Analysis
-
max time kernel
274s -
max time network
288s -
platform
windows10-1703_x64 -
resource
win10-20230703-en -
resource tags
-
submitted
08/07/2023, 23:45
General
-
Target
y3733283.exe
-
Size
261KB
-
MD5
cb0c35004c805640a337da72ebe2030a
-
SHA1
cc1ed6e754bb890b3ce7c8407608fb8b8293e743
-
SHA256
26e1b5dc0c6ccfb77c538bd2da023c7f1aa0a0b4b6d837c9da20195b7d3c358c
-
SHA512
74dc68a176542e11f4bc3845c98f4b62992c2c61453e0e8983ec0374cd225f9c05c1e61b150f867deb52561fbb9de439b264f95a1fe9b85d30979d004ee0938d
-
SSDEEP
6144:Kvy+bnr+yp0yN90QEXuZuWpGi68u+mYXi0ybf:RMrmy90poOF+mWiJbf
Malware Config
Extracted
redline
furod
77.91.68.70:19073
-
auth_value
d2386245fe11799b28b4521492a5879d
Signatures
-
Detects Healer an antivirus disabler dropper 1 IoCs
-
Healer
Healer an antivirus disabler dropper.
-
Modifies Windows Defender Real-time Protection settings 3 TTPs 5 IoCs
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
Executes dropped EXE 2 IoCs
-
Windows security modification 2 TTPs 2 IoCs
-
Adds Run key to start application 2 TTPs 2 IoCs
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
-
Suspicious use of WriteProcessMemory 6 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\y3733283.exe"C:\Users\Admin\AppData\Local\Temp\y3733283.exe"1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\k5488530.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\k5488530.exe2⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\l2253694.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\l2253694.exe2⤵
- Executes dropped EXE
-
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
226B
MD5957779c42144282d8cd83192b8fbc7cf
SHA1de83d08d2cca06b9ff3d1ef239d6b60b705d25fe
SHA2560d7ca7ba65e2b465e4878e324ceab8f8981f5ec06dcf5bc32559a4467a9c7d51
SHA512f1549c61b4f2906d13b2aabb74772c2bc826cd42373d7bb6c48cbb125d5aa2ec17617e6b5e67e8aae3bb5790cc831cdba48a45008ed01df4fba8be448cce39fd
-
Filesize
104KB
MD528ff84de4fbd58f9af457275278b05ea
SHA10696f91332febf09dd84d514d963c50e9aae658e
SHA256b3c4bea998032b736fdeb9af69bd54578e4b36bda9546b26e2dd4f4597db6a0e
SHA5127e92a44710cd9a2ed81919377d2e4a1ad55b405ee2c1cb24f0289aafa607a5310a17b6b0e506d251189412ad182e35b4ec7ea78013bcfec1b1b6cfa5d403ffe7
-
Filesize
104KB
MD528ff84de4fbd58f9af457275278b05ea
SHA10696f91332febf09dd84d514d963c50e9aae658e
SHA256b3c4bea998032b736fdeb9af69bd54578e4b36bda9546b26e2dd4f4597db6a0e
SHA5127e92a44710cd9a2ed81919377d2e4a1ad55b405ee2c1cb24f0289aafa607a5310a17b6b0e506d251189412ad182e35b4ec7ea78013bcfec1b1b6cfa5d403ffe7
-
Filesize
265KB
MD556f3c2c2f988d066b0a6af876fe2369c
SHA1c41b87d444e61749c7e502cf23323cec0704f455
SHA2566e2ae2723f3caa22c6de0851e0a7aaefbe08ab4fc83816d2c3962e37d723894d
SHA5123f4c551ea2f0c28fef4e854b4392db251b74cfaa66a7a05e16f155396c0cc3c7d6aeed7ec6f827a767d3ae9f93b1e5e2bac7d54ebc4b1989d73c4d63f2987c5a
-
Filesize
265KB
MD556f3c2c2f988d066b0a6af876fe2369c
SHA1c41b87d444e61749c7e502cf23323cec0704f455
SHA2566e2ae2723f3caa22c6de0851e0a7aaefbe08ab4fc83816d2c3962e37d723894d
SHA5123f4c551ea2f0c28fef4e854b4392db251b74cfaa66a7a05e16f155396c0cc3c7d6aeed7ec6f827a767d3ae9f93b1e5e2bac7d54ebc4b1989d73c4d63f2987c5a
-
Filesize
192KB
-
Filesize
24KB
-
Filesize
6.0MB
-
Filesize
1.0MB
-
Filesize
72KB
-
Filesize
248KB
-
Filesize
64KB
-
Filesize
300KB
-
Filesize
64KB
-
Filesize
40KB