Overview

overview

10

Static

static

3

b20d8f8d09...4f.exe

windows7-x64

10

b20d8f8d09...4f.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    145s
  • max time network
    153s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230703-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
  • submitted
    07-07-2023 10:49

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    b20d8f8d0986ed9e0234ddf2714b704f.exe

  • Size

    529KB

  • MD5

    b20d8f8d0986ed9e0234ddf2714b704f

  • SHA1

    a10d378232e1122cd33508b60fca47f4034048cd

  • SHA256

    8c09092cba3a544a3ba407b5de2c7436523ba6dc5ca96fece657ab65480da2d8

  • SHA512

    3e62b5d768c796c05b33ae49ccc566df5c3213df0d2cc487a27874bf72c71a758f8a99887488711e364eb4bfc08a186502ef3a8e4df326ab570795c2d9d5a6c7

  • SSDEEP

    12288:z1ZVfvcaRdnQgmKn9cCpNQIbG3uIWKZZUwdBiMm0UfWA:z1ZRvc82gmKnzwIHIpZXdPyfx

Score
10/10
healerredlinefuroddropperevasioninfostealerpersistencetrojan

Malware Config

Extracted

Family

redline

Botnet

furod

C2

77.91.68.70:19073

Attributes
  • auth_value

    d2386245fe11799b28b4521492a5879d

Signatures

  • Detects Healer an antivirus disabler dropper 1 IoCs
  • Healer

    Healer an antivirus disabler dropper.

    dropperhealer
  • Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
    evasiontrojan
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • Executes dropped EXE 3 IoCs
  • Windows security modification 2 TTPs 2 IoCs
    evasiontrojan
  • Adds Run key to start application 2 TTPs 4 IoCs
    persistence
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\b20d8f8d0986ed9e0234ddf2714b704f.exe
    "C:\Users\Admin\AppData\Local\Temp\b20d8f8d0986ed9e0234ddf2714b704f.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:4980
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y5390793.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y5390793.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:4508
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k0796265.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k0796265.exe
        3⤵
        • Modifies Windows Defender Real-time Protection settings
        • Executes dropped EXE
        • Windows security modification
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1524
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\l6352791.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\l6352791.exe
        3⤵
        • Executes dropped EXE
        PID:3276

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\System.dll.log
    Filesize

    226B

    MD5

    916851e072fbabc4796d8916c5131092

    SHA1

    d48a602229a690c512d5fdaf4c8d77547a88e7a2

    SHA256

    7e750c904c43d27c89e55af809a679a96c0bb63fc511006ffbceffc2c7f6fb7d

    SHA512

    07ce4c881d6c411cac0b62364377e77950797c486804fb10d00555458716e3c47b1efc0d1f37e4cc3b7e6565bb402ca01c7ea8c963f9f9ace941a6e3883d2521

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y5390793.exe
    Filesize

    261KB

    MD5

    9a03bc26c44db88666ca129cc070b430

    SHA1

    1f9b39892cab0ed16788da15cdeb241405bd6600

    SHA256

    c91d9712314e4b171ef8f3fc1c7f010844551862a9af5306a8675f4a9b02cefd

    SHA512

    ebe8c2ba275dd36703efacfc76f0cf84be14f6ae5433f331968c5f85a8aa16d9f223069837d81c60782507611f924809fa6e3e0d9799a517be7dbc2c79184439

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y5390793.exe
    Filesize

    261KB

    MD5

    9a03bc26c44db88666ca129cc070b430

    SHA1

    1f9b39892cab0ed16788da15cdeb241405bd6600

    SHA256

    c91d9712314e4b171ef8f3fc1c7f010844551862a9af5306a8675f4a9b02cefd

    SHA512

    ebe8c2ba275dd36703efacfc76f0cf84be14f6ae5433f331968c5f85a8aa16d9f223069837d81c60782507611f924809fa6e3e0d9799a517be7dbc2c79184439

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k0796265.exe
    Filesize

    97KB

    MD5

    ef0a46bbd3255abcdd45476fa9c702c9

    SHA1

    412ad7702455c4f8561f76c3dd42ea5426bda01b

    SHA256

    6be01a20adc80c93850cc32b79e366eac7c9fdadab9f26e54bc4455083aaacd8

    SHA512

    762269c0c63575bd1f51daf422e9ff5cf74bc8118fe8d150579b0fcd9d869ffe4d861ac8006d25e3f722dabbdc006f2bd370c957a1a78c9ad3912f9ca28db362

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k0796265.exe
    Filesize

    97KB

    MD5

    ef0a46bbd3255abcdd45476fa9c702c9

    SHA1

    412ad7702455c4f8561f76c3dd42ea5426bda01b

    SHA256

    6be01a20adc80c93850cc32b79e366eac7c9fdadab9f26e54bc4455083aaacd8

    SHA512

    762269c0c63575bd1f51daf422e9ff5cf74bc8118fe8d150579b0fcd9d869ffe4d861ac8006d25e3f722dabbdc006f2bd370c957a1a78c9ad3912f9ca28db362

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\l6352791.exe
    Filesize

    257KB

    MD5

    d24c5b58ec43d9dba9f0c6244d715f0e

    SHA1

    8b6e1b40d99a2128a7cb185336502b44dc5dc57e

    SHA256

    e6e6a7451b097e75e729d16cc7a15704b823d68f8cf274083973d848ee28c62b

    SHA512

    306b6ad6fa2fc95b63ce1b3a2c44f1fa5b344ea6364477addc5e26b0e778e9ab1a9dc606f60800c1ea6a0f4fbbac7fa6838b0b710562cd772391dbcfc928a6ec

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\l6352791.exe
    Filesize

    257KB

    MD5

    d24c5b58ec43d9dba9f0c6244d715f0e

    SHA1

    8b6e1b40d99a2128a7cb185336502b44dc5dc57e

    SHA256

    e6e6a7451b097e75e729d16cc7a15704b823d68f8cf274083973d848ee28c62b

    SHA512

    306b6ad6fa2fc95b63ce1b3a2c44f1fa5b344ea6364477addc5e26b0e778e9ab1a9dc606f60800c1ea6a0f4fbbac7fa6838b0b710562cd772391dbcfc928a6ec

    Download Submit

  • memory/1524-153-0x00000000001F0000-0x00000000001FA000-memory.dmp

    Filesize

    40KB

    Download

  • memory/3276-162-0x0000000000580000-0x00000000005B0000-memory.dmp

    Filesize

    192KB

    Download

  • memory/3276-167-0x000000000A0C0000-0x000000000A6D8000-memory.dmp

    Filesize

    6.1MB

    Download

  • memory/3276-168-0x000000000A760000-0x000000000A86A000-memory.dmp

    Filesize

    1.0MB

    Download

  • memory/3276-169-0x000000000A8A0000-0x000000000A8B2000-memory.dmp

    Filesize

    72KB

    Download

  • memory/3276-170-0x0000000004B30000-0x0000000004B40000-memory.dmp

    Filesize

    64KB

    Download

  • memory/3276-171-0x000000000A8C0000-0x000000000A8FC000-memory.dmp

    Filesize

    240KB

    Download

  • memory/3276-172-0x0000000004B30000-0x0000000004B40000-memory.dmp

    Filesize

    64KB

    Download

  • memory/4980-133-0x0000000000710000-0x0000000000784000-memory.dmp

    Filesize

    464KB

    Download