Overview

overview

10

Static

static

3

dea98214ec...95.exe

windows7-x64

10

dea98214ec...95.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    143s
  • max time network
    152s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230703-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
  • submitted
    10-07-2023 18:53

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    dea98214ec29b7cd5cb24e695.exe

  • Size

    529KB

  • MD5

    dea98214ec29b7cd5cb24e6957d3122b

  • SHA1

    5e6e7063d689fc58282309aed47a037054a079de

  • SHA256

    55b8a711e22c32e0890552fcd9384eb4c830629379064880ff92127969cb449e

  • SHA512

    d0575b08b156145a7bcf8f348e569ddbcc7f7da7ce5cddffef5f6cde3c1c2c1cf9a80b4e1d45a401bcbcbeda6c7a3be6dcc3ab3cf47bca77dbe54540853afe13

  • SSDEEP

    12288:CbEbfvWaRdnQgaFjvXoIITSjxMd7cfxXgMG7cVC:CbEjvW82giofTCxXl3VC

Score
10/10
healerredlinefuroddropperevasioninfostealerpersistencetrojan

Malware Config

Extracted

Family

redline

Botnet

furod

C2

77.91.68.70:19073

Attributes
  • auth_value

    d2386245fe11799b28b4521492a5879d

Signatures

  • Detects Healer an antivirus disabler dropper 1 IoCs
  • Healer

    Healer an antivirus disabler dropper.

    dropperhealer
  • Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
    evasiontrojan
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • Executes dropped EXE 3 IoCs
  • Windows security modification 2 TTPs 2 IoCs
    evasiontrojan
  • Adds Run key to start application 2 TTPs 4 IoCs
    persistence
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\dea98214ec29b7cd5cb24e695.exe
    "C:\Users\Admin\AppData\Local\Temp\dea98214ec29b7cd5cb24e695.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:2436
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y1589335.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y1589335.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:1448
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k5331941.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k5331941.exe
        3⤵
        • Modifies Windows Defender Real-time Protection settings
        • Executes dropped EXE
        • Windows security modification
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:4656
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\l8599376.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\l8599376.exe
        3⤵
        • Executes dropped EXE
        PID:1692

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\System.dll.log
    Filesize

    226B

    MD5

    916851e072fbabc4796d8916c5131092

    SHA1

    d48a602229a690c512d5fdaf4c8d77547a88e7a2

    SHA256

    7e750c904c43d27c89e55af809a679a96c0bb63fc511006ffbceffc2c7f6fb7d

    SHA512

    07ce4c881d6c411cac0b62364377e77950797c486804fb10d00555458716e3c47b1efc0d1f37e4cc3b7e6565bb402ca01c7ea8c963f9f9ace941a6e3883d2521

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y1589335.exe
    Filesize

    260KB

    MD5

    2b13587756737f10d5e419e3d4889cc9

    SHA1

    df5df9b05e15e7c7e09b529a09d5984c551e4e2b

    SHA256

    385ee41e62c3aa616a88d2062995bc2fbf0a997e3033f735519b84e6a8835606

    SHA512

    ff7661300f1fbc9f574e533f2646c4e2fbad520d27b69979e459cf2f9d77227e3fdc0b781eeb40332f7c85aab07f3c9cbb6146104924758e739db2d0c88c8019

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y1589335.exe
    Filesize

    260KB

    MD5

    2b13587756737f10d5e419e3d4889cc9

    SHA1

    df5df9b05e15e7c7e09b529a09d5984c551e4e2b

    SHA256

    385ee41e62c3aa616a88d2062995bc2fbf0a997e3033f735519b84e6a8835606

    SHA512

    ff7661300f1fbc9f574e533f2646c4e2fbad520d27b69979e459cf2f9d77227e3fdc0b781eeb40332f7c85aab07f3c9cbb6146104924758e739db2d0c88c8019

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k5331941.exe
    Filesize

    96KB

    MD5

    72fd1a70f413ab854a0b5b1f578063be

    SHA1

    fad47a6bcd43c825a1c409bef3a8cbd89fadbce1

    SHA256

    5232710408f216cd7fbd8387e1a869e5c3001cb90c79999e2a8e046f80b8d858

    SHA512

    dd857736eef06f91e51b085f7bf019664bd965eb62c3d965ced7f402c201008842726cad6be47c347cefb81d2e02d522b98d9d35fb5e0e6cb06220cf222f4b18

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k5331941.exe
    Filesize

    96KB

    MD5

    72fd1a70f413ab854a0b5b1f578063be

    SHA1

    fad47a6bcd43c825a1c409bef3a8cbd89fadbce1

    SHA256

    5232710408f216cd7fbd8387e1a869e5c3001cb90c79999e2a8e046f80b8d858

    SHA512

    dd857736eef06f91e51b085f7bf019664bd965eb62c3d965ced7f402c201008842726cad6be47c347cefb81d2e02d522b98d9d35fb5e0e6cb06220cf222f4b18

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\l8599376.exe
    Filesize

    257KB

    MD5

    b4e6f70ad8309362241b102d479e0c93

    SHA1

    dd5c11a702ca14370207f3bb8b78b5a7b34d7088

    SHA256

    0ccbb86504598e23eeaa986ccb059cd73dc8611035f673efe256522b4b9747d2

    SHA512

    90755d8643fdb1622ef95857367f42080f38a7440dbe95dd760a48cd91a79f4c71317d220088bef1939ac9b074d01941e4580c94defd84f9194b6a8a43f9b021

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\l8599376.exe
    Filesize

    257KB

    MD5

    b4e6f70ad8309362241b102d479e0c93

    SHA1

    dd5c11a702ca14370207f3bb8b78b5a7b34d7088

    SHA256

    0ccbb86504598e23eeaa986ccb059cd73dc8611035f673efe256522b4b9747d2

    SHA512

    90755d8643fdb1622ef95857367f42080f38a7440dbe95dd760a48cd91a79f4c71317d220088bef1939ac9b074d01941e4580c94defd84f9194b6a8a43f9b021

    Download Submit

  • memory/1692-162-0x00000000005A0000-0x00000000005D0000-memory.dmp

    Filesize

    192KB

    Download

  • memory/1692-167-0x000000000A590000-0x000000000ABA8000-memory.dmp

    Filesize

    6.1MB

    Download

  • memory/1692-168-0x000000000A000000-0x000000000A10A000-memory.dmp

    Filesize

    1.0MB

    Download

  • memory/1692-169-0x000000000A140000-0x000000000A152000-memory.dmp

    Filesize

    72KB

    Download

  • memory/1692-170-0x000000000A160000-0x000000000A19C000-memory.dmp

    Filesize

    240KB

    Download

  • memory/1692-171-0x0000000004BE0000-0x0000000004BF0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/1692-172-0x0000000004BE0000-0x0000000004BF0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2436-133-0x00000000007D0000-0x0000000000844000-memory.dmp

    Filesize

    464KB

    Download

  • memory/4656-153-0x0000000000420000-0x000000000042A000-memory.dmp

    Filesize

    40KB

    Download