Overview

overview

10

Static

static

3

b21fc8a880...0d.exe

windows7-x64

10

b21fc8a880...0d.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    146s
  • max time network
    155s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230703-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
  • submitted
    07/07/2023, 17:51

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    b21fc8a88033c5d6048ec53a56c2db9684be35a60560d.exe

  • Size

    529KB

  • MD5

    a04edbdffe7cbe56e8099da8eebb9b0e

  • SHA1

    033226b55c2c41d5c58d7a93318c74e5eae7a0e3

  • SHA256

    b21fc8a88033c5d6048ec53a56c2db9684be35a60560d2cb37f931f3bbcf2fed

  • SHA512

    8bebdec514a96ab0ac7527008ce77196c9740eacb2811aec3411a7d519a69bd3a0284f703e9b1d2ec778b865cca0d6478c5ba13abef0db9dee5c49724392b1ec

  • SSDEEP

    12288:GpMNgtfvmaRdnQgn9rmzaBvoFa47/nRazCyanAu:GpMNgZvm82gnZya5oFFFySAu

Score
10/10
healerredlinefuroddropperevasioninfostealerpersistencetrojan

Malware Config

Extracted

Family

redline

Botnet

furod

C2

77.91.68.70:19073

Attributes
  • auth_value

    d2386245fe11799b28b4521492a5879d

Signatures

  • Detects Healer an antivirus disabler dropper 1 IoCs
  • Healer

    Healer an antivirus disabler dropper.

    dropperhealer
  • Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
    evasiontrojan
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • Executes dropped EXE 3 IoCs
  • Windows security modification 2 TTPs 2 IoCs
    evasiontrojan
  • Adds Run key to start application 2 TTPs 4 IoCs
    persistence
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\b21fc8a88033c5d6048ec53a56c2db9684be35a60560d.exe
    "C:\Users\Admin\AppData\Local\Temp\b21fc8a88033c5d6048ec53a56c2db9684be35a60560d.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:1420
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y7617076.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y7617076.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:2224
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k6052393.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k6052393.exe
        3⤵
        • Modifies Windows Defender Real-time Protection settings
        • Executes dropped EXE
        • Windows security modification
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:312
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\l9947470.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\l9947470.exe
        3⤵
        • Executes dropped EXE
        PID:4936

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\System.dll.log
    Filesize

    226B

    MD5

    916851e072fbabc4796d8916c5131092

    SHA1

    d48a602229a690c512d5fdaf4c8d77547a88e7a2

    SHA256

    7e750c904c43d27c89e55af809a679a96c0bb63fc511006ffbceffc2c7f6fb7d

    SHA512

    07ce4c881d6c411cac0b62364377e77950797c486804fb10d00555458716e3c47b1efc0d1f37e4cc3b7e6565bb402ca01c7ea8c963f9f9ace941a6e3883d2521

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y7617076.exe
    Filesize

    261KB

    MD5

    d4d6518bb534b31aefe80495e2bfa8c6

    SHA1

    48fcc38b85728e3aa978b798ebe9d17e4048cfb0

    SHA256

    6131d79b16dbad4c24555a097e3ca55f5c2e4650f3a67c77c922c17be592a2b6

    SHA512

    eaf503ec514ba970484148500e7615ef29316a2994d09b1e3b4d74a4efe6763b36ee7467ee0ffb03227580b649f30e91e36a3805e4a97dfaf2bd04e3baae31a8

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y7617076.exe
    Filesize

    261KB

    MD5

    d4d6518bb534b31aefe80495e2bfa8c6

    SHA1

    48fcc38b85728e3aa978b798ebe9d17e4048cfb0

    SHA256

    6131d79b16dbad4c24555a097e3ca55f5c2e4650f3a67c77c922c17be592a2b6

    SHA512

    eaf503ec514ba970484148500e7615ef29316a2994d09b1e3b4d74a4efe6763b36ee7467ee0ffb03227580b649f30e91e36a3805e4a97dfaf2bd04e3baae31a8

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k6052393.exe
    Filesize

    96KB

    MD5

    01be805cee48bb9f7c631575a3e79ea3

    SHA1

    3d8499e6357007f76e872d61d5e6a812d738e6dd

    SHA256

    c86a2db0de8a29175943623e0f9a35a371495978b8f9c55915ab18ac55918462

    SHA512

    c1fdb21f78e00f64a9294529cebeed89eb3bd32f5de63197e2810fdf10d9294694305a0121bab104d9a57b4ef6e0d2ed65a0e4984084d92a5760d8bacd1ca31d

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k6052393.exe
    Filesize

    96KB

    MD5

    01be805cee48bb9f7c631575a3e79ea3

    SHA1

    3d8499e6357007f76e872d61d5e6a812d738e6dd

    SHA256

    c86a2db0de8a29175943623e0f9a35a371495978b8f9c55915ab18ac55918462

    SHA512

    c1fdb21f78e00f64a9294529cebeed89eb3bd32f5de63197e2810fdf10d9294694305a0121bab104d9a57b4ef6e0d2ed65a0e4984084d92a5760d8bacd1ca31d

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\l9947470.exe
    Filesize

    257KB

    MD5

    b02074f0f0a9e80a448ed7299e1334d2

    SHA1

    b6943ff147635f855a1f329ba0502d108ad3b727

    SHA256

    55d5a4c3b7504caae5e66e65086a0b025fe4ab55185dd3293c1eed8d1e074105

    SHA512

    2933b46ce199ef6a03e7e899f58ff2ef0a5723a5b20953fb9984b375010967c4c707d557b2589c5f7af6656cf21496d241efbd690235ec2a222d2885bc961769

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\l9947470.exe
    Filesize

    257KB

    MD5

    b02074f0f0a9e80a448ed7299e1334d2

    SHA1

    b6943ff147635f855a1f329ba0502d108ad3b727

    SHA256

    55d5a4c3b7504caae5e66e65086a0b025fe4ab55185dd3293c1eed8d1e074105

    SHA512

    2933b46ce199ef6a03e7e899f58ff2ef0a5723a5b20953fb9984b375010967c4c707d557b2589c5f7af6656cf21496d241efbd690235ec2a222d2885bc961769

    Download Submit

  • memory/312-153-0x00000000001F0000-0x00000000001FA000-memory.dmp

    Filesize

    40KB

    Download

  • memory/1420-133-0x00000000006A0000-0x0000000000714000-memory.dmp

    Filesize

    464KB

    Download

  • memory/4936-162-0x0000000000490000-0x00000000004C0000-memory.dmp

    Filesize

    192KB

    Download

  • memory/4936-167-0x000000000A6D0000-0x000000000ACE8000-memory.dmp

    Filesize

    6.1MB

    Download

  • memory/4936-168-0x000000000A140000-0x000000000A24A000-memory.dmp

    Filesize

    1.0MB

    Download

  • memory/4936-169-0x000000000A280000-0x000000000A292000-memory.dmp

    Filesize

    72KB

    Download

  • memory/4936-170-0x000000000A2A0000-0x000000000A2DC000-memory.dmp

    Filesize

    240KB

    Download

  • memory/4936-171-0x0000000004C10000-0x0000000004C20000-memory.dmp

    Filesize

    64KB

    Download

  • memory/4936-172-0x0000000004C10000-0x0000000004C20000-memory.dmp

    Filesize

    64KB

    Download