdnQglAUghKdnEESOiB5QqakTtCL41BrgB3:UJO15vw82g4hsEiC5QLKC01q3

Score
10/10
healerredlinefuroddropperevasioninfostealerpersistencetrojan

Malware Config

Extracted

Family

redline

Botnet

furod

C2

77.91.68.70:19073

Attributes
  • auth_value

    d2386245fe11799b28b4521492a5879d

Signatures

  • Detects Healer an antivirus disabler dropper 1 IoCs
  • Healer

    Healer an antivirus disabler dropper.

    dropperhealer
  • Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
    evasiontrojan
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • Executes dropped EXE 3 IoCs
  • Windows security modification 2 TTPs 2 IoCs
    evasiontrojan
  • Adds Run key to start application 2 TTPs 4 IoCs
    persistence
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\018db4a20da672d3d610be2ba1d01ad5.exe
    "C:\Users\Admin\AppData\Local\Temp\018db4a20da672d3d610be2ba1d01ad5.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:908
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y9704530.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y9704530.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:2704
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k9724907.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k9724907.exe
        3⤵
        • Modifies Windows Defender Real-time Protection settings
        • Executes dropped EXE
        • Windows security modification
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:4524
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\l9162646.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\l9162646.exe
        3⤵
        • Executes dropped EXE
        PID:2560

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\System.dll.log
    Filesize

    226B

    MD5

    916851e072fbabc4796d8916c5131092

    SHA1

    d48a602229a690c512d5fdaf4c8d77547a88e7a2

    SHA256

    7e750c904c43d27c89e55af809a679a96c0bb63fc511006ffbceffc2c7f6fb7d

    SHA512

    07ce4c881d6c411cac0b62364377e77950797c486804fb10d00555458716e3c47b1efc0d1f37e4cc3b7e6565bb402ca01c7ea8c963f9f9ace941a6e3883d2521

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y9704530.exe
    Filesize

    261KB

    MD5

    1532d14881d395a664daf4d78a675bd3

    SHA1

    48be4f7e60a43285794f1dc4934df0a2d5811d5c

    SHA256

    26a66affe01d6351fd6f9a1d9facb3558ef99ad5ba95b6ed2daa32fd8f05db24

    SHA512

    15c263f8e4473d827cd27c25df66a520cc5a5f05cdd4d5533c4dac6bc04db424919d1b4e3920d3085341e119bf9a909abb7e87f8b21c9f0c3604d2635a6857ac

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y9704530.exe
    Filesize

    261KB

    MD5

    1532d14881d395a664daf4d78a675bd3

    SHA1

    48be4f7e60a43285794f1dc4934df0a2d5811d5c

    SHA256

    26a66affe01d6351fd6f9a1d9facb3558ef99ad5ba95b6ed2daa32fd8f05db24

    SHA512

    15c263f8e4473d827cd27c25df66a520cc5a5f05cdd4d5533c4dac6bc04db424919d1b4e3920d3085341e119bf9a909abb7e87f8b21c9f0c3604d2635a6857ac

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k9724907.exe
    Filesize

    96KB

    MD5

    96b17b46563b5387f5bb858e4c013c5c

    SHA1

    265e3c6571ca006b3fe53c4b57d43da650a3bf16

    SHA256

    f74ece98fef5d7c739971be262f64d372c48d4afdf75a72dce0245c0ec578b6a

    SHA512

    5bb1b6da193d7ea208723df3da841a7efa54467a6a5a1ade30ed1644394567d60f9421927897eb6c6ed97961b8a5f6353961d76df898e15756e084b14bf0b651

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k9724907.exe
    Filesize

    96KB

    MD5

    96b17b46563b5387f5bb858e4c013c5c

    SHA1

    265e3c6571ca006b3fe53c4b57d43da650a3bf16

    SHA256

    f74ece98fef5d7c739971be262f64d372c48d4afdf75a72dce0245c0ec578b6a

    SHA512

    5bb1b6da193d7ea208723df3da841a7efa54467a6a5a1ade30ed1644394567d60f9421927897eb6c6ed97961b8a5f6353961d76df898e15756e084b14bf0b651

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\l9162646.exe
    Filesize

    257KB

    MD5

    ef5873e91794f70d33c148d37439fac2

    SHA1

    3aa6cc6c3e99e8a1ce49393da02a8164fe46109a

    SHA256

    764af360c00efeba23c2e0589f937eb10977761605e3fd276cb13350de5e4757

    SHA512

    8d87611dc983e9efd5d377313be7e00002518fac0391881e732658e8bcce031d300b1b525dfe0f2634d07ecc018e1767cb1e4ecca52d81e68c12bf13e1ee504c

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\l9162646.exe
    Filesize

    257KB

    MD5

    ef5873e91794f70d33c148d37439fac2

    SHA1

    3aa6cc6c3e99e8a1ce49393da02a8164fe46109a

    SHA256

    764af360c00efeba23c2e0589f937eb10977761605e3fd276cb13350de5e4757

    SHA512

    8d87611dc983e9efd5d377313be7e00002518fac0391881e732658e8bcce031d300b1b525dfe0f2634d07ecc018e1767cb1e4ecca52d81e68c12bf13e1ee504c

    Download Submit

  • memory/908-133-0x00000000007D0000-0x0000000000844000-memory.dmp

    Filesize

    464KB

    Download

  • memory/2560-162-0x0000000000560000-0x0000000000590000-memory.dmp

    Filesize

    192KB

    Download

  • memory/2560-167-0x0000000004BF0000-0x0000000005208000-memory.dmp

    Filesize

    6.1MB

    Download

  • memory/2560-168-0x0000000005210000-0x000000000531A000-memory.dmp

    Filesize

    1.0MB

    Download

  • memory/2560-169-0x0000000005340000-0x0000000005352000-memory.dmp

    Filesize

    72KB

    Download

  • memory/2560-170-0x0000000005360000-0x000000000539C000-memory.dmp

    Filesize

    240KB

    Download

  • memory/2560-171-0x0000000004BE0000-0x0000000004BF0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2560-172-0x0000000004BE0000-0x0000000004BF0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/4524-153-0x00000000001F0000-0x00000000001FA000-memory.dmp

    Filesize

    40KB

    Download